Authentication
PaperExchange API v1.0 supports two authentication methods: API Keys and JWT tokens.
Overview
| Method | Use Case | Header |
|---|---|---|
API Key | Trading bots, scripts, programmatic access | X-API-Key |
JWT Token | Dashboard, web applications | Authorization: Bearer |
API Key Authentication
API keys are the recommended method for trading bots and automated systems. They provide secure, long-lived access to the trading API.
Creating an API Key
- Log in to your dashboard
- Navigate to the API Keys section
- Click "Create New Key" and give it a name
- Copy the key immediately - it won't be shown again
Using Your API Key
Include your API key in the X-API-Key header:
import requests
API_KEY = "pe_your_api_key_here"
BASE_URL = "https://api.paperx.co/v1/exchanges/hyperliquid"
response = requests.post(
f"{BASE_URL}/info",
headers={
"Content-Type": "application/json",
"X-API-Key": API_KEY
},
json={"type": "allMids"}
)
print(response.json())curl -X POST https://api.paperx.co/v1/exchanges/hyperliquid/info \
-H "Content-Type: application/json" \
-H "X-API-Key: pe_your_api_key_here" \
-d '{"type": "allMids"}'const API_KEY = "pe_your_api_key_here";
const BASE_URL = "https://api.paperx.co/v1/exchanges/hyperliquid";
const response = await fetch(`${BASE_URL}/info`, {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-API-Key": API_KEY
},
body: JSON.stringify({ type: "allMids" })
});
const data = await response.json();
console.log(data);JWT Token Authentication
JWT tokens are used for dashboard access and web applications. Tokens expire after 24 hours and must be refreshed.
Getting a JWT Token
Obtain a JWT token by logging in with your email and password:
POST /v1/auth/login
Content-Type: application/json
{
"email": "your@email.com",
"password": "your_password"
}{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"user_id": "uuid-here",
"email": "your@email.com"
}Using JWT Tokens
Include the token in the Authorization header:
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...Security Best Practices
Never expose API keys in client-side code
API keys should only be used in server-side code or secure environments. Never include them in frontend JavaScript or mobile apps.
Use environment variables
Store API keys in environment variables, not in your code. Use .env files for local development.
Rotate keys regularly
Create new API keys periodically and revoke old ones. You can manage keys in your dashboard.
Use separate keys for different environments
Create separate API keys for development, staging, and production environments.
Rate Limits
Rate limits are applied per API key:
| Plan | Rate Limit | Max API Keys |
|---|---|---|
| Basic | 200 requests/minute | 5 keys |
| Pro | 500 requests/minute | 10 keys |
Rate limit headers are included in all responses:
X-RateLimit-Limit- Maximum requests per minuteX-RateLimit-Remaining- Requests remainingX-RateLimit-Reset- Unix timestamp when limit resets
Next Steps
Now that you understand authentication, learn how to make API requests:
Info Endpoint Reference