POST /auth/api-tokens/derive
Derive scoped API token
curl --request POST \
  --url https://api.limitless.exchange/auth/api-tokens/derive \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "label": "production-trading-bot",
  "scopes": [
    "trading",
    "account_creation"
  ]
}
'
{
  "apiKey": "dGVzdC10b2tlbi0x",
  "secret": "c2VjcmV0LWtleS1leGFtcGxlLWJhc2U2NC1lbmNvZGVk",
  "tokenId": "dGVzdC10b2tlbi0x",
  "createdAt": "2023-11-07T05:31:56Z",
  "scopes": [
    "trading",
    "account_creation"
  ],
  "profile": {
    "id": 42,
    "account": "0x27b4afBD88fE7c88c6897BB0b4ADE338D0401E37"
  }
}
Requires Privy authentication (Bearer token). HMAC and API key auth are not accepted for this endpoint.
The secret field is returned once at creation time. Store it securely — it cannot be retrieved again.

Scopes

| Scope | Description |
| --- | --- |
| trading | Place and cancel orders. Default scope. Required for delegated_signing. |
| account_creation | Create sub-account profiles under your partner account. |
| delegated_signing | Server signs orders on behalf of sub-accounts via Privy server wallet. Requires trading. |

If scopes is omitted from the request body, the token is created with ["trading"] only. Requested scopes must be a subset of your partner’s allowedScopes (see Get Partner Capabilities).

Using the token

After deriving a token, authenticate subsequent requests using HMAC signing with the returned apiKey (token ID) and secret. See HMAC Request Signing for the signing protocol.
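
An added example, not code from the Limitless documentation: a client-side check of the scope rules above before the request is sent, and a handler that writes the one-time secret to an owner-only file and returns a log-safe copy of the response. The function names and the credential file layout are assumptions; `allowed_scopes` is the list your partner account is permitted to request.

```python
import json
import os

# Scope names and the label limit are taken from this page.
KNOWN_SCOPES = {"trading", "account_creation", "delegated_signing"}
MAX_LABEL_LEN = 128


def build_derive_body(label, scopes=None, allowed_scopes=KNOWN_SCOPES):
    """Validate a derive request locally and return the JSON body as a dict."""
    if len(label) > MAX_LABEL_LEN:
        raise ValueError("label exceeds 128 characters")
    # Documented default when scopes is omitted.
    requested = ["trading"] if scopes is None else list(scopes)
    unknown = set(requested) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    denied = set(requested) - set(allowed_scopes)
    if denied:
        raise ValueError(f"not in partner allowedScopes: {sorted(denied)}")
    if "delegated_signing" in requested and "trading" not in requested:
        raise ValueError("delegated_signing requires trading")
    return {"label": label, "scopes": requested}


def store_secret_once(response, path):
    """Persist apiKey and secret to an owner-only file; return a log-safe copy."""
    record = {"apiKey": response["apiKey"], "secret": response["secret"]}
    # O_EXCL refuses to overwrite an existing credential file, since the
    # secret cannot be fetched again; 0o600 limits access to the owner.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    # Only this redacted copy should reach logs or error reports.
    return {k: ("<redacted>" if k == "secret" else v) for k, v in response.items()}
```
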

Authorizations

X-API-Key (string, header, required)

API key for programmatic access. Generate at limitless.exchange -> profile menu -> Api keys.

Body

application/json
label (string)

Human-readable label for the token

Maximum string length: 128
Example: "production-trading-bot"

scopes (enum<string>[])

Scopes to grant. Defaults to ["trading"] if omitted. Must be a subset of the partner's allowed scopes. delegated_signing requires trading.

Available options: trading, account_creation, delegated_signing
Example: ["trading", "account_creation"]

Response

Token created successfully. The secret is only returned once.

apiKey (string, required)

The token ID, used as the lmts-api-key header value for HMAC requests

Example: "dGVzdC10b2tlbi0x"

secret (string, required)

Base64-encoded secret for HMAC signing. Returned once — store securely.

Example: "c2VjcmV0LWtleS1leGFtcGxlLWJhc2U2NC1lbmNvZGVk"

tokenId (string, required)

Same as apiKey. The unique token identifier.

Example: "dGVzdC10b2tlbi0x"

createdAt (string<date-time>, required)

Token creation timestamp

scopes (string[], required)

Granted scopes

Example: ["trading", "account_creation"]

profile (object, required)