
Bearer authentication

Protected endpoints require an API key passed as a bearer token:
Authorization: Bearer rialto_live_<prefix>.<secret>
The public tokens endpoint does not require a key. Quote, gasless, and integrator endpoints do.

Obtaining a key

API keys are created through a wallet-signed onboarding flow. The wallet that applies becomes the owner of the integrator profile and the fee-recipient wallet. See Integrator Onboarding for the full flow. The raw key is shown only once at creation, so store it securely when it is returned.

Scopes

A key is issued with one or more scopes that determine which endpoints it can call:
Scope            Grants
quote:read       Request quotes.
swap:create      Submit gasless swaps to the relayer.
swap:integrator  Apply an integrator fee to quotes.
A key without the required scope is rejected with 403.

Rate limits and expiry

Keys are rate limited per minute, with separate limits for quoting and for swap submission. The limits applied to a key are returned when it is created, for example a quote limit and a lower swap limit. Exceeding a limit returns 429. Keys may also be set to expire, or may be revoked, after which trading endpoints reject them.

Key safety

Keep API keys private. Do not expose them in public frontend code, mobile apps, source repositories, logs, or analytics tools. Anyone holding a key can act within its scopes. For integrator keys, fee payout and fee caps are bound to the key server-side, so a leaked key can never redirect fees to another wallet or raise the fee above the configured cap, but it should still be treated as a secret.
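
One way to apply this advice on a server, as an added example that is not part of the Rialto documentation: the key is read from an environment variable, and a logging filter scrubs anything shaped like rialto_live_<prefix>.<secret> before a handler sees it. The variable name RIALTO_API_KEY, the helper names, the key character set, the sample key, and treating the prefix as a non-secret identifier are all assumptions made for illustration.

```python
import logging
import os
import re

# Key shape from the page: rialto_live_<prefix>.<secret>.
# The character classes are an assumption; the page does not specify them.
KEY_RE = re.compile(r"\brialto_live_([A-Za-z0-9]+)\.([A-Za-z0-9_-]+)")


def redact(text: str) -> str:
    """Replace the secret half of any key; keep the prefix (assumed non-secret)."""
    return KEY_RE.sub(lambda m: f"rialto_live_{m.group(1)}.[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Scrub keys from log records before any handler formats them."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # the message is already fully formatted
        return True


def auth_headers(env_var: str = "RIALTO_API_KEY") -> dict:
    """Build the bearer header from a server-side environment variable."""
    key = os.environ.get(env_var, "")
    if not KEY_RE.fullmatch(key):
        raise RuntimeError(f"{env_var} is unset or not a rialto_live_ key")
    return {"Authorization": f"Bearer {key}"}


def describe_rejection(status: int) -> str:
    """Map the status codes the page documents to an operator-facing reason."""
    return {
        403: "key lacks the required scope",
        429: "per-minute rate limit exceeded; back off and retry",
    }.get(status, "status not covered by the authentication page")


if __name__ == "__main__":
    os.environ["RIALTO_API_KEY"] = "rialto_live_ab12cd.s3cr3tEXAMPLEonly"  # constructed
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("integrator")
    log.addFilter(RedactingFilter())
    # An accidental header log is emitted with the secret removed.
    log.info("request header: %s", auth_headers()["Authorization"])
```

The filter is attached to one logger here; records emitted by other loggers are scrubbed only if the filter is also added to them or to the handlers they reach.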