Overview
API keys provide long-lived authentication for:
- Automated trading bots
- Server-to-server integrations
- CI/CD pipelines
- Third-party app integrations
Unlike JWT tokens, API keys don’t expire automatically and can be scoped to specific permissions.
Creating an API Key
curl -X POST https://api.cryptorobot.ai/keys \
-H "Authorization: Bearer eyJ..." \
-H "Content-Type: application/json" \
-d '{
"name": "My Trading Bot",
"scopes": ["read:strategies", "read:exchanges", "write:traders"]
}'
Response
{
"_id": "key-id-123",
"name": "My Trading Bot",
"key": "cr_live_a1b2c3d4e5f6...",
"scopes": ["read:strategies", "read:exchanges", "write:traders"],
"lastUsed": null,
"createdAt": "2024-01-15T10:00:00Z"
}
The full API key (key field) is only returned once at creation time. Store it securely — it cannot be retrieved again.
Using an API Key
Include the key in the Authorization header with the ApiKey prefix:
curl https://api.cryptorobot.ai/strategies \
-H "Authorization: ApiKey cr_live_a1b2c3d4e5f6..."
const api = axios.create({
baseURL: 'https://api.cryptorobot.ai',
headers: {
'Authorization': 'ApiKey cr_live_a1b2c3d4e5f6...',
'Content-Type': 'application/json'
}
});
const { data } = await api.get('/strategies');
import requests
headers = {
'Authorization': 'ApiKey cr_live_a1b2c3d4e5f6...',
'Content-Type': 'application/json'
}
response = requests.get('https://api.cryptorobot.ai/strategies', headers=headers)
Available Scopes
| Scope | Description |
|---|
read:strategies | View strategies, templates, indicators |
write:strategies | Create/update/delete strategies |
read:exchanges | View exchange connections, balances, market data |
write:exchanges | Create/update/delete exchange connections |
read:traders | View trading bots and pod status |
write:traders | Create/start/stop trading bots |
read:portfolio | View trades, balance series, snapshots |
read:insights | View market insights and signals |
read:models | View model signals and subscriptions |
write:models | Subscribe/unsubscribe to signals |
Managing API Keys
List Keys
curl https://api.cryptorobot.ai/keys \
-H "Authorization: Bearer eyJ..."
Revoke a Key
curl -X DELETE https://api.cryptorobot.ai/keys/key-id-123 \
-H "Authorization: Bearer eyJ..."
Revoking an API key is immediate. Any requests using that key will receive a 401 error.
Restricted Endpoints
When using API keys, certain endpoints enforce scope-based access through the /restricted path:
# Access scoped data via API key
curl https://api.cryptorobot.ai/restricted?resource=strategies \
-H "Authorization: ApiKey cr_live_..."
The restricted endpoint validates that your API key has the required scope for the requested resource.
Best Practices
Use descriptive names
Name keys after their purpose: “Production Trading Bot”, “Backtest Runner”, “Portfolio Dashboard”
Apply least-privilege scopes
Only grant the scopes the integration actually needs. A monitoring dashboard only needs read:* scopes.
Rotate keys periodically
Create a new key, update your integration, then revoke the old key.
Use environment variables
Never hardcode API keys in source code. Use environment variables or secret managers.
Monitor usage
Check the lastUsed field to identify unused keys that should be revoked.