Overview

API keys provide long-lived authentication for:
  • Automated trading bots
  • Server-to-server integrations
  • CI/CD pipelines
  • Third-party app integrations

Unlike JWT tokens, API keys don’t expire automatically and can be scoped to specific permissions.

Creating an API Key

curl -X POST https://api.cryptorobot.ai/keys \
  -H "Authorization: Bearer eyJ..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My Trading Bot",
    "scopes": ["read:strategies", "read:exchanges", "write:traders"]
  }'

Response

{
  "_id": "key-id-123",
  "name": "My Trading Bot",
  "key": "cr_live_a1b2c3d4e5f6...",
  "scopes": ["read:strategies", "read:exchanges", "write:traders"],
  "lastUsed": null,
  "createdAt": "2024-01-15T10:00:00Z"
}

The full API key (key field) is only returned once at creation time. Store it securely — it cannot be retrieved again.

Using an API Key

Include the key in the Authorization header with the ApiKey prefix:
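
curl https://api.cryptorobot.ai/strategies \
  -H "Authorization: ApiKey cr_live_a1b2c3d4e5f6..."

// Node.js with axios
import axios from 'axios';

// The key below is a placeholder that shows the header format only;
// load the real key from an environment variable or secret manager.
const api = axios.create({
  baseURL: 'https://api.cryptorobot.ai',
  headers: {
    'Authorization': 'ApiKey cr_live_a1b2c3d4e5f6...',
    'Content-Type': 'application/json'
  }
});

// Requires the read:strategies scope
const { data } = await api.get('/strategies');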

Available Scopes

Scope              Description
read:strategies    View strategies, templates, indicators
write:strategies   Create/update/delete strategies
read:exchanges     View exchange connections, balances, market data
write:exchanges    Create/update/delete exchange connections
read:traders       View trading bots and pod status
write:traders      Create/start/stop trading bots
read:portfolio     View trades, balance series, snapshots
read:insights      View market insights and signals
read:models        View model signals and subscriptions
write:models       Subscribe/unsubscribe to signals

Managing API Keys

List Keys

curl https://api.cryptorobot.ai/keys \
  -H "Authorization: Bearer eyJ..."

Revoke a Key

curl -X DELETE https://api.cryptorobot.ai/keys/key-id-123 \
  -H "Authorization: Bearer eyJ..."

Revoking an API key is immediate. Any requests using that key will receive a 401 error.

Restricted Endpoints

When using API keys, certain endpoints enforce scope-based access through the /restricted path:

# Access scoped data via API key (URL quoted so the shell does not treat ? as a glob)
curl "https://api.cryptorobot.ai/restricted?resource=strategies" \
  -H "Authorization: ApiKey cr_live_..."

The restricted endpoint validates that your API key has the required scope for the requested resource.

Best Practices

1. Use descriptive names
   Name keys after their purpose: “Production Trading Bot”, “Backtest Runner”, “Portfolio Dashboard”.

2. Apply least-privilege scopes
   Only grant the scopes the integration actually needs. A monitoring dashboard only needs read:* scopes.

3. Rotate keys periodically
   Create a new key, update your integration, then revoke the old key.

4. Use environment variables
   Never hardcode API keys in source code. Use environment variables or secret managers.

5. Monitor usage
   Check the lastUsed field to identify unused keys that should be revoked.
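
The following is an added example, not part of the CryptoRobot documentation. It applies the least-privilege and usage-monitoring practices to the output of List Keys, flagging keys that hold scopes their integration does not need and keys that are unused or idle. It assumes GET /keys returns an array of objects shaped like the creation response without the key field; the neededScopesByName allow-list, the 30-day idle threshold and the sample data are hypothetical.

```javascript
// Added example: audit the array returned by GET /keys.
// Assumption: each entry looks like the creation response shown on this page
// without the `key` field (_id, name, scopes, lastUsed, createdAt).
function auditKeys(keys, neededScopesByName, now, maxIdleDays = 30) {
  const findings = [];
  for (const k of keys) {
    const issues = [];
    // Least privilege: any scope not on the integration's allow-list is excess.
    const needed = new Set(neededScopesByName[k.name] || []);
    const excess = k.scopes.filter((s) => !needed.has(s));
    if (excess.length) issues.push(`excess scopes: ${excess.join(', ')}`);
    // Monitor usage: lastUsed is null until the key is first used.
    if (!k.lastUsed) {
      issues.push('never used');
    } else {
      const idleDays = Math.floor((now - Date.parse(k.lastUsed)) / 86400000);
      if (idleDays > maxIdleDays) issues.push(`idle ${idleDays} days`);
    }
    if (issues.length) findings.push({ id: k._id, name: k.name, issues });
  }
  return findings;
}

// Constructed sample data (not real keys or real API output).
const sampleKeys = [
  { _id: 'key-id-1', name: 'Portfolio Dashboard',
    scopes: ['read:portfolio', 'write:traders'],
    lastUsed: '2024-03-01T08:00:00Z', createdAt: '2024-01-15T10:00:00Z' },
  { _id: 'key-id-2', name: 'Backtest Runner',
    scopes: ['read:strategies'],
    lastUsed: null, createdAt: '2024-01-15T10:00:00Z' },
  { _id: 'key-id-3', name: 'Production Trading Bot',
    scopes: ['read:strategies', 'read:exchanges', 'write:traders'],
    lastUsed: '2024-01-20T00:00:00Z', createdAt: '2024-01-15T10:00:00Z' },
];
// Hypothetical allow-list: the scopes each named integration actually needs.
const sampleNeeded = {
  'Portfolio Dashboard': ['read:portfolio'],
  'Backtest Runner': ['read:strategies'],
  'Production Trading Bot': ['read:strategies', 'read:exchanges', 'write:traders'],
};
const sampleNow = Date.parse('2024-03-02T00:00:00Z');
console.log(JSON.stringify(auditKeys(sampleKeys, sampleNeeded, sampleNow), null, 2));
```

Each finding is a candidate for a replacement key with narrower scopes or for revocation through DELETE /keys/{id}.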