Authentication

The API uses a layered authentication model. User-session endpoints use bearer tokens, while server-to-server operational endpoints usually require an API key.

Bearer tokens

Call POST /v1/auth/login with your approved integrator email and password. Use the returned token in the Authorization header:

    Authorization: Bearer <token>

Bearer-token sessions can be revoked by calling POST /v1/auth/logout. Changing your password also invalidates the current session.

API keys

API keys identify the approved integrator for server-side API operations. Send the key in the x-api-key header:

    x-api-key: <api-key>

Each integrator has one active API key at a time. Regenerating a key immediately invalidates the previous key, and the plain-text key is only shown once.

Required combinations

| Endpoint type | Required authentication |
| --- | --- |
| Public onboarding | No authentication |
| Login and password reset | No authentication |
| Profile and key metadata | Bearer token or API key where accepted by the endpoint |
| Account creation | x-api-key |
| Investor lookup | x-api-key |
| Wallet funding and balance | CSCS AOS portal access |
| History | CSCS AOS portal access |

Idempotency

Account creation and lookup requests require an Idempotency-Key header. Use a unique key for each new operation and reuse the same key only when retrying an identical request after a timeout or network failure.

    Idempotency-Key: acct-20260505-0001
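
The retry rule above, sketched as an added example that is not part of the original documentation or the API provider's own code. The path /v1/accounts, the INTEGRATOR_API_KEY environment variable, the payload, the 201 response and the send transport callable are assumptions made for illustration; only the x-api-key and Idempotency-Key header names come from this page.

```python
import os
import uuid

# Hypothetical placeholder: this page does not give the account-creation path.
CREATE_ACCOUNT_PATH = "/v1/accounts"


class TransportTimeout(Exception):
    """Raised by the transport when no response arrived (timeout, reset)."""


def new_idempotency_key(prefix="acct"):
    # One fresh random key per new operation; never built from secrets or customer data.
    return f"{prefix}-{uuid.uuid4()}"


def create_account(send, api_key, payload, max_attempts=3):
    """send(method, path, headers, body) -> (status, body) is a caller-supplied transport."""
    key = new_idempotency_key()
    headers = {"x-api-key": api_key, "Idempotency-Key": key}
    frozen = dict(payload)  # snapshot so every retry carries an identical request
    last_error = None
    for _ in range(max_attempts):
        try:
            status, body = send("POST", CREATE_ACCOUNT_PATH, dict(headers), dict(frozen))
        except TransportTimeout as exc:
            last_error = exc  # outcome unknown: retry with the SAME key and body
            continue
        # Any HTTP response, success or error, is final: it is never retried under this key.
        return key, status, body
    raise last_error


def demo():
    seen = []  # (idempotency key, body) for each attempt the fake transport receives

    def flaky_send(method, path, headers, body):
        seen.append((headers["Idempotency-Key"], body))
        if len(seen) == 1:
            raise TransportTimeout("constructed timeout on first attempt")
        return 201, {"ok": True}  # constructed response

    # Assumed variable name; the key is read from the environment, not hard-coded.
    api_key = os.environ.get("INTEGRATOR_API_KEY", "constructed-test-key")
    key, status, _ = create_account(flaky_send, api_key, {"name": "constructed"})
    return key, status, seen
```

Calling create_account again for a different operation generates a new key, so a reused key always means "the same request, retried".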

Staging credentials

The interactive playground points to staging. Do not enter production secrets, live customer data, or reusable credentials in shared browser sessions.