API keys

Issue scoped programmatic credentials so a trader (or their bot) can call the API directly — optionally bound to a single prop account.

Create a key

POST /v2/api-keys
User session
Request body
label (string, required): Human-readable name
prop_account_id (string, optional): Scope the key to one account
200 OK — secret shown once
{
  "id": "key_...",
  "label": "Trading bot",
  "key_id": "hsk_live_...",
  "key_secret": "sk_live_...   // shown ONCE — store it now",
  "prop_account_id": "prop_..."
}

The secret is shown once

Capture key_secret at creation time. It is hashed at rest and can never be retrieved again — rotate by revoking and re-creating.
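
Why the secret can be shown only once and why rotation means revoke and re-create, as an added sketch that is not this API's server code. The in-memory store, the function names, the SHA-256 choice, the scope rule for unscoped keys and the authenticate() check are assumptions; the field names and key prefixes follow the sample responses on this page.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

KEYS = {}  # hypothetical store: key_id -> record holding a hash, never the secret


def _digest(secret):
    # Assumption: SHA-256 (the page only says "hashed at rest"). A fast hash
    # is adequate because the secret is 256 bits of randomness, not a password.
    return hashlib.sha256(secret.encode()).hexdigest()


def create_key(label, prop_account_id=None):
    """Issue a key; this return value is the only place the secret exists."""
    key_secret = "sk_live_" + secrets.token_urlsafe(32)
    rec = {"id": "key_" + secrets.token_hex(6), "label": label,
           "key_id": "hsk_live_" + secrets.token_hex(8),
           "prop_account_id": prop_account_id}
    KEYS[rec["key_id"]] = {**rec, "secret_hash": _digest(key_secret),
                           "revoked_at": None}
    return {**rec, "key_secret": key_secret}


def list_keys():
    """Metadata only: there is no stored secret that could be returned."""
    fields = ("id", "label", "key_id", "revoked_at")
    return [{f: r[f] for f in fields} for r in KEYS.values()]


def revoke_key(id_):
    """Mark the record revoked; returns the page's {"revoked": true} shape."""
    for r in KEYS.values():
        if r["id"] == id_ and r["revoked_at"] is None:
            r["revoked_at"] = datetime.now(timezone.utc).isoformat()
            return {"revoked": True}
    raise KeyError(id_)


def authenticate(key_id, key_secret, account_id):
    """Hypothetical check: key known, not revoked, hash matches, in scope."""
    rec = KEYS.get(key_id)
    if rec is None or rec["revoked_at"] is not None:
        return False
    if not hmac.compare_digest(rec["secret_hash"], _digest(key_secret)):
        return False
    # Assumption: an unscoped key may act on any of the owner's accounts.
    return rec["prop_account_id"] in (None, account_id)
```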

List keys

GET /v2/api-keys
User session
200 OK
[
  { "id": "key_...", "label": "Trading bot", "key_id": "hsk_live_...", "revoked_at": null }
]

Revoke a key

DELETE /v2/api-keys/{id}
User session
curl
curl -X DELETE http://localhost:8000/v2/api-keys/key_... \
  -H "Authorization: Bearer <app_access_token>" \
  -H "X-Session-Token: <user_session_token>"
200 OK
{ "revoked": true }