Authentication
Every request to the polyReplay REST API is authenticated with a bearer token. Keys are issued from your dashboard and tied to a single account.
Sending the key
Keys are prefixed pr_. Pass the key in the Authorization header on every request.
terminal
curl https://polyreplay.dev/api/v1/markets \ -H "Authorization: Bearer $POLYREPLAY_API_KEY"
Query-string keys (?api_key=...) are not accepted. Requests with a missing or malformed header return 401 Unauthorized.
Issuing and rotating keys
Manage keys at /api-keys. Each key is sha256-hashed at rest; the plaintext is shown exactly once at creation time and cannot be recovered afterward. Revoke a compromised key immediately — there is no grace period.
Warning
Treat keys like passwords. Don't commit them to a repo, embed them in client code, or paste them into a third-party tool. Server-side use only.
Plan limits
Each key inherits the rate limits and scope of the account's plan.
limits
Free rate 60 req/min · 10,000 req/day endpoints last 7 days · BTC only tiers quotes + trades active keys 1 Pro ($19.99/mo) rate 1,200 req/min · 250,000 req/day endpoints BTC + ETH · full history tiers quotes + trades + L25 book snapshots active keys 5
Errors
401— missing, malformed, or unrecognized key.403— key is revoked or expired.402— key is valid but the plan doesn't cover the requested asset, date range, or data tier.429— rate limit exceeded. The response includesRetry-Afterin seconds.