Authentication

Every request to the polyReplay REST API is authenticated with a bearer token. Keys are issued from your dashboard and tied to a single account.

Sending the key

Keys are prefixed pr_. Pass the key in the Authorization header on every request.

terminal
curl https://polyreplay.dev/api/v1/markets \
  -H "Authorization: Bearer $POLYREPLAY_API_KEY"

Query-string keys (?api_key=...) are not accepted. Requests with a missing or malformed header return 401 Unauthorized.

Issuing and rotating keys

Manage keys at /api-keys. Each key is sha256-hashed at rest; the plaintext is shown exactly once at creation time and cannot be recovered afterward. Revoke a compromised key immediately — there is no grace period.

Warning
Treat keys like passwords. Don't commit them to a repo, embed them in client code, or paste them into a third-party tool. Server-side use only.

Plan limits

Each key inherits the rate limits and scope of the account's plan.

limits
Free
  rate          60 req/min · 10,000 req/day
  endpoints     last 7 days · BTC only
  tiers         quotes + trades
  active keys   1

Pro ($19.99/mo)
  rate          1,200 req/min · 250,000 req/day
  endpoints     BTC + ETH · full history
  tiers         quotes + trades + L25 book snapshots
  active keys   5

Errors

  • 401 — missing, malformed, or unrecognized key.
  • 403 — key is revoked or expired.
  • 402— key is valid but the plan doesn't cover the requested asset, date range, or data tier.
  • 429 — rate limit exceeded. The response includesRetry-After in seconds.