The Totalis API accepts two authentication schemes:
- API key — for programmatic clients (bots, scripts, server-side integrations). Sent as the X-API-Key header. Works on both REST and WebSocket.
- Privy JWT — used by the web dashboard. Sent as Authorization: Bearer <jwt>. The session signer underpinning the JWT also signs vault transactions in the browser.
Either scheme is accepted on every authenticated endpoint, with one exception: POST /user/api-keys (create a new API key) requires a Privy JWT. You cannot mint new API keys with an existing API key.
Getting Your API Key
Generate an API key from the Totalis Dashboard:
- Log in to app.totalis.trade
- Navigate to your account settings
- Create a new API key and give it a name
- Copy the full key immediately — it is only shown once
The full API key is only displayed at creation time. Save it securely — you will not be able to retrieve it later.
Using Your API Key
Send your API key in the X-API-Key header with every request:
curl -X GET https://api.totalis.trade/rfqs \
  -H "X-API-Key: <your-api-key>"
For WebSocket connections, authenticate after connecting:
{
  "type": "auth",
  "api_key": "<your-api-key>"
}
Managing API Keys
You can list, create, and revoke API keys programmatically:
- List keys — GET /user/api-keys
- Create key — POST /user/api-keys (requires Privy JWT)
- Revoke key — DELETE /user/api-keys/{prefix}
You can also manage keys from the Totalis Dashboard.
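The following client-side helper is an added example, not code from Totalis. It selects the header for each scheme, refuses to attempt key creation without a Privy JWT, builds the WebSocket auth frame, and keeps secrets out of `repr` output. The class and function names and the environment variable names `TOTALIS_API_KEY` and `TOTALIS_JWT` are assumptions; it only describes requests and sends nothing.

```python
import json
import os
from urllib.parse import quote

BASE_URL = "https://api.totalis.trade"  # host taken from the curl example above
KEYS_PATH = "/user/api-keys"


class TotalisCredentials:
    """Holds an API key and/or a Privy JWT without exposing them in logs."""

    def __init__(self, api_key=None, jwt=None):
        if not api_key and not jwt:
            raise ValueError("need an API key or a Privy JWT")
        self._api_key, self._jwt = api_key, jwt

    @classmethod
    def from_env(cls, env=os.environ):
        # Assumed variable names; keeps the key out of source code.
        return cls(env.get("TOTALIS_API_KEY"), env.get("TOTALIS_JWT"))

    def __repr__(self):
        # Report which schemes are loaded, never the secret values.
        loaded = [n for n, v in (("api_key", self._api_key), ("jwt", self._jwt)) if v]
        return f"TotalisCredentials(loaded={loaded})"

    def headers(self, method, path):
        """Pick the auth header for a REST call; key creation is JWT-only."""
        creating_key = method.upper() == "POST" and path.rstrip("/") == KEYS_PATH
        if creating_key and not self._jwt:
            raise PermissionError("POST /user/api-keys requires a Privy JWT")
        if self._api_key and not creating_key:
            return {"X-API-Key": self._api_key}
        return {"Authorization": f"Bearer {self._jwt}"}

    def ws_auth_message(self):
        """First frame to send after the WebSocket connects."""
        if not self._api_key:
            raise ValueError("the documented WebSocket auth frame needs an API key")
        return json.dumps({"type": "auth", "api_key": self._api_key})


def revoke_request(creds, prefix):
    """Describe the DELETE call for one key; the prefix is escaped so it cannot alter the path."""
    path = f"{KEYS_PATH}/{quote(prefix, safe='')}"
    return {"method": "DELETE", "url": BASE_URL + path, "headers": creds.headers("DELETE", path)}
```
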
Key Lifecycle
- Active — Key is valid and can be used for authentication.
- Revoked — Key has been manually revoked and will be rejected.
- Expired — Key has passed its expiration date.