POST /auth/api-tokens/derive
Derive scoped API token
curl --request POST \
  --url https://api.limitless.exchange/auth/api-tokens/derive \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "label": "production-trading-bot",
  "scopes": [
    "trading",
    "account_creation"
  ]
}
'

{
  "apiKey": "dGVzdC10b2tlbi0x",
  "secret": "c2VjcmV0LWtleS1leGFtcGxlLWJhc2U2NC1lbmNvZGVk",
  "tokenId": "dGVzdC10b2tlbi0x",
  "createdAt": "2023-11-07T05:31:56Z",
  "scopes": [
    "trading",
    "account_creation"
  ],
  "profile": {
    "id": 42,
    "account": "0x27b4afBD88fE7c88c6897BB0b4ADE338D0401E37"
  }
}

Requires Privy authentication. Pass the token field from the Privy authenticate response (the identity token) in the identity header as Bearer <token>. Do not use privy_access_token. HMAC and API key auth are not accepted for this endpoint.
The secret field is returned once at creation time. Store it securely — it cannot be retrieved again.

Scopes

| Scope | Description |
| --- | --- |
| trading | Place and cancel orders. Default scope. Required for delegated_signing. |
| account_creation | Create sub-account profiles under your partner account. |
| delegated_signing | Server signs orders on behalf of sub-accounts via Privy server wallet. Requires trading. |

If scopes is omitted from the request body, the token is created with ["trading"] only. Requested scopes must be a subset of your partner’s allowedScopes (see Get Partner Capabilities).
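
The scope rules above and the one-time secret noted earlier can both be enforced on the client side. The following is an added example, not code from Limitless: the function names, the `allowed_scopes` parameter (which would be filled from Get Partner Capabilities) and the storage path are assumptions, and the sample response is the example response shown on this page.

```python
import json
import os

KNOWN_SCOPES = {"trading", "account_creation", "delegated_signing"}

# Constructed sample: the example response shown on this page.
SAMPLE_RESPONSE = {
    "apiKey": "dGVzdC10b2tlbi0x",
    "secret": "c2VjcmV0LWtleS1leGFtcGxlLWJhc2U2NC1lbmNvZGVk",
    "tokenId": "dGVzdC10b2tlbi0x",
    "createdAt": "2023-11-07T05:31:56Z",
    "scopes": ["trading", "account_creation"],
    "profile": {"id": 42, "account": "0x27b4afBD88fE7c88c6897BB0b4ADE338D0401E37"},
}


def build_derive_body(label, scopes=None, allowed_scopes=KNOWN_SCOPES):
    """Check a derive request against the documented rules before sending it."""
    # Omitted scopes default to ["trading"]; send that explicitly.
    scopes = ["trading"] if scopes is None else list(dict.fromkeys(scopes))
    if len(label) > 128:
        raise ValueError("label exceeds 128 characters")
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    excess = set(scopes) - set(allowed_scopes)
    if excess:
        raise ValueError(f"not in partner allowedScopes: {sorted(excess)}")
    if "delegated_signing" in scopes and "trading" not in scopes:
        raise ValueError("delegated_signing requires trading")
    return {"label": label, "scopes": scopes}


def store_token_once(response, requested_scopes, path):
    """Write the one-time secret to an owner-only file; return a log-safe copy."""
    extra = set(response["scopes"]) - set(requested_scopes)
    if extra:  # defensive check: never keep a token broader than what was asked for
        raise ValueError(f"granted scopes exceed request: {sorted(extra)}")
    if not response.get("secret"):
        raise ValueError("response carries no secret; it cannot be fetched later")
    record = {k: response[k] for k in ("apiKey", "secret", "scopes")}
    # O_EXCL refuses to overwrite an existing token file; 0o600 is owner read/write only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    return {**response, "secret": "<redacted>"}
```

Log only the value returned by `store_token_once`; in production a secrets manager would replace the local file.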

Using the token

After deriving a token, authenticate subsequent requests using HMAC signing with the returned apiKey (token ID) and secret. See HMAC Request Signing for the signing protocol.

Authorizations

X-API-Key (string, header, required)

API key for programmatic access. Generate at limitless.exchange -> profile menu -> Api keys.

Body

application/json
label (string)

Human-readable label for the token. Maximum string length: 128.

Example: "production-trading-bot"

scopes (enum<string>[])

Scopes to grant. Defaults to ["trading"] if omitted. Must be a subset of the partner's allowed scopes. delegated_signing requires trading.

Available options: trading, account_creation, delegated_signing

Example: ["trading", "account_creation"]

Response

Token created successfully. The secret is only returned once.

apiKey (string, required)

The token ID, used as the lmts-api-key header value for HMAC requests

Example: "dGVzdC10b2tlbi0x"

secret (string, required)

Base64-encoded secret for HMAC signing. Returned once — store securely.

Example: "c2VjcmV0LWtleS1leGFtcGxlLWJhc2U2NC1lbmNvZGVk"

tokenId (string, required)

Same as apiKey. The unique token identifier.

Example: "dGVzdC10b2tlbi0x"

createdAt (string<date-time>, required)

Token creation timestamp

scopes (string[], required)

Granted scopes

Example: ["trading", "account_creation"]

profile (object, required)