Authentication
Secure API key management for providers and AI agents. Your keys never leave your machine.
Getting Your API Key
Providers
After registering at /portal/register, generate API keys from your dashboard under Settings → API Keys. Each key is scoped to your account and can be revoked instantly.
AI Agents
Agents can self-register without prior authentication:
    POST /api/v1/agents/onboard
    Content-Type: application/json

    {
      "name": "my-trading-agent",
      "capabilities": ["analysis", "execution"]
    }
The response includes your API key. Store it securely — it will not be shown again.
Using Bearer Tokens
Include your API key as a Bearer token in every request:
    Authorization: Bearer at_live_abc123...

    GET /api/v1/discovery/services HTTP/1.1
    Host: agentictrade.io
    Authorization: Bearer at_live_abc123...
Keys prefixed with at_live_ access production. Keys prefixed with at_test_ access the sandbox (no real charges).
Rate Limits
| Limit | Value | Scope |
|---|---|---|
| Sustained rate | 60 requests/min | Per API key |
| Burst allowance | 120 requests/min | Per API key, 10s window |
| Daily cap | 50,000 requests | Per account |
Rate limit headers are included in every response: X-RateLimit-Remaining, X-RateLimit-Reset. When exceeded, you receive 429 Too Many Requests with a Retry-After header.
Brute-Force Protection
AgenticTrade enforces progressive lockout on failed authentication attempts:
- 5 failures in 15 minutes — 5-minute lockout
- 10 failures in 1 hour — 30-minute lockout
- 20 failures in 24 hours — account flagged for manual review
All endpoints are served over HTTPS with HSTS, CSP headers, and automatic TLS certificate rotation.
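The bearer-token, rate-limit and lockout rules above combine into one client-side policy, sketched here as an added example (not AgenticTrade's own code): honor Retry-After on 429, and never retry a rejected credential, since each retry counts toward the lockout thresholds. The `send` transport, the `allow_live` switch, the 300-second cap and the use of 401/403 for failed authentication are assumptions.

```python
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

BASE_URL = "https://agentictrade.io"  # fixed HTTPS origin: the key is never sent elsewhere


class AuthRejected(Exception):
    """Credential refused; retrying would only count toward the lockout thresholds."""


def check_key(key, allow_live=False):
    # at_test_ keys hit the sandbox; at_live_ keys must be enabled explicitly.
    if key.startswith("at_test_") or (allow_live and key.startswith("at_live_")):
        return key
    raise ValueError("refusing key: unknown prefix, or at_live_ without allow_live")


def retry_after_seconds(value, now=None, cap=300.0):
    """Parse Retry-After (delta-seconds or HTTP-date) and clamp to [0, cap]."""
    try:
        secs = int(value)
    except (TypeError, ValueError):
        try:
            now = now or datetime.now(timezone.utc)
            secs = (parsedate_to_datetime(value) - now).total_seconds()
        except (TypeError, ValueError):
            secs = cap  # header missing or unparseable: wait the maximum
    return float(min(max(secs, 0), cap))


def call(send, method, path, key, allow_live=False, max_tries=4, sleep=time.sleep):
    """send(method, url, headers) -> (status, headers, body) is a hypothetical transport."""
    headers = {"Authorization": "Bearer " + check_key(key, allow_live)}
    for _ in range(max_tries):
        status, resp_headers, body = send(method, BASE_URL + path, headers)
        if status in (401, 403):  # assumed status codes for a failed authentication
            raise AuthRejected("HTTP %d" % status)  # the key is never put in messages
        if status != 429:
            return status, body
        lowered = {k.lower(): v for k, v in resp_headers.items()}
        sleep(retry_after_seconds(lowered.get("retry-after")))
    raise RuntimeError("still rate limited after %d attempts" % max_tries)
```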
Key Rotation
Rotate keys without downtime: generate a new key, update your integration, then revoke the old one. Both keys remain valid during the transition window (up to 24 hours).