AllSwap

Authentication

Every AllSwap API request is authenticated with two headers: a public key id and a secret bearer token. The split lets you safely identify a request from a browser if you ever need to, without exposing anything that can move funds.

Required headers

X-Key-Id:      ak_live_yourapp
Authorization: Bearer sk_live_REPLACE_ME
Content-Type:  application/json

  • X-Key-Id — the public key id. Always begins with ak_. Safe to log, safe to include in client-side error reports.
  • Authorization: Bearer … — the secret. Always begins with sk_. Server-side only — if it ever ships in a client bundle, rotate it immediately.

Sandbox vs. live

Keys are tagged with their environment in the prefix:

  • ak_sandbox_… / sk_sandbox_… — quotes are real, but swaps complete in memory without on-chain settlement. Every project starts here.
  • ak_live_… / sk_live_… — production. Issued after we review your integration. Mixing sandbox and live keys in the same request returns 401 key_mismatch.
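
An added example (not AllSwap's own code or SDK): a server-side helper that enforces the prefix and environment rules above before a request is sent, plus a build-time scan that flags sk_ secrets in client bundle text. The function names, the sample values and the [A-Za-z0-9_] key character set are assumptions made for illustration.

```javascript
// Added example; not AllSwap's SDK. Assumption: key material after the
// environment tag uses only [A-Za-z0-9_] (the page shows just the prefixes).
const KEY_RE = /^(ak|sk)_(sandbox|live)_[A-Za-z0-9_]+$/;

// Split a key into its kind (ak/sk) and environment, or throw if malformed.
function parseKey(value) {
  const m = KEY_RE.exec(String(value));
  if (!m) throw new Error("malformed key: expected ak_/sk_ plus sandbox/live tag");
  return { kind: m[1], env: m[2] };
}

// Build the three required headers, failing locally on the mistakes the
// API would otherwise reject: swapped key/secret or mixed environments.
function buildAuthHeaders(keyId, secret) {
  const id = parseKey(keyId);
  const sk = parseKey(secret);
  if (id.kind !== "ak") throw new Error("X-Key-Id must be an ak_ key id");
  if (sk.kind !== "sk") throw new Error("Authorization must carry an sk_ secret");
  if (id.env !== sk.env) {
    throw new Error(`key_mismatch: key id is ${id.env}, secret is ${sk.env}`);
  }
  return {
    "X-Key-Id": keyId,
    Authorization: `Bearer ${secret}`,
    "Content-Type": "application/json",
  };
}

// Scan built client-side text (a JS bundle, a source map) for secrets.
// Returns redacted findings so the scanner's own output is safe to log.
function findLeakedSecrets(bundleText) {
  const findings = [];
  const re = /\bsk_(sandbox|live)_[A-Za-z0-9_]+/g;
  for (const m of bundleText.matchAll(re)) {
    findings.push({ env: m[1], offset: m.index, redacted: `sk_${m[1]}_***` });
  }
  return findings;
}

// Constructed sample bundle: the ak_ id is fine, the sk_ value is a leak.
const sampleBundle =
  'const cfg={keyId:"ak_live_yourapp",token:"sk_live_CONSTRUCTED_example"};';
```

Run findLeakedSecrets over each built asset in CI and fail the build on any finding; a finding in an already-published bundle means the secret should be rotated.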

When a request is rejected

Two common failure modes:

{
  "error": {
    "code": "unauthorized",
    "message": "Missing or invalid credentials.",
    "requestId": "req_01HW9..."
  }
}

Rotation

From the dashboard you can mint a second active secret for the same key id, deploy it everywhere, then revoke the original — zero-downtime rotation. We recommend rotating once a quarter, and immediately on any suspected leak.
