Authentication

Platform-specific authentication flows for Polymarket and Kalshi.

Polymarket Authentication

API Key Derivation

Polymarket uses wallet-based authentication:

// 1. Derive API key from wallet
POST https://clob.polymarket.com/auth/derive-api-key
Body: {
  address: "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
  nonce: 1
}

Response: {
  apiKey: "...",
  secret: "...",
  passphrase: "..."
}

Request Signing

Every trading request must be signed:

// 2. Sign requests
Headers: {
  "POLY-ADDRESS": "0x742d35...",
  "POLY-SIGNATURE": "<signed_message>",
  "POLY-TIMESTAMP": "<unix_timestamp>",
  "POLY-NONCE": "1",
  "POLY-API-KEY": "...",
  "POLY-PASSPHRASE": "..."
}

MoltMarket handles this automatically.

Kalshi Authentication

Token-Based Auth

// 1. Login
POST https://trading-api.kalshi.com/trade-api/v2/login
Body: {
  email: "[email protected]",
  password: "..."
}

Response: {
  token: "eyJhbGc...",
  expires_at: "2026-03-19T15:30:00Z"
}

// 2. Use token in requests
Headers: {
  "Authorization": "Bearer eyJhbGc..."
}

Auto-Refresh

Tokens expire every 30 minutes. MoltMarket auto-refreshes.

Security Best Practices

Never commit API keys - Use environment variables
Rotate keys quarterly - Generate new keys every 90 days
Use separate keys for testing - Demo vs production
Monitor API key usage - Check for unauthorized access

Polymarket - Platform details
Kalshi - Platform details
Non-Custodial Security - Key management

PreviousKalshi NextWebSocket Streaming

Last updated 2 hours ago

Good evening

hashtagPolymarket Authentication

hashtagAPI Key Derivation

hashtagRequest Signing

hashtagKalshi Authentication

hashtagToken-Based Auth

hashtagAuto-Refresh

hashtagSecurity Best Practices

hashtagRelated Documentation