Authentication
Use a business API key for server reads and wallet provisioning. Use a user token only when that user is approving a trade or cash-out. Three credential paths below. Business keys are rate-limited to 100 requests per rolling minute. See Errors & Rate Limits.
At a Glance
| Credential | Header | Layers |
|---|---|---|
| sk_live_… | Authorization: Bearer sk_live_… | READ, DECIDE, Actions (merchant channel) |
| Smart Wallet JWT | Authorization: Bearer <jwt> | EXECUTE: Actions on_chain (/api/v1/execute/**, alias /actions/**) |
| Connect delegated JWT | Authorization: Bearer <delegated_jwt> | EXECUTE: third-party via OAuth (see below) |
Business API Key
# sk_live_… → app.torque.fi → API Integration (server only)
export TORQUE_KEY="sk_live_…"
curl -sS "https://app.torque.fi/api/v1/intelligence/feed" \
-H "Authorization: Bearer $TORQUE_KEY" \
| jq '.meta.manifestVersion, (.items | length)'Smart Wallet JWT
Torque sign-in (email code, passkey, Google, or X): onchain POST /execute/** & GET /accounts/wallet. Lost access or expired JWT → Account Recovery. Partners → Partner Integration Profiles.
export WALLET_JWT="<smart_wallet_jwt>"
curl -sS -X POST "https://app.torque.fi/api/v1/execute/trades" \
-H "Authorization: Bearer $WALLET_JWT" \
-H "Content-Type: application/json" \
-d '{ ... }'Partner Integration Profiles
sk_live_… → read, decide, connect (server only)
walletAddress → chat context, not auth
User JWT → execute
A data, B chat+hosted, C OAuth, D platform wallets| Profile | Who | What You Get |
|---|---|---|
| A: Data / Terminal | Server with sk_live_… | Intelligence, markets, GET /read/portfolio |
| B: Advisory / Copilot | Server + walletAddress | Assistant, hosted confirm |
| C: Embedded Money | Connect OAuth | Connect OAuth consent + delegated JWT for POST /execute/** |
| D: Platform / App | Server + sk_live_… + entitlement | POST /accounts/end-users; embedded deposits + cash-out consent via Connect (v1) |
D = smart wallets (provision + deposits in your UI; Connect consent for execute in v1). C = Connect OAuth execute layer (overlaps D). B = hosted confirm. A = data only.
Credential by Surface
| Surface | Layer | Credential |
|---|---|---|
| Portfolio | READ | Smart Wallet JWT |
| Intelligence | READ | sk_live_… |
| Assistant | DECIDE | sk_live_… |
| Execute | EXECUTE | Smart Wallet JWT (on_chain); sk_live_… (merchant) |
Testing
| Execution API | https://app.torque.fi/api/v1 |
| Local development | http://localhost:3000/api/v1 |
| Capabilities probe (no auth) | https://app.torque.fi/api/v1/capabilities |
Related
Authorize session, token exchange, delegated execute
Actions HandoffConnect confirm and OAuth
Account RecoverySame email sign-in, passkeys, and INVALID_TOKEN refresh
QuickstartEnd-to-end flow from capabilities probe to EXECUTE
SDK CredentialsPackage-by-package auth requirements
API OverviewStages, capabilities, OpenAPI, and surface index
RoutesAll v1 routes grouped by runtime stage
FAQ
Can I use sk_live_… for execute routes?
No. POST /execute/** requires a smart wallet JWT or Connect delegated JWT for the user who is approving the action.
What is Connect?
Connect is Torque's v1 user consent gate for cash-out and execute. Your app starts authorize; the user signs in and approves scopes; you exchange the code for a delegated JWT. That is the launch-safe custody boundary; embedded branded consent in your app is on the roadmap.
Can my server cash out users with sk_live_…?
No. Business API keys provision wallets and read balances only. POST /execute/** requires a smart wallet JWT or Connect delegated JWT for the user who approved the action. Unattended sweeps without consent are not supported.
What are integrator profiles A–D?
A: data and read only. B: advisory copilot with hosted confirm or deep links. C: Connect OAuth for execute in partner apps. D: smart wallets — provision and deposits in your UI; cash-out via Connect consent in v1 (overlaps C for wallet partners).
Questions or corrections? hello@torque.fi