1) Obtain a JWT
Request a token from the authorization endpoint:public_key: Canton Party ID associated with the usertimestamp_ms: Unix time in millisecondsnonce: Unique value generated for the authorization request
2) API Key Auth
Gateway supports API-key auth headers for programmatic access without obtaining a JWT first. Headers:X-API-KEY: Your API public keyX-SIGNATURE: Ed25519 signature overEKIDEN_API|{method}|{uri}|{timestamp_ms}|{nonce}X-TIMESTAMP-MS: Unix millisecondsX-NONCE: Random unique string
3) Use the token for REST
Include the token as a Bearer in the Authorization header:/api/v1/user/* and certain actions require this header.
4) Use the token for private WebSocket
Connect to the private WS endpoint and authenticate, then subscribe to private topics:- Connect:
wss://api.cnt.ekiden.fi/ws/private - Authenticate:
- Subscribe to private topics (examples):
orderbook.1.BTCUSDC, trade.BTCUSDC, ticker.BTCUSDC are available on /ws/public without auth.
Timestamp units and replay protection
timestamp_msis required in the authorize request and must be close to server time.- Each
(public_key, nonce)pair may be used once; reusing a nonce will be rejected.
Optional: curl examples
Request token:Troubleshooting
- 400 on /authorize: check the request payload, timestamp_ms freshness, and nonce validity.
- 401 on private REST or WS auth: token expired or invalid.
- WS: authenticate before subscribing to private topics on
/ws/private.