> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ekiden.fi/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

Authentication is required only for the private WebSocket endpoint.

Ekiden supports two authentication methods:

* **JWT Access Token** — recommended for authenticated user sessions.
* **API Key** — recommended for server-side applications, trading bots, and automated integrations.

***

## JWT Authentication

Authenticate by sending an **Auth** message.

| Field    | Value                           |
| -------- | ------------------------------- |
| `op`     | `auth`                          |
| `bearer` | Your JWT access token           |
| `req_id` | Optional correlation identifier |

```json theme={null}
{
  "op": "auth",
  "bearer": "<token>",
  "req_id": "1"
}
```

See the **Auth** message in the [**Private WebSocket Reference**](./api-reference/websockets/private) for the complete request and response schema.

***

## API Key Authentication

Unlike the REST API, WebSocket API key authentication uses a dedicated signing payload.

**Signing payload**

```text theme={null}
EKIDEN_WS|AUTH|{timestamp_ms}|{nonce}
```

| Step | Description                                                               |      |   |   |
| ---- | ------------------------------------------------------------------------- | ---- | - | - |
| 1    | Generate `timestamp_ms` (Unix time in milliseconds) and a unique `nonce`. |      |   |   |
| 2    | Sign \`EKIDEN\_WS                                                         | AUTH |   |   |
| 3    | Send an **AuthApiKey** message (`op: "auth_api_key"`).                    |      |   |   |

```json theme={null}
{
  "op": "auth_api_key",
  "api_key": "0x...",
  "signature": "0x...",
  "timestamp_ms": 1700000000000,
  "nonce": "unique-nonce",
  "req_id": "1"
}
```

### Validation Rules

| Rule       | Description                                                   |
| ---------- | ------------------------------------------------------------- |
| Clock skew | ±30 seconds from server time                                  |
| Nonce      | Must be unique per API key                                    |
| Scopes     | The API key must allow access to the requested private topics |

See the **AuthApiKey** message in the [**Private WebSocket Reference**](./api-reference/websockets/private) for the complete request format and response schema.
