Bootstrap
Every API call requires a bearer token. Tokens are issued in exchange for a SIWE signature and bound to a session key.
Rotating a session key
Call POST /v1/auth/rotate with a new session-key pubkey. The old key is revoked within one block; in-flight orders signed by the old key are rejected.
Request signing (trading endpoints)
Trading endpoints (/orders, /cancel, /modify) require an additional Ed25519 signature in the X-Liberx-Sig header, produced by the session key. Read-only endpoints need only the bearer.