Authentication
Every endpoint (except /health and /v1/meta/credit-costs)
requires an API key. Keys are opaque strings starting with tt_,
issued from the dashboard.
Header (preferred)
Pass your key in the X-API-Key header. This is the canonical
method for HTTP clients.
curl -H "X-API-Key: tt_..." https://api.realflow.so/v1/tokens/{addr}
Query parameter
For environments that can't set custom headers — notably browser
EventSource — pass the key as ?api_key=:
const es = new EventSource(
"https://api.realflow.so/v1/prices/stream?tokens=SOL,...&api_key=tt_..."
);
What we don't support
Authorization: Bearer ... is intentionally not supported.
Bearer implies OAuth-style access tokens (scopes, expiry, refresh) which
our opaque keys aren't — using the wrong scheme would mislead consumers
about the auth model.
Origin allowlist
Each key can optionally restrict which browser origins may use it. If you
set origin_allowlist on a key, requests from other origins
return 403 origin_not_allowed. Server-to-server calls bypass
this entirely (no Origin header).
Scopes
Keys can be scoped to a subset of resources: tokens.read,
prices.read, prices.stream. Unscoped keys have
full access. Configure scopes per-key in the dashboard.
Rotation
Generate a second key, deploy it, then revoke the old one — keys are revoked instantly. Both can coexist briefly without downtime.
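Added example (not RealFlow's code): a key passed as ?api_key=, as described under Query parameter, is part of the URL, so it appears wherever URLs are recorded, such as access logs. This Node.js sketch masks keys in log lines and header dumps before they are written and reports which lines contained one; the sample log lines and the assumed key character set are constructed.

```javascript
// Names taken from the page: the api_key query parameter, the X-API-Key
// header and the tt_ key prefix. Everything else is illustrative.
const MASK = "tt_REDACTED";
// Value of ?api_key= or &api_key= up to the next delimiter or whitespace.
const PARAM_RE = /([?&]api_key=)[^&#\s"]+/g;
// Assumption: a key is tt_ plus 8 or more URL-safe characters (the page only
// says keys are opaque strings starting with tt_).
const KEY_RE = /\btt_[A-Za-z0-9_-]{8,}/g;

// Mask keys in a URL or any free-form log line.
function redactText(text) {
  return text.replace(PARAM_RE, `$1${MASK}`).replace(KEY_RE, MASK);
}

// Return a copy of a headers object with the X-API-Key value masked.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = name.toLowerCase() === "x-api-key" ? MASK : value;
  }
  return out;
}

// Return the 1-based numbers of lines that still contain an unmasked key.
function findLeaks(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    if (redactText(line) !== line) hits.push(i + 1);
  });
  return hits;
}

// Constructed sample log lines (not real traffic, not a real key).
const SAMPLE_LOG = [
  "GET /v1/prices/stream?tokens=SOL,EXAMPLE&api_key=tt_4f9a0c27d1e8 200",
  "GET /v1/tokens/EXAMPLE_ADDR 200",
  "upstream request headers: X-API-Key: tt_4f9a0c27d1e8",
  "GET /health 200",
];

console.log(SAMPLE_LOG.map(redactText).join("\n"));
console.log("lines with keys:", findLeaks(SAMPLE_LOG));
```

Run redactText on URLs before logging them, and findLeaks over existing logs to see where a key that has already been written needs rotating.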