Skip to main content
POST
Derive scoped API token
Requires Privy authentication. Pass the token field from the Privy authenticate response (the identity token) in the identity header as Bearer <token>. Do not use privy_access_token. HMAC and API key auth are not accepted for this endpoint.
The secret field is returned once at creation time. Store it securely — it cannot be retrieved again.

Scopes

If scopes is omitted from the request body, the token is created with ["trading"] only. Requested scopes must be a subset of your partner’s allowedScopes (see Get Partner Capabilities).

Using the token

After deriving a token, authenticate subsequent requests using HMAC signing with the returned apiKey (token ID) and secret. See HMAC Request Signing for the signing protocol.

Authorizations

lmts-api-key
string
header
required

Scoped API token with HMAC-SHA256 signing. Requires three headers: lmts-api-key (token ID), lmts-timestamp (ISO-8601), lmts-signature (Base64-encoded HMAC). See Authentication docs for details.

Body

application/json
label
string

Human-readable label for the token

Maximum string length: 128
Example:

"production-trading-bot"

scopes
enum<string>[]

Scopes to grant. Defaults to ["trading"] if omitted. Must be a subset of the partner's allowed scopes. delegated_signing requires trading.

Available options:
trading,
account_creation,
delegated_signing
Example:

Response

Token created successfully. The secret is only returned once.

apiKey
string
required

The token ID, used as the lmts-api-key header value for HMAC requests

Example:

"dGVzdC10b2tlbi0x"

secret
string
required

Base64-encoded secret for HMAC signing. Returned once — store securely.

Example:

"c2VjcmV0LWtleS1leGFtcGxlLWJhc2U2NC1lbmNvZGVk"

tokenId
string
required

Same as apiKey. The unique token identifier.

Example:

"dGVzdC10b2tlbi0x"

createdAt
string<date-time>
required

Token creation timestamp

scopes
string[]
required

Granted scopes

Example:
profile
object
required