Overview
All programmatic access to the Limitless Exchange API requires authentication via scoped API tokens with HMAC-SHA256 request signing.Scoped API Tokens (HMAC)
Scoped API tokens are the authentication method for the Limitless Exchange API. Every request is authenticated by signing it with HMAC-SHA256 using your token’s secret. Tokens are scoped to control what actions they can perform.Scopes
HMAC Request Signing
Required headers:SDK users should pass HMAC credentials to the SDK client (
hmacCredentials / hmac_credentials / WithHMACCredentials) and let the SDK build these headers automatically. Manual header signing is only needed when you call the REST API directly.Getting a Scoped API Token
Most builders should generate a token from the UI. The programmatic flow below is for headless / CI environments where you can’t open a browser.From the UI (recommended)
1
Connect your wallet
Go to limitless.exchange and connect your wallet. No smart wallet required.
2
Derive a token
Open the API token modal → API Tokens tab → Derive. Copy the
tokenId and secret. The browser handles the login session for you, so there’s no identity token to copy by hand.3
Use the credentials
Pass them to the SDK as
hmacCredentials (TypeScript), hmac_credentials (Python), or WithHMACCredentials (Go) — the SDK signs every request automatically. This is a one-time setup.Programmatically (headless / CI)
When you can’t use a browser, call the same endpoint the UI calls:1
Obtain a Privy identity token
Authenticate with Privy and capture the
token field from the authenticate response (not privy_access_token).2
Derive a token
POST /auth/api-tokens/derive with the identity token in the identity header as Bearer <token>. The response includes a tokenId and secret. Use these HMAC credentials for all subsequent requests.trading scope is available to all users — no application required. For partner-level scopes (account_creation, delegated_signing), apply for programmatic API access to get your account enabled.
The token secret is returned once at creation time. Store it securely — it cannot be retrieved again.
Delegated Signing
With thedelegated_signing scope, partners can submit orders without providing signature and signatureType in the order payload. The server signs the order using a Privy server wallet linked to the target sub-account.
Use the onBehalfOf field in the order payload to specify which sub-account the order is for. The target profile must be linked to your partner account.
Checksummed Addresses
All Ethereum addresses in API requests must use checksummed format (EIP-55 mixed-case):x-accountheadermakerandsignerfields in orders
0x5aAeb6053F3E94C9b9A09f33669435E7Ef1BeAed
Your private key is still required for EIP-712 order signing (unless using delegated signing), but the scoped token handles request authentication.