ApiTokenService handles the partner self-service token lifecycle: checking capabilities, deriving tokens, listing active tokens, and revoking them.
Token derivation and capability queries require a Privy identity token. The SDK does not obtain this token for you — your application must authenticate the partner via Privy and pass the resulting token.
Access
The service is available on the rootClient:
Get partner capabilities
Check whether token management is enabled and which scopes are allowed.Derive a token
Create a new scoped API token. Thesecret is returned once — store it securely.
Creating an HMAC-authenticated client
After deriving a token, create a newClient with the HMAC credentials:
scopes is omitted, the token defaults to ['trading']. Requested scopes must be a subset of the partner’s allowed_scopes.