Back to docs

Authentication

Wallet signing, API keys, and rate limits

Authentication Methods

Styx supports two authentication methods: wallet-based signing for client-side applications and API keys for server-side integrations.

Wallet Signing

Recommended for client-side apps. Uses Ed25519 signatures from the user's wallet.

API Keys

For server-side applications. Generate keys from your dashboard.

Wallet-Based Authentication

For client-side applications, users authenticate by signing a challenge message with their wallet. This proves ownership without exposing private keys.

1. Request a challenge

const response = await fetch('/api/auth/challenge', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    publicKey: wallet.publicKey.toBase58(),
  }),
});

const { challenge, expiresAt } = await response.json();
// challenge: "Sign this message to authenticate: abc123..."
// expiresAt: Unix timestamp (valid for 5 minutes)

2. Sign the challenge

import { sign } from '@noble/ed25519';
import bs58 from 'bs58';

// Encode challenge as bytes
const message = new TextEncoder().encode(challenge);

// Sign with wallet
const signature = await wallet.signMessage(message);

// Encode signature as base58
const signatureBase58 = bs58.encode(signature);

3. Verify and get session

const authResponse = await fetch('/api/auth/verify', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    publicKey: wallet.publicKey.toBase58(),
    signature: signatureBase58,
    challenge,
  }),
});

const { sessionToken, expiresAt } = await authResponse.json();
// sessionToken: JWT valid for 24 hours
// Use in subsequent requests: Authorization: Bearer <sessionToken>

API Key Authentication

For server-side applications, generate an API key from your dashboard and include it in the request headers.

Keep your API key secure!

Never expose API keys in client-side code or commit them to version control. Use environment variables.

Generate an API Key

  1. 1.Go to Dashboard → API Keys
  2. 2.Click "Generate New Key"
  3. 3.Copy the key immediately (it won't be shown again)

Using the API Key

# Include in request headers
curl -X POST https://api.styx.finance/v1/messages \
  -H "Authorization: Bearer styx_sk_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{"recipient": "...", "payload": "..."}'

In TypeScript

import { StyxPMP } from '@styx-stack/pmp-sdk';
import { Connection } from '@solana/web3.js';

const connection = new Connection('https://api.mainnet-beta.solana.com');
const pmp = new StyxPMP(connection);

const result = await pmp.sendPrivateMessage(
  senderWallet,
  recipientPubkey,
  encryptedData,
);

Rate Limits

Rate limits are applied per API key or wallet address. Upgrade your plan for higher limits.

PlanMonthly RequestsRate LimitBurst Limit
Free1,000/month10/min20
Pro100,000/month100/min200
Enterprise1,000,000/monthUnlimitedUnlimited

Rate Limit Headers

All responses include headers to help you track your usage:

X-RateLimit-Limit: 100           # Max requests per minute
X-RateLimit-Remaining: 87       # Requests remaining
X-RateLimit-Reset: 1699574400   # Unix timestamp when limit resets
Retry-After: 30                 # Seconds to wait (when rate limited)

Best Practice

Implement exponential backoff when you receive a 429 (Too Many Requests) response. Start with the Retry-After value and double it for subsequent retries.

Security Best Practices

Use environment variables

Store API keys in environment variables, never in code.

Rotate keys regularly

Generate new API keys every 90 days and revoke old ones.

Use separate keys per environment

Use different API keys for development, staging, and production.

Monitor usage in dashboard

Regularly check your usage and watch for anomalies.