API Authentication
Authenticate directly with the Paradex API
API keys allow you to interact with the Paradex trading system programmatically without using the web interface. This guide covers how to generate and manage different types of credentials for trading, monitoring, and API access.
There are 2 general types of credentials used to authenticate with the Paradex API
In order to enable full trading access via API, users need to export a Private Key associated with their account. This can either be:
Please refer to the SDK documentation on how to use your Private key to interact with on Paradex via API.
For detailed API documentation, see our API Reference.
The account’s Private key can be obtained on the UI on the Wallet tab
Click on ‘Copy Private Key’ to obtain your account’s main private key.
Access to the Main Private Key grants the ability to Withdraw and Transfer funds from the user’s account. This should never be exposed. For a safer alternative, use Subkeys.
Subkeys are private keys for an account with scoped down permissions. Unlike your main private key, Subkeys do not have permissions to perform Withdrawals, Transfers, and manage sensitive account settings.
However, as private keys, they are still fully capable of creating/modifying orders and interacting with the API.
These keys provide a secure way to delegate trading permissions while maintaining control over account security.
Can place and manage orders
Cannot withdraw funds or transfer to other accounts
Operate within specific account parameters
Separate from main account private key
Subkeys behave like regular private keys. They are used for
/auth/:public_key endpointWhile using a subkey:
/auth/{public_key}PARADEX-STARKNET-ACCOUNT header should be the address of the main accountPARADEX-STARKNET-SIGNATURE must be generated by signing using the subkey private key.The main account address is required because subkeys are randomly generated keypairs registered to your account. Since we cannot derive the account address from a subkey’s private key, we must specify which account the subkey belongs to. Additionally, we need to specify the subkey’s public key so it can be used for signature verification instead of defaulting to the main account’s public key.
Paradex supports onboarding and authentication using EVM wallets via SIWE (Sign-In with Ethereum, ERC-4361) messages. This provides an alternative to the Starknet-based authentication flow.
POST /v2/onboarding)Onboards a new account using an EVM wallet.
Required headers:
PARADEX-STARKNET-ACCOUNT — The deterministic Starknet address computed from the ETH addressPARADEX-EVM-SIGNATURE — EVM personal_sign (EIP-191) signature of the SIWE messagePARADEX-SIWE-MESSAGE — Base64-encoded SIWE (ERC-4361) messageRequest body:
public_key — Uncompressed secp256k1 public key (65 bytes, starting with 0x04)referral_code (optional) — Referral codemarketing_code (optional) — Marketing codeThe SIWE onboarding message uses the statement: "Paradex Onboarding".
Example SIWE onboarding message:
The Nonce field is required but can be any randomly generated hex string.
Example pseudocode:
Address computation: The PARADEX-STARKNET-ACCOUNT address is deterministically derived from the ETH address and the EVM account class hash (available from GET /system/config as evm_account_class_hash). The computation follows the standard Starknet contract address formula:
POST /v2/auth)Authenticates an existing EVM account and returns a JWT token.
Required headers:
PARADEX-STARKNET-ACCOUNT — Starknet account addressPARADEX-EVM-SIGNATURE — EVM personal_sign (EIP-191) signature of the SIWE messagePARADEX-SIWE-MESSAGE — Base64-encoded SIWE auth messageOptional headers:
PARADEX-AUTHORIZE-ISOLATED-MARKETS — Authorize all isolated market accountsResponse:
The JWT token format is the same as Starknet auth. The SIWE auth message includes the expiration time embedded within the message itself (via the expirationTime field), rather than using a separate header.
Example pseudocode:
EVM accounts use the same Starknet-based subkey authentication as non-EVM accounts. Since subkeys are Starknet keypairs, authenticate with subkeys using the v1 endpoint POST /v1/auth/:pubkey — see Generating Auth Tokens above for details.
In order to query most APIs with account related information, a JWT Token needs to be attached to the auth headers of the request.
Readonly Tokens are special JWT Tokens with extended expiry dates. Readonly tokens provide secure, read-only access to your account data and market information. These tokens are ideal for building monitoring dashboards, creating trading analytics tools, implementing risk management systems, and developing market data applications.
Since these are JWT tokens, they do not grant trading access. They are also restricted to GET requests and cannot be used to modify account information.
Cannot place orders or modify account settings
Can be revoked at any time for security
Readonly tokens can access most GET endpoints on the API, including:
While JWT Tokens have reduced scope, they should still be stored securely and should be rotated regularly.
Readonly tokens can be used just like regular auth tokens in API calls to the platform:
Use your newly generated API token in GET requests to the API
Paradex offers three main types of API credentials:
These credentials all enable programmatic access to the Paradex API.