Integration

API keys and programmatic access

How to issue an API key, sign requests, and integrate trading.

KnightsVault exposes the same API the web app uses. You can integrate trading, balances, and transactions into your own systems.

Issuing an API key

Profile → API keys → Create new. You will pick:

  • Label — a memorable name (we'll show it on every audit log entry).
  • Permissions: read, trade, withdraw. The withdraw scope is highly restricted: every API-driven withdrawal still goes through the same approval pipeline as web withdrawals.
  • IP allowlist (optional but recommended) — comma-separated CIDRs the key can be used from.

You will see the API key and secret once. Copy them into a password manager immediately; we cannot recover the secret.

Authentication

Every authenticated request includes:

X-KV-Key: <api-key>
X-KV-Timestamp: <unix-seconds>
X-KV-Signature: <hex hmac-sha256 over canonical-string>

The canonical string is:

<METHOD>\n<path>\n<sorted-query>\n<timestamp>\n<sha256-of-body>

The HMAC key is your API secret as bytes. See docs/API_AUTH.md in the repo for working examples in Python, Node, and Go.
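
The signing scheme above, as an added Python example (not taken from docs/API_AUTH.md or the KnightsVault repo), with a local verifier to show that the timestamp and body hash are bound into the signature. Assumptions: the query is sorted by key and percent-encoded, the body hash is lowercase hex, the 30-second skew window is illustrative, and the key, secret, and /v1/orders path are constructed sample values.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode


def canonical_string(method, path, query, timestamp, body):
    # Assumption: query pairs are sorted by key, percent-encoded, joined with "&".
    sorted_query = urlencode(sorted(query.items()))
    # Assumption: the body hash is lowercase hex; an empty body hashes b"".
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, sorted_query, str(timestamp), body_hash])


def _hmac_hex(secret, canon):
    return hmac.new(secret, canon.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_request(api_key, secret, method, path, query=None, body=b"", timestamp=None):
    """Return the three X-KV-* headers for one request. `secret` is bytes."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    canon = canonical_string(method, path, query or {}, ts, body)
    return {
        "X-KV-Key": api_key,
        "X-KV-Timestamp": str(ts),
        "X-KV-Signature": _hmac_hex(secret, canon),
    }


def verify_request(secret, headers, method, path, query, body, now, max_skew=30):
    """Recompute the signature as a verifier would. max_skew (seconds) is assumed."""
    try:
        ts = int(headers["X-KV-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:  # stale or future-dated: reject before hashing
        return False
    expected = _hmac_hex(secret, canonical_string(method, path, query or {}, ts, body))
    supplied = headers.get("X-KV-Signature", "")
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    # Constructed sample values; "/v1/orders" is a hypothetical path.
    hdrs = sign_request("kv-demo-key", b"constructed-secret", "POST", "/v1/orders",
                        {"symbol": "BTC-USD"}, b'{"qty":"1"}', timestamp=1700000000)
    print(hdrs)
```

Generate the timestamp at send time and sign the exact bytes you transmit as the body; re-serializing JSON after signing changes the body hash and the request will fail verification.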

Rate limits

Rate limits are scoped per endpoint type and tracked per API key:

  • Read endpoints — 20 requests / second
  • Trade endpoints — 10 requests / second
  • Withdraw endpoints — 2 requests / second
  • Auth endpoints — 5 requests / minute

Exceeded limits return HTTP 429 with a Retry-After header.

WebSocket streams

Real-time order book and trade-tape data is available over WebSocket at wss://api.app.kxco.io/v1/ws. Authenticate with the same HMAC scheme via the initial subscribe message. Streams are throttled to 50 events / second per subscriber.

Idempotency

Order placement and withdrawal endpoints accept an X-KV-Idempotency-Key header. Repeated requests with the same key return the original response — safe to retry on network failure without risk of double-execution.

SDKs

We do not yet ship official SDKs. The HMAC scheme is plain enough that we recommend rolling your own thin client; anyone can audit it. Community SDKs may exist — caveat emptor.