Authentication

This section is a draft for how the product should be documented publicly.

Public API Model

The likely split is:
  • Public or trial keys for low-risk discovery and delayed data
  • Paid API keys for realtime and historical data products
  • User JWT or workspace tokens for product APIs like bots and backtests

Current Internal Reality

The codebase already uses multiple auth modes:
  • Supabase JWTs for user-scoped product routes
  • Engine admin secrets for server-to-server proxying
  • Service credentials for lake and infrastructure access

Recommendation

When this moves from internal docs to public docs, standardize the external contract to one API key format for market data and one user-auth pattern for workspace APIs.

Example Header

Authorization: Bearer YOUR_API_KEY

For product APIs tied to a user account, the same Authorization header can carry a session or JWT token instead of a market data key.
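
An added example, not code from this project: a server-side check for the header above that accepts a market data key only on market data routes and a user JWT only on workspace routes, so one credential type cannot stand in for the other. The md_ key prefix, the route names, the HS256 secret and the sample key are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, time

KEY_PREFIX = "md_"                       # assumed market data key prefix (hypothetical)
JWT_SECRET = b"constructed-test-secret"  # constructed; stands in for the real signing secret
# Store only SHA-256 digests of issued keys; the value is the key's tier (constructed sample).
API_KEYS = {hashlib.sha256(b"md_trial_0001").hexdigest(): "trial"}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims):
    """Build an HS256 token; used here only to construct sample input."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(token, now):
    """Return the claims if the signature, algorithm and expiry check out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(unb64url(head)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the token's own choice
        expected = hmac.new(JWT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            return None
        claims = json.loads(unb64url(body))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, AttributeError, TypeError):
        return None  # malformed token: wrong part count, bad base64 or bad JSON

def authenticate(route, authorization, now=None):
    """route is 'market-data' or 'workspace'. Returns (kind, subject) or None."""
    now = time.time() if now is None else now
    scheme, _, cred = (authorization or "").partition(" ")
    if scheme.lower() != "bearer" or not cred:
        return None
    if route == "market-data" and cred.startswith(KEY_PREFIX):
        tier = API_KEYS.get(hashlib.sha256(cred.encode()).hexdigest())
        return ("api_key", tier) if tier else None
    if route == "workspace" and not cred.startswith(KEY_PREFIX):
        claims = verify_jwt(cred, now)
        return ("user", claims["sub"]) if claims and "sub" in claims else None
    return None  # credential type does not match the route class
```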