X-API-Key header for authenticated REST market-data requests and configure the same key in SDK, CLI, MCP, and WebSocket clients.
API key created in the 0xArchive dashboard.
success, data, and meta:
401 with success: false and an error object. See Error handling. Keep meta.request_id (or the x-request-id header) from any response when you need support.
GET /health is an unauthenticated liveness check. Use it to check service reachability, not whether a key is valid. A market-data route with X-API-Key is the right first authentication test.
Free tier, no card
Get a key and run a real call
New accounts start free, no card required. Create a key in the dashboard and paste it into any example here.
Key Handling
Create a key in the dashboard
Use the dashboard for standard key creation and rotation.
Store it outside source control
Use environment variables or your secret manager. Do not paste keys into checked-in examples.
Send it on market-data calls
Authenticated REST market-data requests use
X-API-Key. WebSocket examples use the key during connection setup.Wallet Flows
The OpenAPI contract includes SIWE routes for wallet-signature account verification. Use/v1/auth/web3/challenge to create the SIWE challenge, sign it in the wallet environment, then submit the signed message to POST /v1/auth/web3/verify. Use these when an account flow needs wallet ownership confirmed before issuing an X-API-Key credential or browser session.
SIWE verification does not give 0xArchive custody or transaction control. 0xArchive never requests private keys or seed phrases, cannot move funds, cannot approve transactions, and cannot place or cancel venue orders.
Credential Checklist
Use this checklist before wiring credentials into a backend, script, notebook, MCP server, Skill, or coding-agent session.| Surface | Credential rule |
|---|---|
| REST market data | Send X-API-Key on every authenticated request. Use OXARCHIVE_API_KEY as the shell variable in docs examples. |
| Health check | GET /health is unauthenticated liveness; it does not confirm key validity. |
| WebSocket | Configure the same API key during connection setup, then keep request and stream logs free of the raw key. |
| CLI | Export OXA_API_KEY for oxa commands. |
| MCP Server and Skill | Pass OXARCHIVE_API_KEY through the host environment or secret store. |
| SDKs | Read the key from the runtime environment or secret manager before constructing the client. |
| Browser apps | Call your own backend; do not expose a 0xArchive API key directly to users. |
| SIWE-confirmed access | Use /v1/auth/web3/challenge, POST /v1/auth/web3/verify, and web3 account routes only when credential issuance should follow wallet ownership. |
Production Checklist
Use one key per environment when possible: local development, CI, staging, production, and agent/tooling work should not all share the same credential. That separation makes rotation and debugging much easier when a script misbehaves or a teammate leaves a workflow. For server code, read the key from an environment variable or secret manager at process start. For notebooks, shells, CLI jobs, MCP servers, and coding-agent sessions, export the key into the session environment and keep it out of prompt transcripts. For browser clients, call your own backend rather than exposing a 0xArchive key directly to users. When an authentication error occurs, log the method, path, venue family, symbol, status code, and request handle. Usemeta.request_id when a response envelope exposes it, or the x-request-id header when an auth response returns a simpler JSON body. Do not log the key. If the same key works in curl but fails in a client, compare the exact header name first: REST market-data requests use X-API-Key.
Interface Notes
The CLI usesOXA_API_KEY. The MCP Server and Skill examples use OXARCHIVE_API_KEY. REST examples in these docs use OXARCHIVE_API_KEY as the shell variable and send it as X-API-Key. Keep the variable name that matches the product surface you are using, but keep the HTTP header stable for authenticated market-data requests.
SIWE verification
Wallet-signature account verification before issuing
X-API-Key credentials.Error handling
Handle missing keys, invalid keys, rate limits, and request IDs.