PAPI
API Reference

Account

Profile, API key management, and exchange credential endpoints

Account Endpoints

Manage your profile, API keys, and exchange credentials. All account endpoints require JWT authentication (issued via the auth endpoints).

Profile

Get Profile

GET /account/profile
curl -s https://papi.tylerthebuildor.com/account/profile \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
{
  "id": "usr_abc123",
  "email": "user@example.com",
  "name": "Jane Doe",
  "avatar_url": "https://...",
  "email_verified": true,
  "providers": ["email", "google"],
  "created_at": "2026-01-15T08:00:00Z"
}
FieldTypeDescription
idstringUser ID
emailstringEmail address
namestringDisplay name
avatar_urlstring | nullProfile image URL
email_verifiedbooleanWhether email has been verified
providersarrayAuth providers linked (e.g., email, google, github)
created_atstringISO 8601 account creation time

Update Profile

PATCH /account/profile
curl -X PATCH https://papi.tylerthebuildor.com/account/profile \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
  -H "Content-Type: application/json" \
  -d '{
    "display_name": "Jane D.",
    "avatar_url": "https://example.com/avatar.jpg"
  }'
FieldTypeDescription
display_namestringNew display name
avatar_urlstringNew avatar URL

Both fields are optional. Only provided fields are updated.

API Keys

Each user is limited to one API key. Delete your existing key before creating a new one.

List API Keys

GET /account/api-keys
curl -s https://papi.tylerthebuildor.com/account/api-keys \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
{
  "keys": [
    {
      "prefix": "papi_sk_live_a1b2",
      "name": "Production",
      "scopes": ["read", "trade"],
      "created_at": "2026-01-15T08:00:00Z",
      "last_used_at": "2026-03-18T10:30:00Z"
    }
  ]
}

The full key is never returned -- only a prefix for identification.

Create API Key

POST /account/api-keys
curl -X POST https://papi.tylerthebuildor.com/account/api-keys \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production",
    "scopes": ["read", "trade"]
  }'

Request body:

FieldTypeRequiredDescription
namestringNoLabel for the key
scopesarrayNoArray of scopes: read, trade, admin

Response:

{
  "key": "papi_sk_live_a1b2c3d4e5f6g7h8...",
  "prefix": "papi_sk_live_a1b2",
  "name": "Production",
  "scopes": ["read", "trade"]
}

The key field contains the full API key. This is the only time it is returned. Save it immediately and store it securely.

Revoke API Key

DELETE /account/api-keys/{key_prefix}
curl -X DELETE https://papi.tylerthebuildor.com/account/api-keys/papi_sk_live_a1b2 \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

Revoked keys immediately stop working. This cannot be undone.

Exchange Credentials

Check Credential Status

GET /account/credentials

Check which exchanges have credentials configured without revealing any credential values.

curl -s https://papi.tylerthebuildor.com/account/credentials \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
{
  "exchanges": {
    "polymarket": {
      "configured": true,
      "wallet_address": "0x742d35Cc..."
    },
    "kalshi": {
      "configured": false
    }
  }
}

Store Polymarket Credentials

PUT /account/credentials/polymarket
curl -X PUT https://papi.tylerthebuildor.com/account/credentials/polymarket \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
  -H "Content-Type: application/json" \
  -d '{
    "api_key": "your-clob-api-key",
    "secret": "your-clob-secret",
    "passphrase": "your-passphrase",
    "wallet_address": "0x742d35Cc..."
  }'
FieldTypeRequiredDescription
api_keystringYesPolymarket CLOB API key
secretstringYesCLOB API secret
passphrasestringYesCLOB API passphrase
wallet_addressstringYesYour Polymarket wallet address

Store Kalshi Credentials

PUT /account/credentials/kalshi
curl -X PUT https://papi.tylerthebuildor.com/account/credentials/kalshi \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
  -H "Content-Type: application/json" \
  -d '{
    "access_key": "your-kalshi-access-key",
    "private_key": "your-kalshi-private-key"
  }'
FieldTypeRequiredDescription
access_keystringYesKalshi API access key
private_keystringYesKalshi API private key

Remove Credentials

DELETE /account/credentials/{exchange}

Exchange values: polymarket, kalshi

curl -X DELETE https://papi.tylerthebuildor.com/account/credentials/polymarket \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

After removal, trading requests to that exchange will fail until new credentials are stored.

Credential Security

  • Credentials are encrypted with AES-256-GCM at the application layer before storage
  • Stored in PostgreSQL in encrypted form
  • Decrypted only at request time, in memory
  • Never logged or exposed in API responses
  • Previous credentials for the same exchange are overwritten on update

On this page

Account EndpointsProfileGet ProfileUpdate ProfileAPI KeysList API KeysCreate API KeyRevoke API KeyExchange CredentialsCheck Credential StatusStore Polymarket CredentialsStore Kalshi CredentialsRemove CredentialsCredential Security