Authentication

API Key Authentication

The Lavarage API uses API keys passed via the x-api-key HTTP header.

curl https://api.lavarage.xyz/api/v1/positions \
  -H "x-api-key: YOUR_API_KEY"

Public Endpoints (No Key Required)

These endpoints are freely accessible:

Protected Endpoints (Key Required)

All position, order, staking, and partner management endpoints require a valid API key.

Getting an API Key

1. Contact the team at lavarage.io to get a partner account
2. Use the Partners API to generate additional keys:

curl -X POST https://api.lavarage.xyz/api/v1/partners/keys \
  -H "x-api-key: YOUR_EXISTING_KEY"

The raw key is only returned once — store it securely.

Key Management

• List keys: GET /api/v1/partners/keys
• Revoke a key: DELETE /api/v1/partners/keys/:id

Revoking a key is permanent and immediate.

Security Best Practices

• Never expose API keys in client-side code
• Use environment variables for key storage
• Rotate keys periodically using the Partners API
• Revoke compromised keys immediately

Wallet Signature Authentication

Some endpoints (orders, referral) require wallet signature authentication via 3 headers:

Message Format

```
lavarage:<wallet_address>:<timestamp_ms>
```

TypeScript Example

```typescript
import nacl from 'tweetnacl';
import bs58 from 'bs58';

const wallet = keypair; // Your Solana Keypair
const timestamp = Date.now().toString();
const message = `lavarage:${wallet.publicKey.toBase58()}:${timestamp}`;
const messageBytes = new TextEncoder().encode(message);
const signature = nacl.sign.detached(messageBytes, wallet.secretKey);

const headers = {
'x-wallet-address': wallet.publicKey.toBase58(),
'x-wallet-signature': bs58.encode(signature),
'x-wallet-message': message,
};
```