# Authorization

## API Key Authorization

One way to authorize your reqeusts is to use API keys.\
You can create an API key if you are already logged into the EVEDEX Exchange:

* Click on your avatar in the upper right corner
* Go to **Settings** → **API** → **Create API Key**

Once you have created an API key, you must include it in all private API requests by adding it to the `x-api-key` header:

```
x-api-key: your_api_key
```

## JWT Token Authorization

Another approach to authorization is JWT Token usage.\
To submit orders to the exchange, the client must complete an authorization procedure (according to the [EIP-4361: Sign-In with Ethereum](https://eips.ethereum.org/EIPS/eip-4361) protocol), which includes the following steps:

1. Get a nonce using the [GET /auth/nonce](https://swagger.evedex.com/?urls.primaryName=Auth#/Auth/get_auth_nonce) method.
2. Generate the data for the authorization signature.
3. Sign the data using the user's crypto wallet.
4. Send the signed data to the [POST /auth/user/sign-up](https://swagger.evedex.com/?urls.primaryName=Auth#/User/post_auth_user_sign_up) method and receive a JWT (`token` field in the response)

<details>

<summary>Example of creating data and signature for authorization</summary>

```ts
function createSiweMessage(
  { address, uri, version, chainId, nonce, issuedAt }: {address: string, uri: string, version: string, chainId: number, nonce: string, issuedAt: string}
) {
  return `${uri} wants you to sign in with your Ethereum account:
${address}


URI: ${uri}
Version: ${version}
Chain ID: ${chainId}
Nonce: ${nonce}
Issued At: ${issuedAt}`;
}

const signer = await ethers.getSigner();
const message = `EVEDEX sign in`;
const address = await signer.getAddress();

const nonceRes = await fetch(`https://auth.evedex.com/auth/nonce`, {
  method: 'GET',
  headers: { accept: 'application/json' },
});
const { nonce } = await nonceRes.json();

const siweMessage = createSiweMessage({
  address: address,
  statement: `Sign in to https://exchange.evedex.com`,
  uri: 'https://exchange.evedex.com',
  version: '1',
  chainId: await signer.provider.getNetwork().then(({ chainId }) => chainId),
  nonce,
  issuedAt: new Date().toISOString(),
});
const signature = await signer.signMessage(siweMessage);

const response = await fetch(`https://auth.evedex.com/auth/user/sign-up`, {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    wallet: address,
    message: siweMessage,
    nonce,
    signature,
  }),
});
if (response.status >= 400) {
  throw new Error('Invalid auth');
}

const { token } = await response.json();
```

</details>

**Important:** Any request to the exchange REST API that requires an authorization JWT (`accessToken`) must include the header `Authorization: Bearer {accessToken}` (without the `{ }`).

Since the `accessToken` JWT is valid for only a few minutes, it should be refreshed periodically. To do this:

1. When receiving a 401 code from any method that requires authorization, call the [POST /auth/refresh](https://swagger.evedex.com/?urls.primaryName=Auth#/Auth/post_auth_refresh) method with the `Authorization` header set to `Bearer {refreshToken}` (without the `{ }`)
2. If the `refreshToken` is active, the response will return a new JWT, which should be used in place of the old `accessToken` and `refreshToken`
3. If the `refreshToken` is inactive and the method returns a 401 code, the user authorization procedure described above must be repeated


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.evedex.com/developers/developers/authorization.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.