Skip to main content
Every request to the SURCHI API must be authenticated with an API key passed as a Bearer token in the Authorization header. API keys are tied to your account, carry specific permission scopes, and are the primary mechanism for tracking and enforcing your plan’s rate limits. There are no public endpoints — even read-only queries require a valid key.

Getting an API Key

1

Sign in to your dashboard

Go to surchi.xyz/dashboard and sign in with your account credentials.
2

Navigate to API Keys

Open the left sidebar and click Settings, then select API Keys from the settings menu.
3

Click "Create New Key"

Click the Create New Key button in the top-right corner of the API Keys page.
4

Name your key and choose its scope

Give the key a descriptive name (e.g. prod-trading-bot or dev-portfolio-app) so you can identify it later. Select the minimum set of scopes your application needs. See the Key Scopes table below for available options.
5

Copy the key immediately

After creation, your full API key is displayed exactly once. Copy it now and store it in a secure secrets manager or environment variable. If you lose it, you will need to revoke the key and create a new one.

Using Your API Key

Pass your API key in the Authorization header using the Bearer scheme on every request. The header must be formatted exactly as shown — including the Bearer prefix followed by a single space.

Key Scopes

When you create an API key, you assign it one or more scopes that define what it is allowed to do. Use the narrowest set of scopes your application actually requires — this limits the blast radius if a key is ever exposed.
For most read-only integrations, you only need read:tokens and read:wallets. Avoid the full scope unless your application genuinely requires write access alongside all read permissions.

Key Rotation

You should rotate your API keys periodically and immediately after any suspected exposure. To rotate a key:
  1. Create a new key with the same scopes as the one you are replacing.
  2. Deploy the new key to your application and verify it works correctly.
  3. Revoke the old key from the Settings → API Keys dashboard.
Revoking a key takes effect immediately and is irreversible. Any application still using the old key will begin receiving 401 Unauthorized errors the moment you revoke it. Always confirm your new key is fully deployed and operational before revoking the old one.

Security Best Practices

Keeping your API keys secure is your responsibility. Follow these practices to minimise risk:
  • Use environment variables. Never hard-code API keys in your source code. Load them at runtime from environment variables or a secrets manager such as AWS Secrets Manager, HashiCorp Vault, or Doppler.
  • Never commit keys to source control. Add a .env file (or whichever file holds your secrets) to .gitignore. Scan your repository history if you suspect a key was ever committed, and rotate it immediately.
  • Use narrow scopes. Issue separate keys for separate applications, each with only the scopes it needs. A compromised read-only key cannot be used to create or destroy alerts.
  • Monitor key usage. The SURCHI dashboard shows per-key request volume and error rates. Unusual spikes may indicate your key has been shared or leaked.
  • Rotate keys regularly. Even without a known incident, rotating keys every 90 days is a sound practice for production applications.

Authentication Errors

If your key is missing, malformed, or has been revoked, the API returns HTTP 401. If your key is valid but lacks the required scope for the endpoint you called, it returns HTTP 403.
See the Errors reference for the full list of error codes and troubleshooting guidance.