Every public endpoint authenticates via a Bearer token in the Authorization header. No OAuth, no per-tenant prefixes, no separate session — one key, one user, scoped to your subscription tier.

Header format

Authorization: Bearer pql_live_<key>
A live key looks like pql_live_d7b9… (48 chars total). On the development build of the website you’ll get pql_test_… keys instead — same shape, hits the same staging endpoint.

Mint a key

2. Create

Click Create key, give it a label (bot-prod, laptop-jupyter, etc.). The full token displays once — copy it immediately.

3. Revoke if compromised

Click the trash icon next to the key’s row. The token is invalidated instantly on the API side; existing in-flight requests succeed, the next call returns 401.

Test it

curl -s https://api.polyquantlab.com/health
# {"ok":true,"latest_snapshot":"2026-06-05T…","snapshots_last_5min":1235}

curl -s "https://api.polyquantlab.com/v1/markets/resolved?limit=1" \
  -H "Authorization: Bearer $POLYQUANTLAB_API_KEY"
# {"markets":[{ ... }]}
/health does NOT require auth — it’s the cheap way to verify the API is reachable. Every /v1/* endpoint does.

Errors

Status  Meaning
401     Missing / malformed Authorization header, or key revoked.
403     Key valid but your tier doesn’t include this endpoint (e.g. /v1/backtest/sweep on Free).
429     Rate limit exceeded; see Rate limits.

Security notes

Treat your key like a password: anyone who has it can read your data AND consume your tier’s quota. Don’t commit keys to git. Keep them in a git-ignored environment file or a secrets manager (.env, direnv, AWS SM, doppler, etc.).
Rotate keys whenever a teammate leaves or a machine is decommissioned. Revocation is instant; minting a fresh key takes 10 seconds.
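
One way to enforce "don't commit keys to git" is a pre-commit scan built on the key format described above (pql_live_ / pql_test_ prefix, 48 characters total). This is an added example, not PolyQuantLab's own tooling; the function names are hypothetical and the key-body alphabet [A-Za-z0-9_-] is an assumption, since the page does not state it.

```python
#!/usr/bin/env python3
"""Pre-commit style scan for PolyQuantLab API keys (added example)."""
import re
import sys

PREFIX_LEN = len("pql_live_")   # 9; "pql_test_" has the same length
BODY_LEN = 48 - PREFIX_LEN      # the page gives 48 characters in total
# Assumption: the key body uses [A-Za-z0-9_-]; the page does not state the alphabet.
BODY = r"[A-Za-z0-9_-]"
KEY_RE = re.compile(
    rf"(?<!{BODY})pql_(?:live|test)_{BODY}{{{BODY_LEN}}}(?!{BODY})"
)


def redact(token: str) -> str:
    """Keep the prefix and 4 body chars so a finding is identifiable
    without re-leaking the full key into CI logs."""
    keep = PREFIX_LEN + 4
    return token[:keep] + "*" * (len(token) - keep)


def scan_text(text: str, source: str = "<stdin>"):
    """Return (source, line_number, redacted_token) for every key found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group(0))))
    return findings


def main(paths) -> int:
    """Scan the given files; a return value of 1 blocks the commit."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += scan_text(fh.read(), path)
        except OSError:
            continue  # deleted files or directories in the staged list
    for source, lineno, token in findings:
        print(f"{source}:{lineno}: possible PolyQuantLab key {token}",
              file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from a pre-commit hook with the staged file names as arguments. A key that has already been committed should be revoked and re-minted, since it remains in history.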