Operator Api

Authentication

Authenticate requests to the operator API.

Authentication

Operator API uses bearer authentication.

Authorization: Bearer {operator_api_key}

Key model

API key is operator-scoped.
OpenPoly stores only hash and metadata for secret portion.
Raw API key must never be logged or stored after issuance.
Browser clients must never receive operator API key.

Scope model

Requests are checked against scope list attached to API key.

Common scopes:

*
launch:write
users:read
markets:read
trades:read
redemptions:read
balance_operations:read
api_keys:read
api_keys:write
webhooks:read
webhooks:write
simulator:read
simulator:write

Failure behavior

Missing or invalid key -> 401
Revoked key -> 401
Missing required scope -> 403

Error envelope:

{
  "error": {
    "code": "INVALID_API_KEY",
    "message": "Invalid API key",
    "request_id": "req_..."
  }
}

Security requirements

Keep key in server-only secret storage.
Rotate keys through dashboard or API key endpoints.
Use least-privilege scopes for each integration service.

Edit this pageorReport an issue

Market visibility

Control market visibility rules for an operator integration.

Webhook endpoints

Configure webhook endpoint records through the operator API.