// GLOSSARY
API key signing
Authenticating API requests by signing them with a private key rather than sending a shared secret. Kalshi signs requests with an RSA private key; Polymarket orders are EIP-712 signatures from a wallet key. The venue verifies the signature, and the key never travels.
Request signing proves you hold a private key without transmitting it. Instead of a bearer token that anyone who intercepts it can replay, each request carries a signature over its contents (and usually a timestamp), which the server verifies against your registered public key.
On Kalshi and Polymarket
Kalshi's trade API authenticates with an API key ID plus a signature generated from your RSA private key on each request — check the venue docs for the exact header scheme. Polymarket's CLOB uses wallet cryptography instead: orders are EIP-712 typed messages signed by your Polygon key, with API credentials layered on top for the operator endpoints.
Why it matters for bots
Signing keys are the crown jewels of a trading system — whoever holds them can trade and, on Polymarket, move funds. That's why key custody design matters as much as strategy: keys should be encrypted at rest (see envelope encryption) and never handed to an LLM agent directly. The trade-offs are covered in agent custody for prediction markets.