API + MCP live · talk to us

// GLOSSARY

API key signing

Authenticating API requests by signing them with a private key rather than sending a shared secret. Kalshi signs requests with an RSA private key; Polymarket orders are EIP-712 signatures from a wallet key. The venue verifies the signature, and the key never travels.

Request signing proves you hold a private key without transmitting it. Instead of a bearer token that anyone who intercepts it can replay, each request carries a signature over its contents (and usually a timestamp), which the server verifies against your registered public key.

On Kalshi and Polymarket

Kalshi's trade API authenticates with an API key ID plus a signature generated from your RSA private key on each request — check the venue docs for the exact header scheme. Polymarket's CLOB uses wallet cryptography instead: orders are EIP-712 typed messages signed by your Polygon key, with API credentials layered on top for the operator endpoints.

Why it matters for bots

Signing keys are the crown jewels of a trading system — whoever holds them can trade and, on Polymarket, move funds. That's why key custody design matters as much as strategy: keys should be encrypted at rest (see envelope encryption) and never handed to an LLM agent directly. The trade-offs are covered in agent custody for prediction markets.