Skip to main content

Programmatic Access

TL;DR

Darknyx exposes a REST + WebSocket API served directly by the enclave over RA-TLS. Authentication is two layers: an account bearer token (who is allowed to talk to the venue) plus a per-order trading-key signature (who cryptographically owns the order). Read endpoints are public; order management is authenticated.

The authentication model

Two independent layers gate the API. They answer different questions and you need both to trade.

LayerCredentialAnswersUsed on
AccountBearer token from POST /auth/token"Is this caller allowed to use the venue?" (rate-limiting, audit)Every authenticated request, as Authorization: Bearer <token>
OrderEd25519 trading-key signature over the canonical order body"Who cryptographically owns this order?"Every place / cancel / modify

The separation is deliberate. One account may operate many trading keys (sub- portfolios, a market-maker fleet), and the trading key, not the account, is the cryptographic identity that authorizes settlement. The bearer token only enables operational controls; it cannot, by itself, move or cancel another key's orders.

See Authentication for the full credential model and Place Order for how the order signature is constructed.

Available APIs

SurfaceUse it for
RESTOne-off calls, cold starts, snapshots: auth, instruments, order management, account state via Merkle proofs, transparency, settlement status.
WebSocketLong-running clients: a bidirectional trading socket, a per-account orders lifecycle stream, and a per-account fills stream.

REST is simplest to start with. A long-running trading client should move order submission to the WebSocket trading socket (one warm, pre-authenticated connection instead of a TLS + bearer round-trip per request) and subscribe to the orders and fills channels for push updates.

Endpoint map

REST

MethodPathAuthPurpose
POST/auth/tokenpublicExchange API credentials for a bearer token
POST/auth/token/revokebearerRevoke the calling token
GET/instrumentspublicList tradable markets
GET/instruments/{symbol}publicOne market's metadata
POST/ordersbearer + sigPlace an order
DELETE/orders/{order_id}bearer + sigCancel an order
PUT/orders/{order_id}bearer + sigModify (atomic cancel + replace)
GET/orders/{order_id}bearerOrder status
POST/orders/{order_id}/anchorsbearer + sigTop up an order's continuation anchor pool
GET/tree/rootpublicCurrent Merkle root of a shard
GET/tree/inclusionbearerInclusion proof for a note commitment
GET/tree/leavesbearerPaginated leaf read
GET/transparencypublicProof-of-reserves + engine identity + stats
GET/settlement/status/{batch_id}bearerOn-chain settlement status of a batch
GET/system/statuspublicLiveness / degraded-mode snapshot
GET/timepublicServer slot + unix time
GET/attestationpublicTDX attestation quote
GET/infopublicRunning image identity (compose hash, app id, signer)
GET/healthpublicLiveness probe

WebSocket

PathDirectionPurpose
/ws/tradingbidirectionalStream framed order.place / order.cancel / order.modify; optional cancel-on-disconnect
/ws/ordersserver → clientPer-account order-lifecycle events (partial / filled / cancelled / expired)
/ws/fillsserver → clientPer-account continuation-fill memos

WebSocket sockets self-authenticate with the bearer token as a ?token= query parameter (browsers and the global WebSocket cannot set an Authorization header on the upgrade); an Authorization: Bearer header is also accepted.

Quick start

# 1. Exchange credentials for a bearer token.
TOKEN=$(curl -s -X POST "$GATEWAY/auth/token" \
-H "Content-Type: application/json" \
-d '{"api_key":"...","api_secret":"...","passphrase":"..."}' \
| jq -r .access_token)

# 2. Read the markets (public).
curl -s "$GATEWAY/instruments" | jq .

# 3. Check the venue is healthy before trading.
curl -s "$GATEWAY/system/status" | jq .

# 4. Place an order. The body carries the collateral-note commitment, the
# VALID_INPUT proof, the continuation anchor pool, and a trading-key
# signature over the canonical body. The SDK builds all of these. See
# Orders → Place Order for the full field reference.
curl -s -X POST "$GATEWAY/orders" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d @order.json | jq .
Use the SDK

A raw place-order body is large: it includes a note commitment, a 256-byte zero-knowledge input proof, an owner-commitment opening, and a ten-entry continuation anchor pool, all of which the TypeScript SDK derives and signs for you from your keys and a deposited note. Hand-building the body is possible (the wire contract is documented), but the SDK is the intended path. See SDK → TypeScript Client.

Rate limits

Read endpoints and authenticated order management are subject to operational rate limiting at the venue. Design clients to back off on 429 responses and to prefer the WebSocket trading socket for high-frequency order management, since one authenticated connection avoids the per-request handshake cost. See System Status for how the venue signals degradation.