Authentication

Session cookies for the app, Bearer API keys for programmatic access, x402 for agents.

Polyrank has three auth surfaces. Pick by use case:

You are…	Use	Header / mechanism
A browser user	Session cookie	Set automatically by signing in at polyrank.app
A script, bot, or backend	API key	`Authorization: Bearer pk_live_…`
An autonomous AI agent	x402 payment	`X-PAYMENT` header — no account at all
Anonymous	nothing	`/v1/public/*` and `/v1/stats/overview` are open

Signing in at polyrank.app (passkey via Turnkey, magic-link email, or SIWE) sets the __Secure-polyrank_sid cookie scoped to .polyrank.app. The browser sends it to api.polyrank.app automatically. Sessions last 30 days.

API keys

Mint keys at polyrank.app/api-keys (or via POST /v1/api-keys with a session). Then:

curl -s "https://api.polyrank.app/v1/trader/0x…/trades" \
  -H "Authorization: Bearer pk_live_xxxxxxxxxxxxxxxxxxxxxx"

Keys work on every /v1/* route and inherit your plan's rate limits and quotas. See API keys for format, rotation, and security details.

What's gated where

Anonymous callers get /v1/public/* (commodity-depth, cached) and /v1/stats/overview. Everything else under /v1 returns 401 auth_required.
Some features are plan-gated on top of auth (Ranking Builder, Compare, full metric grid, webhooks). Those return 403 plan_required on Free — see Billing & plans.

Authentication

Session cookie

API keys

What's gated where

On this page