Security

The 618ers API is read-only by design.

User-owned keys

Users generate temporary API keys from Profile > API Key Generate. A key can be revoked at any time, and its expiry is checked on every request.

Raw key material is shown once at generation time and is never stored. The server stores only an HMAC of the key.

Do not embed API keys in public frontend or browser code. Use them only from trusted servers, local scripts, automation tools, or agent runtimes that can keep secrets private.

Proxy protection

All public traffic is served through:

https://api.sixoneeighters.com

The Fly proxy forwards each request to the Supabase Edge Function and attaches a private proxy secret. Direct calls to the raw Supabase function URL, which carry no valid proxy secret, are rejected.
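The checks described above (HMAC-only key storage, per-request expiry and revocation, and rejection of calls that bypass the proxy) as one added illustrative model. This is example code, not the 618ers implementation; the secrets, header names and key format are assumptions.

```python
# Illustrative model of a read-only API's request gate (not the 618ers code).
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed server-side secrets; a real deployment loads these from the environment.
HMAC_PEPPER = b"constructed-server-side-hmac-secret"
PROXY_SECRET = "constructed-proxy-secret"

# key_id -> record. Only the HMAC of the key is kept, never the raw key.
KEY_STORE: Dict[str, dict] = {}


def key_digest(raw_key: str) -> str:
    """HMAC-SHA256 of the raw key under a server-side secret; only this is stored."""
    return hmac.new(HMAC_PEPPER, raw_key.encode(), hashlib.sha256).hexdigest()


def issue_key(user_id: str, ttl_seconds: int, now: Optional[float] = None) -> Tuple[str, str]:
    """Generate a temporary key. The raw key is returned once and not retained."""
    now = time.time() if now is None else now
    key_id = secrets.token_hex(8)
    raw_key = f"{key_id}.{secrets.token_urlsafe(32)}"  # assumed "id.secret" format
    KEY_STORE[key_id] = {"user_id": user_id, "digest": key_digest(raw_key),
                         "expires_at": now + ttl_seconds, "revoked": False}
    return key_id, raw_key


def revoke_key(key_id: str) -> None:
    if key_id in KEY_STORE:
        KEY_STORE[key_id]["revoked"] = True


def authenticate(headers: Dict[str, str], now: Optional[float] = None) -> Tuple[bool, str]:
    """Run on every request: proxy secret first, then key digest, revocation, expiry."""
    now = time.time() if now is None else now
    # A call that bypassed the proxy carries no valid proxy secret: reject it first.
    presented = headers.get("x-proxy-secret", "").encode()
    if not hmac.compare_digest(presented, PROXY_SECRET.encode()):
        return False, "direct call rejected"
    raw_key = headers.get("x-api-key", "")
    record = KEY_STORE.get(raw_key.split(".", 1)[0])
    # Compare digests in constant time, even when the key id is unknown.
    stored = record["digest"] if record else key_digest("")
    if not record or not hmac.compare_digest(stored.encode(), key_digest(raw_key).encode()):
        return False, "invalid key"
    if record["revoked"]:
        return False, "key revoked"
    if now >= record["expires_at"]:
        return False, "key expired"
    return True, record["user_id"]
```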

Read-only scope

API keys cannot be used to:

  • Import data
  • Edit data
  • Delete data
  • Start broker syncs
  • Access broker credentials
  • Execute trades

Access logs

Every API request is logged with its route, status code, latency, row count, user agent, and a hashed client IP.