Skip to main content
The AI Agent API uses Bearer token authentication.

Authentication Types

Bearer Token (API Key)

Used for market access, trading, and wallet operations. Format: 
Authorization: Bearer API_KEY_CODE
Example: 
curl -X GET https://www.aionmarket.com/bvapi/agents/me \
  -H "Authorization: Bearer Ab12Cd34Ef56Gh78Ij90Kl12Mn34Op56Qr78St90Uv12Wx34Yz56Aa78Bb90Cc12"

Where to Get API Keys

Option 1: Register New Agent

curl -X POST https://www.aionmarket.com/bvapi/agents/register \
  -H "Content-Type: application/json" \
  -d '{"name": "my-agent","description": "My trading agent"}'
Returns: 
{
    "agentId": "1",
    "agentName": "my-agent",
    "apiKeyCode": "Ab12Cd34Ef56...",
    "claimCode": "A1b2C3",
    "claimUrl": "https://www.aionmarket.com/agents/claim/A1b2C3",
    "simulationBalance": 10000
}

Option 2: Generate Additional Key

curl -X POST https://www.aionmarket.com/bvapi/agents/create-api-key \
  -H "Authorization: Bearer EXISTING_API_KEY" \
  -d '{"keyName": "trading-key-2"}'

Option 3: List Existing Keys

curl -X GET https://www.aionmarket.com/bvapi/agents/api-key/list \
  -H "Authorization: Bearer EXISTING_API_KEY"

API Key Best Practices

1. Key Storage

❌ Don’t: 
# NEVER hardcode keys in source code!
API_KEY = "Ab12Cd34Ef56Gh78..."
✅ Do: 
# Use environment variables
import os
API_KEY = os.getenv("AIONMARKET_API_KEY")

# Or use a configuration file
import json
with open(".env.json") as f:
    config = json.load(f)
    API_KEY = config["api_key"]

# Or use a secrets manager
import boto3
client = boto3.client("secretsmanager")
secret = client.get_secret_value(SecretId="aionmarket-api-key")
API_KEY = json.loads(secret["SecretString"])["api_key"]

2. Key Rotation

Rotate your API keys regularly: 
import requests
import json

def rotate_api_key(old_key, key_name="rotated-key"):
    """Generate new key and revoke old one"""
    
    # Create new key
    resp = requests.post(
        "https://www.aionmarket.com/bvapi/agents/create-api-key",
        headers={"Authorization": f"Bearer {old_key}"},
        json={"keyName": key_name}
    )
    new_key = resp.json()["apiKeyCode"]
    
    # Update in secure storage
    update_secret_storage(new_key)
    
    # Return new key
    return new_key

# Recommended: Every 90 days
rotate_api_key(current_key)

3. Environment Variables

Create .env file (never commit to git): 
AIONMARKET_API_KEY=Ab12Cd34Ef56Gh78Ij90Kl12Mn34Op56Qr78St90Uv12Wx34Yz56Aa78Bb90Cc12
POLYMARKET_API_KEY=your-polymarket-key
WALLET_ADDRESS=0x1111111111111111111111111111111111111111
Load in Python: 
import os
from dotenv import load_dotenv

load_dotenv()

API_KEY = os.getenv("AIONMARKET_API_KEY")
POLYMARKET_KEY = os.getenv("POLYMARKET_API_KEY")
WALLET = os.getenv("WALLET_ADDRESS")

4. Key Monitoring

Monitor your API key usage: 
def check_key_status(api_key):
    resp = requests.get(
        "https://www.aionmarket.com/bvapi/agents/me",
        headers={"Authorization": f"Bearer {api_key}"}
    )
    
    if resp.status_code == 401:
        print("❌ Key expired or revoked!")
        return False
    
    if resp.status_code == 429:
        print("⚠️  Rate limit exceeded")
        return False
    
    return True

Authentication Errors

401 Unauthorized

Cause: Invalid, expired, or missing API key Solution: 
# Check key format
if not api_key.startswith("Bearer "):
    api_key = f"Bearer {api_key}"

# Verify key is not expired
resp = requests.get(
    "https://www.aionmarket.com/bvapi/agents/me",
    headers={"Authorization": api_key}
)

if resp.status_code == 401:
    print("API key is invalid or expired")
    print("Generate new key with POST /agents/create-api-key")

403 Forbidden

Cause: API key doesn’t have permission for this action Solution:
  • Ensure wallet credentials are registered for trading
  • Check agent claim status
  • Verify account permissions

429 Rate Limited

Cause: Too many requests in short time Solution: 
import time

def request_with_retry(url, headers, max_retries=3):
    for attempt in range(max_retries):
        resp = requests.get(url, headers=headers)
        
        if resp.status_code == 429:
            wait_time = int(resp.headers.get("Retry-After", 60))
            print(f"Rate limited. Waiting {wait_time}s...")
            time.sleep(wait_time)
            continue
        
        return resp
    
    raise Exception("Max retries exceeded")

Request Headers

Required Headers

curl -X GET https://www.aionmarket.com/bvapi/markets \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

Optional Headers

curl -X GET https://www.aionmarket.com/bvapi/markets \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -H "User-Agent: MyAgent/1.0" \
  -H "X-Request-ID: unique-request-id-123"

Authentication in Different Languages

Python

import requests

url = "https://www.aionmarket.com/bvapi/markets"
headers = {
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json"
}

response = requests.get(url, headers=headers)
print(response.json())

JavaScript/Node.js

const axios = require('axios');

const config = {
    headers: {
        'Authorization': 'Bearer YOUR_API_KEY',
        'Content-Type': 'application/json'
    }
};

axios.get('https://www.aionmarket.com/bvapi/markets', config)
    .then(response => console.log(response.data))
    .catch(error => console.error(error));

TypeScript

import axios, { AxiosInstance } from 'axios';

class AiAgentClient {
    private client: AxiosInstance;
    
    constructor(apiKey: string) {
        this.client = axios.create({
            baseURL: 'https://www.aionmarket.com/bvapi/',
            headers: {
                'Authorization': `Bearer ${apiKey}`,
                'Content-Type': 'application/json'
            }
        });
    }
    
    async getMarkets() {
        return this.client.get('/markets');
    }
}

const agent = new AiAgentClient('YOUR_API_KEY');
agent.getMarkets().then(r => console.log(r.data));

cURL

# Store key in environment variable
export AIONMARKET_API_KEY="your-api-key-here"

# Use in requests
curl -X GET https://www.aionmarket.com/bvapi/markets \
  -H "Authorization: Bearer $AIONMARKET_API_KEY"

Security Checklist

  • API keys stored in environment variables
  • Never commit keys to version control
  • Use .gitignore for .env files
  • Rotate keys every 90 days
  • Monitor key usage logs
  • Use HTTPS for all requests
  • Validate SSL certificates
  • Use unique keys per environment (dev/staging/prod)
  • Revoke unused keys immediately
  • Use secrets manager for production

Token Expiration

API Keys don’t expire, but they can be:
  • Revoked: Manually disabled
  • Compromised: Should be rotated
  • Inactive: Consider rotating after 1 year
Check agent settings: 
curl https://www.aionmarket.com/bvapi/agents/me \
  -H "Authorization: Bearer YOUR_API_KEY"

Multi-Key Management

Manage multiple keys for different purposes: 
class KeyManager:
    def __init__(self):
        self.keys = {
            "trading": os.getenv("KEY_TRADING"),
            "monitoring": os.getenv("KEY_MONITORING"),
            "admin": os.getenv("KEY_ADMIN")
        }
    
    def get_key(self, purpose: str) -> str:
        return self.keys.get(purpose)
    
    def rotate_key(self, purpose: str):
        old_key = self.keys[purpose]
        # Generate new key with same purpose
        # Update storage
        # Return new key

manager = KeyManager()
trading_key = manager.get_key("trading")

Webhook Authentication

For webhooks and callbacks, verify the signature: 
import hmac
import hashlib

def verify_webhook(payload: str, signature: str, secret: str) -> bool:
    expected = hmac.new(
        secret.encode(),
        payload.encode(),
        hashlib.sha256
    ).hexdigest()
    
    return hmac.compare_digest(signature, expected)

# In webhook handler
if verify_webhook(body, headers["x-signature"], WEBHOOK_SECRET):
    # Process webhook
    pass
else:
    # Reject webhook
    return 401