Skip to main content
API keys are the credentials your applications use to call Predexy’s external data endpoints. Each key carries a name you choose, a set of permission scopes, and a per-minute rate limit. You can create multiple keys — one per application is recommended — and revoke any of them instantly if they are compromised or no longer needed. All key management calls require a valid console session token in the Authorization header.
The full API key is returned only once at creation. Predexy stores a hashed version and cannot recover the raw value. Copy and store the key securely before closing the response.

Creating a key

Send a POST request to /api/v1/console/keys with a name and optional configuration: Request fields:
FieldTypeRequiredDefaultNotes
namestringYes1–100 characters. Use a descriptive label like "Trading Bot – Prod".
permissionsstringNo'["read:arbitrage","read:markets","read:questions"]'JSON-encoded array of permission strings.
rate_limitintegerNo60Requests per minute. Maximum is 10000.
curl -X POST https://api.predexy.com/api/v1/console/keys \
  -H "Authorization: Bearer <your-access-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Trading Bot – Prod",
    "permissions": "[\"read:arbitrage\",\"read:markets\",\"read:questions\"]",
    "rate_limit": 120
  }'
Response: 
{
  "data": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "name": "Trading Bot – Prod",
    "key": "pdx_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
    "key_prefix": "pdx_a1b2c3d4",
    "permissions": "[\"read:arbitrage\",\"read:markets\",\"read:questions\"]",
    "rate_limit": 120
  },
  "message": "Save this API key — it will not be shown again."
}
The key field in the response is the value you use with the X-API-Key header. It will not appear in any subsequent API call.

Listing your keys

Retrieve all keys on your account with GET /api/v1/console/keys. The response includes metadata for each key but not the full key value — only the first 12 characters (key_prefix) are returned. 
curl https://api.predexy.com/api/v1/console/keys \
  -H "Authorization: Bearer <your-access-token>"
Response: 
{
  "data": [
    {
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "name": "Trading Bot – Prod",
      "key_prefix": "pdx_a1b2c3d4",
      "permissions": "[\"read:arbitrage\",\"read:markets\",\"read:questions\"]",
      "rate_limit": 120,
      "is_active": true,
      "last_used_at": "2026-04-25T14:32:00Z",
      "created_at": "2026-04-01T09:00:00Z"
    }
  ],
  "meta": {
    "count": 1
  }
}
Response fields:
FieldDescription
idUUID used to identify the key in management and analytics calls
nameThe label you gave the key at creation
key_prefixFirst 12 characters — use this to identify which physical key a prefix refers to
permissionsJSON-encoded permission array
rate_limitRequests per minute
is_activefalse if the key has been revoked
last_used_atTimestamp of the most recent authenticated request, or null if never used
created_atCreation timestamp
Save the id from this response. You will need it to pull usage statistics and logs for a specific key.

Revoking a key

Pass the key’s UUID to DELETE /api/v1/console/keys/{id}. Revocation takes effect immediately — there is no grace period. 
curl -X DELETE \
  https://api.predexy.com/api/v1/console/keys/3fa85f64-5717-4562-b3fc-2c963f66afa6 \
  -H "Authorization: Bearer <your-access-token>"
Response: 
{
  "data": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "status": "revoked"
  }
}
Revocation is permanent. Any request that uses a revoked key immediately receives 401 INVALID_API_KEY. Revoked keys cannot be reactivated — create a new key if you need to restore access.

Using a key to call external endpoints

Pass the full key value in the X-API-Key header when calling any /api/v1/external/* endpoint: 
curl "https://api.predexy.com/api/v1/external/arbitrage/opportunities?classification=actionable" \
  -H "X-API-Key: pdx_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
Every request made with the key is logged and visible in Usage Analytics.

Best practices

  • One key per application. Keep your keys scoped to a single service so you can revoke one without affecting others.
  • Use descriptive names. Labels like "Arbitrage Bot – Staging" or "Dashboard – Production" make it easy to identify keys in the list and in usage logs.
  • Revoke unused keys. If a key has not been used in weeks (check last_used_at), revoke it to limit your attack surface.
  • Store keys in environment variables. Never hardcode a key in source code or commit it to version control.
  • Request only the permissions you need. If your application only reads arbitrage data, set permissions to '["read:arbitrage"]' rather than the full default set.