Authentication

API keys, JWT tokens, and refresh token flow.

Overview

JudgeMarket supports two authentication methods:

API Key — for bot/programmatic access. Pass via X-API-KEY header.
JWT Bearer Token — for user sessions. Pass via Authorization: Bearer <token> header.

Public endpoints (market data) require no authentication.

API Key Authentication

Create API keys at judgemarket.com/builders. Include the key in every request:

X-API-KEY: jm_your_api_key_here

JWT Authentication

Login

POST/login

usernamestringrequired

Account username

passwordstringrequired

Account password

captcha_idstringrequired

Captcha ID from /auth/captcha

captcha_codestringrequired

User's captcha answer

{
  "user_id": "0x1234...abcd",
  "username": "trader1",
  "token": "eyJhbGciOiJIUzI1NiJ9...",
  "refresh_token": "a1b2c3d4e5f6..."
}

The token (JWT) expires in 15 minutes. The refresh_token expires in 30 days.

Refresh Token

POST/auth/refresh

Exchange an expired access token for a new token pair. The old refresh token is invalidated (rotation).

refresh_tokenstringrequired

Current refresh token

{
  "user_id": "0x1234...abcd",
  "username": "trader1",
  "token": "eyJhbGciOiJIUzI1NiJ9...(new)",
  "refresh_token": "f6e5d4c3b2a1...(new)"
}

Google Login

POST/auth/google

credentialstringrequired

Google ID token from Sign-In

Returns the same response shape as /login.

API Key Management

GET/auth/api-keysAuth Required

List all API keys for the authenticated user.

POST/auth/api-keysAuth Required

namestringrequired

Display name for the key

DELETE/auth/api-keys/:idAuth Required

Revoke an API key by ID.