API keys
Each key pair is a public key and a private secret. Send the public key in the OSL-API-KEY header on every private request. Keys are scoped: grant read-only access for dashboards, trade access for execution bots, and keep withdrawal permission disabled unless you truly need it. You can rotate or revoke a key at any time, and we recommend IP-allowlisting each key.