
Overview

PrometheX uses Privy for authentication. Users log in via email, social accounts, or crypto wallets. Privy issues a JWT that authenticates all subsequent API requests.

Auth Flow

1. User authenticates via Privy SDK
   Email, social login, or wallet connection. Privy handles MFA and account linking.

2. Privy issues a JWT
   Signed with ES256. Contains the user’s Privy DID as the sub claim.

3. Send JWT with API requests
   Include the token in the Authorization: Bearer header.

4. PrometheX validates the token
   Checks audience, issuer, expiry, and signature against Privy’s public keys.

5. Privy DID maps to PrometheX UID
   The sub claim (Privy DID) is mapped to an internal PrometheX user ID.

Token Format

The Privy JWT is a standard JWT with these claims:
| Claim | Value | Description |
|-------|-------|-------------|
| alg | ES256 | Signing algorithm (ECDSA P-256) |
| iss | privy.io | Issuer |
| aud | Your Privy App ID | Audience; must match your app |
| sub | did:privy:... | User’s Privy decentralized identifier |
| exp | Unix timestamp | Token expiration |
| iat | Unix timestamp | Token issued at |
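
The validation step of the auth flow, applied to the claims above, as an added Node.js example (not PrometheX's or Privy's code). It assumes a locally generated P-256 key pair standing in for Privy's verification key; `example-app-id`, the sample DID and the helper names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Returns the claims if every check passes; throws on the first failure.
function verifyJwt(token, publicKey, { issuer, audience, now }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Pin the algorithm server-side; never let the header select "none" or HMAC.
  if (dec(h).alg !== 'ES256') throw new Error('unexpected alg');
  // JWS ES256 signatures are raw r||s (64 bytes), not DER.
  const sig = Buffer.from(s, 'base64url');
  const ok = sig.length === 64 && crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig);
  if (!ok) throw new Error('bad signature');
  // Read claims only after the signature has been verified.
  const c = dec(p);
  if (c.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(c.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof c.exp !== 'number' || c.exp <= now) throw new Error('expired');
  if (typeof c.sub !== 'string' || !c.sub.startsWith('did:privy:')) throw new Error('bad sub');
  return c;
}

// Constructed fixture: a local P-256 key pair stands in for Privy's key.
function signJwt(header, claims, privateKey) {
  const input = `${enc(header)}.${enc(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const NOW = 1700000000; // fixed clock so the results are reproducible
const APP_ID = 'example-app-id'; // placeholder, not a real Privy App ID
const good = { iss: 'privy.io', aud: APP_ID, sub: 'did:privy:example-user', iat: NOW, exp: NOW + 3600 };

// Verifies with the expected issuer/audience; returns sub or the rejection reason.
function outcome(token) {
  try {
    return verifyJwt(token, publicKey, { issuer: 'privy.io', audience: APP_ID, now: NOW }).sub;
  } catch (e) { return e.message; }
}

const valid = signJwt({ alg: 'ES256', typ: 'JWT' }, good, privateKey);
console.log(outcome(valid));
console.log(outcome(signJwt({ alg: 'ES256' }, { ...good, exp: NOW - 1 }, privateKey)));
console.log(outcome(signJwt({ alg: 'ES256' }, { ...good, aud: 'other-app' }, privateKey)));
```

The order matters: the algorithm is pinned before any key is used, and no claim is trusted until the signature has verified.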

Using the Token

Include the JWT in every authenticated request:
curl -X POST "https://api-staging.promethex.market/api/v1/market/place-order" \
  -H "Authorization: Bearer eyJhbGciOiJFUzI1NiIs..." \
  -H "Content-Type: application/json" \
  -d '{ ... }'

First-Time Login

When a user authenticates for the first time, register them with PrometheX:
POST /api/v1/user/login
Body parameters:
- address (string, required): User’s smart account address (ERC-4337 account).
- inviteByCode (string): Referral code from another user.
- userName (string): Display name.
- avatarUrl (string): Avatar image URL.

Response:
{
  "code": 0,
  "data": {
    "uid": "12345",
    "isNewUser": true
  }
}

Response fields:
- uid (string): PrometheX internal user ID.
- isNewUser (boolean): true if the user was just created. false for returning users.

Endpoint Auth Requirements

Public (no auth)

| Endpoint | Description |
|----------|-------------|
| GET /api/v1/market/get-markets | List markets |
| GET /api/v1/market/get-market-detail | Market detail |
| GET /api/v1/market/get-hot-markets | Trending markets |
| GET /api/v1/market/get-price-history | Price charts |
| GET /api/v1/market/get-market-trades | Trade history |

Authenticated

| Endpoint | Description |
|----------|-------------|
| POST /api/v1/user/login | Register / login |
| POST /api/v1/market/place-order | Buy or sell tokens |
| POST /api/v1/market/claim-market-result | Claim winnings |
| POST /api/v1/market/add-liquidity | Add liquidity |
| POST /api/v1/market/remove-liquidity | Remove liquidity |
| POST /api/v1/sse/connect | SSE stream |
| POST /api/v1/user/set-avatar | Update avatar |
| POST /api/v1/user/set-username | Update username |
| POST /api/v1/market/follow-market | Follow a market |

Each endpoint’s reference page indicates whether authentication is required.

Token Expiry & Refresh

Privy JWTs have a short lifespan. The Privy SDK handles token refresh automatically. If you receive a 401 or error code 110303 (PRIVY), the token may be expired — refresh it via the Privy SDK and retry.