Authentication
Public market data needs no credentials. Trading and portfolio endpoints authenticate with a Bearer token sent in the Authorization header.
Bearer tokens
Every authenticated request must include an Authorization header with a Bearer token. The token is either a long-lived API key or a short-lived JWT from the login flow.
Authorization: Bearer pmx_live_8f2c…

API keys
Service API keys are the recommended credential for bots and server-side integrations. They are prefixed with pmx_, do not expire, and act on behalf of a single account.
- Treat keys like passwords — never commit them or expose them in client-side code.
- Each key inherits the role of its account (USER or ADMIN).
- Store the key in an environment variable, not in source control.
Keep keys server-side
Never expose a pmx_ key to a browser. Proxy trading calls through your own backend.

JWT from email + password
If you're building against a user account directly, exchange credentials for a JWT at POST /api/auth/login. The returned token is used exactly like an API key and is valid for 30 days.
curl -X POST "https://api.majjha.com/api/auth/login" \
  -H "Content-Type: application/json" \
  -d '{ "email": "[email protected]", "password": "••••••••" }'

Response:

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9…",
  "user": {
    "id": "usr_123",
    "email": "[email protected]",
    "name": "Ada",
    "username": "ada",
    "role": "USER"
  }
}

Verify a token and read the current account with GET /api/auth/me:

curl "https://api.majjha.com/api/auth/me" \
  -H "Authorization: Bearer $PMX_API_KEY"

Auth errors
A missing or invalid token returns 401 Unauthorized. A valid token without sufficient role (e.g. calling an admin endpoint) returns 403 Forbidden. See Errors for the full envelope.
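The login-then-call flow and the 401/403 handling described on this page, as an added Python example (not the Majjha API's own client code). The transport is injectable, and `fake_send` is a constructed stand-in for api.majjha.com so the example runs offline; the error bodies, the `/api/admin/` prefix, the credentials and the token values are placeholders, not values from this page.

```python
from typing import Callable, Dict, Tuple

Send = Callable[[str, str, Dict[str, str], dict], Tuple[int, dict]]  # (method, path, headers, body) -> (status, body)

class AuthError(Exception):
    """401: token missing or invalid. 403: token valid, but the account's role is insufficient."""
    def __init__(self, status: int, body: dict):
        super().__init__(f"HTTP {status}: {body}")
        self.status = status

def auth_header(token: str) -> Dict[str, str]:
    # A pmx_ API key and a login JWT are sent in exactly the same way.
    return {"Authorization": f"Bearer {token}"}

def login(send: Send, email: str, password: str) -> str:
    # Exchange email + password for a 30-day JWT; this call carries no Authorization header.
    status, body = send("POST", "/api/auth/login", {"Content-Type": "application/json"},
                        {"email": email, "password": password})
    if status != 200:
        raise AuthError(status, body)
    return body["token"]

def get(send: Send, path: str, token: str) -> dict:
    status, body = send("GET", path, auth_header(token), {})
    if status in (401, 403):
        raise AuthError(status, body)
    return body

def probe(send: Send, path: str, token: str) -> int:
    # Status a GET would receive: 200 on success, otherwise the AuthError status.
    try:
        get(send, path, token)
        return 200
    except AuthError as e:
        return e.status

# Constructed stand-in for api.majjha.com so the example runs offline. Only the responses this
# page documents are modelled; the error bodies and the /api/admin/ prefix are placeholders.
_TOKENS = {"jwt.constructed": "USER", "pmx_live_constructed": "USER"}
def fake_send(method: str, path: str, headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
    if path == "/api/auth/login" and body == {"email": "ada@example.com", "password": "correct-horse"}:
        return 200, {"token": "jwt.constructed", "user": {"id": "usr_123", "role": "USER"}}
    role = _TOKENS.get(headers.get("Authorization", "").removeprefix("Bearer "))
    if role is None:
        return 401, {"error": "Unauthorized"}   # missing or invalid token
    if path.startswith("/api/admin/") and role != "ADMIN":
        return 403, {"error": "Forbidden"}      # valid token, insufficient role
    return 200, {"id": "usr_123", "email": "ada@example.com", "role": role}
```

Swap `fake_send` for a real HTTP transport with the same signature (for example a thin wrapper around `requests`) and the client functions stay unchanged.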