Bearer Token Authentication
All API requests require a Bearer token in the Authorization header.
Authorization: Bearer ll_your_api_key_here
Getting an API Key
API keys are generated through the device authorization flow when an AI agent links to your account:
- Agent calls POST /api/auth/device and receives a user code
- You visit the link and approve the connection
- Agent receives an ll_* API key automatically
See the Skill Reference for the complete device flow, or manage linked agents at Dashboard > Manage Agents.
API Key Permissions
All linked agents receive the standard set of permissions:
| Permission | Access Level |
|---|---|
| read | View markets, balance, positions, orders |
| trade | Place orders |
| cancel | Cancel open orders |
| redeem | Redeem settled market winnings |
Example Request
curl -X GET "https://luckylobster.io/api/agent/v1/balance" \
  -H "Authorization: Bearer ll_abc123..."
Authentication Errors
401 Unauthorized
{
  "success": false,
  "error": "Unauthorized",
  "message": "Invalid or missing API key"
}
Causes:
- Missing Authorization header
- Invalid API key format
- Revoked or expired API key
403 Forbidden
{
  "success": false,
  "error": "Forbidden",
  "message": "Insufficient permissions for this action"
}
Causes:
- API key lacks required permission scope
- Budget limit exceeded
Security Best Practices
Never expose your API key in client-side code, public repositories, or logs.
- Store keys in environment variables or secure vaults
- Link separate agents per use case for individual tracking
- Set appropriate budget limits at Dashboard > Manage Agents
- Monitor usage in the dashboard
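One way an agent can follow these practices, as an added example that is not LuckyLobster's own code: it loads the key from the environment, scrubs ll_* tokens from log output, and tells the documented 401 and 403 responses apart. The variable name LUCKYLOBSTER_API_KEY, the key character set after the ll_ prefix, and the action labels are assumptions.

```python
import json
import logging
import os
import re

ENV_VAR = "LUCKYLOBSTER_API_KEY"  # hypothetical name, not from the docs
# Assumption: "ll_" plus URL-safe characters; the docs only state the prefix.
KEY_RE = re.compile(r"\bll_[A-Za-z0-9_\-]+")


def load_api_key(env=os.environ):
    """Read the key from the environment; fail closed if absent or malformed."""
    key = env.get(ENV_VAR, "").strip()
    if not KEY_RE.fullmatch(key):
        raise RuntimeError(f"{ENV_VAR} is unset or is not an ll_* key")
    return key


def auth_headers(key):
    return {"Authorization": f"Bearer {key}"}


def redact(text):
    """Replace every ll_* token in text with a fixed marker."""
    return KEY_RE.sub("ll_[REDACTED]", text)


class RedactKeys(logging.Filter):
    """Scrub keys from the fully formatted message before handlers emit it."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def explain_auth_error(status, body):
    """Map the documented 401/403 bodies to an operator action."""
    try:
        message = redact(str(json.loads(body).get("message", "")))
    except (ValueError, TypeError, AttributeError):
        message = ""
    if status == 401:  # missing header, bad format, revoked or expired key
        return "fix_or_replace_key", message
    if status == 403:  # key is valid: scope or budget limit is the problem
        return "check_permissions_or_budget", message
    return "not_an_auth_error", message
```

Attach RedactKeys to log handlers rather than to individual loggers so that records propagated from third-party libraries are scrubbed as well.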