Skip to main content
The Trigger Order API V2 uses a challenge-response flow to authenticate users. Your wallet signs a challenge, and the server issues a JWT token valid for 24 hours.

Authentication Flow

Prerequisites

Signing challenges and transactions requires @solana/web3.js and bs58:

Step 1: Request a Challenge

Request a challenge for your wallet. The type field selects how your wallet will sign, and accepts exactly two values: Both prove wallet ownership and return the same JWT. Any other value returns a 400.
Message challenge response:
Transaction challenge response:
Challenges expire after 5 minutes. Request a new one if your challenge expires.

Step 2: Sign and Verify

Sign the challenge with your wallet, then submit the signature to receive a JWT token. For message signing:
For transaction signing (hardware wallets):

Using the JWT

Include the JWT in all authenticated requests:

Token Lifecycle

When a token expires, repeat the challenge-response flow to obtain a new one. There is no refresh endpoint.

Security Notes

For integrators building user-facing applications:
  • Never store JWT tokens in local storage. Use secure, httpOnly cookies or in-memory storage
  • Always verify the challenge content before signing. Do not blindly sign arbitrary messages
  • Implement token refresh logic to handle expiration gracefully
  • The JWT is tied to the wallet public key. Do not reuse tokens across wallets

What Happens if a JWT is Leaked

The JWT grants limited access. An attacker with a leaked token can:
  • Cancel orders: This transitions the order from open to ready_to_cancel, but does not withdraw funds. Withdrawal requires signing a transaction with the wallet private key.
  • Edit order parameters: Updating trigger prices or slippage does not require transaction signing.
An attacker cannot:
  • Withdraw funds: All withdrawal operations require the wallet owner to sign a transaction. The vault’s funds remain secure.
  • Create new orders: Depositing tokens requires signing a deposit transaction with the wallet.
All operations involving funds (deposits, withdrawals) require the wallet owner to sign a transaction. A leaked JWT alone cannot result in loss of funds. However, if the wallet private key is also compromised, an attacker could sign transactions and withdraw funds from the vault.