Skip to main content

Hosts

PMXT serves two hostnames.
  • api.pmxt.dev — reads, catalog search via Router, MCP server, venue passthrough (/api/*).
  • trade.pmxt.dev — hosted writes (build / submit / cancel) and hosted account state (orders, positions, balances, trades) via /v0/trade/*, /v0/user/*, and /v0/orders/*.
The same pmxt_api_key authenticates against both — no separate credentials. Reads and writes have different latency and availability profiles; the trading host is the hot path for signed-order submission and is operated independently.

API key

Every request to https://api.pmxt.dev needs a Bearer token. Get one from pmxt.dev/dashboard — it works immediately.
X-Api-Key: pmxt_live_... also works as a fallback, but Bearer is canonical and what every SDK sends.

SDK setup

Set PMXT_API_KEY and the SDK automatically routes to the hosted endpoint. No code changes versus local development.
Or pass it directly:
Explicit argument takes precedence over the environment variable.

Venue credentials

In hosted mode, trade writes use PMXT’s PreFundedEscrow custody plus a locally-signed EIP-712 payload. You pass your pmxt_api_key, the wallet address you trade from, and a private key used only for local signing — the private key never leaves your machine, and PMXT custodies USDC in the escrow contract on your behalf.
See Trading quickstart for the full 60-second flow and Escrow lifecycle for the approve / deposit / withdraw mechanics. Hosted writes today: Polymarket, Opinion, and Limitless.

Self-hosted / direct venue credentials (advanced)

When you run pmxt-core locally, or when you need venue-native trading where the venue exposes writes but hosted mode does not, you pass venue-native credentials (Polymarket private key, Kalshi RSA, Smarkets session, etc.) directly:
PMXT never stores venue credentials. They are forwarded to the venue and dropped when the call completes.
Some venues (Polymarket, Limitless, Probable, Opinion, Baozi) require raw wallet private keys with full fund control. Use a dedicated trading wallet and read Security & Credential Handling before passing private keys to PMXT — hosted or self-hosted.

Rotating keys

Rotate immediately if you suspect a key is exposed. Old keys are revoked atomically — in-flight requests with the old key are rejected within 60 seconds.
  1. Create a new key from the dashboard.
  2. Deploy the new key to your application.
  3. Revoke the old key once traffic has drained.
All revocations are logged under Settings > Audit Log.

Errors

Today the SDKs raise the base pmxt.errors.PmxtError for both 401 cases — match on the message string. A dedicated InvalidApiKey subclass may be added in a future SDK release; this doc will be updated when that ships.
See API Reference / Errors for the full error class hierarchy.