Authentication
Overview
The 100x SDK handles authentication automatically when you use HundredX.create():
const sdk = await HundredX.create({
privateKey: process.env.PRIVATE_KEY!,
brokerId: 1,
});Your ETH private key never leaves your machine. It is used only for local signing during registration.
How It Works
When you call HundredX.create(), the SDK:
- Derives your ETH address from the private key
- Generates an ephemeral signing keypair locally
- Signs a registration message with both keys
- Sends addresses + signatures to the backend (private keys stay local)
- Backend verifies signatures and registers the session key
- Returns API credentials which are configured automatically
You don't need to manage broker keys, secrets, or signing keys — the SDK handles this for you.
Auth Headers
The SDK automatically constructs the required headers for each request type.
Read endpoints
Endpoints like fetching orders, positions, and balances:
| Header | Value | Description |
|---|---|---|
Broker-Key | string | API key (auto-configured) |
Broker-Secret | string | API secret (auto-configured) |
Broker-Id | number | Your broker ID |
Write endpoints
Endpoints like placing orders, depositing, and withdrawing additionally include:
| Header | Value | Description |
|---|---|---|
Broker-Signer-Address | address | Signing key's public address |
Broker-User-Address | address | Your ETH address |
Broker-Signature | hex string | Cryptographic signature of the request |
Request Signing
Write operations are cryptographically signed to ensure authenticity:
- Orders — signed against the offchain exchange contract
- Deposits — signed against the endpoint contract
- Withdrawals — signed against the endpoint contract
The SDK signs these automatically.
Key Security
WARNING
The ETH private key is used only during registration for signing. It is never sent over the network. The signing key is held in memory only.
Best practices:
- Store your private key in environment variables
- Never commit private keys to version control
// Load from environment
const sdk = await HundredX.create({
privateKey: process.env.PRIVATE_KEY!,
brokerId: Number(process.env.BROKER_ID!),
});Rate Limiting
The SDK includes a built-in token bucket rate limiter:
- Capacity: 100 tokens
- Refill rate: 10 tokens/second
- Default weight: 2 tokens per request (write operations use 1)
The rate limiter automatically queues requests when the bucket is empty.