
Authentication

How to generate, send, and revoke API credentials for the external API.

Every request to the external API (/api/ext) is authenticated with an API key and an API secret tied to your trader account. Both are sent as HTTP headers.

The API secret is shown only once, at generation. Store it server‑side. Never expose either value in browser, mobile, or client‑side code — all external calls must originate from your backend.

Sending credentials

Send both headers on every request:

| Header | Value |
| --- | --- |
| X-Api-Key | Your API key |
| X-Api-Secret | Your API secret |

curl https://api.mytpe.appp/api/ext/me \
  -H "X-Api-Key: $MYTPE_API_KEY" \
  -H "X-Api-Secret: $MYTPE_API_SECRET"
200 OK
{
  "data": {
    "id": "9c1f0e2a-4b6d-4a8e-9f10-2c3d4e5f6a7b",
    "email": "trader@example.com",
    "name": "Boutique Centrale",
    "role": "trader",
    "created_at": "2026-01-12T09:30:00.000000Z"
  }
}

GET /me is the simplest authenticated call — use it to verify credentials and read the authenticated trader.

Managing keys

API keys are generated and revoked from your dashboard (Settings → Developers → API keys) using your logged‑in session. These management endpoints are not part of /api/ext; they are session‑authenticated dashboard endpoints (use your session token, not the API key/secret).

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/trader/api-keys | Show current key status. |
| POST | /api/trader/api-keys | Generate a new key pair (returns the secret once). |
| DELETE | /api/trader/api-keys | Revoke the current key pair. |

Show key status

Request
curl https://api.mytpe.appp/api/trader/api-keys \
  -H "Authorization: Bearer $MYTPE_SESSION_TOKEN"
200 OK
{
  "api_key": "mtk_live_8f3c1a9b2d4e5f60718293a4b5c6d7e8",
  "api_secret": "***",
  "has_key": true
}

Generate a key pair

Request
curl -X POST https://api.mytpe.appp/api/trader/api-keys \
  -H "Authorization: Bearer $MYTPE_SESSION_TOKEN"
201 Created
{
  "api_key": "mtk_live_8f3c1a9b2d4e5f60718293a4b5c6d7e8",
  "api_secret": "mts_live_a1b2c3d4e5f6071829304a5b6c7d8e9f"
}

Generating a new pair invalidates the previous one.

Revoke the key pair

Request
curl -X DELETE https://api.mytpe.appp/api/trader/api-keys \
  -H "Authorization: Bearer $MYTPE_SESSION_TOKEN"
200 OK
{ "message": "API key revoked." }

Authentication errors

A missing or invalid key/secret returns 401:

401 Unauthorized
{
  "error": "UNAUTHORIZED",
  "message": "Invalid API credentials."
}

Only trader accounts can use the external API. See the full error format in Responses → Errors.
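A backend-side credential check built on GET /me and the 401 response shown above, added here as an example and not MyTPE's own client code. The function names, the injectable `transport` parameter and the sample values under `__main__` are assumptions constructed for illustration; the base URL, header names, environment variable names and error body come from this page.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.mytpe.appp/api/ext"  # host and path as shown in the curl example


def auth_headers(env=os.environ):
    """Build both credential headers from server-side environment variables."""
    key, secret = env.get("MYTPE_API_KEY"), env.get("MYTPE_API_SECRET")
    if not key or not secret:
        raise RuntimeError("MYTPE_API_KEY and MYTPE_API_SECRET must both be set")
    return {"X-Api-Key": key, "X-Api-Secret": secret}


def redact(headers):
    """Log-safe copy: secret fully masked, key reduced to its last four characters."""
    return {"X-Api-Key": "..." + headers["X-Api-Key"][-4:], "X-Api-Secret": "***"}


def http_get(url, headers):
    """Real transport: return (status, JSON body) instead of raising on 4xx."""
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status, json.load(response)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def verify_credentials(env=os.environ, transport=http_get):
    """Call GET /me; return the trader record or raise if the pair is rejected."""
    status, body = transport(BASE_URL + "/me", auth_headers(env))
    if status == 401:
        raise PermissionError(body.get("message", "UNAUTHORIZED"))
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    return body["data"]


if __name__ == "__main__":
    # Constructed sample credentials and canned response, so this runs offline.
    sample_env = {"MYTPE_API_KEY": "mtk_test_constructed0001",
                  "MYTPE_API_SECRET": "mts_test_constructed0002"}
    fake = lambda url, headers: (200, {"data": {"role": "trader"}})
    print(redact(auth_headers(sample_env)), verify_credentials(sample_env, fake))
```

Running the check at service start-up surfaces a revoked or rotated pair before the first payment call, and logging only `redact(...)` output keeps the secret out of application logs.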

Webhook signatures

Authentication of incoming webhook calls (MyTPE → your server) is separate: each delivery is signed with the webhook's secret via the X-Mytpe-Signature header. See Webhooks.
