Authentication

Every request to the Sharpe API must be authenticated. The API supports two production-safe authentication methods: a Bearer token in the Authorization header (recommended) or an X-API-Key header.

Getting your API key

Once you have your key, store it in an environment variable:

export SHARPE_API_KEY="sk_live_your_key_here"

Verify the key works by making a test request:

curl -s https://www.sharpe.ai/api/v1/health \
  && echo "API is reachable" \
  && curl -s -o /dev/null -w "%{http_code}" \
    "https://www.sharpe.ai/api/v1/funding/rates?type=current" \
    -H "Authorization: Bearer $SHARPE_API_KEY"
# Should print 200

Pass your API key as a Bearer token in the Authorization header. This is the standard approach and works with most HTTP clients out of the box.

curl "https://www.sharpe.ai/api/v1/funding/rates?type=current" \
  -H "Authorization: Bearer sk_live_your_key_here"

X-API-Key header

As an alternative, you can pass the key in the X-API-Key header. This is useful in environments where the Authorization header is reserved or stripped by a proxy.

curl "https://www.sharpe.ai/api/v1/funding/rates?type=current" \
  -H "X-API-Key: sk_live_your_key_here"

Query parameters are not accepted

API keys must not be sent in URLs. Query strings are captured by browser history, server logs, analytics tools, and referrer headers, so ?api_key= requests are rejected by default. Use Authorization: Bearer or X-API-Key instead.

When both supported authentication methods are present, the API uses this precedence order: Authorization: Bearer header > X-API-Key header. Only the highest-priority credential is evaluated.

Key format

All API keys follow a predictable format so you can identify them in logs and configuration:

Prefix      Environment   Example
sk_live_    Production    sk_live_a1b2c3d4e5f6...

Keys are 56 characters long including the prefix (8-character prefix + 48 hex characters). Treat them like passwords — never commit them to source control or expose them in client-side code.
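
As an added example (not part of Sharpe's documentation or tooling), the key format above can drive a scanner for logs, config files or a pre-commit hook: it flags literal keys and ?api_key= query strings and returns only redacted lines. The function names, the redaction format and the case-insensitive hex match are assumptions of this example, and the sample key is constructed.

```python
import re

# Format stated on this page: "sk_live_" prefix + 48 hex characters (56 total).
# Assumption: hex digits may appear in either case.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])sk_live_[0-9a-fA-F]{48}(?![0-9a-fA-F])")
# The API rejects keys sent in URLs; flag any ?api_key= / &api_key= usage.
QUERY_RE = re.compile(r"[?&]api_key=", re.IGNORECASE)


def redact(text: str) -> str:
    """Replace each key with a marker that keeps only its last 4 characters."""
    return KEY_RE.sub(lambda m: f"sk_live_[REDACTED:{m.group(0)[-4:]}]", text)


def scan(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding, redacted_line) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if KEY_RE.search(line):
            findings.append((lineno, "api-key", redact(line)))
        if QUERY_RE.search(line):
            findings.append((lineno, "key-in-query-string", redact(line)))
    return findings


# Constructed sample input; the key below is made up for this example.
FAKE_KEY = "sk_live_" + "0123456789abcdef" * 3
SAMPLE = "\n".join([
    'export SHARPE_API_KEY="$(cat ~/.secrets/sharpe)"',          # no literal key
    f'headers = {{"X-API-Key": "{FAKE_KEY}"}}',                    # hardcoded key
    f"GET /api/v1/funding/rates?type=current&api_key={FAKE_KEY}",  # key in URL
    'curl -H "Authorization: Bearer sk_live_your_key_here" ...',   # placeholder
])

if __name__ == "__main__":
    for lineno, finding, line in scan(SAMPLE):
        print(f"line {lineno}: {finding}: {line}")
```

The last-4 suffix in the marker lets you tell which key needs rotating without reproducing the secret in the scanner's own output.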

Rate limit headers

Every API response includes headers that tell you where you stand against your rate limit quota:

  • X-RateLimit-Limit (integer): Maximum number of requests allowed per minute for your tier.
  • X-RateLimit-Remaining (integer): Number of requests remaining in the current window.
  • X-RateLimit-Reset (integer): Unix timestamp (seconds) when the rate limit window resets.
  • X-Request-Id (string): Unique identifier for the request. Include this when contacting support.

HTTP/2 200
content-type: application/json
x-ratelimit-limit: 500
x-ratelimit-remaining: 498
x-ratelimit-reset: 1743062460
x-request-id: req_abc123def456

Security best practices

  • Rotate keys regularly and immediately if you suspect a compromise
  • Use environment variables to store keys — never hardcode them
  • Restrict by IP if your plan supports IP allowlisting