Authentication
API Keys
y0 uses API keys for authentication. API keys are scoped to a tier (Free, Growth, Business, Enterprise).
Getting an API Key
- Sign up at y0.exchange/business
- Create a new project
- Generate an API key (prefix: y0_)
- Set it as an environment variable
Using Your API Key
MCP Server:
{
  "mcpServers": {
    "y0": {
      "command": "npx",
      "args": ["@y0exchange/mcp"],
      "env": {
        "Y0_API_KEY": "y0_your-api-key"
      }
    }
  }
}
REST API:
curl -H "Authorization: Bearer y0_your-api-key" \
  "https://api.y0.exchange/v1/balance?address=0xd8dA..."
Sessions
For write tools, the signing service creates sessions that link an API key to a user’s wallet address.
Session Management
POST /api/sessions — Create session (returns session ID + API key)
GET /api/sessions — List active sessions
DELETE /api/sessions/:id — Revoke session
Session Properties
| Property | Description |
|---|---|
| id | Unique session ID |
| userAddress | Linked wallet address |
| apiKeyHash | Hashed API key (never stored in plain text) |
| permissions | JSON: allowed tools, chains, token pairs |
| spendingLimits | JSON: per-tx and daily USD limits |
Rate Limits
| Tier | Rate Limit | Monthly Limit |
|---|---|---|
| Free | 10 req/min | Unlimited |
| Growth | 60 req/min | Unlimited |
| Business | 300 req/min | Unlimited |
| Enterprise | Custom | Unlimited |
Security
- API keys are hashed (SHA-256) before storage
- All API traffic is HTTPS-only
- Sessions can be revoked at any time
- Spending limits are enforced server-side
- Users can disconnect their wallet and revoke all sessions
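How a server can combine the session properties and the security points above when authorizing a write call, as an added example (not y0's own code): it hashes the presented key with SHA-256, compares it to apiKeyHash in constant time, then checks permissions and spending limits. The field names inside permissions and spendingLimits, the tool and chain names, the reason strings and the sample session are assumptions; the page does not specify them.

```javascript
// Added example, not y0's implementation. Field names inside `permissions`
// and `spendingLimits` are hypothetical; the page only says they are JSON.
const crypto = require('node:crypto');

// SHA-256 digest of the presented key, the form kept in apiKeyHash.
function hashApiKey(apiKey) {
  return crypto.createHash('sha256').update(apiKey, 'utf8').digest();
}

// Decide whether a write request may proceed under a session record.
// `spentTodayUsd` is the running daily total the server tracks itself.
function authorize(session, apiKey, req, spentTodayUsd) {
  if (typeof apiKey !== 'string' || !apiKey.startsWith('y0_')) {
    return { ok: false, reason: 'malformed_key' };
  }
  const stored = Buffer.from(session.apiKeyHash, 'hex');
  const presented = hashApiKey(apiKey);
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (stored.length !== presented.length ||
      !crypto.timingSafeEqual(stored, presented)) {
    return { ok: false, reason: 'bad_key' };
  }
  const { tools, chains } = session.permissions;
  if (!tools.includes(req.tool) || !chains.includes(req.chain)) {
    return { ok: false, reason: 'not_permitted' };
  }
  // Reject NaN, Infinity and non-positive amounts before limit checks.
  if (!Number.isFinite(req.amountUsd) || req.amountUsd <= 0) {
    return { ok: false, reason: 'bad_amount' };
  }
  const { perTxUsd, dailyUsd } = session.spendingLimits;
  if (req.amountUsd > perTxUsd) return { ok: false, reason: 'per_tx_limit' };
  if (spentTodayUsd + req.amountUsd > dailyUsd) {
    return { ok: false, reason: 'daily_limit' };
  }
  return { ok: true };
}

// Constructed sample session; every value here is made up for the example.
const SAMPLE_KEY = 'y0_example-key-not-real';
const sampleSession = {
  id: 'sess_example',
  userAddress: '0x0000000000000000000000000000000000000000',
  apiKeyHash: hashApiKey(SAMPLE_KEY).toString('hex'),
  permissions: { tools: ['swap'], chains: ['ethereum'] },
  spendingLimits: { perTxUsd: 100, dailyUsd: 250 },
};
```

An unsalted fast hash such as SHA-256 is adequate for stored keys only when the keys are long random strings, unlike user-chosen passwords.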