Authentication & API keys
Every request authenticates with a bearer credential issued in the console. Which credential you use depends on which plane you're calling.
Product API keys
Calculation calls (equity, ICM, payouts, blinds, chip stacks) use a product API key, sent as a bearer token:
Code
Product keys are environment-scoped:
pw_test_…— the test environment. Free credits, no card required.pw_live_…— production traffic. Draws from your credit wallet and requires a card on file.
Management tokens
Automating the console itself — creating projects, rotating keys, reading usage — uses a
service-account management token (pw_mgmt_…), not a product key. Management tokens never make
calculation calls. See Service accounts & management tokens.
Key handling
- Keys and tokens are shown once at creation and hashed at rest — copy them then; they can't be recovered, only rotated or revoked.
- Rotate or revoke immediately if a credential is exposed.
- Keep them server-side. Never ship a key or token to a browser or client app.
Scopes & project-scoping
Product API keys use calculation-plane scopes:
| Scope | Grants |
|---|---|
calculations:read | Call calculation endpoints such as equity, ICM, payouts, blinds, and chip stacks. |
usage:read | Read usage for the key's account/project/environment where supported. |
account:read | Read account metadata exposed to product-key clients. |
Management tokens use management-plane scopes:
Code
Product keys always belong to one project and one environment. Management tokens can be restricted
to a set of project IDs and environments; those restrictions apply in addition to scopes. For
example, a token with api_keys:create restricted to one project can create keys only for that
project, and a token restricted to test cannot create or read live-environment resources.