APIs
//
Auth Service API
Auth Service API (1.0.0)
Authentication and authorization service for the True Markets platform — issues JWT access/refresh tokens used across the Gateway, DeFi, and other True Markets APIs.
| Environment | Base URL |
|---|---|
| Production | https://api.truemarkets.co/v1/auth |
| UAT (sandbox) | https://api.uat.truemarkets.co/v1/auth |
Programmatic clients use an ECDSA-signed challenge to mint short-lived JWTs.
- Create an account at https://www.truemarkets.co (passkey, email, magic link, or Sign in with Apple).
- Register an API key in your account's API Keys settings page. Generate an EC P-256 key pair locally and submit only the public key — the private key never leaves your machine. You'll receive a
key_id(UUID). - Mint JWTs by calling
POST /api-key/tokenwithkey_id, a currenttimestamp(Unix seconds, within ±30s of server UTC time), andsignature— an ES256 (ECDSA P-256 + SHA-256) signature of the message{key_id}.{timestamp}, base64url-encoded. The response returnsaccess_tokenandrefresh_token. - Call True Markets APIs (Gateway, DeFi) with
Authorization: Bearer <access_token>. - Refresh expired access tokens via
POST /token/refreshwith therefresh_token— no re-signing required.
# 1. Mint a JWT (key_id and signature computed client-side)
curl -X POST https://api.truemarkets.co/v1/auth/api-key/token \
-H "Content-Type: application/json" \
-d '{"key_id":"<UUID>","timestamp":<UNIX_SECONDS>,"signature":"<BASE64URL_ES256_SIG>"}'
# 2. Fetch JWKS to verify token signatures locally
curl https://api.truemarkets.co/.well-known/jwks.json
# 3. Refresh a token before expiry
curl -X POST https://api.truemarkets.co/v1/auth/token/refresh \
-H "Content-Type: application/json" \
-d '{"refresh_token":"<REFRESH_TOKEN>"}'