Skip to content
APIs
/
/Token

Auth Service API (1.0.0)

Authentication and authorization service for the True Markets platform — issues JWT access/refresh tokens used across the Gateway, DeFi, and other True Markets APIs.

Base URLs

EnvironmentBase URL
Productionhttps://api.truemarkets.co/v1/auth
UAT (sandbox)https://api.uat.truemarkets.co/v1/auth

Authentication tutorial

Programmatic clients use an ECDSA-signed challenge to mint short-lived JWTs.

  1. Create an account at https://www.truemarkets.co (passkey, email, magic link, or Sign in with Apple).
  2. Register an API key in your account's API Keys settings page. Generate an EC P-256 key pair locally and submit only the public key — the private key never leaves your machine. You'll receive a key_id (UUID).
  3. Mint JWTs by calling POST /api-key/token with key_id, a current timestamp (Unix seconds, within ±30s of server UTC time), and signature — an ES256 (ECDSA P-256 + SHA-256) signature of the message {key_id}.{timestamp}, base64url-encoded. The response returns access_token and refresh_token.
  4. Call True Markets APIs (Gateway, DeFi) with Authorization: Bearer <access_token>.
  5. Refresh expired access tokens via POST /token/refresh with the refresh_token — no re-signing required.

Quick start

# 1. Mint a JWT (key_id and signature computed client-side)
curl -X POST https://api.truemarkets.co/v1/auth/api-key/token \
  -H "Content-Type: application/json" \
  -d '{"key_id":"<UUID>","timestamp":<UNIX_SECONDS>,"signature":"<BASE64URL_ES256_SIG>"}'

# 2. Fetch JWKS to verify token signatures locally
curl https://api.truemarkets.co/.well-known/jwks.json

# 3. Refresh a token before expiry
curl -X POST https://api.truemarkets.co/v1/auth/token/refresh \
  -H "Content-Type: application/json" \
  -d '{"refresh_token":"<REFRESH_TOKEN>"}'

Support

Download OpenAPI description
v1.json
v1.yaml
Languages
Servers
Production

https://api.truemarkets.co/v1/auth/

UAT (sandbox)

https://api.uat.truemarkets.co/v1/auth/

JWKS

Operations

Refresh access token

Request

Exchange a valid refresh token for a new access/refresh token pair

Bodyapplication/jsonrequired
refresh_tokenstringrequired

The refresh token to exchange

curl -i -X POST \
  https://api.truemarkets.co/v1/auth/token/refresh \
  -H 'Content-Type: application/json' \
  -d '{
    "refresh_token": "string"
  }'

Responses

Tokens refreshed successfully

Bodyapplication/json
access_tokenstringrequired

JWT access token

refresh_tokenstringrequired

JWT refresh token

expires_instring(date-time)required

Access token expiration timestamp

token_typestringrequired

Token type (always "Bearer")

Example: "Bearer"
Response
application/json
{
  "access_token": "string",
  "refresh_token": "string",
  "expires_in": "2019-08-24T14:15:22Z",
  "token_type": "Bearer"
}

API Key Authentication

Operations