IDENTITY

Your session is not a skeleton key.

Sensitive actions demand fresh proof. Strange network behaviour shrinks trust automatically. API keys carry only the rights you grant — and signing, not secrets, proves who calls.

RFC 9470 · perimeterLivePasskeys / WebAuthnIn build
Live
Running in canary or production now.
In build
Code in progress — status tracked in the build plan.
Planned
Design locked, not yet started.
WAS / NOWIdentity contourIn build

A retired IdP and symmetric 2FA, replaced.

The legacy identity stack ran on an end-of-life server with HMAC-based, symmetric 2FA. The new contour is a modern IdP — OIDC with PKCE — with phishing-resistant passkeys and a perimeter that asks for proof exactly where it matters.

Legacy · before

  • IdentityServer4 — now end-of-life — as the identity provider.
  • Symmetric, HMAC-based two-factor that a phished code could replay.
  • No real distinction between a logged-in session and a high-stakes action.

Now · in build

  • A modern IdP on OIDC + PKCE, with passkeys (WebAuthn) and TOTP.
  • Step-up at the perimeter (RFC 9470) — fresh proof for sensitive actions only.
  • Risk-based sessions and scoped, Ed25519-signed API keys.
LOGIN

Passkeys first, TOTP as the floor.

A passkey ties your login to this device and this origin, so a look-alike site has nothing to phish. TOTP stays available as the baseline second factor.

01 · Passkeys (WebAuthn)

Phishing-resistant by construction.

A passkey is a device-bound key pair scoped to the real origin. It never leaves your device and never travels to a server, so a phishing page cannot capture or replay it — there is no shared secret to steal.

Mechanism: WebAuthn origin-bound key pair, no shared secret.

02 · TOTP baseline

A standards-based second factor.

Time-based one-time codes (TOTP) remain available as the baseline second factor for any authenticator app, so strong 2FA does not depend on owning a passkey-capable device.

Mechanism: TOTP second factor over a modern OIDC + PKCE flow.

PERIMETER STEP-UPRFC 9470 · perimeterLive

Friction where it matters, not everywhere.

Step-up is a perimeter, not a constant nag. Boundary actions — moving funds, changing a whitelist, issuing a key, changing 2FA — demand fresh, strong proof. Ordinary trading inside your session does not keep interrupting you.

Gated · fresh proof

Step-up: fresh strong proof (RFC 9470).

  • WithdrawalMoving funds off the platform asks for fresh proof at the moment you request it.
  • Whitelist changeAdding or editing a withdrawal address is a perimeter action.
  • API key issueMinting a new API key — especially a withdraw-scoped one — requires step-up.
  • 2FA changeChanging your second factor re-proves it is really you.

Not gated · stays fluid

Inside the session — no repeated 2FA.

  • Placing tradesOrdinary in-domain trading runs on your authenticated session, without a 2FA prompt per order.
  • Viewing balancesReading your account and market data never triggers a step-up.
  • Internal movesRe-labelling balances between roles on the unified ledger is not an external boundary.
RISK-BASED SESSIONS

Strange behaviour shrinks the trust window.

A session is not a fixed-length pass. When the signals around it look anomalous, the window of trust contracts and re-authentication comes sooner.

01 · Signals

Anomalies tighten the session.

Unusual signals — a sudden cross-IP jump, an unfamiliar network, an improbable location change — are read as risk. The riskier the context, the shorter the session is trusted before it asks you to re-authenticate.

Mechanism: risk score → reduced session trust window.

02 · Cross-IP example

A mid-session network jump.

If a live session suddenly appears from a different network or country, that is treated as an anomaly: the trust window is cut short and the next sensitive action re-prompts earlier than it otherwise would.

Mechanism: cross-IP anomaly → earlier re-authentication.

API KEYS

Only the rights you grant.

API keys are scoped — read, trade, and withdraw are separate permissions. Requests are signed with Ed25519 rather than carrying a bearer secret, and withdraw-scoped keys only work against whitelisted addresses.

API key scopes and the constraints attached to each.
ScopeGrantsAuthDestination
readRead balances, orders, and market data. Nothing that moves value.Ed25519-signed
tradePlace and cancel orders. Cannot withdraw or change settings.Ed25519-signed
withdrawRequest withdrawals only — and only to addresses you have whitelisted.Ed25519-signedWhitelist-only

IP allowlisting can be attached to any key. Requests are signed, so a leaked key is not a usable bearer token on its own.

DETAILS

Questions, answered straight.

How login, sessions, and keys actually behave — the parts worth understanding before you connect an app or move funds.

What is a passkey and why is it phishing-resistant?

A passkey is a device-bound key pair created for a specific origin. The private half never leaves your device and is only usable on the real site, so a look-alike phishing page has nothing to capture and nothing to replay — there is no shared secret or code to steal. That is what makes it phishing-resistant where a one-time code is not.

Will I be asked for 2FA on every trade?

No. Step-up is a perimeter model, not a per-action prompt. Ordinary trading inside your authenticated session runs without interruption. Fresh proof is required only for boundary actions — withdrawals, whitelist changes, issuing API keys, or changing your second factor.

What can a stolen read-only key do?

Nothing that moves money. A read-scoped key can only read balances, orders, and market data — it cannot place trades, change settings, or withdraw. Scopes are separate permissions, so a leaked read key never gains write or withdrawal power, and requests are signed rather than relying on the key as a bearer secret.

What triggers a session risk escalation?

Anomalous signals around the session — a sudden cross-IP or cross-country jump, an unfamiliar network, an improbable change in context. When the risk score rises, the session's trust window contracts and the next sensitive action asks you to re-authenticate earlier than it otherwise would.

KEEP READING

Identity guards who may ask to move money; custody holds it under a threshold signature, and transparency lets you check the books behind both.

High-risk derivatives. Trading perpetuals can result in loss exceeding initial margin. Not for residents of restricted jurisdictions (non-US · non-UK).
Full risk disclosure →