This guide covers the complete authentication flow for accessing the Polymarket Exchange API.
Authentication Flow Overview
One-Time Registration
Before you can use the API, you must complete a one-time registration process.
Step 1: Request a Registration JWT
Contact your account manager to receive a registration JWT. This token is used only once to create your account credentials.
Step 2: Register with Your Chosen Password
Call the /auth/v1beta1/register endpoint with your registration JWT and a password you choose:
curl -X POST "https://traderapi.us-east-1.privatelink.preprod.polymarketexchange.com/auth/v1beta1/register" \
-H "Host: rest.preprod.polymarketexchange.com" \
-H "Content-Type: application/json" \
-d '{
"token": "JWT_FROM_ACCOUNT_MANAGER",
"password": "YOUR_CHOSEN_PASSWORD"
}'
Password Requirements: Use the /auth/v1beta1/check_password endpoint to verify your password meets minimum strength requirements before registering.
Registration is a one-time operation. Store your password securely - you will need it to log in.
Login
After registration, authenticate using your username and password to obtain access and refresh tokens.
curl -X POST "https://traderapi.us-east-1.privatelink.preprod.polymarketexchange.com/auth/v1beta1/login" \
-H "Host: rest.preprod.polymarketexchange.com" \
-H "Content-Type: application/json" \
-d '{
"username": "YOUR_USERNAME",
"password": "YOUR_PASSWORD"
}'
Response
{
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"accessIssueTime": "2025-01-15T10:00:00Z",
"accessExpirationTime": "2025-01-15T11:00:00Z",
"refreshIssueTime": "2025-01-15T10:00:00Z",
"refreshExpirationTime": "2025-01-22T10:00:00Z"
}
| Field | Description |
|---|---|
| accessToken | JWT used to authenticate API requests |
| refreshToken | JWT used to obtain new access tokens |
| accessExpirationTime | When the access token expires |
| refreshExpirationTime | When the refresh token expires |
Using Access Tokens
Include the access token in the Authorization header for all API requests:
curl -X POST "https://traderapi.us-east-1.privatelink.preprod.polymarketexchange.com/api/v1beta1/insert_order" \
-H "Host: rest.preprod.polymarketexchange.com" \
-H "Authorization: YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"symbol": "aec-nfl-buf-nyj-2025-01-15",
"side": "SIDE_BUY",
"order_qty": "10",
"price": "0.55",
"type": "ORDER_TYPE_LIMIT",
"time_in_force": "TIME_IN_FORCE_GOOD_TILL_CANCEL",
"clord_id": "client-order-123",
"account": "your-account-id"
}'
Do not include the “Bearer ” prefix; use the token value directly in the Authorization header.
Refreshing Tokens
Access tokens have a limited lifespan. Before your access token expires, use the refresh token to obtain a new one:
curl -X POST "https://traderapi.us-east-1.privatelink.preprod.polymarketexchange.com/auth/v1beta1/refresh_access_token" \
-H "Host: rest.preprod.polymarketexchange.com" \
-H "Content-Type: application/json" \
-d '{
"refreshToken": "YOUR_REFRESH_TOKEN"
}'
Response
{
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"accessIssueTime": "2025-01-15T11:00:00Z",
"accessExpirationTime": "2025-01-15T12:00:00Z"
}
Best Practice: Refresh your access token proactively before it expires. The JWT itself contains an exp claim with the expiration timestamp - most JWT libraries can decode this automatically. This is easier than storing the separate accessExpirationTime value from the response.
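One way to apply this on the client, as an added example that is not part of the Polymarket documentation: read exp from the access token and refresh once it is within a safety margin of expiry. The 60-second margin, the helper names and the sample token are assumptions; the payload is decoded without signature verification, so the result is a scheduling hint only.

```python
import base64
import json
import time
from typing import Optional

REFRESH_MARGIN_SECONDS = 60  # assumed safety margin, not a documented value


def jwt_exp(token: str) -> int:
    """Return the exp claim (Unix seconds) from a JWT, without verifying it.

    Unverified claims are only a scheduling hint for the client; the server
    stays the authority on whether the token is still valid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("JWT has no numeric exp claim")
    return int(exp)


def needs_refresh(token: str, now: Optional[float] = None,
                  margin: int = REFRESH_MARGIN_SECONDS) -> bool:
    """True once the token is within `margin` seconds of expiry, or past it."""
    now = time.time() if now is None else now
    return now >= jwt_exp(token) - margin


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token: exp = 2025-01-15T11:00:00Z, placeholder signature.
SAMPLE_EXP = 1736938800
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "HS256", "typ": "JWT"}),
    _b64url({"sub": "example-user", "exp": SAMPLE_EXP}),
    "constructed-signature",
])

if __name__ == "__main__":
    print(needs_refresh(SAMPLE_TOKEN, now=SAMPLE_EXP - 300))
    print(needs_refresh(SAMPLE_TOKEN, now=SAMPLE_EXP - 30))
```

Call needs_refresh before each request and, when it returns true, post the refresh token to /auth/v1beta1/refresh_access_token as shown above.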
Multi-Factor Authentication (Optional)
For additional security, you can enable MFA using a time-based one-time password (TOTP) authenticator app.
Enroll in MFA
curl -X POST "https://traderapi.us-east-1.privatelink.preprod.polymarketexchange.com/auth/v1beta1/enroll_mfa" \
-H "Host: rest.preprod.polymarketexchange.com" \
-H "Content-Type: application/json" \
-d '{
"username": "YOUR_USERNAME",
"password": "YOUR_PASSWORD"
}'
This returns an enrollmentUrl in the format otpauth://totp/... that you can scan with an authenticator app (Google Authenticator, Authy, etc.).
Confirm MFA Setup
After scanning the QR code, confirm MFA with a one-time password from your authenticator:
curl -X POST "https://traderapi.us-east-1.privatelink.preprod.polymarketexchange.com/auth/v1beta1/confirm_mfa" \
-H "Host: rest.preprod.polymarketexchange.com" \
-H "Content-Type: application/json" \
-d '{
"username": "YOUR_USERNAME",
"password": "YOUR_PASSWORD",
"otp": "123456"
}'
Login with MFA
Once MFA is enabled, include the otp field when logging in:
curl -X POST "https://traderapi.us-east-1.privatelink.preprod.polymarketexchange.com/auth/v1beta1/login" \
-H "Host: rest.preprod.polymarketexchange.com" \
-H "Content-Type: application/json" \
-d '{
"username": "YOUR_USERNAME",
"password": "YOUR_PASSWORD",
"otp": "123456"
}'
Other Operations
Change Password
curl -X POST "https://traderapi.us-east-1.privatelink.preprod.polymarketexchange.com/auth/v1beta1/change_password" \
-H "Host: rest.preprod.polymarketexchange.com" \
-H "Content-Type: application/json" \
-d '{
"username": "YOUR_USERNAME",
"oldPassword": "YOUR_OLD_PASSWORD",
"newPassword": "YOUR_NEW_PASSWORD"
}'
Logout
Revoke your tokens when ending a session:
curl -X POST "https://traderapi.us-east-1.privatelink.preprod.polymarketexchange.com/auth/v1beta1/logout" \
-H "Host: rest.preprod.polymarketexchange.com" \
-H "Authorization: YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"accessToken": "YOUR_ACCESS_TOKEN",
"refreshToken": "YOUR_REFRESH_TOKEN"
}'