Skip to main content
The Polymarket US API uses Private Key JWT authentication with RSA keys — the same mechanism used across the platform, including by institutional traders. You sign a JWT with your RSA private key and exchange it for a short-lived access token.

Full authentication guide

Key generation, JWT claims, code samples (Python, Go, curl), key rotation, troubleshooting, and the complete scope reference live in the Institutional API → Getting Started guide. This page covers what’s specific to partners and links you there for the implementation details.
Your RSA key pairs are generated during Partner Onboarding — you share only the public keys with Polymarket US and keep the private keys secure.

How it works

  1. Create a signed JWT assertion — sign a JWT with your private key.
  2. Exchange it for an access token — send the assertion to the token endpoint.
  3. Call the API with the access token — include it as a Bearer token on each request.
The full guide has the exact JWT claims, token request, and ready-to-use Python and Go clients.

Environments

Use https://[API Domain] for both the JWT audience claim and the API base URL. Each environment requires separate onboarding — pre-production credentials do not work in production.

Prerequisites

After completing Partner Onboarding, you will have everything you need to authenticate:

Acting on behalf of a participant

This is the main partner-specific difference. You authenticate once as your Firm, then act on behalf of the Retail Participants you onboard by including the x-participant-id header on account-scoped requests (trading, positions, reports):
Use GET /v1/users to discover the participant IDs your Firm may act on behalf of. See Participants for how to resolve identities, and Accounts & Identity for the full hierarchy.

Scopes

Your application is granted scopes that control which endpoints you can call. The scopes most relevant to partners include:
The authoritative scope list and the full scope-by-endpoint mapping are maintained in the full authentication guide. Missing a required scope returns 403 Forbidden (REST) / PERMISSION_DENIED (gRPC).

Next steps

Full authentication guide

JWT claims, code samples, key rotation, and troubleshooting.

Partner Onboarding

Get your keys registered and receive your Client ID.

Quickstart

Authenticate and place your first order end to end.

Troubleshooting

Resolve common authentication errors.