@0xmonaco/core 0.8.5 → 0.8.7-develop.34bd452

package/dist/api/auth/api.d.ts

@@ -28,7 +28,7 @@
  * const backendAuth = await authAPI.authenticateBackend(secretKey);
  * ```
  */
-import type { AuthAPI, AuthState, BackendAuthResponse, ChallengeResponse, TokenRefreshResponse } from "@0xmonaco/types";
+import type { AuthAPI, AuthState, BackendAuthResponse, ChallengeResponse, SessionCredentials, SessionRefreshResponse } from "@0xmonaco/types";
 import type { Chain, WalletClient } from "viem";
 import { BaseAPI } from "../base";
 export declare class AuthAPIImpl extends BaseAPI implements AuthAPI {
@@ -51,20 +51,24 @@ export declare class AuthAPIImpl extends BaseAPI implements AuthAPI {
      * Complete authentication flow for frontend applications.
      *
      * This method handles the entire authentication process:
-     * 1. Creates a challenge
-     * 2. Signs the challenge message
-     * 3. Verifies the signature and returns JWT tokens
+     * 1. Generates a fresh ed25519 session keypair locally
+     * 2. Creates a challenge that commits to the session public key
+     * 3. Signs the challenge message with the wallet
+     * 4. Verifies the signature, registering the session public key
+     *
+     * The returned {@link AuthState} carries the session keypair; sign subsequent
+     * requests with the private key (the wallet is not used again until the
+     * session expires).
      *
      * @param clientId - Client ID of the application
-     * @returns Promise resolving to the verification response with JWT tokens
+     * @returns Promise resolving to the authentication state (with the session keypair)
      * @throws {APIError} When authentication fails
      * @throws {InvalidConfigError} When wallet account is not available
      *
      * @example
      * ```typescript
-     * // Complete authentication in one call
      * const authResult = await authAPI.authenticate("my-app-client-id");
-     * console.log(`Access token: ${authResult.access_token}`);
+     * console.log(`Session public key: ${authResult.sessionPublicKey}`);
      * console.log(`User ID: ${authResult.user.id}`);
      * ```
      */
@@ -109,7 +113,7 @@ export declare class AuthAPIImpl extends BaseAPI implements AuthAPI {
      * console.log(`Nonce: ${challenge.nonce}`);
      * ```
      */
-    createChallenge(address: string, clientId: string): Promise<ChallengeResponse>;
+    createChallenge(address: string, clientId: string, sessionPublicKey: string): Promise<ChallengeResponse>;
     /**
      * Verifies a signature for frontend authentication.
      *
@@ -117,33 +121,24 @@ export declare class AuthAPIImpl extends BaseAPI implements AuthAPI {
      * authenticated API access. This is the second step in the authentication flow.
      *
      * @param address - Wallet address of the user
-     * @param signature - Signature of the challenge message
+     * @param signature - Wallet signature of the challenge message
      * @param nonce - Nonce from the challenge response
      * @param clientId - Client ID of the application
-     * @returns Promise resolving to the verification response with JWT tokens
+     * @param session - The locally-generated session keypair (hex-encoded)
+     * @returns Promise resolving to the authentication state (with the session keypair)
      * @throws {APIError} When signature verification fails
      *
      * @example
      * ```typescript
-     * // First create a challenge
-     * const challenge = await authAPI.createChallenge(address, clientId);
-     *
-     * // User signs the challenge message with their wallet
+     * const keypair = generateSessionKeypair();
+     * const session = { publicKey: publicKeyHex(keypair), privateKey: privateKeyHex(keypair) };
+     * const challenge = await authAPI.createChallenge(address, clientId, session.publicKey);
      * const signature = await wallet.signMessage(challenge.message);
-     *
-     * // Verify the signature and get tokens
-     * const authResult = await authAPI.verifySignature(
-     *   address,
-     *   signature,
-     *   challenge.nonce,
-     *   clientId
-     * );
-     *
-     * console.log(`Access token: ${authResult.accessToken}`);
-     * console.log(`User ID: ${authResult.user.id}`);
+     * const authResult = await authAPI.verifySignature(address, signature, challenge.nonce, clientId, session);
+     * console.log(`Session public key: ${authResult.sessionPublicKey}`);
      * ```
      */
-    verifySignature(address: string, signature: string, nonce: string, clientId: string): Promise<AuthState>;
+    verifySignature(address: string, signature: string, nonce: string, clientId: string, session: SessionCredentials): Promise<AuthState>;
     /**
      * Authenticates a backend service using a secret key.
      *
@@ -163,44 +158,36 @@ export declare class AuthAPIImpl extends BaseAPI implements AuthAPI {
      */
     authenticateBackend(secretKey: string): Promise<BackendAuthResponse>;
     /**
-     * Refreshes an access token using a refresh token.
+     * Extends the current session's expiry.
      *
-     * Obtains a new access token using a valid refresh token. This is useful for
-     * maintaining long-term authentication without requiring the user to sign
-     * a new challenge.
+     * The request is signed with the active session key (set via
+     * {@link setSessionKeypair}); the server bumps the session's `expires_at`.
+     * No new credential is issued — the same keypair keeps working.
      *
-     * @param refreshToken - The refresh token to use
-     * @returns Promise resolving to new access and refresh tokens
-     * @throws {APIError} When token refresh fails
+     * @returns Promise resolving to the new expiry
+     * @throws {APIError} When refresh fails (e.g. session expired or revoked)
      *
      * @example
      * ```typescript
-     * const newTokens = await authAPI.refreshToken(refreshToken);
-     * console.log(`New access token: ${newTokens.accessToken}`);
-     * console.log(`Expires at: ${new Date(newTokens.expiresAt * 1000)}`);
+     * const { expiresAt } = await authAPI.refreshSession();
+     * console.log(`Session now expires at: ${new Date(expiresAt * 1000)}`);
      * ```
      */
-    refreshToken(refreshToken: string): Promise<TokenRefreshResponse>;
+    refreshSession(): Promise<SessionRefreshResponse>;
     /**
-     * Revokes the current session's refresh token.
-     *
-     * Invalidates the refresh token associated with the current access token,
-     * preventing it from being used to obtain new access tokens. This is useful
-     * for logout functionality or when a token has been compromised.
+     * Revokes the current session.
      *
-     * The server identifies the token to revoke from the access token in the
-     * Authorization header — no request body is needed.
+     * The request is signed with the active session key; the server deletes the
+     * matching session row. Used for logout or when a key may be compromised.
      *
-     * @returns Promise resolving when the token is revoked
-     * @throws {APIError} When token revocation fails
+     * @returns Promise resolving when the session is revoked
+     * @throws {APIError} When revocation fails
      *
      * @example
      * ```typescript
-     * // After authentication
-     * const authResult = await authAPI.authenticate(clientId);
-     * await authAPI.revokeToken();
-     * console.log("Token revoked successfully");
+     * await authAPI.revokeSession();
+     * console.log("Session revoked successfully");
      * ```
      */
-    revokeToken(): Promise<void>;
+    revokeSession(): Promise<void>;
 }

package/dist/api/auth/api.js

@@ -28,6 +28,7 @@
  * const backendAuth = await authAPI.authenticateBackend(secretKey);
  * ```
  */
+import { generateSessionKeypair, privateKeyHex, publicKeyHex } from "../../crypto/session";
 import { InvalidConfigError } from "../../errors";
 import { BaseAPI } from "../base";
 export class AuthAPIImpl extends BaseAPI {
@@ -56,20 +57,24 @@ export class AuthAPIImpl extends BaseAPI {
      * Complete authentication flow for frontend applications.
      *
      * This method handles the entire authentication process:
-     * 1. Creates a challenge
-     * 2. Signs the challenge message
-     * 3. Verifies the signature and returns JWT tokens
+     * 1. Generates a fresh ed25519 session keypair locally
+     * 2. Creates a challenge that commits to the session public key
+     * 3. Signs the challenge message with the wallet
+     * 4. Verifies the signature, registering the session public key
+     *
+     * The returned {@link AuthState} carries the session keypair; sign subsequent
+     * requests with the private key (the wallet is not used again until the
+     * session expires).
      *
      * @param clientId - Client ID of the application
-     * @returns Promise resolving to the verification response with JWT tokens
+     * @returns Promise resolving to the authentication state (with the session keypair)
      * @throws {APIError} When authentication fails
      * @throws {InvalidConfigError} When wallet account is not available
      *
      * @example
      * ```typescript
-     * // Complete authentication in one call
      * const authResult = await authAPI.authenticate("my-app-client-id");
-     * console.log(`Access token: ${authResult.access_token}`);
+     * console.log(`Session public key: ${authResult.sessionPublicKey}`);
      * console.log(`User ID: ${authResult.user.id}`);
      * ```
      */
@@ -81,12 +86,19 @@ export class AuthAPIImpl extends BaseAPI {
         if (!account) {
             throw new InvalidConfigError("No account available in wallet client", "account");
         }
-        // 1. Create challenge
-        const challenge = await this.createChallenge(account.address, clientId);
-        // 2. Sign the challenge message
+        // 1. Generate a fresh session keypair locally — the server never sees the
+        //    private key.
+        const keypair = generateSessionKeypair();
+        const session = {
+            publicKey: publicKeyHex(keypair),
+            privateKey: privateKeyHex(keypair),
+        };
+        // 2. Create challenge (binds the session public key into the signed message)
+        const challenge = await this.createChallenge(account.address, clientId, session.publicKey);
+        // 3. Sign the challenge message with the wallet
         const signature = await this.signChallenge(challenge.message);
-        // 3. Verify signature and get tokens
-        return await this.verifySignature(account.address, signature, challenge.nonce, clientId);
+        // 4. Verify signature, registering the session public key
+        return await this.verifySignature(account.address, signature, challenge.nonce, clientId, session);
     }
     /**
      * Signs a challenge message using the wallet client.
@@ -141,13 +153,14 @@ export class AuthAPIImpl extends BaseAPI {
      * console.log(`Nonce: ${challenge.nonce}`);
      * ```
      */
-    async createChallenge(address, clientId) {
+    async createChallenge(address, clientId, sessionPublicKey) {
         const responseBody = await this.makePublicRequest("/api/v1/auth/challenge", {
             method: "POST",
             body: JSON.stringify({
                 address,
                 client_id: clientId,
                 chain_id: this.chain.id,
+                session_public_key: sessionPublicKey,
             }),
         });
         return {
@@ -163,33 +176,24 @@ export class AuthAPIImpl extends BaseAPI {
      * authenticated API access. This is the second step in the authentication flow.
      *
      * @param address - Wallet address of the user
-     * @param signature - Signature of the challenge message
+     * @param signature - Wallet signature of the challenge message
      * @param nonce - Nonce from the challenge response
      * @param clientId - Client ID of the application
-     * @returns Promise resolving to the verification response with JWT tokens
+     * @param session - The locally-generated session keypair (hex-encoded)
+     * @returns Promise resolving to the authentication state (with the session keypair)
      * @throws {APIError} When signature verification fails
      *
      * @example
      * ```typescript
-     * // First create a challenge
-     * const challenge = await authAPI.createChallenge(address, clientId);
-     *
-     * // User signs the challenge message with their wallet
+     * const keypair = generateSessionKeypair();
+     * const session = { publicKey: publicKeyHex(keypair), privateKey: privateKeyHex(keypair) };
+     * const challenge = await authAPI.createChallenge(address, clientId, session.publicKey);
      * const signature = await wallet.signMessage(challenge.message);
-     *
-     * // Verify the signature and get tokens
-     * const authResult = await authAPI.verifySignature(
-     *   address,
-     *   signature,
-     *   challenge.nonce,
-     *   clientId
-     * );
-     *
-     * console.log(`Access token: ${authResult.accessToken}`);
-     * console.log(`User ID: ${authResult.user.id}`);
+     * const authResult = await authAPI.verifySignature(address, signature, challenge.nonce, clientId, session);
+     * console.log(`Session public key: ${authResult.sessionPublicKey}`);
      * ```
      */
-    async verifySignature(address, signature, nonce, clientId) {
+    async verifySignature(address, signature, nonce, clientId, session) {
         const responseBody = await this.makePublicRequest("/api/v1/auth/verify", {
             method: "POST",
             body: JSON.stringify({
@@ -198,11 +202,12 @@ export class AuthAPIImpl extends BaseAPI {
                 nonce,
                 client_id: clientId,
                 chain_id: this.chain.id,
+                session_public_key: session.publicKey,
             }),
         });
         return {
-            accessToken: responseBody.access_token,
-            refreshToken: responseBody.refresh_token,
+            sessionPublicKey: session.publicKey,
+            sessionPrivateKey: session.privateKey,
             expiresAt: responseBody.expires_at,
             user: {
                 id: responseBody.user.id,
@@ -247,57 +252,45 @@ export class AuthAPIImpl extends BaseAPI {
         };
     }
     /**
-     * Refreshes an access token using a refresh token.
+     * Extends the current session's expiry.
      *
-     * Obtains a new access token using a valid refresh token. This is useful for
-     * maintaining long-term authentication without requiring the user to sign
-     * a new challenge.
+     * The request is signed with the active session key (set via
+     * {@link setSessionKeypair}); the server bumps the session's `expires_at`.
+     * No new credential is issued — the same keypair keeps working.
      *
-     * @param refreshToken - The refresh token to use
-     * @returns Promise resolving to new access and refresh tokens
-     * @throws {APIError} When token refresh fails
+     * @returns Promise resolving to the new expiry
+     * @throws {APIError} When refresh fails (e.g. session expired or revoked)
      *
      * @example
      * ```typescript
-     * const newTokens = await authAPI.refreshToken(refreshToken);
-     * console.log(`New access token: ${newTokens.accessToken}`);
-     * console.log(`Expires at: ${new Date(newTokens.expiresAt * 1000)}`);
+     * const { expiresAt } = await authAPI.refreshSession();
+     * console.log(`Session now expires at: ${new Date(expiresAt * 1000)}`);
      * ```
      */
-    async refreshToken(refreshToken) {
-        const responseBody = await this.makePublicRequest("/api/v1/auth/refresh", {
+    async refreshSession() {
+        const responseBody = await this.makeAuthenticatedRequest("/api/v1/auth/refresh", {
             method: "POST",
-            body: JSON.stringify({
-                refresh_token: refreshToken,
-            }),
         });
         return {
-            accessToken: responseBody.access_token,
             expiresAt: responseBody.expires_at,
         };
     }
     /**
-     * Revokes the current session's refresh token.
-     *
-     * Invalidates the refresh token associated with the current access token,
-     * preventing it from being used to obtain new access tokens. This is useful
-     * for logout functionality or when a token has been compromised.
+     * Revokes the current session.
      *
-     * The server identifies the token to revoke from the access token in the
-     * Authorization header — no request body is needed.
+     * The request is signed with the active session key; the server deletes the
+     * matching session row. Used for logout or when a key may be compromised.
      *
-     * @returns Promise resolving when the token is revoked
-     * @throws {APIError} When token revocation fails
+     * @returns Promise resolving when the session is revoked
+     * @throws {APIError} When revocation fails
      *
      * @example
      * ```typescript
-     * // After authentication
-     * const authResult = await authAPI.authenticate(clientId);
-     * await authAPI.revokeToken();
-     * console.log("Token revoked successfully");
+     * await authAPI.revokeSession();
+     * console.log("Session revoked successfully");
      * ```
      */
-    async revokeToken() {
+    async revokeSession() {
         await this.makeAuthenticatedRequest("/api/v1/auth/revoke", {
             method: "POST",
         });

package/dist/api/base.d.ts

@@ -20,13 +20,16 @@
  * }
  * ```
  */
+import type { SessionCredentials } from "@0xmonaco/types";
+import { type SessionKeypair } from "../crypto/session";
 export interface RetryOptions {
     maxRetries?: number;
     baseDelayMs?: number;
 }
 export declare abstract class BaseAPI {
     protected readonly apiUrl: string;
-    protected accessToken?: string;
+    /** Active session keypair (raw bytes) used to sign authenticated requests. */
+    protected sessionKeypair?: SessionKeypair;
     protected retryOptions: Required<RetryOptions>;
     /**
      * Creates a new BaseAPI instance.
@@ -36,17 +39,11 @@ export declare abstract class BaseAPI {
      */
     constructor(apiUrl: string, retryOptions?: RetryOptions);
     /**
-     * Set the access token for authenticated requests.
+     * Set (or clear) the session keypair used to sign authenticated requests.
      *
-     * @param token - JWT access token
+     * @param credentials - Hex-encoded session keypair, or `undefined` to clear.
      */
-    setAccessToken(token: string): void;
-    /**
-     * Get the current access token.
-     *
-     * @returns The current access token or undefined if not set
-     */
-    protected getAccessToken(): string | undefined;
+    setSessionKeypair(credentials: SessionCredentials | undefined): void;
     /**
      * Parse request body for error logging
      *
@@ -93,6 +90,15 @@ export declare abstract class BaseAPI {
      * ```
      */
     protected makeAuthenticatedRequest<T>(endpoint: string, options?: RequestInit): Promise<T>;
+    /**
+     * Compute the per-request ed25519 signature headers.
+     *
+     * The signed payload is `METHOD\nPATH_WITH_QUERY\nTIMESTAMP_MS\nSHA256_BODY_HEX`,
+     * matching the server (`handlers::auth::compose_signing_string`). `endpoint`
+     * is the path-with-query exactly as sent; the body hash covers the raw bytes
+     * so a request can't be replayed with a different body.
+     */
+    private buildSignatureHeaders;
     /**
      * Makes an unauthenticated API request.
      *

package/dist/api/base.js

@@ -20,11 +20,14 @@
  * }
  * ```
  */
+import { bytesToHex, utf8ToBytes } from "@noble/hashes/utils";
 import { StatusCodes } from "http-status-codes";
+import { composeSigningString, keypairFromHex, sha256Hex, signMessage } from "../crypto/session";
 import { APIError } from "../errors";
 export class BaseAPI {
     apiUrl;
-    accessToken;
+    /** Active session keypair (raw bytes) used to sign authenticated requests. */
+    sessionKeypair;
     retryOptions;
     /**
      * Creates a new BaseAPI instance.
@@ -40,20 +43,12 @@ export class BaseAPI {
         };
     }
     /**
-     * Set the access token for authenticated requests.
+     * Set (or clear) the session keypair used to sign authenticated requests.
      *
-     * @param token - JWT access token
+     * @param credentials - Hex-encoded session keypair, or `undefined` to clear.
      */
-    setAccessToken(token) {
-        this.accessToken = token;
-    }
-    /**
-     * Get the current access token.
-     *
-     * @returns The current access token or undefined if not set
-     */
-    getAccessToken() {
-        return this.accessToken;
+    setSessionKeypair(credentials) {
+        this.sessionKeypair = credentials ? keypairFromHex(credentials.publicKey, credentials.privateKey) : undefined;
     }
     /**
      * Parse request body for error logging
@@ -229,23 +224,51 @@ export class BaseAPI {
      * ```
      */
     async makeAuthenticatedRequest(endpoint, options = {}) {
-        if (!this.accessToken) {
-            throw new APIError("Access token not set. Call setAccessToken() first.", {
+        if (!this.sessionKeypair) {
+            throw new APIError("Session keypair not set. Authenticate (login) first.", {
                 endpoint: `${this.apiUrl}${endpoint}`,
                 statusCode: StatusCodes.UNAUTHORIZED,
             });
         }
         const url = `${this.apiUrl}${endpoint}`;
         const requestBody = this.parseRequestBody(options.body);
+        const signatureHeaders = this.buildSignatureHeaders(endpoint, options);
         return this.executeRequest(url, endpoint, {
             ...options,
             headers: {
                 "Content-Type": "application/json",
-                Authorization: `Bearer ${this.accessToken}`,
+                ...signatureHeaders,
                 ...options.headers,
             },
         }, requestBody);
     }
+    /**
+     * Compute the per-request ed25519 signature headers.
+     *
+     * The signed payload is `METHOD\nPATH_WITH_QUERY\nTIMESTAMP_MS\nSHA256_BODY_HEX`,
+     * matching the server (`handlers::auth::compose_signing_string`). `endpoint`
+     * is the path-with-query exactly as sent; the body hash covers the raw bytes
+     * so a request can't be replayed with a different body.
+     */
+    buildSignatureHeaders(endpoint, options) {
+        if (!this.sessionKeypair) {
+            throw new APIError("Session keypair not set. Authenticate (login) first.", {
+                endpoint: `${this.apiUrl}${endpoint}`,
+                statusCode: StatusCodes.UNAUTHORIZED,
+            });
+        }
+        const method = (options.method ?? "GET").toUpperCase();
+        const timestampMs = Date.now();
+        const bodyBytes = typeof options.body === "string" ? utf8ToBytes(options.body) : new Uint8Array(0);
+        const bodyHash = sha256Hex(bodyBytes);
+        const signingString = composeSigningString(method, endpoint, timestampMs, bodyHash);
+        const signature = signMessage(this.sessionKeypair.privateKey, signingString);
+        return {
+            "X-Monaco-PublicKey": bytesToHex(this.sessionKeypair.publicKey),
+            "X-Monaco-Timestamp": String(timestampMs),
+            "X-Monaco-Signature": signature,
+        };
+    }
     /**
      * Makes an unauthenticated API request.
      *

package/dist/api/orderbook/api.js

@@ -12,7 +12,8 @@ export class OrderbookAPIImpl extends BaseAPI {
             params.set("denomination", denomination.toLowerCase());
         const response = await this.makePublicRequest(`/api/v1/orderbook/${encodeURIComponent(tradingPairId)}?${params.toString()}`);
         return {
-            tradingPairId: response.symbol,
+            // `trading_pair_id` is the pair UUID; `symbol` is the display string.
+            tradingPairId: response.trading_pair_id,
             tradingMode: response.trading_mode,
             bids: response.data.bids.map((level) => ({
                 price: level.price,

package/dist/api/trading/api.js

@@ -493,8 +493,11 @@ export class TradingAPIImpl extends BaseAPI {
      * ```
      */
     async getOrder(orderId) {
-        return await this.makeAuthenticatedRequest(perpRoutes.orders.get(orderId), {
-            method: "GET",
-        });
+        // The REST endpoint returns the order fields at the top level (a flat
+        // `Order`), not wrapped in `{ order, status }`. Wrap it here so the SDK
+        // honors its declared `GetOrderResponse` contract. A non-2xx response
+        // throws in `makeAuthenticatedRequest`, so reaching here means success.
+        const order = await this.makeAuthenticatedRequest(perpRoutes.orders.get(orderId), { method: "GET" });
+        return { order, status: "SUCCESS" };
     }
 }

package/dist/api/websocket/types.d.ts

@@ -1,9 +1,9 @@
-import type { ConditionalOrderEvent, Interval, OHLCVEvent, OrderbookEvent, OrderbookQuotationMode, OrderEvent, TradeEvent, TradingMode, UserBalanceEvent, UserMovementEvent, WebSocketStatus } from "@0xmonaco/types";
+import type { ConditionalOrderEvent, Interval, OHLCVEvent, OrderbookEvent, OrderbookQuotationMode, OrderEvent, SessionCredentials, TradeEvent, TradingMode, UserBalanceEvent, UserMovementEvent, WebSocketStatus } from "@0xmonaco/types";
 export type StatusHandler = (status: WebSocketStatus) => void;
 export type MessageHandler<T> = (data: T) => void;
 export interface MonacoWebSocketOptions {
-    /** JWT access token for authenticated channels (orders) */
-    token?: string;
+    /** Session keypair for authenticated channels (orders, balances, etc.) */
+    session?: SessionCredentials;
     /** Enable auto-reconnect on disconnect (default: true) */
     autoReconnect?: boolean;
     /** Maximum reconnection attempts (default: 5) */
@@ -20,8 +20,8 @@ export interface MonacoWebSocket {
     isConnected: () => boolean;
     /** Get current websocket connection status */
     getStatus: () => WebSocketStatus;
-    /** Update the access token (for re-auth) */
-    setToken: (token: string) => void;
+    /** Set (or clear) the session keypair used to authenticate the connection */
+    setSessionKeypair: (credentials: SessionCredentials | undefined) => void;
     /** Subscribe to order events (requires authentication) */
     orders: (tradingPairId: string, tradingMode: TradingMode, handler: MessageHandler<OrderEvent>) => () => void;
     /** Subscribe to orderbook events (public) */

package/dist/api/websocket/websocket.js

@@ -1,3 +1,5 @@
+import { hexToBytes } from "@noble/hashes/utils";
+import { composeWsSigningString, signMessage } from "../../crypto/session";
 import { ALL_MAGNITUDES } from "../../utils";
 import { keysToCamelCase } from "./utils";
 // Connection constants
@@ -107,7 +109,7 @@ function parseConditionalOrderEvent(rawData) {
  */
 export function createMonacoWebSocket(baseUrl, options = {}) {
     let ws = null;
-    let token = options.token;
+    let session = options.session;
     let reconnectAttempts = 0;
     let reconnectTimer = null;
     let heartbeatTimer = null;
@@ -127,11 +129,24 @@ export function createMonacoWebSocket(baseUrl, options = {}) {
                 return "disconnected";
         }
     };
-    const getUrl = () => {
-        const url = new URL(baseUrl);
-        if (token)
-            url.searchParams.set("token", token);
-        return url.toString();
+    const getUrl = () => baseUrl;
+    /**
+     * Send the signed auth handshake as the first message after the socket
+     * opens. The client signs `WS-AUTH\n<pubkey>\n<ts>` with the session private
+     * key; the server binds the connection to the session. No-op if no session
+     * is set (public channels work unauthenticated).
+     */
+    const sendAuthenticate = () => {
+        if (!session || ws?.readyState !== WebSocket.OPEN)
+            return;
+        const timestamp = Date.now();
+        const signature = signMessage(hexToBytes(session.privateKey), composeWsSigningString(session.publicKey, timestamp));
+        ws.send(JSON.stringify({
+            type: "Authenticate",
+            public_key: session.publicKey,
+            timestamp,
+            signature,
+        }));
     };
     const stopHeartbeat = () => {
         if (heartbeatTimer) {
@@ -217,6 +232,9 @@ export function createMonacoWebSocket(baseUrl, options = {}) {
                     }
                     reconnectAttempts = 0;
                     startHeartbeat();
+                    // Authenticate before resubscribing so user-specific channels
+                    // (orders, balances, …) are authorized when the Subscribe arrives.
+                    sendAuthenticate();
                     resubscribeAll();
                     options.onStatusChange?.("connected");
                     resolve();
@@ -324,7 +342,9 @@ export function createMonacoWebSocket(baseUrl, options = {}) {
                 const data = rawData;
                 const orderbookData = data.data;
                 const event = {
-                    tradingPairId: data.symbol,
+                    // `trading_pair_id` is the pair UUID; `symbol` is the display string
+                    // (e.g. "AMZN/USDC"). `tradingPairId` must carry the UUID.
+                    tradingPairId: data.trading_pair_id,
                     tradingMode: data.trading_mode,
                     bids: (orderbookData?.bids || []).map((level) => ({
                         price: level.price,
@@ -368,7 +388,9 @@ export function createMonacoWebSocket(baseUrl, options = {}) {
                 const data = rawData;
                 const ohlcvData = data.data;
                 const event = {
-                    tradingPairId: data.symbol,
+                    // `trading_pair_id` is the pair UUID; `symbol` is the display string.
+                    // `tradingPairId` must carry the UUID (the symbol lives in `candlestick.s`).
+                    tradingPairId: data.trading_pair_id,
                     tradingMode: data.trading_mode,
                     interval: data.interval,
                     candlestick: {
@@ -532,21 +554,20 @@ export function createMonacoWebSocket(baseUrl, options = {}) {
         disconnect,
         isConnected: () => ws?.readyState === WebSocket.OPEN,
         getStatus,
-        setToken: (newToken) => {
-            token = newToken || undefined;
-            stopReconnect();
-            const currentSocket = ws;
-            if (currentSocket?.readyState === WebSocket.OPEN ||
-                currentSocket?.readyState === WebSocket.CONNECTING ||
-                currentSocket?.readyState === WebSocket.CLOSING) {
-                currentSocket.close(1000, newToken ? "Token updated, reconnecting." : "Token cleared.");
-                ws = null;
+        setSessionKeypair: (credentials) => {
+            session = credentials ?? undefined;
+            // If already connected, (re)send the signed handshake so the connection
+            // picks up the new session without tearing down. If not yet connected,
+            // onopen will send it. Clearing the session leaves the connection up for
+            // public channels; logout calls disconnect() to fully tear down.
+            if (session && ws?.readyState === WebSocket.OPEN) {
+                sendAuthenticate();
+            }
+            else if (session && (!ws || ws.readyState === WebSocket.CLOSED)) {
+                connect().catch((err) => {
+                    console.warn("WebSocket: Failed to connect after session update:", err);
+                });
             }
-            if (!newToken)
-                return;
-            connect().catch((err) => {
-                console.warn("WebSocket: Failed to reconnect after token update:", err);
-            });
         },
         orders: subscribeOrders,
         orderbook: subscribeOrderbook,

package/dist/crypto/session.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Session keypair crypto for noncustodial request signing.
+ *
+ * On login the SDK generates a random ed25519 keypair locally. The public key
+ * is registered with the server (bound by the wallet's signature on the
+ * challenge); every subsequent authenticated request is signed with the
+ * private key. The server verifies the signature against the stored public
+ * key — it never sees the private key, so it cannot mint requests as the user.
+ */
+/** A locally-generated ed25519 session keypair (raw 32-byte values). */
+export interface SessionKeypair {
+    /** 32-byte ed25519 public key */
+    publicKey: Uint8Array;
+    /** 32-byte ed25519 private key (seed) */
+    privateKey: Uint8Array;
+}
+/**
+ * Generate a fresh ed25519 session keypair.
+ *
+ * `@noble/curves` sources entropy from `crypto.getRandomValues`. Environments
+ * without it (very old Node without webcrypto, locked-down sandboxes) will
+ * throw — we surface a clear error rather than producing a weak key.
+ */
+export declare function generateSessionKeypair(): SessionKeypair;
+export declare function publicKeyHex(keypair: SessionKeypair): string;
+export declare function privateKeyHex(keypair: SessionKeypair): string;
+/** Reconstruct a keypair from its hex-encoded halves (e.g. restored from storage). */
+export declare function keypairFromHex(publicKeyHex: string, privateKeyHex: string): SessionKeypair;
+/** Lowercase-hex sha256 of the given bytes. Use over an empty array for no-body requests. */
+export declare function sha256Hex(data: Uint8Array): string;
+/**
+ * Canonical per-request signing string. Mirrors the server
+ * (`handlers::auth::compose_signing_string`):
+ * `METHOD\nPATH_WITH_QUERY\nTIMESTAMP_MS\nSHA256_BODY_HEX`.
+ */
+export declare function composeSigningString(method: string, pathWithQuery: string, timestampMs: number, bodySha256Hex: string): string;
+/** Canonical WebSocket handshake signing string: `WS-AUTH\n<pubkey-hex>\n<ts>`. */
+export declare function composeWsSigningString(publicKeyHex: string, timestampMs: number): string;
+/** Sign an arbitrary string with the session private key, returning lowercase hex. */
+export declare function signMessage(privateKey: Uint8Array, message: string): string;

package/dist/crypto/session.js

@@ -0,0 +1,60 @@
+/**
+ * Session keypair crypto for noncustodial request signing.
+ *
+ * On login the SDK generates a random ed25519 keypair locally. The public key
+ * is registered with the server (bound by the wallet's signature on the
+ * challenge); every subsequent authenticated request is signed with the
+ * private key. The server verifies the signature against the stored public
+ * key — it never sees the private key, so it cannot mint requests as the user.
+ */
+import { ed25519 } from "@noble/curves/ed25519";
+import { sha256 } from "@noble/hashes/sha2";
+import { bytesToHex, hexToBytes, utf8ToBytes } from "@noble/hashes/utils";
+/**
+ * Generate a fresh ed25519 session keypair.
+ *
+ * `@noble/curves` sources entropy from `crypto.getRandomValues`. Environments
+ * without it (very old Node without webcrypto, locked-down sandboxes) will
+ * throw — we surface a clear error rather than producing a weak key.
+ */
+export function generateSessionKeypair() {
+    if (typeof globalThis.crypto?.getRandomValues !== "function") {
+        throw new Error("Secure randomness (crypto.getRandomValues) is unavailable; cannot generate a session keypair.");
+    }
+    const privateKey = ed25519.utils.randomPrivateKey();
+    const publicKey = ed25519.getPublicKey(privateKey);
+    return { publicKey, privateKey };
+}
+export function publicKeyHex(keypair) {
+    return bytesToHex(keypair.publicKey);
+}
+export function privateKeyHex(keypair) {
+    return bytesToHex(keypair.privateKey);
+}
+/** Reconstruct a keypair from its hex-encoded halves (e.g. restored from storage). */
+export function keypairFromHex(publicKeyHex, privateKeyHex) {
+    return {
+        publicKey: hexToBytes(publicKeyHex),
+        privateKey: hexToBytes(privateKeyHex),
+    };
+}
+/** Lowercase-hex sha256 of the given bytes. Use over an empty array for no-body requests. */
+export function sha256Hex(data) {
+    return bytesToHex(sha256(data));
+}
+/**
+ * Canonical per-request signing string. Mirrors the server
+ * (`handlers::auth::compose_signing_string`):
+ * `METHOD\nPATH_WITH_QUERY\nTIMESTAMP_MS\nSHA256_BODY_HEX`.
+ */
+export function composeSigningString(method, pathWithQuery, timestampMs, bodySha256Hex) {
+    return `${method.toUpperCase()}\n${pathWithQuery}\n${timestampMs}\n${bodySha256Hex}`;
+}
+/** Canonical WebSocket handshake signing string: `WS-AUTH\n<pubkey-hex>\n<ts>`. */
+export function composeWsSigningString(publicKeyHex, timestampMs) {
+    return `WS-AUTH\n${publicKeyHex}\n${timestampMs}`;
+}
+/** Sign an arbitrary string with the session private key, returning lowercase hex. */
+export function signMessage(privateKey, message) {
+    return bytesToHex(ed25519.sign(utf8ToBytes(message), privateKey));
+}

package/dist/sdk.d.ts

@@ -21,21 +21,26 @@ export declare class MonacoSDKImpl implements MonacoSDK {
     private readonly network;
     private readonly chain;
     /**
-     * Propagate the access token to all APIs and WebSocket
+     * Propagate the session keypair (or `undefined` to clear) to all APIs and
+     * the WebSocket client.
      */
-    private propagateAccessToken;
+    private propagateSession;
+    /** Extract the session keypair from an auth state. */
+    private sessionFromAuthState;
     constructor(cfg: SDKConfig);
     /**
      * Authenticate the user
      *
-     * Returns an AuthState object containing:
-     * - `accessToken`: For making authenticated API requests
-     * - `refreshToken`: For refreshing tokens AND revoking (logout)
-     * - `expiresAt`: When the access token expires
+     * Generates a session keypair, has the wallet authorize it, and returns an
+     * AuthState object containing:
+     * - `sessionPublicKey` / `sessionPrivateKey`: the session keypair used to
+     *   sign subsequent requests (the private key is the credential — persist it
+     *   to survive reloads without re-prompting the wallet)
+     * - `expiresAt`: When the session expires
      * - `user`: User information
      *
-     * Note: Use `sdk.logout()` to revoke the token and clean up, or call
-     * `sdk.auth.revokeToken()` directly to just revoke.
+     * Note: Use `sdk.logout()` to revoke the session and clean up, or call
+     * `sdk.auth.revokeSession()` directly to just revoke.
      *
      * @param clientId - The client ID for authentication
      * @param options - Optional configuration
@@ -49,13 +54,10 @@ export declare class MonacoSDKImpl implements MonacoSDK {
      * // Login and auto-connect WebSocket
      * const authState = await sdk.login(clientId, { connectWebSocket: true });
      *
-     * // Manual WebSocket connection
-     * await sdk.ws.connect();
-     *
      * // Later, to revoke:
-     * await sdk.auth.revokeToken(); // ✅
+     * await sdk.auth.revokeSession(); // ✅
      * // Or revoke and disconnect WebSocket:
-     * await sdk.logout(); // ✅ Calls revokeToken internally and disconnects WebSocket
+     * await sdk.logout(); // ✅ Calls revokeSession internally and disconnects WebSocket
      * ```
      */
     login(clientId: string, options?: {
@@ -77,19 +79,24 @@ export declare class MonacoSDKImpl implements MonacoSDK {
     /**
      * Log the user out
      *
-     * This method revokes the refresh token (if available), disconnects all authenticated
+     * This method revokes the session (if authenticated), disconnects all authenticated
      * WebSocket channels, and clears the local auth state.
-     * It internally calls `auth.revokeToken()` to invalidate the token on the server.
+     * It internally calls `auth.revokeSession()` to invalidate the session on the server.
      *
      * @example
      * ```typescript
      * await sdk.logout();
-     * // Token is revoked, authenticated WebSockets disconnected, and local state cleared
+     * // Session is revoked, authenticated WebSockets disconnected, and local state cleared
      * ```
      */
     logout(): Promise<void>;
     /**
-     * Refresh the access token
+     * Refresh the current session, extending its expiry.
+     *
+     * Signs a refresh request with the active session key and updates the local
+     * `expiresAt`. The session keypair is unchanged. If no session is active, or
+     * the session has expired/been revoked, this throws.
+     *
      * @returns The updated authentication state
      */
     refreshAuth(): Promise<AuthState>;

package/dist/sdk.js

@@ -13,6 +13,16 @@ import { TradingAPIImpl } from "./api/trading";
 import { VaultAPIImpl } from "./api/vault";
 import { APIError, InvalidConfigError, InvalidStateError } from "./errors";
 import { resolveApiUrl, resolveWsUrl } from "./networks";
+/** Validate a user-supplied URL override, returning it unchanged when valid. */
+function validateUrl(value, field) {
+    try {
+        new URL(value);
+    }
+    catch (_e) {
+        throw new InvalidConfigError(`${field} must be a valid URL, got: ${value}`, field);
+    }
+    return value;
+}
 export class MonacoSDKImpl {
     auth;
     delegatedAgents;
@@ -33,22 +43,30 @@ export class MonacoSDKImpl {
     network;
     chain;
     /**
-     * Propagate the access token to all APIs and WebSocket
+     * Propagate the session keypair (or `undefined` to clear) to all APIs and
+     * the WebSocket client.
      */
-    propagateAccessToken(accessToken) {
-        this.auth.setAccessToken(accessToken);
-        this.delegatedAgents.setAccessToken(accessToken);
-        this.applications.setAccessToken(accessToken);
-        this.fees.setAccessToken(accessToken);
-        this.vault.setAccessToken(accessToken);
-        this.trading.setAccessToken(accessToken);
-        this.market.setAccessToken(accessToken);
-        this.marginAccounts.setAccessToken(accessToken);
-        this.positions.setAccessToken(accessToken);
-        this.profile.setAccessToken(accessToken);
-        this.orderbook.setAccessToken(accessToken);
-        this.trades.setAccessToken(accessToken);
-        this.ws.setToken(accessToken);
+    propagateSession(credentials) {
+        this.auth.setSessionKeypair(credentials);
+        this.delegatedAgents.setSessionKeypair(credentials);
+        this.applications.setSessionKeypair(credentials);
+        this.fees.setSessionKeypair(credentials);
+        this.vault.setSessionKeypair(credentials);
+        this.trading.setSessionKeypair(credentials);
+        this.market.setSessionKeypair(credentials);
+        this.marginAccounts.setSessionKeypair(credentials);
+        this.positions.setSessionKeypair(credentials);
+        this.profile.setSessionKeypair(credentials);
+        this.orderbook.setSessionKeypair(credentials);
+        this.trades.setSessionKeypair(credentials);
+        this.ws.setSessionKeypair(credentials);
+    }
+    /** Extract the session keypair from an auth state. */
+    sessionFromAuthState(authState) {
+        return {
+            publicKey: authState.sessionPublicKey,
+            privateKey: authState.sessionPrivateKey,
+        };
     }
     constructor(cfg) {
         // Validate network - must be a preset
@@ -67,8 +85,8 @@ export class MonacoSDKImpl {
         catch (_e) {
             throw new InvalidConfigError(`seiRpcUrl must be a valid URL, got: ${cfg.seiRpcUrl}`, "seiRpcUrl");
         }
-        // Infer WebSocket URL from network
-        const wsUrl = resolveWsUrl(this.network);
+        // Resolve the WebSocket URL: explicit override (validated) or network preset.
+        const wsUrl = cfg.wsUrl ? validateUrl(cfg.wsUrl, "wsUrl") : resolveWsUrl(this.network);
         // Use Sei mainnet chain only for "mainnet" network, testnet for everything else
         const chain = this.network === "mainnet" ? sei : seiTestnet;
         this.chain = chain;
@@ -78,8 +96,8 @@ export class MonacoSDKImpl {
             chain,
             transport,
         });
-        // Resolve the API URL (from preset or custom URL)
-        const apiUrl = resolveApiUrl(this.network);
+        // Resolve the API URL: explicit override (validated) or network preset.
+        const apiUrl = cfg.apiUrl ? validateUrl(cfg.apiUrl, "apiUrl") : resolveApiUrl(this.network);
         // Validate wallet client chain if provided
         if (cfg.walletClient) {
             if (cfg.walletClient.chain?.id !== chain.id) {
@@ -107,14 +125,16 @@ export class MonacoSDKImpl {
     /**
      * Authenticate the user
      *
-     * Returns an AuthState object containing:
-     * - `accessToken`: For making authenticated API requests
-     * - `refreshToken`: For refreshing tokens AND revoking (logout)
-     * - `expiresAt`: When the access token expires
+     * Generates a session keypair, has the wallet authorize it, and returns an
+     * AuthState object containing:
+     * - `sessionPublicKey` / `sessionPrivateKey`: the session keypair used to
+     *   sign subsequent requests (the private key is the credential — persist it
+     *   to survive reloads without re-prompting the wallet)
+     * - `expiresAt`: When the session expires
      * - `user`: User information
      *
-     * Note: Use `sdk.logout()` to revoke the token and clean up, or call
-     * `sdk.auth.revokeToken()` directly to just revoke.
+     * Note: Use `sdk.logout()` to revoke the session and clean up, or call
+     * `sdk.auth.revokeSession()` directly to just revoke.
      *
      * @param clientId - The client ID for authentication
      * @param options - Optional configuration
@@ -128,24 +148,15 @@ export class MonacoSDKImpl {
      * // Login and auto-connect WebSocket
      * const authState = await sdk.login(clientId, { connectWebSocket: true });
      *
-     * // Manual WebSocket connection
-     * await sdk.ws.connect();
-     *
      * // Later, to revoke:
-     * await sdk.auth.revokeToken(); // ✅
+     * await sdk.auth.revokeSession(); // ✅
      * // Or revoke and disconnect WebSocket:
-     * await sdk.logout(); // ✅ Calls revokeToken internally and disconnects WebSocket
+     * await sdk.logout(); // ✅ Calls revokeSession internally and disconnects WebSocket
      * ```
      */
     async login(clientId, options) {
-        const response = await this.auth.authenticate(clientId);
-        this.authState = {
-            accessToken: response.accessToken,
-            refreshToken: response.refreshToken,
-            expiresAt: response.expiresAt,
-            user: response.user,
-        };
-        this.propagateAccessToken(this.authState.accessToken);
+        this.authState = await this.auth.authenticate(clientId);
+        this.propagateSession(this.sessionFromAuthState(this.authState));
         // Auto-connect WebSocket if requested
         if (options?.connectWebSocket) {
             await this.ws.connect();
@@ -168,59 +179,63 @@ export class MonacoSDKImpl {
      */
     setAuthState(authState) {
         this.authState = authState;
-        this.propagateAccessToken(authState.accessToken);
+        this.propagateSession(this.sessionFromAuthState(authState));
     }
     /**
      * Log the user out
      *
-     * This method revokes the refresh token (if available), disconnects all authenticated
+     * This method revokes the session (if authenticated), disconnects all authenticated
      * WebSocket channels, and clears the local auth state.
-     * It internally calls `auth.revokeToken()` to invalidate the token on the server.
+     * It internally calls `auth.revokeSession()` to invalidate the session on the server.
      *
      * @example
      * ```typescript
      * await sdk.logout();
-     * // Token is revoked, authenticated WebSockets disconnected, and local state cleared
+     * // Session is revoked, authenticated WebSockets disconnected, and local state cleared
      * ```
      */
     async logout() {
-        if (this.authState?.refreshToken) {
+        if (this.authState) {
             try {
-                await this.auth.revokeToken();
+                await this.auth.revokeSession();
             }
             catch (error) {
                 // Log but don't throw - we want to clear the local state regardless
-                console.warn("Failed to revoke token on logout:", error);
+                console.warn("Failed to revoke session on logout:", error);
             }
         }
         this.authState = undefined;
-        this.propagateAccessToken("");
+        this.propagateSession(undefined);
         this.ws.disconnect();
     }
     /**
-     * Refresh the access token
+     * Refresh the current session, extending its expiry.
+     *
+     * Signs a refresh request with the active session key and updates the local
+     * `expiresAt`. The session keypair is unchanged. If no session is active, or
+     * the session has expired/been revoked, this throws.
+     *
      * @returns The updated authentication state
      */
     async refreshAuth() {
-        if (!this.authState?.refreshToken) {
-            throw new APIError("No refresh token available", {
+        if (!this.authState) {
+            throw new APIError("No active session to refresh", {
                 endpoint: "auth/refresh",
                 statusCode: StatusCodes.UNAUTHORIZED,
             });
         }
         try {
-            const response = await this.auth.refreshToken(this.authState.refreshToken);
+            const response = await this.auth.refreshSession();
             this.authState = {
                 ...this.authState,
-                accessToken: response.accessToken,
                 expiresAt: response.expiresAt,
             };
-            this.propagateAccessToken(this.authState.accessToken);
             return this.authState;
         }
         catch (error) {
-            // If refresh fails, set the auth state to undefined
+            // If refresh fails, the session is no longer usable.
             this.authState = undefined;
+            this.propagateSession(undefined);
             throw error;
         }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@0xmonaco/core",
-	"version": "0.8.5",
+	"version": "0.8.7-develop.34bd452",
 	"type": "module",
 	"repository": {
 		"type": "git",
@@ -23,8 +23,10 @@
 		"viem": "^2.45.2"
 	},
 	"dependencies": {
-		"@0xmonaco/contracts": "0.8.5",
-		"@0xmonaco/types": "0.8.5",
+		"@0xmonaco/contracts": "0.8.7-develop.34bd452",
+		"@0xmonaco/types": "0.8.7-develop.34bd452",
+		"@noble/curves": "^1.9.1",
+		"@noble/hashes": "^1.8.0",
 		"http-status-codes": "^2.3.0"
 	},
 	"devDependencies": {