Skip to main content
WebSocket connections use the same Ed25519 keypair as the REST API — but because browsers cannot set custom headers on the WS upgrade, the three signing values move from headers into query params.
The official SDKs sign the handshake for you. The raw recipe below is for integrations without an SDK.

Query parameters

ParamValue
key_idYour key UUID
tsCurrent unix seconds (within 30s of server time)
sigBase64 Ed25519 signature over the WS canonical string

Canonical string

LF-joined (no trailing newline). The method is the literal "WS" and there is no body to hash:
SORTED_QUERY is everything except the three signing params, with keys sorted alphabetically and values percent-encoded per RFC 3986. Empty when the endpoint has no additional query string.

Example

Close codes

Invalid or missing auth closes the connection with code 4401. See each endpoint’s reference page for endpoint-specific close codes.
Never share your private key or commit it to source control. Use environment variables or a secret manager.