Restricted Endpoints
Endpoints that reject API-key authentication, and what to do instead.
API keys cannot call any of the endpoints below. Each one responds with 403
to a request authenticated with an API key.
| Endpoint | Reason | Alternative |
|---|---|---|
| POST /v2/withdraw | UI-only — wallet signature required (audit fix H-4) | Web UI |
| POST /v2/transfers/internal | UI-only — EIP-712 typed-data signature required (H-14) | Web UI |
| POST /v2/deposit/signature | UI-only — wallet/JWT context required | Web UI |
| POST /v2/deposit/confirm | UI-only | Web UI |
| POST /v2/auth/logout | JWT-only (req.userId must be set; API keys do not populate it) | UI logout |
| POST /v2/api-keys (+ GET / PATCH / DELETE) | UI-only — privilege-escalation guard | Web UI |
| All /v2/admin/* | SUPER_ADMIN / ANALYST role only | UI admin panel |
| All /v2/admin/reports/* | SUPER_ADMIN / ANALYST role only | UI |
| All /api/v2/bd/* | BD / HEAD_OF_BD / MANAGER role only — cookie session | UI BD panel |
| All /api/v2/manage/* | SUPER_ADMIN / ANALYST role only — cookie session | UI manage panel |
| WS account channel auth | JWT-only (wallet-signed session) | REST polling |
Role-gated groups
- `/v2/admin/*` — `SUPER_ADMIN` or `ANALYST`.
- `/v2/admin/reports/*` — same.
- `/api/v2/bd/*` — `BD`, `HEAD_OF_BD`, or `MANAGER`. Cookie session only.
- `/api/v2/manage/*` — `SUPER_ADMIN` or `ANALYST`. Cookie session only.
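
An added example, not the platform's own code: a client-side preflight that an API-key integration can run before sending a request, so a call the table above marks as restricted fails fast instead of presenting the key to an endpoint that will answer 403. The names `RESTRICTED`, `normalizePath` and `checkApiKeyCall` are hypothetical, and two choices are assumptions: `/v2/api-keys` is matched as a prefix, and the bare group root (for example `/v2/admin`) is treated as restricted.

```javascript
// Added example: preflight check for API-key integrations. Rules are copied
// from the table above; the server stays the enforcer and may change them.
// "WS account channel auth" is not an HTTP route and is left out.
const RESTRICTED = [   // most specific rule first; methods: null = any verb
  { methods: ['POST'], path: '/v2/withdraw', alt: 'Web UI' },
  { methods: ['POST'], path: '/v2/transfers/internal', alt: 'Web UI' },
  { methods: ['POST'], path: '/v2/deposit/signature', alt: 'Web UI' },
  { methods: ['POST'], path: '/v2/deposit/confirm', alt: 'Web UI' },
  { methods: ['POST'], path: '/v2/auth/logout', alt: 'UI logout' },
  // Assumption: PATCH/DELETE address one key by sub-path, so match as a prefix.
  { methods: ['POST', 'GET', 'PATCH', 'DELETE'], path: '/v2/api-keys', prefix: true, alt: 'Web UI' },
  { methods: null, path: '/v2/admin/reports', prefix: true, alt: 'UI' },
  { methods: null, path: '/v2/admin', prefix: true, alt: 'UI admin panel' },
  { methods: null, path: '/api/v2/bd', prefix: true, alt: 'UI BD panel' },
  { methods: null, path: '/api/v2/manage', prefix: true, alt: 'UI manage panel' },
];

// Accepts a path starting with "/", with an optional query string,
// e.g. "/v2/withdraw?asset=ETH".
function normalizePath(target) {
  // Placeholder origin; URL parsing drops the query and resolves ".." segments.
  const { pathname } = new URL('http://placeholder.invalid' + target);
  const collapsed = pathname.replace(/\/{2,}/g, '/');
  return collapsed.length > 1 ? collapsed.replace(/\/$/, '') : collapsed;
}

function checkApiKeyCall(method, target) {
  const verb = String(method).toUpperCase();
  const path = normalizePath(target);
  for (const rule of RESTRICTED) {
    const verbHit = rule.methods === null || rule.methods.includes(verb);
    // Prefix rules match on a segment boundary: "/v2/admin/x", not "/v2/administrators".
    const pathHit = path === rule.path ||
      (rule.prefix === true && path.startsWith(rule.path + '/'));
    if (verbHit && pathHit) {
      return { restricted: true, expectedStatus: 403, alternative: rule.alt };
    }
  }
  return { restricted: false }; // not in the table; says nothing about other checks
}
```

A `restricted: false` result only means the call is absent from the table; the server's response is still authoritative.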
Support
- Status / liveness — `GET /health`
- Feature flags — `GET /v2/platform/status`
- Bug reports — include the `errorId` from the response body.