Skip to main content
The SDK authenticates with a secret API key. Keys look like cesto_sk_… and are sent automatically with every request — you never set headers yourself.

Getting a key

API keys are issued by the Cesto team — there’s no self-serve portal yet.Contact us to request a key: reach out on our community or through your Cesto contact.

Providing the key

Pass it explicitly, or set the CESTO_API_KEY environment variable and omit it:
If no key is found, the constructor throws.

Key scopes

Keys are read (default) or write-scoped:
  • Read covers products and position reads (products.*, positions.getPositions, positions.getPosition).
  • Write is required for opening and closing positions (open.*, close.*, positions.submit, execution polling). A read-only key gets a 403 PermissionDeniedError on write routes.
Ask for the scope you need when requesting a key.

Backend

The SDK always targets the Cesto production backend at https://backend.cesto.co. There’s nothing to configure — you supply a key and go.

Keep your key safe

Treat the key like a password — keep it server-side, store it in a secret manager or environment variable, and never commit it to source control. To rotate or revoke a key, contact the Cesto team.