
What Are Session Keys?

When you sync your trading session, Predicade creates API credentials (called L2 keys) that authenticate your requests to the Polymarket CLOB. These credentials consist of three parts:
  • API Key - Your unique identifier
  • Secret - Used to sign requests (HMAC-SHA256)
  • Passphrase - Additional authentication factor
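As an added example (not Predicade's or Polymarket's code), the following shows how an API key, an HMAC-SHA256 secret and a passphrase can authenticate a request, and how the receiving server can check it. The message layout (timestamp + method + path + body), the field names, the 30-second freshness window and the credentials are assumptions constructed for illustration.

```javascript
// Added illustration, not Predicade or Polymarket code. The message layout
// (timestamp + method + path + body) and all field names are assumptions.
const crypto = require("node:crypto");

// Constructed sample credentials (the three parts described above).
const creds = {
  apiKey: "example-api-key",
  secret: "ZXhhbXBsZS1zZWNyZXQ=", // base64 of "example-secret"
  passphrase: "example-passphrase",
};

function hmacSha256(secretB64, timestamp, method, path, body) {
  return crypto
    .createHmac("sha256", Buffer.from(secretB64, "base64"))
    .update(`${timestamp}${method}${path}${body}`)
    .digest("base64");
}

// Constant-time comparison so a mismatch does not leak how many bytes matched.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Client side: sign this exact request with the locally stored secret.
function signRequest(c, method, path, body, nowSec) {
  const timestamp = String(nowSec);
  const signature = hmacSha256(c.secret, timestamp, method, path, body);
  return { apiKey: c.apiKey, passphrase: c.passphrase, timestamp, method, path, body, signature };
}

// Server side: check identity, passphrase, freshness, then the signature.
function verifyRequest(stored, req, nowSec, maxSkewSec = 30) {
  if (!safeEqual(req.apiKey, stored.apiKey)) return "unknown-key";
  if (!safeEqual(req.passphrase, stored.passphrase)) return "bad-passphrase";
  const ts = Number(req.timestamp);
  if (!Number.isFinite(ts) || Math.abs(nowSec - ts) > maxSkewSec) return "stale";
  const expected = hmacSha256(stored.secret, req.timestamp, req.method, req.path, req.body);
  return safeEqual(expected, req.signature) ? "ok" : "bad-signature";
}
```

A valid HMAC only shows that the caller holds the L2 credentials. It is keyed by the API secret, not the wallet key, so it cannot stand in for the wallet signature that each order needs.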

How They’re Created

Session keys are derived from your wallet signature:
  1. You sign an EIP-712 message with your wallet (L1 authentication)
  2. This signature proves you own the wallet
  3. API credentials (L2) are generated from this signature
  4. Credentials are stored locally in your browser only

Your private key never leaves your wallet. The signature process proves ownership without exposing your key.

What Session Keys Can Do

Action                                  Allowed
View your balances                      Yes
View your positions                     Yes
View your open orders                   Yes
Cancel your orders                      Yes
Post orders you’ve signed               Yes

What Session Keys Cannot Do

Action                                  Allowed
Withdraw your funds                     No
Create orders without your signature    No
Access other wallets                    No
Transfer tokens                         No

Even with valid session keys, every order still requires a cryptographic signature from your wallet. Session keys only authenticate API requests - they cannot authorize trades on their own.

Where Keys Are Stored

Your session keys are stored in your browser’s local storage. This means:
  • Predicade never sees your keys - They exist only on your device
  • Keys don’t sync across devices - You need to create new keys on each device
  • Clearing browser data removes them - You’ll need to sync again

When You Need to Re-Sync

You’ll see a “Sync Trading Session” prompt when:
  • You’re using a new browser or device
  • You cleared your browser data
  • Your session expired (security rotation)
  • You previously disconnected

Re-syncing is quick — just sign a message with your wallet.

Security Model

Predicade uses the same authentication system as Polymarket itself through the Builder Program:

Non-Custodial

Your funds stay in your Gnosis Safe. Neither Predicade nor Polymarket can access them.

Signature Required

Every trade requires your wallet’s cryptographic signature.

Local Storage

API keys never leave your browser or get sent to Predicade servers.

Revocable

Disconnect anytime to invalidate your session.