| Surface | Auth | Header |
|---|---|---|
| Landing public + agent reads | Optional for basic reads | Authorization: Bearer sf_live_... only when using authenticated overlays or higher tiers |
| Thesis + portfolio + watch APIs | SimpleFunctions API key | Authorization: Bearer sf_live_... |
| Web terminal sessions | Supabase JWT | Authorization: Bearer eyJ... |
| Terminal data API (data.simplefunctions.dev) | Data API key | Authorization: Bearer sft_live_... |
| Kalshi exchange | BYOK private key | Local-only (CLI), or AES-256-GCM encrypted upload (autopilot) |
| Polymarket exchange | BYOK wallet | Local-only or wallet-connect on web terminal |
| MCP | SimpleFunctions API key | Authorization: Bearer sf_live_... |
CLI login
~/.config/simplefunctions/config.json.
Manual API key
Get one at simplefunctions.dev/dashboard/keys. Set:
HTTP
User scoping
Authenticated account and portfolio routes are scoped to the authenticated user. Do not pass userId from the client for normal reads; server-side resolution always wins.
Secrets
The CLI and API never return raw exchange private keys. Key metadata may include presence, id suffixes, or created/rotated timestamps, but never secret material.
BYOK encryption (cloud autopilot)
sf portfolio enable does:
Read local Kalshi PEM
From your local ~/.config/simplefunctions/config.json or environment variable.
Encrypt client-side
AES-256-GCM with your SimpleFunctions account-derived key. The plain PEM never leaves the local process.
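The client-side encryption step above, sketched as an added example (not SimpleFunctions code): AES-256-GCM over a PEM string with a fresh nonce and authenticated context, so that a modified blob or a blob replayed under another context fails to decrypt. The envelope fields, the AAD string, and the sample key and PEM are constructed assumptions; how the real account-derived key is produced is not described on this page, so the key is simply taken as a 32-byte input.

```javascript
// Added example, not SimpleFunctions code. Envelope layout, AAD format and
// all sample values are assumptions made for illustration.
const crypto = require('node:crypto');

// Encrypt a PEM with AES-256-GCM. `key` must be 32 bytes; `aad` binds the
// ciphertext to a context (for example an account id) without encrypting it.
function sealPem(pem, key, aad) {
  if (!Buffer.isBuffer(key) || key.length !== 32) throw new Error('key must be 32 bytes');
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad, 'utf8'));
  const ct = Buffer.concat([cipher.update(pem, 'utf8'), cipher.final()]);
  return {
    v: 1,
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'), // 16-byte GCM tag
  };
}

// Decrypt and authenticate. Throws if key, AAD, nonce, ciphertext or tag differ.
function openPem(env, key, aad) {
  const tag = Buffer.from(env.tag, 'base64');
  if (tag.length !== 16) throw new Error('bad tag length'); // reject truncated tags
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(env.iv, 'base64'));
  decipher.setAAD(Buffer.from(aad, 'utf8'));
  decipher.setAuthTag(tag);
  const pt = Buffer.concat([decipher.update(Buffer.from(env.ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// True only when the envelope authenticates under this key and context.
function opens(env, key, aad) {
  try { openPem(env, key, aad); return true; } catch { return false; }
}

// Constructed sample values (not a real key or PEM).
const SAMPLE_KEY = crypto.createHash('sha256').update('constructed-demo-key').digest();
const SAMPLE_PEM = '-----BEGIN CONSTRUCTED SAMPLE-----\nQ09OU1RSVUNURUQ=\n-----END CONSTRUCTED SAMPLE-----\n';
const SAMPLE_AAD = 'user:demo-123';
```

Only the envelope object would leave the process; the PEM and the key stay local.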
See also
API keys
Scopes and rotation.
Portfolio autopilot
Cloud autopilot setup with BYOK.
Security
Encryption and audit guarantees.