Developer API
For agents and integrations using the Bankr API. Pair these with the wallet-level controls in Bankr Terminal — both layers are enforced.
For the full reference of every flag and error response, see Agent API → Access Control.
Use a dedicated agent wallet
For production agents, use a separate Bankr account with its own API key and wallet:
- Blast radius isolation — a compromised key only affects the agent wallet
- Independent controls — read-only mode, IP allowlist, rate limits scoped to the agent
- Easy revocation — rotate the agent key without touching your main account
Setup: create a separate account at bankr.bot, generate a key at bankr.bot/api, configure access controls, and fund the agent wallet with only what the agent needs.
Recommended configurations
| Use case | Read-only | IP allowlist | Recipient allowlist |
|---|---|---|---|
| Monitoring bot | Yes | Yes | — |
| Trading bot | No | Yes | Yes |
| Public-facing demo | Yes | No | — |
| Dev / testing | No | No | No |
Read-only mode
Strips all write tools (swaps, transfers, NFT trades, staking, orders, deployments, leveraged positions, Polymarket bets, fee claims) from agent sessions and returns 403 on /wallet/sign, /wallet/submit, /wallet/transfer. Use as the default for monitoring bots and public-facing surfaces. See Access Control → Read-Only Mode.
IP allowlist
Restricts which IPs can use the key. Validation runs in auth middleware before any endpoint logic. Supports IPs and CIDR ranges; minimum prefix lengths are /8 (IPv4) and /16 (IPv6). See Access Control → IP Allowlist.
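A local pre-check for an allowlist before you save it, as an added example that is not Bankr's own code: it enforces the /8 and /16 minimums stated above and confirms that the agent's egress IP is covered. The function names and sample entries are constructed for illustration, and rejecting entries with host bits set is this example's own choice.

```python
import ipaddress

# Minimum prefix lengths stated on this page: /8 for IPv4, /16 for IPv6.
MIN_PREFIX = {4: 8, 6: 16}

# Constructed sample entries (documentation address ranges), not real config.
SAMPLE_ENTRIES = [
    "203.0.113.7",        # single IP, parsed as /32
    "198.51.100.0/24",
    "10.0.0.0/8",         # exactly at the IPv4 minimum
    "2001:db8::/32",
    "0.0.0.0/0",          # broader than /8
    "2000::/8",           # broader than /16
    "10.1.2.3/8",         # host bits set, likely a typo
    "not-an-ip",
]

def parse_allowlist(entries):
    """Return (networks, errors) for a list of IP or CIDR strings."""
    networks, errors = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=True flags entries such as 10.1.2.3/8 (example's choice).
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            errors.append(f"{entry!r}: {exc}")
            continue
        minimum = MIN_PREFIX[net.version]
        if net.prefixlen < minimum:
            errors.append(f"{entry!r}: broader than the /{minimum} minimum")
            continue
        networks.append(net)
    return networks, errors

def ip_allowed(client_ip, networks):
    """True if client_ip falls inside any parsed allowlist network."""
    addr = ipaddress.ip_address(client_ip)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as IPv4 (example's choice).
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == n.version and addr in n for n in networks)

if __name__ == "__main__":
    nets, errs = parse_allowlist(SAMPLE_ENTRIES)
    print("accepted:", [str(n) for n in nets])
    print("rejected:", errs)
    print("egress 198.51.100.42 covered:", ip_allowed("198.51.100.42", nets))
```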
Recipient allowlist
Restricts which addresses the key can send funds to. EVM and Solana lists are independent. Most useful for autonomous agents where recipients are LLM-resolved.
This is independent from the wallet-level Permitted Recipients. When both are configured, both must pass:
- API-key allowlist = where this key is allowed to send
- Wallet allowlist = where this wallet is allowed to send, regardless of key
See Access Control → Wallet Allowlist.
Layer wallet-level controls on top
Even with a hardened API key, the Bankr Terminal controls still apply. We recommend setting a daily USD limit and a per-transaction limit appropriate for the agent's purpose — they cap total damage if the key is misconfigured or compromised.
Incident response
If you suspect a key is compromised:
- Pause the wallet at bankr.bot → Security. Halts every outbound transaction immediately, including in-flight broadcasts. Revoking the key alone does not stop transactions already past auth.
- Revoke the key at bankr.bot/api.
- Rotate — generate a new key with the same access profile and update deployments.
- Audit — review recent transactions and agent job history before unpausing.