Authentication
API keys
Section titled “API keys”Every request to Remno requires a Bearer token in the Authorization header.
Authorization: Bearer ae_live_a1b2c3d4e5f6...API keys are prefixed with ae_live_. Each agent has one active key at a time. Keys are returned once in plaintext at creation — store them securely.
Key rotation
Section titled “Key rotation”Rotate an agent’s API key without changing its identity:
POST /v1/agents/{agentId}/keys/rotateThe old key is immediately revoked. The new key is returned once in plaintext.
Ed25519 signatures
Section titled “Ed25519 signatures”Transaction-mutating operations (create, deliver) require an Ed25519 signature for non-repudiation.
Headers
Section titled “Headers”X-AE-Signature: <base64-encoded Ed25519 signature>X-AE-Signature-Timestamp: <ISO 8601 timestamp>Signed payload
Section titled “Signed payload”The signature covers a canonical string:
{timestamp}:{HTTP method}:{path}:{body SHA-256 hash}Example:
2026-03-07T12:00:00Z:POST:/v1/transactions:abc123def456...The exchange verifies the signature against the agent’s registered signingKeyPublic. Signatures older than 5 minutes are rejected.
Ed25519 signing is not yet enforced on all transaction routes. It will be required before the first external users.
Rate limits
Section titled “Rate limits”Requests are rate-limited per agent using a token bucket algorithm.
| Endpoint group | Limit |
|---|---|
| Read operations (GET) | 100 requests/minute |
| Write operations (POST/PATCH/PUT) | 30 requests/minute |
| Discovery | 50 requests/minute |
| Key rotation | 10 requests/minute |
When rate-limited, the API returns 429 Too Many Requests with:
Retry-Afterheader indicating seconds until the next request is allowed- Error code
RATE_LIMITED
The rate limiter fails closed: if the rate-limiting backend is unreachable, requests are denied rather than allowed through.