Skip to main content
This page covers the conventions shared across all Portfolio Wallet API endpoints.

Base path

Wallet resources use the /v2/wallets path prefix. Supporting APIs use their own /v2/* prefixes, including /v2/activity, /v2/accounting, /v2/webhooks, /v2/address-book, /v2/turnkey, and /v2/system.

Authentication

All requests require a Bearer token in the Authorization header. If the token is missing or invalid, the API returns 401.

Environments

Sandbox focuses on test networks while you integrate. Production processes live funds on supported chains. Swap the base URL to move between environments, but note that sandbox uses explicit testnet chain keys such as ethereum_sepolia and may expose a smaller yield-source catalog than production. Sandbox is limited to a subset of networks for integration testing. Unlike production, sandbox chain keys include the network suffix to make the testnet explicit:
  • ethereum_sepolia — Ethereum Sepolia testnet
  • solana_devnet — Solana devnet
Production uses canonical chain names (arbitrum, base, ethereum, polygon, solana). See Supported Chains for details.

Pagination

List endpoints use cursor-based pagination with limit and cursor parameters.
The response includes a nextCursor field. Pass it as cursor to fetch the next page:
When nextCursor is null, you have reached the end of the result set. Endpoint-specific filters, sort options, limits, and status semantics vary by endpoint. Treat each API reference page’s parameter table as authoritative for that endpoint.

Idempotency

Create and withdrawal endpoints accept a requestId (UUID v4). These endpoints return 200 OK for both the initial request and an idempotent replay with the same requestId — the existing resource state is returned on replay. Wallet and withdrawal creation use requestId to find and return the existing resource on replay. Do not rely on these create endpoints to compare the replayed payload field-by-field.
The public write shape uses token-keyed allocation groups with yieldSourceId and pct. Each included group independently totals 100%. Allocation pct values support 0.1% increments and must sum to 100. Replaying the same requestId with the same payload returns 200 OK with the existing resource. Replaying a requestId with a different payload returns 409 request_id_conflict:
When you receive a 409, fetch the existing resource by requestId rather than retrying the create.

Rate limiting

Endpoints are rate limited. The API applies pre-auth request limiting, global API-key limiting for authenticated requests, and endpoint-specific or wallet-scoped limits where configured. Limits vary by environment and may change; use 429 handling rather than depending on fixed numeric thresholds. Rate-limit headers are not currently emitted. When rate limited, the API returns 429 Too Many Requests; back off and retry with jitter.

Error handling

Business API errors are returned as JSON with a human-readable error string and a machine-readable code field.
Business API errors include both error and code fields. Authentication middleware can return { "error": "...", "message": "..." } before the request reaches a business handler. Use code for programmatic branching when it is present, and use the error string for logging and debugging.