Skip to main content
Phoenix auth issues short-lived access JWTs and longer-lived refresh tokens. The Rise SDK can manage the session, attach bearer tokens to authenticated requests, refresh before expiry, and persist the rotated token pair. Most Phoenix market and trader read routes are public. You can fetch exchange params, market stats, orderbooks, candles, and trader state without first creating a session. Use auth when your integration needs an identified caller, higher API limits for authenticated traffic, or authenticated workflows. Auth is required for referral-code onboarding with /v1/referral/activate-tx and for notifications.
Auth does not replace Solana transaction signing. Phoenix instructions still need the correct wallet, authority, position authority, or fee payer signature depending on the instruction.

Lifecycle

  1. Request a challenge from Phoenix.
  2. Sign the challenge with the authority wallet.
  3. Exchange the signature for an auth response.
  4. Use Authorization: Bearer <access_token> on authenticated routes.
  5. Refresh with POST /v1/auth/refresh before the access token expires.
  6. Reauthenticate when refresh fails with a terminal auth error.
The auth response shape is:
Store the full response. Refresh rotates the access token and refresh token; the previous access token is accepted for a short grace window.

Endpoints

Routes that can benefit from or require auth:
  • Referral-code onboarding: see Trader Onboarding.
  • Notifications over REST or WebSocket.
  • Any protected account, user, or builder workflow marked with bearer auth in the API reference.
  • Authenticated integrations that need higher rate limits than anonymous public traffic.

Wallet login

This TypeScript example is written for a browser wallet that supports signMessage.
In Rust builds with the solana-keypair feature, auth.login_with_wallet_keypair(&keypair).await? wraps the nonce, signing, and login sequence.

Refresh

With a managed SDK session, refresh is normally automatic before authenticated HTTP and WebSocket requests. Manual refresh is still useful when you want to force rotation after loading a saved session.
Terminal refresh failures mean the user must sign in again:
  • invalid_refresh_token
  • refresh_expired
  • session_missing

Auth errors

Auth errors use the standard API error shape:
Common unauthenticated or reauthentication cases: