Skip to main content
Zero Latency Labs (ZLL) is a crypto perpetuals exchange. The ZLL Trading API is its REST surface for order entry, account and portfolio management, transfers, and market metadata. The private WebSocket stream (/ws) and the Market Data API are separate services, not documented here yet. The API is live on staging at https://staging.zerolatencylabs.com; testnet is coming. See Environments for base URLs and rate limits.

Signing your requests

Official SDKs are on the way, and they’ll handle request signing for you. Until then, you build and sign each request yourself. It’s exacting work — ZLL uses a compact binary signing format — so the signing reference walks through it step by step, and Common signing mistakes lists the errors that bite first.

Authentication flow

Signing chains from a long-lived master key down to a short-lived session key.
1

Register a master key

The account owner registers a master key (Secp256k1 or Passkey) as the root of trust. Admin keys reach every subaccount; scoped keys reach only their permitted subaccounts and cannot sign admin operations.
2

Create a session key

The master key signs a request to register an ephemeral Ed25519 session key. The session inherits its parent’s reach, takes a role, an optional subaccount pin, and an expiry.
3

Sign the request

The session key signs the request payload (Ed25519 over the raw bytes). You POST the Base64SignedPayload envelope, or use the SessionSig header triple for session, key, and device management endpoints.
4

The exchange verifies and processes

The exchange verifies the signature, checks that the request-id timestamp is current, processes the request, and returns the result.

Header credential or signature?

  • Reads take a header credential. Account, order, fill, portfolio, and position reads accept X-API-KEY (API key) or X-DEVICE-KEY (device key) — no signature.
  • Writes take a signature. Placing orders, moving cash, and managing keys or sessions all require a signed request, not just a header.
  • Withdrawals go one step further. POST /api/v1/trading/withdraw is signed by a session key like any other write, but the exchange rejects any session that doesn’t chain to an admin master key.
The Authentication section covers credentials, the signing envelope, and the per-curve rules in full.

Using the API playground

The Trading API tab renders a “Try it” playground per endpoint, and what works there depends on how the endpoint authenticates.
Endpoints that authenticate with a header credential (X-API-KEY or X-DEVICE-KEY) work in “Try it”. Paste your key into the header field and send the request. These are the account, order, fill, portfolio, position, leverage, and session read endpoints, plus a few header-authenticated writes such as POST /api/v1/ws-ticket.
Next: Quickstart places your first order end to end.