The Digital Surge API uses personal API keys sent as Bearer tokens. You create keys yourself in the Digital Surge app — no application process, no waiting.
Creating an API key
- Log in to the Digital Surge app.
- Open Account Settings → API Keys.
- Click to create a new key and choose its permission level:
  - Read Only — view balances, transactions, portfolio data, and prices.
  - Read & Write — everything above, plus placing trades, managing price triggers and recurring buys, and initiating withdrawals.
- Confirm the creation with your two-factor authentication code.
- Copy the key immediately. For your security the full key is visible only briefly after creation — after that only a short prefix is shown, and the full key can never be displayed again.
API keys don’t expire; they remain valid until you delete them. There’s a small per-account limit on how many keys you can hold at once.
Using your key
Send the key in the Authorization header of every private request:
curl "https://app.digitalsurge.com.au/api/private/profile/brief/" \
-H "Authorization: Bearer YOUR_API_KEY"
Public endpoints (/api/public/...) need no authentication at all.
Key safety
Treat an API key like a password to your account. A Read & Write key can move funds.
- Store keys in a secrets manager or environment variables — never in source control, client-side code, or shared documents.
- Use Read Only keys unless you genuinely need to trade programmatically.
- Create one key per integration, so you can revoke one without breaking the others.
- Delete keys you no longer use (Account Settings → API Keys → delete). Deletion takes effect immediately.
- API keys deliberately cannot create or delete other API keys, and cannot manage connected AI agents — those actions always require logging in to the app.
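An added example (not Digital Surge code) for the guidance above on sending and storing the key: a shell wrapper that reads the key from an environment variable and passes the Authorization header to curl on stdin, so the key never appears in the process list or in shell history. The variable name DIGITALSURGE_API_KEY and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Digital Surge code.
# Assumption: your secrets manager exports the key as DIGITALSURGE_API_KEY
# (a hypothetical variable name); the function names are hypothetical too.

DS_BASE_URL="https://app.digitalsurge.com.au"

# Fail if the key is unset, or contains characters that could break out of
# the quoted header value in a curl config file (whitespace, quotes, backslashes).
ds_check_key() {
  local key="${DIGITALSURGE_API_KEY:-}"
  if [ -z "$key" ]; then
    echo "DIGITALSURGE_API_KEY is not set" >&2
    return 1
  fi
  case "$key" in
    *[[:space:]]* | *'"'* | *'\'*)
      echo "DIGITALSURGE_API_KEY contains unexpected characters" >&2
      return 1 ;;
  esac
}

# Emit a curl config line carrying the Bearer header. printf is a shell
# builtin, so the key is never placed in another process's argv.
ds_curl_config() {
  ds_check_key || return 1
  printf 'header = "Authorization: Bearer %s"\n' "$DIGITALSURGE_API_KEY"
}

# GET an API path. The key is sent only to /api/private/ paths, only over
# HTTPS, and only to the fixed host above (curl does not follow redirects
# unless asked to).
ds_get() {
  local path="$1"
  case "$path" in
    /api/private/*)
      ds_check_key || return 1
      ds_curl_config | curl --fail --silent --show-error --proto '=https' \
        --config - "${DS_BASE_URL}${path}" ;;
    /api/public/*)
      curl --fail --silent --show-error --proto '=https' "${DS_BASE_URL}${path}" ;;
    *)
      echo "unsupported path: $path" >&2
      return 2 ;;
  esac
}

# When run as a script: ./ds_get.sh /api/private/profile/brief/
if [ "$#" -gt 0 ]; then ds_get "$1"; fi
```

Because `ds_check_key` runs before the pipe, a missing key stops the request instead of sending it unauthenticated.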
What about OAuth?
The Digital Surge web and mobile apps authenticate with short-lived OAuth tokens. That flow is not intended for third-party integrations — never ask a Digital Surge customer for their email and password. For anything you build, use an API key; for AI assistants, use the MCP connection, which lets customers sign in themselves and grants your agent its own revocable access.