Current model

Joyride is still in a trust-based paper-trading phase: the identity a client supplies is accepted as given.

HTTP

User identity is taken from:
  1. x-device-id header, or
  2. user_id query parameter
The header takes precedence.
curl -H 'x-device-id: alice' \
  http://127.0.0.1:8084/v1/account

WebSocket

The gateway requires a public/auth call before any private/* method:
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "public/auth",
  "params": {
    "grant_type": "client_credentials",
    "client_id": "alice"
  }
}
Successful auth returns the user ID and creates the account if it does not exist yet.

Admin endpoints

Admin routes require:
Authorization: Bearer <ADMIN_TOKEN>
ADMIN_TOKEN is read from the environment. If it is unset or empty, admin routes are open in development mode.
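
The sketch below is an added example, not Joyride's own code. It models the identity precedence and the admin check as this page describes them, next to a fail-closed variant and a startup check for deployments. The function names, the bind_host setting, the empty-header handling and the constant-time comparison are assumptions of the example.

```python
import hmac

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def resolve_user_id(headers, query):
    """Identity per the page: x-device-id header first, then user_id query parameter."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Assumption: an empty header value is treated as absent.
    return hdrs.get("x-device-id") or query.get("user_id") or None

def _bearer_matches(auth_header, token):
    scheme, _, presented = (auth_header or "").partition(" ")
    if scheme.lower() != "bearer":
        return False
    # Constant-time comparison is this example's choice, not taken from the page.
    return hmac.compare_digest(presented.strip().encode(), token.encode())

def admin_allowed_documented(auth_header, env):
    """Behaviour the page documents: unset or empty ADMIN_TOKEN leaves admin routes open."""
    token = env.get("ADMIN_TOKEN", "")
    if not token:
        return True
    return _bearer_matches(auth_header, token)

def admin_allowed_fail_closed(auth_header, env):
    """Assumed hardening: with no token configured, nobody is admin."""
    token = env.get("ADMIN_TOKEN", "")
    return bool(token) and _bearer_matches(auth_header, token)

def preflight(env, bind_host):
    """Findings to surface at startup; bind_host is a hypothetical setting."""
    findings = []
    if not env.get("ADMIN_TOKEN", "") and bind_host not in LOOPBACK:
        findings.append("ADMIN_TOKEN unset or empty on a non-loopback bind: admin routes are open")
    return findings

if __name__ == "__main__":
    print(resolve_user_id({"x-device-id": "alice"}, {"user_id": "bob"}))
    print(admin_allowed_documented(None, {}), admin_allowed_fail_closed(None, {}))
    print(preflight({}, "0.0.0.0"))
```

Running preflight against the real environment before exposing the service beyond loopback catches the empty-token case that the documented check lets through.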

Planned evolution

The checked-in OpenAPI spec already describes a production-oriented bearer or signed-request model. Until that is implemented in code, use the runtime behavior above as the authoritative reference.