Skip to main content
POST
/
v1
/
api-meta
/
notifications
/
tokens
Register an Expo push token
curl --request POST \
  --url https://api.testnet.arcus.xyz/v1/api-meta/notifications/tokens \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --header 'X-Signature: <api-key>' \
  --header 'X-Timestamp: <api-key>' \
  --data '
{
  "token": "<string>"
}
'
{
  "address": "<string>",
  "token": "<string>"
}
Registers an Expo push token for the calling wallet so the notifications consumer can deliver a push to that device when a matching event (resting fill, liquidation, TP/SL trigger) lands. Signed: the token is bound to the master wallet resolved from X-API-Key; the body cannot register a token under another address. The signed REQUEST_PATH is /v1/api-meta/notifications/tokens verbatim. Registering a device also enrolls the wallet as a notifications subscriber (the same opt-in as the first GET /v1/api-meta/notifications), so the stored inbox starts accumulating rows too. Idempotent — re-registering a known token is a no-op upsert. Up to 20 devices per wallet.

Authorizations

X-API-Key
string
header
required

Hex-encoded Ed25519 public key (64 chars). The public key IS the API key — register it via POST /createApiKey. Required on every authenticated request, both read-only and signed.

X-Timestamp
string
header
required

Unix time in nanoseconds as a decimal string (e.g. "1713825891591000000"). Millisecond or second epochs are rejected with 401 Unauthorized. Must be within ±30,000 ms (MaxTimestampDriftMs, the drift window stays configured in milliseconds) of server wall-clock, or the request is rejected with 401 Unauthorized. Required on all mutating / credential-creating endpoints. This same value must appear as the ct field in the ordersign typed canonical payload (single-order endpoints) or in each element's ct field (batch endpoints).

X-Signature
string
header
required

Lowercase hex-encoded Ed25519 signature (128 chars).

Single-order endpoints (placeOrder, cancelOrder, modifyOrder, and other non-batch mutating routes) sign over the ordersign typed canonical payload — a compact, key-sorted JSON object built from parsed request fields using engine-native integer values:

placeOrder:   {"ad":"0x…","ai":N,[,"c":"…"],"ct":N,"g":N,"m":N,"op":1,"p":N,"q":N,"r":0|1,"s":N,"t":N,"v":1}
cancelOrder: {"ad":"0x…","ai":N,[,"c":"…"],"ct":N,[,"id":"…"],"m":N,"op":2,"v":1}
modifyOrder: {"ad":"0x…","ai":N,[,"c":"…"],"ct":N,[,"id":"…"],"m":N,"op":3,"p":N,"q":N,"v":1}

ct must equal the X-Timestamp header value. Keys in brackets are conditional (omitted when empty). op values: 1=place, 2=cancel, 3=modify. See the ordersign package for field definitions and reference signing code.

Other signed routes (e.g. createApiKey, tokens, userPreferences) still use the legacy scheme: signing_message = X-Timestamp + ACTION + canonicalJSON(body), where ACTION is the camelCase final path segment.

Batch endpoints (batchPlaceOrders, batchCancelOrders) do NOT use this header. They authenticate with per-element typed ordersign signatures embedded in the request body (see the global auth description and the per-field signature descriptions on OrderRequest / CancelOrderRequest).

Read endpoints are authenticated by ?address= (and optionally X-API-Key) only — no signature is required. canonicalJSON(body) is the JSON body with object keys sorted lexicographically at every level and no whitespace; the server canonicalizes the received body before verifying, so only the bytes signed over must be canonical. Required on all mutating / credential-creating endpoints.

Body

application/json
token
string
required

Expo push token for the device, e.g. ExponentPushToken[xxxxxxxxxxxxxxxxxxxxxx] (the legacy ExpoPushToken[...] spelling is also accepted). Validated for shape only; liveness surfaces later as an Expo DeviceNotRegistered receipt.

Maximum string length: 256
platform
enum<string>

Optional device platform hint. Informational only.

Available options:
ios,
android,
web

Response

Token registered (or already present).

address
string
required

20-byte EVM address as hex: optional 0x or 0X prefix and exactly 40 hexadecimal digits. API responses normalize to lowercase af after 0x.

Pattern: ^(0x|0X)?[0-9a-fA-F]{40}$
token
string
required

The registered Expo push token (echoed back).