Authenticate and connect to the DALP API

Create an API key, configure the DALP TypeScript SDK, and choose the right API, CLI, or OpenAPI path for authenticated integration.

The DALP API is the programmatic entry point for organisation-scoped asset operations. Start here when you need a machine client that can authenticate, call the OpenAPI REST surface, and then route to the right API page for asset lifecycle, compliance, wallet, settlement, monitoring, webhook, or error-handling work.

API keys are organisation credentials. They inherit the creating user's DALP permissions, carry a read or read-write scope, and authenticate REST requests with X-Api-Key. Use one key per organisation or environment so reporting jobs, settlement automation, and asset operations do not share the same blast radius.

Choose the right API path

If you need to	Start with	Then read
Make your first authenticated REST call	Create an API key and generate a TypeScript client below.	SDK integration and API reference
Keep organisations, systems, and environments separated	Create one key for the active organisation.	Organisation and system scope
Send calls on behalf of a participant or execution wallet	Configure the shared headers only on routes that support them.	Request headers and smart wallets
Automate asset lifecycle operations	Use a read-write key and verify the target token workflow first.	Token lifecycle, token holders and transfers, and external tokens
Wire compliance, documents, monitoring, or webhooks	Keep the key scope narrow and route each job to the matching reference page.	Compliance modules, KYC document uploads, API monitoring, and webhook endpoints

Prerequisites

Before creating an API key:

Have a running DALP instance, either hosted or local.
Sign in to the platform UI with an account that belongs to the target organisation.
Select the organisation that should own the API key. The key stores that organisation context.
Confirm your account has the role permissions needed for the operations you plan to call. A read-only key can call safe HTTP methods. Mutations require a read-write key.

API key authentication skips interactive wallet verification. Browser session authentication still requires wallet verification on write operations that ask for it.

API integration model

Rendering diagram...

Create an API key

Step 1: Navigate to API Keys page

Click your profile avatar in the top right corner
Select API Keys from the dropdown menu

API Keys page

Step 2: Generate a new key

Click Create API Key
Enter a descriptive name (e.g., "Production Integration", "CI/CD Pipeline")
(Optional) Set an expiry date - keys without expiry remain valid until manually revoked
Click Create

Step 3: Copy and secure your key

The platform displays your API key once. Copy it immediately and store it securely (environment variable, secret manager, password vault).

Key format: sm_dalp_xxxxxxxxxxxxxxxx

Important: If you lose the key, you cannot recover it. Revoke the old key and create a new one.

Step 4: Review key settings

Your API key has:

Permissions: Inherits your user role permissions (check with systemAccessManagerRolesList())
Organization scope: Locked to the organization active when you created the key
Access scope: Choose read-write for integrations that create or update DALP resources. Choose read for reporting jobs that only call safe HTTP methods (GET, HEAD, or OPTIONS). Read-only keys cannot use write methods such as POST, PUT, PATCH, or DELETE.
REST API access: API keys authenticate REST requests. They are not accepted on /api/rpc. Use REST endpoints for API-key based integrations.
Metadata: Stores organizationId and access scope for session context

Managing API keys

From the API Keys page you can:

View active keys - Name, expiry date
Delete keys - Permanently revoke access (cannot be undone)

Configure the SDK

The recommended TypeScript path is the @settlemint/dalp-sdk package. It uses the DALP API contract directly, sends authenticated calls to /api/v2, and adds the API key as the x-api-key request header.

npm install @settlemint/dalp-sdk dnum zod

Or with Bun:

bun add @settlemint/dalp-sdk dnum zod

The SDK requires zod >= 4.0.0. The examples below also use dnum for token amounts, so install both packages explicitly with the SDK.

Create a client

import { createDalpClient } from "@settlemint/dalp-sdk";

const dalp = createDalpClient({
  url: "https://your-platform.example.com",
  apiKey: process.env.DALP_API_KEY,
});

Use the deployment origin as url. Do not append /api; the SDK normalises the base URL and calls the current REST API under /api/v2.

For multi-organisation setups, pass the active organisation explicitly when the integration must pin every request to one organisation:

const dalp = createDalpClient({
  url: "https://your-platform.example.com",
  apiKey: process.env.DALP_API_KEY,
  organizationId: "org_xxx",
});

Test your connection

Verify authentication with a safe read before running mutations:

const tokens = await dalp.token.list({ query: {} });

console.log("Token count:", tokens.data.length);

If the call succeeds, the API key is accepted and the client can reach the DALP API. If it fails with UNAUTHORIZED, check the key value and expiry. If it fails with FORBIDDEN, check the user's role and the key scope.

When to use the OpenAPI specification

Use the SDK for TypeScript services. Use the OpenAPI specification when you need to generate a client in another language, import the API into a gateway, or inspect the REST contract directly.

curl https://your-platform.example.com/api/v2/spec.json \
  -H "X-Api-Key: sm_dalp_xxxxxxxxxxxxxxxx"

The current API specification is served at /api/v2/spec.json. Legacy integrations can still inspect /api/v1/spec.json where required. The interactive reference for the current REST API is available under /api/v2 on the DALP deployment.

Common errors

For complete error handling guidance, see the Error handling guide.

Quick fixes:

401 Unauthorized - API key is invalid or expired. Check the key includes the sm_dalp_ prefix and is enabled in the API Keys page.
403 Forbidden - Your user account lacks permissions. See Platform setup for role management.
404 Not Found - Check that url is the DALP deployment origin without an added /api suffix and that the deployment is running.

Authentication header formats

DALP accepts API keys in following header format:

X-Api-Key (recommended):

X-Api-Key: sm_dalp_xxxxxxxxxxxxxxxx

Wallet verification for write operations

When authenticating with an API key, wallet verification is not required. You can omit the walletVerification field entirely:

import { from as dnumFrom } from "dnum";

// API key auth: no walletVerification needed
await dalp.token.mint({
  params: { tokenAddress: "0xABCD..." },
  body: {
    recipients: ["0x1234..."],
    amounts: [dnumFrom("1000", 18)],
  },
});

When authenticating with a session cookie (browser-based), write operations still require wallet verification:

// Session-based auth: walletVerification required
await dalp.token.mint({
  params: { tokenAddress: "0xABCD..." },
  body: {
    recipients: ["0x1234..."],
    amounts: [dnumFrom("1000", 18)],
    walletVerification: {
      verificationType: "PINCODE",
      secretVerificationCode: "123456", // Your 6-digit PINCODE
    },
  },
});

Why the difference? API keys are scoped, rate-limited credentials designed for machine-to-machine use. The key is the authorization factor, so an interactive second challenge is unnecessary. Session-based authentication still requires wallet verification as a second factor to prevent unauthorized transactions from a compromised session.

CLI and AI agent integration

The CLI follows the same authentication model. dalp login opens the browser device flow, creates a read-write API key for the CLI, and stores the credential locally. Use dalp logout when you need to revoke that CLI key and clear the local credential.

For scripts and AI agents, prefer CLI commands that return structured output:

dalp login --url https://your-platform.example.com
dalp whoami --format json
dalp auth org-list --format json

Use the CLI when an operator or agent needs a supported command surface. Use the SDK when your application needs direct TypeScript calls. Use OpenAPI when another language or gateway needs the REST contract. For MCP and skill-file setup, see AI agent integration.

API architecture

The DALP API is built on oRPC, which provides:

Type-safe client generation - Auto-generated TypeScript clients with full IntelliSense support
Automatic OpenAPI documentation - Explore endpoints, schemas, and examples at /api/v2 for the current API version
Schema validation - Requests and responses validated against Zod schemas
Custom serializers - BigInt, BigDecimal, and Timestamp types serialized correctly over JSON
Transaction headers - Blockchain mutations return X-Transaction-Hash in response headers for easy tracking
Streaming support - Long-running operations return progress updates via server-sent events

All endpoints follow RESTful conventions with POST for mutations, GET for queries, and standardized error codes (401 for auth failures, 403 for permission denials, 404 for missing resources).

Next steps

Now that your client is configured:

Review organization and system scope to keep API keys, organizations, systems, and environments separated
Review the token lifecycle to understand operation flows
Set up roles to grant yourself system and token permissions
Choose an asset guide and deploy your first token:
- Bonds
- Deposits
- Equities
- Funds
- Stablecoins

For API reference documentation and OpenAPI spec, see API reference.

Getting started