How Kalshi Authentication Works
Kalshi uses RSA-PSS key pairs instead of simple API keys. This is more secure because:
- Your private key never leaves your machine
- Each request is signed uniquely (replay attacks are impossible)
- Even if network traffic is intercepted, the attacker can't generate new valid requests
The Authentication Flow
- Generate a key pair: Create an RSA private key and public key
- Upload the public key: Register your public key with Kalshi
- Sign requests: For each API request, compute an RSA-PSS signature over the request data using your private key
- Kalshi verifies: Kalshi checks the signature against your registered public key
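The four steps above, as an added example that is not from the original page and is not Kalshi's or SimpleFunctions' code, using Node's built-in crypto module. The signed message layout (timestamp + method + path), the 5-second freshness window and the sample paths are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// RSA-PSS with SHA-256; the salt length equals the digest length (32 bytes).
const PSS = {
  padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
  saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST,
};
const MAX_SKEW_MS = 5000; // assumed freshness window enforced by the verifier

// Step 1 (client): generate the key pair. Only publicKey is ever uploaded.
function generateKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Assumed layout of the signed data: timestamp + METHOD + path without query.
function canonical(timestampMs, method, path) {
  return Buffer.from(`${timestampMs}${method.toUpperCase()}${path.split('?')[0]}`);
}

// Step 3 (client): sign one request. PSS salts each signature randomly, so
// two signatures over identical data still differ.
function signRequest(privateKey, method, path, timestampMs = Date.now()) {
  const data = canonical(timestampMs, method, path);
  const sig = crypto.sign('sha256', data, { key: privateKey, ...PSS });
  return { timestampMs, signature: sig.toString('base64') };
}

// Step 4 (server): reject stale timestamps first, then check the signature
// against the registered public key. The timestamp is part of the signed
// data, so rewriting it to look fresh invalidates the signature.
function verifyRequest(publicKey, method, path, headers, nowMs = Date.now()) {
  if (Math.abs(nowMs - headers.timestampMs) > MAX_SKEW_MS) return 'stale';
  const data = canonical(headers.timestampMs, method, path);
  const sig = Buffer.from(headers.signature, 'base64');
  return crypto.verify('sha256', data, { key: publicKey, ...PSS }, sig) ? 'ok' : 'bad-signature';
}

function demo() {
  const { privateKey, publicKey } = generateKeyPair();
  const path = '/example/orders'; // constructed sample path
  const req = signRequest(privateKey, 'GET', path);
  return {
    fresh: verifyRequest(publicKey, 'GET', path, req),
    tamperedPath: verifyRequest(publicKey, 'GET', '/example/other', req),
    replayedLater: verifyRequest(publicKey, 'GET', path, req, req.timestampMs + 60000),
  };
}
console.log(demo());
```

A captured request still verifies inside the freshness window in this sketch, so the window is what bounds replay and should be kept short on the verifying side.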
Setting Up with SimpleFunctions
The CLI handles RSA-PSS complexity for you:
sf auth add-venue kalshi
This interactively walks you through:
- Generating an RSA key pair (or importing an existing one)
- Uploading the public key to Kalshi
- Securely storing the private key on your machine
- Testing the connection
After setup, every CLI command that touches Kalshi automatically signs requests. You never need to think about RSA-PSS again.
Security Notes
- Your private key is stored in your OS keychain (macOS Keychain / Linux secret-service)
- The CLI never logs or transmits your private key
- If you suspect key compromise, revoke it on Kalshi immediately and generate a new pair