Setup
Connecting Your Account
Link your exchange and configure API keys.
AgentNash trades on prediction markets through exchange APIs. You need to connect at least one exchange and an AI API key to start trading. This page covers everything you need to know about credentials for each supported exchange, the AI models that power the trading pipeline, and how every secret is protected end-to-end.
Kalshi
What is Kalshi?
Kalshi is a CFTC-regulated (Commodity Futures Trading Commission) prediction market exchange based in the United States. It is the first federally regulated exchange dedicated to event contracts. Users trade binary contracts on real-world events — economics, politics, weather, sports, and more. Each contract pays out $1.00 if the event occurs and $0.00 if it does not. Kalshi operates with US dollar balances and standard KYC (Know Your Customer) verification.
Creating a Kalshi Account
- Visit kalshi.com and click Sign Up.
- Complete the registration form with your email, name, and password.
- Verify your identity — Kalshi requires government-issued ID and may ask for proof of address. This is a regulatory requirement (CFTC).
- Fund your account via bank transfer, wire, or debit card.
- Once your account is funded and verified, you can generate API credentials.
Generating API Credentials
Kalshi uses a two-part authentication system: an API Key (public identifier) and an EC Private Key (cryptographic signing key). Together, they allow AgentNash to authenticate requests to the Kalshi API on your behalf.
Navigate to API Settings
Log in to kalshi.com → click your profile icon (top right) → Settings → API Keys. This page manages all your API credentials.
Generate a New Key Pair
Click 'Generate New API Key'. Kalshi will create both an API Key and a Private Key. Both are shown only once — copy them immediately.
Save the Private Key File
The private key downloads as a .pem file. Keep this file safe. If you lose it, you must revoke the key and generate a new pair. The private key starts with '-----BEGIN EC PRIVATE KEY-----' and ends with '-----END EC PRIVATE KEY-----'.
Enter Credentials in AgentNash
Go to AgentNash → Settings → Exchanges → Kalshi. Paste your API Key into the 'API Key' field. Paste the entire PEM content (including the BEGIN/END lines) into the 'Private Key' field.
Test the Connection
Click 'Test & Save'. AgentNash performs a read-only balance check against the Kalshi API. If successful, you'll see your current balance. If it fails, check the troubleshooting section below.
What These Credentials Can and Cannot Do
Understanding the scope of API credentials is critical for security. Kalshi API keys are scoped to trading and read operations only.
| Permission | Allowed? |
|---|---|
| Read account balance | Yes |
| Read open positions | Yes |
| Read trade history | Yes |
| Place orders (buy/sell) | Yes |
| Cancel open orders | Yes |
| Read market data | Yes |
| Withdraw funds | No — requires web login + 2FA |
| Change account settings | No |
| Change password or email | No |
| Access bank/payment info | No |
| Generate new API keys | No |
| Revoke other API keys | No |
Kalshi API keys cannot withdraw funds or access your bank information. Even if credentials were compromised, an attacker could only place trades — they cannot move money out of your Kalshi account. You can revoke a compromised key instantly from kalshi.com.
PEM Format Explained
The private key uses PEM (Privacy-Enhanced Mail) format, which is an encoded representation of the key wrapped in header/footer lines, used for cryptographic signature authentication. When you paste it into AgentNash, include the full content — the header, the encoded body, and the footer. Do not add extra whitespace or line breaks.
Security: How Credentials Are Stored
AgentNash encrypts all exchange credentials using bank-grade authenticated encryption before storing them in the database. This is the same encryption standard used by banks and government agencies.
- At rest: Credentials are encrypted in the database. The raw API key and private key are never stored in plain text.
- In transit: All API calls between AgentNash and Kalshi use HTTPS (TLS 1.2+).
- In the UI: After saving, only a masked preview is shown. The full key is never displayed again.
- Decryption: Keys are accessed securely only when needed — when the bot service needs to authenticate a request to Kalshi.
Never share your Kalshi private key with anyone. If you suspect your credentials have been compromised, immediately revoke the API key from kalshi.com and use the Nuke All button in AgentNash to delete all stored credentials.
Kalshi Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| Connection failed | Invalid API key format | Verify the key matches the format shown on your Kalshi API settings page |
| 401 Unauthorized | Key revoked or expired | Generate a new key pair from kalshi.com → Settings → API Keys |
| Invalid PEM | Malformed private key | Ensure you pasted the full PEM including BEGIN/END lines with no extra whitespace |
| Signature mismatch | Key pair mismatch | The API key and private key must be from the same generation. Regenerate both. |
| Insufficient balance | Connection works, low balance | Not an error — your connection is valid. Deposit funds on kalshi.com to trade. |
| Rate limited (429) | Too many API calls | Kalshi rate-limits API access. AgentNash handles this automatically with backoff. |
| Network timeout | Connectivity issue | Check your internet connection and try again. |
Polymarket
What is Polymarket?
Polymarket is a decentralized prediction market built on the Polygon blockchain. Unlike Kalshi, which is a centralized US-regulated exchange, Polymarket operates as a non-custodial platform where trading happens through smart contracts. Users trade binary outcome tokens (YES/NO) using USDC (a US dollar stablecoin). Markets are created by the community and resolved through the UMA Optimistic Oracle, a decentralized dispute resolution system.
Polymarket is accessible globally (with some jurisdictions restricted) and does not require traditional KYC for basic trading. It typically has higher volume and more diverse market categories than Kalshi, including global politics, crypto events, and pop culture.
Creating a Polymarket Account
AgentNash connects to Polymarket through a MetaMask browser wallet. This is the recommended and supported account type.
- Install the MetaMask browser extension from metamask.io and create a wallet (or import an existing one).
- Visit polymarket.com and click Log in or Sign up.
- Select MetaMask as the connection method. Approve the connection prompt in your MetaMask extension.
- Polymarket creates a smart contract wallet tied to your MetaMask address. This wallet handles all on-chain trading operations.
- Deposit USDC into your Polymarket account to begin trading.
Understanding Wallet Architecture
When you connect MetaMask, Polymarket creates a smart contract wallet that wraps your MetaMask address. Understanding this structure helps clarify what credentials AgentNash needs:
- MetaMask wallet: Your external Ethereum address — the owner key. This is the private key AgentNash needs to sign orders.
- Smart contract wallet: A wallet created by Polymarket. It executes trades on-chain and holds your positions. You interact with it through your MetaMask key.
- Key distinction: The private key you export from MetaMask signs trade orders on Polymarket. It cannot withdraw funds from Polymarket — withdrawals require a separate web login flow.
Exporting Your Private Key from MetaMask
AgentNash needs your MetaMask account's private key to sign orders on Polymarket on your behalf.
Open MetaMask
Click the MetaMask extension icon in your browser toolbar.
Select the correct account
Make sure you have selected the same account you used to connect to Polymarket.
Open Account Details
Click the three-dot menu (⋮) next to the account name → select 'Account details'.
Show Private Key
Click 'Show private key'. MetaMask will ask you to enter your MetaMask password to confirm.
Copy the Key
The private key is a 66-character hexadecimal string starting with '0x'. Copy it immediately. Do NOT screenshot it or save it in an unencrypted file.
Your private key controls the ability to sign orders on Polymarket. Never share it with anyone. Never paste it into any website other than AgentNash. AgentNash will never ask for your MetaMask seed phrase — only the account private key.
Finding Your Deposit Address
AgentNash also needs your Polymarket Deposit Address to identify your wallet for balance checks and position queries.
- Log in to polymarket.com with MetaMask.
- Navigate to Settings (click your profile icon → Settings, or go directly to
polymarket.com/settings). - Look for the Deposit Address section. This is a
0xaddress, 42 characters long. - Copy the full address. This is not the same as your MetaMask address — it is the Polymarket-specific deposit address shown on the settings page.
Entering Credentials in AgentNash
Navigate to Exchanges
In AgentNash, go to Settings → Exchanges → click 'Connect' on Polymarket.
Complete MFA Verification
The connection modal requires two-factor authentication first. Enter the 6-digit code from your authenticator app. If you haven't set up 2FA yet, you'll be guided through enrollment.
Enter Private Key
Paste your MetaMask private key (the 0x... hex string) into the 'Private Key' field. It must start with 0x.
Enter Deposit Address
Paste your Polymarket deposit address (also 0x... format, 42 characters) into the 'Deposit Address' field. Find this at polymarket.com/settings under 'Deposit Address'.
Test & Save
Click 'Test & Save'. AgentNash validates the key format and saves your encrypted credentials. Your connection status updates immediately.
What Polymarket Credentials Can and Cannot Do
| Permission | Allowed? |
|---|---|
| Place orders (buy/sell) | Yes |
| Cancel open orders | Yes |
| Read positions and balance | Yes |
| Read market data | Yes — no auth needed |
| Withdraw USDC from Polymarket | No — requires web login |
| Access external wallets or other crypto | No — scoped to Polymarket CLOB operations |
| Move funds to other addresses | No — limited to Polymarket exchange operations |
| Change account settings | No |
| Access other DeFi protocols | No |
Your credentials are tightly scoped. AgentNash can place and cancel orders on Polymarket's CLOB, but it cannot withdraw funds, access other wallets, or interact with any blockchain protocol outside Polymarket's exchange contracts. Even in a worst-case scenario, no one can move money out of your Polymarket account using these credentials alone.
Order Signing
Polymarket uses cryptographic wallet signing for MetaMask-connected accounts. Orders are signed through your smart contract wallet — your MetaMask key is the owner, and the wallet executes trades on-chain using cryptographic signatures.
AgentNash auto-detects the correct signing method from your deposit address. You do not need to configure this manually.
Security: How Polymarket Credentials Are Stored
Identical to Kalshi credentials, Polymarket keys are encrypted with bank-grade encryption at rest in the database. The private key is never stored in plain text. Additionally:
- Key-derived credentials: Some operations derive temporary credentials from your private key as needed. These credentials are accessed securely when needed and cleared when the bot stops.
- No seed phrases: AgentNash never asks for or stores your MetaMask seed phrase. Only the account private key is needed.
- Masked display: After saving, the UI shows only
0x1a2b...ef01— the full key is never displayed again.
Polymarket Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| Private key must start with 0x | Invalid key format | Ensure the key starts with 0x and is 66 characters total (0x + 64 hex chars). Re-export from MetaMask if needed. |
| Balance: 0 USDC | Empty account or wrong deposit address | Verify the deposit address matches your polymarket.com/settings page. Deposit USDC if the account is empty. |
| Signature rejected | Wrong signature type | Usually means the auto-detection chose the wrong type. Verify you are using the MetaMask account that is connected to Polymarket. |
| API key generation failed | Derived key error | Try re-entering your private key. The key may have been corrupted during copy/paste. |
| CLOB order rejected | Insufficient allowance | Your wallet may need to approve USDC spending on the CLOB contract. This usually happens automatically on first trade via the web UI. |
| Network error | Polygon RPC issue | Polymarket uses the Polygon network. Temporary RPC outages can cause connection failures. Usually resolves within minutes. |
| Enable 2FA first | MFA not configured | You must set up two-factor authentication in Settings → Security before connecting any exchange. |
AI API Keys
The Council strategy requires API access to multiple AI models from different providers. Rather than configuring separate API keys for each, AgentNash uses OpenRouter as a unified routing layer that provides access to all models through a single API key.
OpenRouter (Primary — Required)
OpenRouter is an API aggregator that routes requests to multiple AI providers (Anthropic, Google, xAI, DeepSeek, OpenAI, and others) through a single endpoint. One OpenRouter API key gives AgentNash access to all models used in the Council debate.
Getting an OpenRouter API Key
Create an Account
Visit openrouter.ai and sign up with Google, GitHub, or email.
Add Credits
Go to openrouter.ai/credits and add funds. $5-10 is enough for hundreds of debate cycles. OpenRouter uses pay-as-you-go pricing.
Generate an API Key
Navigate to openrouter.ai/keys → click 'Create Key'. Give it a descriptive name like 'AgentNash'. Copy the key immediately — it is shown only once.
Enter in AgentNash
Go to AgentNash → Settings → API Keys → OpenRouter. Paste the key and save.
Cost Expectations
Each full Council debate (6 AI agents analyzing one market) costs approximately $0.02 – $0.08 depending on market complexity and response lengths. The high-confidence near-expiry fast-track (single model) costs roughly $0.015 per analysis.
| Usage Pattern | Daily Cost Estimate | Monthly Estimate |
|---|---|---|
| Light (10-20 markets/day) | $0.20 – $1.00 | $6 – $30 |
| Moderate (50-100 markets/day) | $1.00 – $5.00 | $30 – $150 |
| Heavy (200+ markets/day) | $4.00 – $15.00 | $120 – $450 |
AgentNash tracks AI spending in real-time. The daily AI budget (default: $10/day) prevents runaway costs. When the budget is exhausted, analysis pauses until the next calendar day. You can adjust this limit in Settings → Safeguards.
Optional: Direct Provider Keys
For advanced users who already have direct API accounts with individual providers, AgentNash also supports:
- Claude API Key (Anthropic) — Direct access to Claude models, bypassing OpenRouter. Enter at Settings → API Keys → Anthropic.
- OpenAI API Key — Direct access to GPT/o4-mini models. Enter at Settings → API Keys → OpenAI.
These are optional. If provided, AgentNash may use them as fallbacks when OpenRouter is unavailable. For most users, the OpenRouter key alone is sufficient.
Credential Security Summary
Every credential you enter into AgentNash — exchange keys, private keys, API tokens — is protected with the same encryption standard trusted by banks and government agencies. Your secrets are never stored in plain text, never logged, and never leave the server unencrypted.
| Aspect | Implementation |
|---|---|
| Encryption algorithm | Bank-grade authenticated encryption |
| Storage | Encrypted in the database — raw values never written in plain text |
| UI display | Masked after save (first/last 4 characters only) |
| In-transit | HTTPS / TLS 1.2+ for all API calls |
| Decryption | On-demand only when bot needs to authenticate |
| Deletion | Nuke All permanently deletes all credentials instantly |
| Access logging | All credential access is logged with timestamps |
| MFA requirement | Two-factor authentication required before any credential change |
Changing or adding exchange credentials always requires two-factor authentication. When you click Connect on any exchange, AgentNash prompts for your authenticator code before the credential form appears. If you have not enrolled in 2FA, the modal guides you through setup first. This ensures that even if someone accesses your AgentNash session, they cannot modify exchange connections without your authenticator device.