Token Authentication
KhunQuant supports token-based authentication for securing the Gateway API and the Pico WebSocket channel.
Pico Channel token authentication
Pico Channel is KhunQuant's native WebSocket protocol. It supports token-based auth to restrict access to authorised clients only.
Method 1: Configuration file
Add to ~/.khunquant/config.json:
```json
{
  "channels": {
    "pico": {
      "enabled": true,
      "token": "TOKEN"
    }
  }
}
```
Add the token value to ~/.khunquant/.security.yml:
```yaml
channels:
  pico:
    token: "your-secure-token-here"
```
Method 2: Environment variable
```bash
export KHUNQUANT_TOKEN="your-secure-token-here"
khunquant start
```
Pico channel config options
| Field | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable the Pico channel |
| token | SecureString | — | Shared secret token |
| expiry | duration | 0 (never) | Session expiry after inactivity |
| ip_allowlist | []string | any | CIDR ranges allowed to connect |
Calling the Gateway API with a token
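```bash
# Authorization header
curl -H "Authorization: Bearer your-secure-token-here" \
  http://localhost:18800/api/v1/portfolio

# Query parameter (URL quoted so the shell does not interpret "?").
# The token becomes part of the URL, which is commonly recorded in
# shell history and access logs, so prefer the header form.
curl "http://localhost:18800/api/v1/portfolio?token=your-secure-token-here"
```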
Pico client configuration
When connecting from an external script or bot:
```toml
[pico_client]
url = "ws://localhost:18800/pico"
token = "your-secure-token-here"
```
Generating a secure token
Use openssl to generate a cryptographically secure token:
```bash
openssl rand -hex 32
```
Never hardcode tokens in config.json
Store token values in .security.yml using env:// references or encrypted enc:// values. See .security.yml Reference.
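The following shell helpers are an added example, not part of KhunQuant or its documentation. They tie together the openssl generation step, the KHUNQUANT_TOKEN environment variable and the Bearer header shown above, while keeping the token out of the URL and out of curl's argument list. The function names and the token file location are hypothetical, and passing the header on stdin assumes curl 7.55 or later.

```shell
#!/bin/sh
# Added example; function names and the token file path are hypothetical.

# Print 32 random bytes as 64 hex characters (the page's openssl command).
# The od fallback is an addition for hosts without openssl.
gen_token() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# Succeed only for exactly 64 lowercase hex characters.
is_strong_token() {
    case "$1" in
        ''|*[!0123456789abcdef]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Write a fresh token to file $1 with owner-only permissions, never echoing it.
store_token() {
    (
        umask 077
        tok=$(gen_token) && is_strong_token "$tok" || exit 1
        : > "$1" && chmod 600 "$1" && printf '%s\n' "$tok" > "$1"
    )
}

# Export KHUNQUANT_TOKEN from file $1, refusing files readable by group/other.
load_token() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 1
    KHUNQUANT_TOKEN=$(cat "$1") || return 1
    is_strong_token "$KHUNQUANT_TOKEN" || return 1
    export KHUNQUANT_TOKEN
}

# Build the Authorization header from the exported token.
auth_header() {
    printf 'Authorization: Bearer %s\n' "$KHUNQUANT_TOKEN"
}

# GET a Gateway API path, passing the header on stdin (curl -H @-)
# so the token is not in curl's argument list or in the URL.
gateway_get() {
    auth_header | curl --fail --silent --show-error -H @- "http://localhost:18800$1"
}
```

After sourcing the file, run `store_token` once with a path of your choosing, then `load_token` with the same path before `khunquant start` or `gateway_get /api/v1/portfolio`.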