Skip to main content
The Prime REST API provides programmatic access to Kraken’s Prime brokerage services. Use it to manage Prime API users and their keys, and to drive the settlement lifecycle for Prime trading activity. For trade execution and live exposure data, pair Prime REST with the Prime WebSocket API (real-time) or the Prime FIX API (session-based, deterministic ordering).
Access to Prime requires onboarding. Contact prime_trading@kraken.com or your Account Manager to begin.

Connection

https://api.kraken.com/0

Authentication

Prime REST uses the same HMAC-SHA512 signature scheme as the Spot REST API. See the Spot REST authentication guide for the exact request signing flow — the algorithm, headers, and nonce handling are identical. The API key permissions, however, are scoped to Prime resources.

Typical workflow

1

Create an API user

Call CreatePrimeApiUser with either a Viewer (read-only) or Trader (read + trade) role.
2

Generate an API key

Call CreatePrimeApiUserKey to issue credentials for the user. The API secret is returned once at creation time — store it securely; it cannot be retrieved later.
3

Trade

Execute trades over Prime WebSocket or Prime FIX using the issued credentials. Trades book against your Prime credit line.
4

Snapshot a settlement batch

At the end of a trading period, call CreatePrimeSettlementBatch to capture all unsettled trades into a batch. Each batch contains legs representing the net position per asset.
5

Settle each leg

For each leg in the batch, call SettlePrimeSettlementBatchAsset to initiate the transfer. Track progress via GetPrimeSettlementBatch.

Endpoint groups

API Users

Create, list, get, and update Prime API users. Manage user roles.

API User Keys

Issue, list, update, and delete API keys for a Prime user.

Settlement

Snapshot trades into batches and settle each leg.

Roles

RoleAccess
ViewerRead-only — query orders, balances, and exposure
TraderRead + trade — submit and amend orders, in addition to all Viewer permissions
The role is set at user creation and can be changed via UpdatePrimeApiUserRoles.

Key lifecycle

API keys are tied to an API user, not directly to a Prime account. A user may have multiple keys; revoking a key does not affect other keys for the same user.
  • CreatePrimeApiUserKey — issues a key pair; the secret is returned once and never persisted server-side.
  • UpdatePrimeApiUserKey — rotate the IP allow-list or other key metadata.
  • DeletePrimeApiUserKey — immediate revocation; subsequent requests signed with the deleted key fail authentication.

Prime WebSocket

Real-time order entry, executions, exposure, and balance streaming.

Prime FIX

Session-based order entry with deterministic ordering and replay.

Spot REST authentication

HMAC-SHA512 signing flow shared with Prime REST.

Choose your protocol

REST vs WebSocket vs FIX trade-offs.