# Prime REST

> Programmatic access to Kraken Prime — API-user management, key lifecycle, and settlement

The Prime REST API provides programmatic access to Kraken's Prime brokerage
services. Use it to manage Prime API users and their keys, and to drive
the settlement lifecycle for Prime trading activity.

For trade execution and live exposure data, pair Prime REST with the
[Prime WebSocket API](/institutional/api-reference/prime-websocket/authentication) (real-time)
or the [Prime FIX API](/institutional/api-reference/prime-fix/logon)
(session-based, deterministic ordering).

<Note>
  Access to Prime requires onboarding. Contact
  [prime\_trading@kraken.com](mailto:prime_trading@kraken.com) or your Account
  Manager to begin.
</Note>

## Connection

```text
https://api.kraken.com/0
```

## Authentication

Prime REST uses the same HMAC-SHA512 signature scheme as the Spot REST API.
See the [Spot REST authentication
guide](/exchange/guides/rest/authentication) for the exact request signing
flow — the algorithm, headers, and nonce handling are identical. The API
key permissions, however, are scoped to Prime resources.
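The signing flow referenced above, as an added example (not code from Kraken's documentation). It follows the publicly documented Spot REST scheme, `API-Sign = base64(HMAC-SHA512(secret, path + SHA256(nonce + body)))`. The endpoint path, API key, secret, parameter names and the form-encoded body are constructed placeholders; take the real path and body encoding from the linked guide and the endpoint reference.

```python
import base64
import hashlib
import hmac
import threading
import time
import urllib.parse

_nonce_lock = threading.Lock()
_last_nonce = 0

def next_nonce() -> str:
    """Strictly increasing nonce: millisecond clock, bumped if the clock repeats."""
    global _last_nonce
    with _nonce_lock:
        _last_nonce = max(int(time.time() * 1000), _last_nonce + 1)
        return str(_last_nonce)

def sign(uri_path: str, nonce: str, body: str, secret_b64: str) -> str:
    """base64(HMAC-SHA512(b64decode(secret), uri_path + SHA256(nonce + body)))."""
    inner = hashlib.sha256((nonce + body).encode()).digest()
    mac = hmac.new(base64.b64decode(secret_b64),
                   uri_path.encode() + inner, hashlib.sha512)
    return base64.b64encode(mac.digest()).decode()

def signed_request(uri_path: str, params: dict, api_key: str, secret_b64: str):
    """Return (headers, body) for a POST; the nonce is part of the signed body."""
    nonce = next_nonce()
    body = urllib.parse.urlencode({"nonce": nonce, **params})
    headers = {
        "API-Key": api_key,
        "API-Sign": sign(uri_path, nonce, body, secret_b64),
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
    }
    return headers, body

# Constructed sample values: not a real key, secret, or Prime endpoint path.
EXAMPLE_KEY = "EXAMPLE-API-KEY"
EXAMPLE_SECRET = base64.b64encode(b"constructed-example-secret-not-real").decode()
EXAMPLE_PATH = "/0/private/ExampleEndpoint"  # placeholder path (assumption)

if __name__ == "__main__":
    headers, body = signed_request(
        EXAMPLE_PATH, {"example_param": "value"}, EXAMPLE_KEY, EXAMPLE_SECRET)
    print(body)
    print(headers["API-Sign"])
```

Nonces are tracked per API key, so processes that share one key must share the counter; giving each process its own key avoids the coordination.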

## Typical workflow

<Steps>
  <Step title="Create an API user">
    Call [`CreatePrimeApiUser`](/api-reference/api-users/create-prime-api-user)
    with either a `Viewer` (read-only) or `Trader` (read + trade) role.
  </Step>

  <Step title="Generate an API key">
    Call [`CreatePrimeApiUserKey`](/api-reference/api-user-keys/create-prime-api-user-key)
    to issue credentials for the user. **The API secret is returned once
    at creation time** — store it securely; it cannot be retrieved later.
  </Step>

  <Step title="Trade">
    Execute trades over Prime WebSocket or Prime FIX using the issued
    credentials. Trades book against your Prime credit line.
  </Step>

  <Step title="Snapshot a settlement batch">
    At the end of a trading period, call
    [`CreatePrimeSettlementBatch`](/api-reference/settlement/create-prime-settlement-batch)
    to capture all unsettled trades into a batch. Each batch contains legs
    representing the net position per asset, and `trade_ids` listing the
    trade IDs included in the snapshot.
  </Step>

  <Step title="Settle each leg">
    For each leg in the batch, call
    [`SettlePrimeSettlementBatchAsset`](/api-reference/settlement/settle-prime-settlement-batch-asset)
    to initiate the transfer. Track progress and retrieve `trade_ids` via
    [`GetPrimeSettlementBatch`](/api-reference/settlement/get-prime-settlement-batch).
  </Step>
</Steps>

## Endpoint groups

<CardGroup cols={3}>
  <Card title="API Users" icon="user-gear" href="/api-reference/api-users/create-prime-api-user">
    Create, list, get, and update Prime API users. Manage user roles.
  </Card>

  <Card title="API User Keys" icon="key" href="/api-reference/api-user-keys/create-prime-api-user-key">
    Issue, list, update, and delete API keys for a Prime user.
  </Card>

  <Card title="Settlement" icon="handshake" href="/api-reference/settlement/create-prime-settlement-batch">
    Snapshot trades into batches and settle each leg.
  </Card>
</CardGroup>

## Roles

| Role     | Access                                                                          |
| :------- | :------------------------------------------------------------------------------ |
| `Viewer` | Read-only — query orders, balances, and exposure                                |
| `Trader` | Read + trade — submit and amend orders, in addition to all `Viewer` permissions |

The role is set at user creation and can be changed via
[`UpdatePrimeApiUserRoles`](/api-reference/api-users/update-prime-api-user-roles).

## Key lifecycle

API keys are tied to an API user, not directly to a Prime account. A user
may have multiple keys; revoking a key does not affect other keys for the
same user.

* **`CreatePrimeApiUserKey`** — issues a key pair; the secret is returned
  once and never persisted server-side.
* **`UpdatePrimeApiUserKey`** — rotate the IP allow-list or other key
  metadata.
* **`DeletePrimeApiUserKey`** — immediate revocation; subsequent requests
  signed with the deleted key fail authentication.

## Related

<CardGroup cols={2}>
  <Card title="Prime WebSocket" icon="bolt" href="/institutional/api-reference/prime-websocket">
    Real-time order entry, executions, exposure, and balance streaming.
  </Card>

  <Card title="Prime FIX" icon="terminal" href="/institutional/api-reference/prime-fix">
    Session-based order entry with deterministic ordering and replay.
  </Card>

  <Card title="Spot REST authentication" icon="key" href="/exchange/guides/rest/authentication">
    HMAC-SHA512 signing flow shared with Prime REST.
  </Card>

  <Card title="Choose your protocol" icon="code-compare" href="/exchange/guides/general/api-comparison">
    REST vs WebSocket vs FIX trade-offs.
  </Card>
</CardGroup>
