REST API
For everything except private swap. Partial map:
GET /api/pools·GET /api/pools/:id·POST /api/poolsGET /api/pools/tvl(public, no auth)GET /api/pools/:id/zk/{commitments,merkle-root,nullifiers,kyc}POST /api/pools/:id/{deposit,withdraw,transfer}/submitGET|POST /api/pools/:id/{allowlist,balances,blocklist,compliance,members,protocols,tokens}GET|POST /api/{transfers,audit,encrypt,keys,org,wallets}GET /api/openapi— full OpenAPI 3.0 spec
Auth via Authorization: Bearer pk_live_…, org-scoped API keys (v1.0). During the v0.9 / v0.95 partner phase we issue session-scoped keys per integrator; swap-in is one header change when v1.0 lands.
Private swap isn't here because the proof needs the user's spend key in their browser. Every ZK privacy system works this way — it's by design, not an oversight.