Polymarket bot authentication and wallet setup: proxy wallets vs EOA, API key generation via SDK, sigType 2 for Gnosis Safe, key storage best practices, and the Magic-to-Privy migration.
By Harley Young, lead writer at Polymarkets.co.il. Last reviewed: May 2026.
What this chapter covers
This is chapter 6 of our 32-part series on building a Polymarket trading bot. We cover the topic in depth across the sections below. Body content for each section is being written and rolled out chapter-by-chapter; FAQ answers and references are already complete and reflect production experience from running our own trader.
Proxy wallet vs EOA: which to bot with
Generating an API key (SDK steps)
sigType 2 and POLY_FUNDER_ADDRESS (Gnosis Safe)
Key storage: .env, vault, KMS
The Magic Labs to Privy migration
Approving USDC/pUSD spending
Wallet recovery and backup
Proxy wallet vs EOA: which to bot with
This section is in active development. Want to be notified when it goes live? Contact us or watch the authors page.
Generating an API key (SDK steps)
This section is in active development. Want to be notified when it goes live? Contact us or watch the authors page.
sigType 2 and POLY_FUNDER_ADDRESS (Gnosis Safe)
This section is in active development. Want to be notified when it goes live? Contact us or watch the authors page.
Key storage: .env, vault, KMS
This section is in active development. Want to be notified when it goes live? Contact us or watch the authors page.
The Magic Labs to Privy migration
This section is in active development. Want to be notified when it goes live? Contact us or watch the authors page.
Approving USDC/pUSD spending
This section is in active development. Want to be notified when it goes live? Contact us or watch the authors page.
Wallet recovery and backup
This section is in active development. Want to be notified when it goes live? Contact us or watch the authors page.
Frequently asked questions
Do I need a separate wallet for my bot?
Strongly recommended, yes. Use a fresh EOA or a fresh email-account-derived proxy wallet that holds only the capital you have allocated to the bot. If the bot key leaks, only the bot funds are at risk - your main holdings stay safe.
What is sigType 2 in Polymarket's API?
sigType 2 indicates a Gnosis Safe (proxy wallet) signature, used when you log in with email/Google and Polymarket creates the proxy for you. For sigType 2, the POLY_FUNDER_ADDRESS environment variable must be the PROXY address (the one shown in the Polymarket UI), not the underlying EOA. This is a common configuration bug.
How do I generate a Polymarket API key?
Use the SDK. In Python, client.create_api_key() returns an ApiCreds object once you have authenticated with your wallet. In Node.js, the equivalent is client.createApiKey() from @polymarket/clob-client-v2. Save the returned key/secret/passphrase to your .env (never commit it to git).
Are Polymarket API keys revocable?
Yes. You can derive new keys at any time via the SDK; old keys remain valid until explicitly revoked via client.deleteApiKey(creds). Best practice is to rotate keys periodically and revoke any key that touched a compromised machine.
What changed when Polymarket migrated from Magic Labs to Privy?
Login OTP codes went from 3 digits (vulnerable to brute force, exploited in the December 2025 hack) to longer codes plus device binding via Privy. For bots, the practical change is the auth ceremony - the SDK abstracts most of it. If your bot was hard-coded to Magic Labs API endpoints (rare), update to the Privy flow.
Should I store keys in a .env file?
For a single-VPS bot - yes, with proper file permissions (chmod 600 .env, owned by the bot user). For multi-machine setups or production-grade ops - move to a secrets manager (AWS Secrets Manager, Vault, doppler.com). Never commit .env to git, ever.
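An added example, not part of the original page or of any Polymarket SDK: a startup preflight covering two points from the answers above, the sigType 2 funder-address bug and the .env permission check. SIGNATURE_TYPE is a hypothetical variable name, the addresses are constructed, and the bot's EOA address is assumed to be known to the caller.

```python
import os
import stat
import tempfile

EOA = "0x" + "11" * 20    # constructed sample address (signing key's EOA)
PROXY = "0x" + "22" * 20  # constructed sample address (proxy shown in the UI)

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def preflight(env_path, eoa_address):
    """Return a list of problems; an empty list means the bot may start."""
    problems = []
    st = os.stat(env_path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # chmod 600 leaves no bits for group or others
        problems.append("mode %o is wider than 600" % mode)
    if st.st_uid != os.getuid():
        problems.append("file is not owned by the bot user")
    with open(env_path) as fh:
        env = parse_env(fh.read())
    # SIGNATURE_TYPE is a hypothetical name; POLY_FUNDER_ADDRESS is from the page.
    if env.get("SIGNATURE_TYPE") == "2":
        funder = env.get("POLY_FUNDER_ADDRESS", "")
        if not funder:
            problems.append("sigType 2 needs POLY_FUNDER_ADDRESS")
        elif funder.lower() == eoa_address.lower():
            problems.append("POLY_FUNDER_ADDRESS is the EOA, not the proxy")
    return problems

def write_sample(funder, mode):
    """Write a constructed .env to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".env")
    with os.fdopen(fd, "w") as fh:
        fh.write("SIGNATURE_TYPE=2\nPOLY_FUNDER_ADDRESS=%s\n" % funder)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    print(preflight(write_sample(EOA, 0o644), EOA))    # two problems
    print(preflight(write_sample(PROXY, 0o600), EOA))  # no problems
```

Run it before the bot loads its credentials and refuse to start if the list is non-empty.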