Begin 2FA setup
Generates a fresh TOTP secret (stored pending) plus ten one-time backup codes and returns them ONCE. Render otpauthUri as a QR code, then call …/totp/confirm to activate. Refused with 409 totp_already_configured if 2FA is already active. Rate-limited 10/min/wallet.
Authorizations
Partner / integrator key — format ps_live_<keyId>_<secret>. Issued by PredictStreet ops via the admin panel; never self-service. Never ship to a browser. multi_wallet partners must additionally send X-User-Wallet: 0x<40-hex> on every authenticated request to declare the acting wallet. See the API keys guide for scope taxonomy, partner kinds, rate limits, and rotation procedure.
Headers
Required for multi_wallet partners on every authenticated request; ignored for single_wallet. Declares the acting end-user wallet for this request — drives KYC checks, balances/positions/orders attribution, rate-limit buckets, and audit. Lower-cased server-side. Missing on a multi_wallet key → 401 api_key_user_wallet_required; malformed → 401 api_key_user_wallet_invalid. The on-chain CTFExchange/Vault contracts still verify EIP-712 signer ↔ vault binding, so loosening API-layer attribution is safe by construction.
Pattern: ^0x[a-fA-F0-9]{40}$
Example: "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb3"
Response
Secret, provisioning URI and backup codes — shown once.
otpauth:// provisioning URI — render as a QR code.
"otpauth://totp/PredictStreet:0x1234…?secret=JBSWY3DPEHPK3PXP&issuer=PredictStreet"
Base32 secret for manual entry. Shown ONCE.
"JBSWY3DPEHPK3PXP"
Ten single-use backup codes (16 hex chars each). Shown ONCE — store securely; each authorises exactly one withdrawal if the authenticator is lost.
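An added example, not PredictStreet's own code: a server-side integrator check that validates the X-User-Wallet value against the documented pattern before sending, and confirms the setup response is self-consistent before rendering the QR code. The response field names "secret" and "backupCodes", both function names, and the sample payload are assumptions; only otpauthUri is named on this page.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

WALLET_RE = re.compile(r"^0x[a-fA-F0-9]{40}$")  # pattern documented for X-User-Wallet
BACKUP_RE = re.compile(r"^[0-9a-fA-F]{16}$")    # "16 hex chars each"

def acting_wallet_header(wallet: str) -> dict:
    """Validate before sending; fullmatch also rejects a trailing newline,
    which a bare `$` would let through. Lower-case as the server does."""
    if not WALLET_RE.fullmatch(wallet):
        raise ValueError("wallet must match ^0x[a-fA-F0-9]{40}$")
    return {"X-User-Wallet": wallet.lower()}

def check_setup_response(body: dict) -> list:
    """Return a list of problems; an empty list means the payload is
    self-consistent. "secret" and "backupCodes" are assumed field names."""
    problems = []
    uri = urlsplit(body.get("otpauthUri", ""))
    if uri.scheme != "otpauth" or uri.netloc != "totp":
        problems.append("otpauthUri is not an otpauth://totp/ URI")
    secret = body.get("secret", "")
    if not secret or parse_qs(uri.query).get("secret", [""])[0] != secret:
        problems.append("URI secret and manual-entry secret differ")
    try:
        # Base32 input must be padded to a multiple of 8 characters.
        base64.b32decode(secret + "=" * (-len(secret) % 8))
    except (ValueError, TypeError):
        problems.append("secret is not valid Base32")
    codes = body.get("backupCodes", [])
    if len(codes) != 10 or len(set(codes)) != 10:
        problems.append("expected ten distinct backup codes")
    if not all(isinstance(c, str) and BACKUP_RE.fullmatch(c) for c in codes):
        problems.append("backup code is not 16 hex characters")
    return problems

# Constructed sample payload; the backup codes are invented for the example.
SAMPLE = {
    "otpauthUri": "otpauth://totp/PredictStreet:0x742d35cc6634c0532925a3b844bc9e7595f0beb3"
                  "?secret=JBSWY3DPEHPK3PXP&issuer=PredictStreet",
    "secret": "JBSWY3DPEHPK3PXP",
    "backupCodes": [f"{i:016x}" for i in range(1, 11)],
}

if __name__ == "__main__":
    print(acting_wallet_header("0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb3"))
    print(check_setup_response(SAMPLE) or "setup payload OK")
```

Because the secret and backup codes are returned only once, run the check in memory and keep the response body out of request logs and error reports.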