Execution modes
Payload mode keeps every signature in your hands. Delegated mode trades a small amount of custody for convenience — never withdrawal capability.
| Payload mode | Delegated mode | |
|---|---|---|
| Default | Yes — every new agent starts here | Opt-in, requires submitting credentials |
| Who signs | You, with your own wallet | Meridian, in-process, using sealed-box decrypted credentials |
| Credential storage | None required | Sealed-box encrypted, scoped to order:place + order:cancel |
| Response on approval | Unsigned EIP-712 payload | venue_order_id — already submitted |
Payload mode
POST /v1/orders/intent returns an unsigned order containing the EIP-712 domain, types, and message struct — with the builder code already attached. Sign it with your agent's wallet and forward it to POST /v1/orders/submit-signed. Meridian validates the signature format before forwarding it to the venue; it never sees your private key.
Delegated mode
Submit venue API credentials via POST /v1/agents/{id}/creds. Meridian encrypts them with a NaCl sealed box before storage — decryption happens only in-process, at the moment of order submission, and the plaintext never appears in logs or error responses.
await client.agents.submitCredentials(agentId, {
api_key: "...",
api_secret: "...",
scopes: ["order:place", "order:cancel"],
});withdraw, transfer, or balance_modify scopes are rejected outright with a 400. Meridian is structurally incapable of holding withdrawal capability, in either mode.Kill switch
POST /v1/agents/{id}/kill cancels every open order for that agent, concurrently, within a 5-second SLA. In delegated mode it also deletes the decryptable credential material from storage — irreversibly. Orders that don't confirm cancellation within the deadline are marked failed and flagged for review rather than left in an unknown state.
See the API reference for the full request/response shape of every endpoint mentioned here.