秋田预测市场 · Discord 审计

多用户共享 VPS 运行 API 是否违反 TOS 的深入争论

2026-06-10 · Kalshi · 30 条相关讨论

mags5555 2026-06-09 23:20:00

Hi, curious if members of a group could trade out of one application/server if all use their own individual api keys

Hi, curious if members of a group could trade out of one application/server if all use their own individual api keys

betaclone 2026-06-09 23:29:50

It'd be pretty tricky to pass the dev tos with that setup. Even with encryption a master admin would have access to everyone's credentials if they all live on the same server

It'd be pretty tricky to pass the dev tos with that setup. Even with encryption a master admin would have access to everyone's credentials if they all live on the same server

mags5555 2026-06-09 23:46:44

I’m assuming the alternative of having multiple users trade out of 1 api key also not ok. for context we share a pricing app that’s hosted on 1 local machine

I’m assuming the alternative of having multiple users trade out of 1 api key also not ok. for context we share a pricing app that’s hosted on 1 local machine

betaclone 2026-06-09 23:47:32

Oh yes forget tos, that is very much illegal

Oh yes forget tos, that is very much illegal

betaclone 2026-06-09 23:49:49

You can share global signals or logic or market streams, etc. But if you really want to do something like this it's best to have the individual credentials/execution layers live on separate servers owned by the acct holders

You can share global signals or logic or market streams, etc. But if you really want to do something like this it's best to have the individual credentials/execution layers live on separate servers owned by the acct holders

betaclone 2026-06-09 23:50:23

There are ways to do it above board but generally not really what people have in mind

There are ways to do it above board but generally not really what people have in mind

brunoBowser 2026-06-10 00:17:45

If you really want to be a collective like that, you likely need to start a company with your users as owners/officers - then its all under one umbrella. Not exactly a simple undertaking but it should allow you to preserve such a structure - not a lawyer though so get real advice if you do want to proceed down this path.

If you really want to be a collective like that, you likely need to start a company with your users as owners/officers - then its all under one umbrella. Not exactly a simple undertaking but it should allow you to preserve such a structure - not a lawyer though so get real advice if you do want to proceed down this path.

𝓛𝓮𝓸 2026-06-10 00:20:06

I don't see anything in https://kalshi.com/developer-agreement forbidding that? FWIW I share a VPS with others and it's fine... like we just run our different stuff separarely but it's all from the same IP and has never once caused an issue. One note is that we do sign all API requests even those that don't require it so that it counts against the account's rate limit and not the IP's rate limit.

I don't see anything in https://kalshi.com/developer-agreement forbidding that? FWIW I share a VPS with others and it's fine... like we just run our different stuff separarely but it's all from the same IP and has never once caused an issue. One note is that we do sign all API requests even those that don't require it so that it counts against the account's rate limit and not the IP's rate limit.

𝓛𝓮𝓸 2026-06-10 00:44:23

Hmm I'm just simply 100% certain that what I'm describing doesn't break the rules in any way and isn't even a grey area. We are all traders+coders who are writing code and running it using our own API keys in totally separate processes. There isn't overlap beyond being on the same physical server. Not trying to tell you how to do your thing - just trying to make it known to newcomers here that there's no need to be scared of doing something similar to save on hosting costs / ops overhead

Hmm I'm just simply 100% certain that what I'm describing doesn't break the rules in any way and isn't even a grey area. We are all traders+coders who are writing code and running it using our own API keys in totally separate processes. There isn't overlap beyond being on the same physical server. Not trying to tell you how to do your thing - just trying to make it known to newcomers here that there's no need to be scared of doing something similar to save on hosting costs / ops overhead

betaclone 2026-06-10 01:04:58

Are you 100% certain or have you just never received any kind of notice? Just because you haven't been dinged for it doesn't mean it doesn't violate the tos. Again, having different acct keys on the same VPS necessarily means one party has access to all of them which is a violation

Are you 100% certain or have you just never received any kind of notice? Just because you haven't been dinged for it doesn't mean it doesn't violate the tos. Again, having different acct keys on the same VPS necessarily means one party has access to all of them which is a violation

betaclone 2026-06-10 01:06:24

Kalshi specifically does not want people doing EXACTLY what you and the OP are describing. How diligently do they police it currently? Maybe not at all but the letter of the dev tos prohibits it

Kalshi specifically does not want people doing EXACTLY what you and the OP are describing. How diligently do they police it currently? Maybe not at all but the letter of the dev tos prohibits it

𝓛𝓮𝓸 2026-06-10 01:08:01

My read of the agreement is that using the API as someone else is prohibited, not that having the ability to go snoop (but not doing so) if I were nefarious and have root access to a shared server is prohibited In the same way that it's not prohibited/illegal for me to log into my own bank account on a shared family computer

My read of the agreement is that using the API as someone else is prohibited, not that having the ability to go snoop (but not doing so) if I were nefarious and have root access to a shared server is prohibited In the same way that it's not prohibited/illegal for me to log into my own bank account on a shared family computer

𝓛𝓮𝓸 2026-06-10 01:08:35

I'm saying that the letter, as I have read it, does not prohibit it. And nothing Kalshi has ever said would lead me to believe they don't want people doing it.

I'm saying that the letter, as I have read it, does not prohibit it. And nothing Kalshi has ever said would lead me to believe they don't want people doing it.

betaclone 2026-06-10 01:08:43

"My read" doesn't sound like 100% certain. My read, which has been backed up by mods in here, is the exact opposite

"My read" doesn't sound like 100% certain. My read, which has been backed up by mods in here, is the exact opposite

𝓛𝓮𝓸 2026-06-10 01:09:07

If you can point to a single mod message saying so I'd happily forfeit my claims!

If you can point to a single mod message saying so I'd happily forfeit my claims!

betaclone 2026-06-10 01:09:29

They don't want people building multi user platforms where users store their private credentials on a single 3rd party server. That is very explicit

They don't want people building multi user platforms where users store their private credentials on a single 3rd party server. That is very explicit

Azuul 2026-06-10 01:10:03

🤣

🤣

𝓛𝓮𝓸 2026-06-10 01:10:05

They don't want people making a frontend/app that induces users to input an API key or password, but that's very clearly not what I'm describing

They don't want people making a frontend/app that induces users to input an API key or password, but that's very clearly not what I'm describing

betaclone 2026-06-10 01:10:22

So how do the api keys get on your server?

So how do the api keys get on your server?

𝓛𝓮𝓸 2026-06-10 01:11:00

The owner of the API key sshes in and uses it in their own process when necessary

The owner of the API key sshes in and uses it in their own process when necessary