Drift
Python's Polymarket, Limitless, and Probable classes accept api_secret and passphrase constructor parameters and inject them into the credentials dict sent to the sidecar. TypeScript's ExchangeOptions (used by all TypeScript exchange classes) has no apiSecret or passphrase fields, making these credentials inaccessible to TypeScript users.
TypeScript SDK
sdks/typescript/pmxt/client.ts, lines 167–213 (ExchangeOptions):
export interface ExchangeOptions {
apiKey?: string;
privateKey?: string;
pmxtApiKey?: string;
baseUrl?: string;
autoStartServer?: boolean;
proxyAddress?: string;
signatureType?: number;
// apiSecret — missing
// passphrase — missing
}getCredentials() (lines 326–336) builds: { apiKey, privateKey, funderAddress, signatureType } — no apiSecret, no passphrase.
Python SDK
sdks/python/pmxt/_exchanges.py, lines 53–59 (Polymarket._get_credentials_dict):
def _get_credentials_dict(self) -> Optional[Dict[str, Any]]:
creds = super()._get_credentials_dict() or {}
if self.api_secret:
creds["apiSecret"] = self.api_secret # ← sent to sidecar
if self.passphrase:
creds["passphrase"] = self.passphrase # ← sent to sidecar
return creds if creds else NoneSame pattern at lines 99–105 (Limitless) and lines 207–213 (Probable).
Expected
ExchangeOptions should add apiSecret?: string and passphrase?: string. The getCredentials() method should include them in the returned object when set. The Polymarket, Limitless, and Probable TypeScript constructors should expose these fields:
export interface ExchangeOptions {
...
apiSecret?: string;
passphrase?: string;
}Impact
TypeScript users of Polymarket, Limitless, and Probable cannot pass apiSecret or passphrase credentials to the sidecar through the typed interface. If the sidecar uses these fields for authentication, TypeScript trading on these venues is broken. Python users on the same venues authenticate correctly.
Found by automated SDK cross-language drift audit
Drift
Python's
Polymarket,Limitless, andProbableclasses acceptapi_secretandpassphraseconstructor parameters and inject them into the credentials dict sent to the sidecar. TypeScript'sExchangeOptions(used by all TypeScript exchange classes) has noapiSecretorpassphrasefields, making these credentials inaccessible to TypeScript users.TypeScript SDK
sdks/typescript/pmxt/client.ts, lines 167–213 (ExchangeOptions):getCredentials()(lines 326–336) builds:{ apiKey, privateKey, funderAddress, signatureType }— noapiSecret, nopassphrase.Python SDK
sdks/python/pmxt/_exchanges.py, lines 53–59 (Polymarket._get_credentials_dict):Same pattern at lines 99–105 (
Limitless) and lines 207–213 (Probable).Expected
ExchangeOptionsshould addapiSecret?: stringandpassphrase?: string. ThegetCredentials()method should include them in the returned object when set. ThePolymarket,Limitless, andProbableTypeScript constructors should expose these fields:Impact
TypeScript users of Polymarket, Limitless, and Probable cannot pass
apiSecretorpassphrasecredentials to the sidecar through the typed interface. If the sidecar uses these fields for authentication, TypeScript trading on these venues is broken. Python users on the same venues authenticate correctly.Found by automated SDK cross-language drift audit