Skip to main content

Payment is authentication

There is no API key system. Every request carries cryptographic proof of payment, and that proof IS the auth credential:
  • x402 — a signed USDC transfer authorization, verified server-side before the response body is returned.
  • MPP/Tempo — a signed session token from Tempo, verified server-side against the Tempo network.
Both are bound to the specific request, so credentials cannot be replayed against a different endpoint.

Rate limits

Rate limits are per-payer (wallet address or MPP session), not per-IP:
  • Default: 60 requests/minute
  • Higher limits: available on request — reach out
The current limit for your payer is returned in the X-RateLimit-* response headers on every successful call.

What this means in practice

  • No keys to provision, rotate, or revoke
  • Burst capacity is bound to your wallet, not your IP — multiple agents sharing one wallet share one rate-limit pool
  • Lost wallet = lost auth, no recovery path. Treat the wallet like any other production secret