> ## Documentation Index
> Fetch the complete documentation index at: https://crushrewards.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Auth & rate limits

> How requests are authenticated and rate-limited.

## Payment is authentication

There is no API key system. Every request carries cryptographic proof of payment, and that proof IS the auth credential:

* **x402** — a signed USDC transfer authorization, verified server-side before the response body is returned.
* **MPP/Tempo** — a signed session token from Tempo, verified server-side against the Tempo network.

Both are bound to the specific request, so credentials cannot be replayed against a different endpoint.

## Rate limits

Rate limits are per-payer (wallet address or MPP session), not per-IP:

* **Default:** 60 requests/minute
* **Higher limits:** available on request — [reach out](mailto:support@crushrewards.dev)

The current limit for your payer is returned in the `X-RateLimit-*` response headers on every successful call.

## What this means in practice

* No keys to provision, rotate, or revoke
* Burst capacity is bound to your wallet, not your IP — multiple agents sharing one wallet share one rate-limit pool
* Lost wallet = lost auth, no recovery path. Treat the wallet like any other production secret
