Skip to main content
Every request needs an API key. Generate one from your dashboard.

Sending the key

Pass your key in the X-API-Key header on every request: 
curl -H 'X-API-Key: ohlcv_live_sk_<your_key>' \
  https://api.dexploit.dev/api/v1/pairs?token_address=...
For browser-side WebSocket connections where headers aren’t easy, you can pass the key as a ?api_key= query string instead. See Streaming: WebSocket.

Key format and security

Keys look like ohlcv_<env>_sk_<48_random_chars> where <env> is live, dev, or test. Keys are hashed (SHA-256) at rest. You see the full key once at generation. Lost a key? Rotate to issue a new one — there’s no way to retrieve the original. Rotation issues a fresh key and grants the old one a 7-day grace period before it stops working.

Tiers and RPS caps

Pricing is capped requests-per-second with unlimited monthly volume — pick a tier that matches your sustained throughput.
TierPriceSustained RPS60-second burst window
Free$0201,200 reqs
Developer$50/mo1006,000 reqs
Pro$199/mo50030,000 reqs
EnterpriseCustomunlimitedunlimited
Some endpoints are tier-gated (/tokens/{mint}/smart-money, /tokens/{mint}/whales). Free callers receive HTTP 200 with tier_locked: true rather than 429 — see Quotas & errors.

Inspecting your usage

Call GET /credits at any time to see your current tier, RPS cap, requests used in the current window, and feature flags: 
curl -H 'X-API-Key: ohlcv_live_sk_<your_key>' https://api.dexploit.dev/credits

{
  "tier": "free",
  "rps_cap": 20,
  "rps_window_secs": 60,
  "current_window_used": 7,
  "current_window_remaining": 1193,
  "current_window_reset_secs": 23,
  "monthly_used": 4321,
  "monthly_used_note": "informational; no monthly cap on Dexploit",
  "tier_features": {
    "smart_money_access": false,
    "whales_access": false
  }
}

Error responses

Errors are always enveloped. The default shape carries error as a string alongside data: null: 
{
  "success": false,
  "data": null,
  "error": "Missing or invalid API key"
}
Some endpoint families instead wrap error as an object ({ code, message }) — the legacy /api/v1/* and raw /stats/* / /swaps/* families. Handle both: read error as either a string or an object. See Quotas & errors for the per-family breakdown.
StatusMeaning
401Key missing, malformed, or revoked.
429RPS cap exceeded in the current window. Retry with backoff.
Full error catalog: see Quotas & errors.