> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dexploit.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API keys, request headers, and per-tier RPS caps. Phase 1.2a: no monthly cap.

Every request needs an API key. Generate one from your [dashboard](https://www.dexploit.dev/dashboard).

## Sending the key

Pass your key in the `X-API-Key` header on every request:

<CodeGroup>
  ```bash curl theme={null}
  curl -H 'X-API-Key: ohlcv_live_sk_<your_key>' \
    https://api.dexploit.dev/api/v1/pairs?token_address=...
  ```

  ```typescript TypeScript theme={null}
  const res = await fetch('https://api.dexploit.dev/api/v1/pairs?token_address=...', {
    headers: { 'X-API-Key': 'ohlcv_live_sk_<your_key>' }
  });
  ```
</CodeGroup>

For browser-side WebSocket connections where headers aren't easy, you can pass the key as a `?api_key=` query string instead. See [Streaming: WebSocket](/streaming/websocket).

## Key format and security

Keys look like `ohlcv_<env>_sk_<48_random_chars>` where `<env>` is `live`, `dev`, or `test`.

Keys are hashed (SHA-256) at rest. You see the full key once at generation. Lost a key? **Rotate** to issue a new one — there's no way to retrieve the original. Rotation issues a fresh key and grants the old one a 7-day grace period before it stops working.

## Tiers and RPS caps

Pricing is capped requests-per-second with unlimited monthly volume — pick a tier that matches your sustained throughput.

| Tier       | Price    | Sustained RPS | 60-second burst window |
| ---------- | -------- | ------------- | ---------------------- |
| Free       | \$0      | 20            | 1,200 reqs             |
| Developer  | \$50/mo  | 100           | 6,000 reqs             |
| Pro        | \$199/mo | 500           | 30,000 reqs            |
| Enterprise | Custom   | unlimited     | unlimited              |

Some endpoints are tier-gated (`/tokens/{mint}/smart-money`, `/tokens/{mint}/whales`). Free callers receive HTTP 200 with `tier_locked: true` rather than 429 — see [Quotas & errors](/concepts/quotas-errors#tier-locked-features).

## Inspecting your usage

Call `GET /credits` at any time to see your current tier, RPS cap, requests used in the current window, and feature flags:

```bash theme={null}
curl -H 'X-API-Key: ohlcv_live_sk_<your_key>' https://api.dexploit.dev/credits
```

```json theme={null}
{
  "tier": "free",
  "rps_cap": 20,
  "rps_window_secs": 60,
  "current_window_used": 7,
  "current_window_remaining": 1193,
  "current_window_reset_secs": 23,
  "monthly_used": 4321,
  "monthly_used_note": "informational; no monthly cap on Dexploit",
  "tier_features": {
    "smart_money_access": false,
    "whales_access": false
  }
}
```

## Error responses

Errors are always enveloped. The default shape carries `error` as a **string** alongside `data: null`:

```json theme={null}
{
  "success": false,
  "data": null,
  "error": "Missing or invalid API key"
}
```

Some endpoint families instead wrap `error` as an **object** (`{ code, message }`) — the legacy `/api/v1/*` and raw `/stats/*` / `/swaps/*` families. Handle both: read `error` as either a string or an object. See [Quotas & errors](/concepts/quotas-errors#response-envelope) for the per-family breakdown.

| Status | Meaning                                                     |
| ------ | ----------------------------------------------------------- |
| 401    | Key missing, malformed, or revoked.                         |
| 429    | RPS cap exceeded in the current window. Retry with backoff. |

Full error catalog: see [Quotas & errors](/concepts/quotas-errors#error-codes).