packages/cloud-frontend/content/wallet-api.mdx
Use an Ethereum wallet to sign in, get an API key, or authenticate each request without storing a key. Supports agents and headless clients that cannot use browser OAuth or session cookies.
X-Wallet-Address, X-Timestamp, X-Wallet-Signature.

Why both? SIWE is for onboarding and key issuance; wallet headers are for clients that prefer not to store a key.

Onboarding (pick one):
- GET /api/auth/siwe/nonce → sign message → POST /api/auth/siwe/verify → receive apiKey, user, organization. New accounts get initial free credits.
- POST /api/v1/topup/10|50|100 with payment; send walletAddress in body or use wallet sig headers to credit the signer. New accounts get no free credits (payment only).

Authenticating requests (pick one):
- X-API-Key: <key> or Authorization: Bearer <key>
- X-Wallet-Address + X-Timestamp + X-Wallet-Signature
- Authorization: Bearer <steward-jwt>

Returns { nonce, domain, uri, chainId, version, statement }. Use these to build the EIP-4361 message. Nonce is stored in Redis (5 min TTL); 503 if Redis unavailable. Rate limit: STRICT.
Body: { message, signature } (full SIWE message string and hex signature). Server validates domain (must match app host), verifies signature, consumes nonce, finds or creates user/org, issues API key. Response: { apiKey, address, isNewAccount, user, organization }. Rate limit: STRICT.
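The verify-side checks listed above (domain must match the app host, signer must match, nonce is consumed once within its 5 min TTL), as an added example that is not Eliza Cloud's own code. Assumptions: an in-memory Map stands in for Redis, `recoveredAddress` is the signer a wallet library recovered from the signature, and `NonceStore`, `parseSiwe`, `verifySiwe` and `sampleMessage` are hypothetical names.

```javascript
// Added example; an in-memory Map stands in for Redis and all names are hypothetical.
const NONCE_TTL_MS = 5 * 60 * 1000; // the page states a 5 min nonce TTL

class NonceStore {
  constructor() { this.expiry = new Map(); } // nonce -> expiry time (ms)
  issue(nonce, now) { this.expiry.set(nonce, now + NONCE_TTL_MS); }
  // Single use: delete on lookup, so a replayed nonce is never found twice.
  consume(nonce, now) {
    const expires = this.expiry.get(nonce);
    this.expiry.delete(nonce);
    return expires !== undefined && now <= expires;
  }
}

// Extract the fields the server checks from an EIP-4361 message.
function parseSiwe(message) {
  const lines = String(message).split("\n");
  const head = /^(\S+) wants you to sign in with your Ethereum account:$/.exec(lines[0]);
  const address = /^0x[0-9a-fA-F]{40}$/.test(lines[1] || "") ? lines[1] : null;
  const nonceLine = lines.find((l) => l.startsWith("Nonce: "));
  return {
    domain: head ? head[1] : null,
    address,
    nonce: nonceLine ? nonceLine.slice("Nonce: ".length) : null,
  };
}

// recoveredAddress: signer recovered from the signature by a wallet library (not shown).
function verifySiwe(message, recoveredAddress, appHost, store, now) {
  const { domain, address, nonce } = parseSiwe(message);
  if (!domain || !address || !nonce) return { ok: false, reason: "malformed" };
  if (domain !== appHost) return { ok: false, reason: "domain_mismatch" };
  if (address.toLowerCase() !== String(recoveredAddress).toLowerCase())
    return { ok: false, reason: "signer_mismatch" };
  // Consume last, matching the order the page lists (domain, signature, nonce).
  if (!store.consume(nonce, now)) return { ok: false, reason: "nonce_invalid" };
  return { ok: true, address, nonce };
}

// Constructed sample message (not captured from a real service).
const SAMPLE_ADDRESS = "0x1111111111111111111111111111111111111111";
function sampleMessage(domain, nonce) {
  return [
    `${domain} wants you to sign in with your Ethereum account:`,
    SAMPLE_ADDRESS, "", "Sign in", "",
    `URI: https://${domain}`, "Version: 1", "Chain ID: 1",
    `Nonce: ${nonce}`, "Issued At: 2024-01-01T00:00:00.000Z",
  ].join("\n");
}
```

Timestamps are passed in as `now` so expiry and replay behaviour can be exercised deterministically.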
Eliza Cloud Authentication\nTimestamp: ${timestamp}\nMethod: ${method}\nPath: ${path}

Any route that uses requireAuthOrApiKey accepts wallet-header auth. If the wallet is unknown, the account is created on first valid signature.
POST /api/v1/topup/10, /50, /100 (x402 payment required):
walletAddress needed.

Wallet headers (X-Wallet-Address, X-Timestamp, X-Wallet-Signature) are allowed in CORS. The proxy passes requests that have X-Wallet-Signature (or API key / Bearer token) through without requiring a browser session so wallet-auth reaches the API.