Authentication

All protected MPP endpoints (/agent/*) use wallet-based authentication. No API keys or OAuth tokens - you sign a message with your EVM private key.

Auth Headers

Every request to a protected endpoint must include these headers:

Header	Description
`X-Wallet-Address`	Your EVM wallet address (`0x...`)
`X-Signature`	EIP-191 signature of the message below
`X-Timestamp`	Unix timestamp in milliseconds
`X-Nonce`	A unique UUID per request

Message Format

The signed message is a colon-separated string:

{wallet}:{timestamp}:{nonce}

Example:

0x5B6C...a3F2:1711500000000:550e8400-e29b-41d4-a716-446655440000

Generating Auth Headers

Using viem:

TypeScript
1import { privateKeyToAccount } from "viem/accounts";
2import { randomUUID } from "crypto";
3
4const account = privateKeyToAccount("0xYOUR_PRIVATE_KEY");
5
6const getAuthHeaders = async () => {
7  const nonce = randomUUID();
8  const timestamp = String(Date.now());
9  const message = `${account.address}:${timestamp}:${nonce}`;
10  const signature = await account.signMessage({ message });
11
12  return {
13    "X-Wallet-Address": account.address,
14    "X-Signature": signature,
15    "X-Timestamp": timestamp,
16    "X-Nonce": nonce,
17  };
18};

Validation Rules

Timestamp must be within 60 seconds of the server's clock
Nonce must be unique - each nonce can only be used once
Signature is verified using EIP-191 personal_sign via the wallet address

If any check fails, the endpoint returns 401.

Public Endpoints

These endpoints do not require authentication:

Endpoint	Description
`GET /agent/balance/:address`	Check token balances on-chain
`GET /agent/chains`	List supported chains & tokens
`GET /health`	Gateway health check