REST API
Audit contracts, verify reports, and query MCP tools. All responses are JSON. All errors follow a single shape.
Base URL
All endpoints are served from the production domain. Routes are not grouped under a versioned base path: where an endpoint is versioned (for example /api/v1/audit/source), the version is part of that endpoint's own path, and pagination and forward-compatibility are likewise handled per endpoint.
Authentication
Three ways to authenticate, plus an internal service token. Most endpoints accept more than one.
Session
Logged-in users, web UI. GitHub OAuth or Google OAuth via Auth.js. The session cookie is set automatically after sign-in.
Use for: Browser flows, the audit UI, reports history, admin pages.
API Key
Developers, integrations, CI/CD. Create a key in Settings and send Authorization: Bearer wg_live_xxxxx on any API route. Keys are tied to your account and quota; treat them as secrets and keep them in your CI's secret store rather than in source.
Use for: Developer integrations, CI pipelines, GitHub Actions, programmatic access. Quota and rate limits apply per key.
x402 Payment
AI agents, automated tools. Sign a USDC transferWithAuthorization (EIP-3009) on Base and send the proof in the X-PAYMENT header.
Use for: Pay-per-request endpoints under /api/x402/*. No account required.
Service Token (internal)
Internal services only. Send Authorization: Bearer {GESTALT_SERVICE_TOKEN value}. The token is a server-side environment variable, not available to external users, and it bypasses user quotas, so it must never be shipped to a browser or committed to a repository.
Use for: Internal CI, server-to-server calls. Not for external developers. Use API keys instead.
Error Responses
Every error returns JSON in the same shape. HTTP status codes follow standard conventions.
{
  "error": "Unauthorized",
  "code": "UNAUTHORIZED",
  "details": { /* optional, endpoint-specific */ }
}
Rate Limits
Enforced on the x402 endpoints via Upstash sliding windows.
Free tier: 1 audit per month. Additional audits available at $29 each. See /pricing for current rates.
Each API key has configurable rate limits (default: 100 req/min, 2000 req/day). Fresh audit limits apply per key. Manage keys in Settings.
Service tokens bypass user-facing quotas. Internal only, not available to external developers.
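The pieces above (the Bearer API key, the uniform error shape, and per-key rate limits) fit together in a small client. The following is an added example, not the project's own client code: the WALLETGUARD_API_KEY variable name, the placeholder base URL, the use of HTTP 429 for an exhausted window and of a Retry-After header are assumptions; the wg_live_ prefix, the Authorization header and the {error, code, details} error body come from this page.

```python
"""Minimal client skeleton for the WalletGuard REST API (added example).

Assumed, not from the page: the WALLETGUARD_API_KEY env var name, the
placeholder base URL, that a spent rate-limit window returns HTTP 429,
and that a Retry-After header may accompany it.
"""
import json
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://walletguard.example"  # placeholder, not the real domain


class ApiError(Exception):
    """Any non-2xx response, normalised to the page's {error, code, details} shape."""

    def __init__(self, status, code, message, details=None):
        super().__init__(f"{status} {code}: {message}")
        self.status = status
        self.code = code
        self.message = message
        self.details = details or {}


def parse_error(status, body):
    """Turn a raw error body into an ApiError. Tolerates non-JSON bodies (an
    upstream 502 page, for instance) so callers always see one exception type."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return ApiError(status, "UNKNOWN", body if isinstance(body, str) else repr(body))
    if not isinstance(doc, dict):
        return ApiError(status, "UNKNOWN", str(doc))
    details = doc.get("details")
    return ApiError(status, doc.get("code", "UNKNOWN"), doc.get("error", "<no message>"),
                    details if isinstance(details, dict) else {})


def auth_headers(api_key=None):
    """Build request headers from an API key read from the environment (assumed
    variable name) so the secret never lands in source. Refuses anything that is
    not a wg_live_ key: that catches a service token pasted into an external client."""
    key = api_key or os.environ.get("WALLETGUARD_API_KEY", "")
    if not key.startswith("wg_live_"):
        raise ValueError("expected an API key starting with wg_live_; "
                         "service tokens are server-side only")
    return {"Authorization": f"Bearer {key}", "Accept": "application/json"}


def retry_delay(status, headers, attempt, base=1.0, cap=30.0):
    """Seconds to wait before retrying, or None if the request must not be retried.
    429 (assumed: per-key window exhausted) and 5xx are retried, honouring
    Retry-After when present, else exponential backoff capped at `cap`.
    Other 4xx (bad key, quota exhausted, invalid input) are not retried."""
    if status != 429 and status < 500:
        return None
    ra = headers.get("Retry-After") if headers else None
    if ra and ra.isdigit():
        return min(float(ra), cap)
    return min(base * (2 ** attempt), cap)


def request_json(method, path, payload=None, api_key=None, max_attempts=4):
    """Perform a request against BASE_URL; raises ApiError on final failure."""
    data = json.dumps(payload).encode() if payload is not None else None
    headers = auth_headers(api_key)
    if data is not None:
        headers["Content-Type"] = "application/json"
    for attempt in range(max_attempts):
        req = urllib.request.Request(BASE_URL + path, data=data, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.loads(resp.read().decode())
        except urllib.error.HTTPError as e:
            body = e.read().decode(errors="replace")
            delay = retry_delay(e.code, e.headers, attempt)
            if delay is None or attempt == max_attempts - 1:
                raise parse_error(e.code, body) from None
            time.sleep(delay)
```

The key-prefix check in auth_headers is deliberate: because a service token bypasses quotas and is meant to stay inside the server environment, a client that only ever accepts wg_live_ keys cannot accidentally be wired up with one.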
Audit Endpoints
Every endpoint you can call. Follow the link for request and response shapes.
/api/audit - Start an audit for a verified contract by chain id and address.
/api/audit/:id - Fetch a completed audit report.
/api/audit/:id/stream - SSE stream of live audit progress and the final report.
/api/v1/audit/source - Source-direct audit. Submit Solidity source instead of an address.
/api/x402/audit/standard - $29 USDC pay-per-request full audit. No account required.
/api/verify - Verify the EIP-712 signature on a WalletGuard report.
/mcp - MCP tool discovery and execution.
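Consuming /api/audit/:id/stream needs a text/event-stream parser that copes with chunk boundaries, keep-alive comments, multi-line data and a connection that drops before the final report arrives. The following is an added example and not the project's code: the parsing rules follow the WHATWG EventSource format, but the event names (progress, report, error) and the JSON payload in SAMPLE_STREAM are constructed for illustration, since the page does not specify what the stream emits.

```python
"""Incremental text/event-stream parser for the audit progress stream (added example).

Assumed, not from the page: the event names "progress", "report" and "error",
and the contents of SAMPLE_STREAM, which is constructed sample data.
"""
import json

# Constructed sample of what an audit stream might carry. CRLF line endings and
# a keep-alive comment are included because real servers send both.
SAMPLE_STREAM = (
    b": keep-alive\r\n\r\n"
    b"event: progress\r\ndata: fetching verified source\r\n\r\n"
    b"event: progress\r\ndata: running analyzers\r\n\r\n"
    b"id: 3\r\nevent: report\r\n"
    b"data: {\"findings\": [\r\ndata: {\"severity\": \"high\"}]}\r\n\r\n"
)


def parse_sse(chunks):
    """Yield (event, data, last_id) from an iterable of byte chunks.

    Chunks may split a line anywhere, so bytes are buffered until a newline.
    Rules applied: lines starting with ':' are comments; 'event:', 'data:' and
    'id:' set fields; a blank line dispatches the event if any data was seen;
    multiple data lines are joined with '\\n'; the event name resets after
    dispatch while the last id persists. Bare '\\r' line endings are not handled.
    """
    buf = b""
    event, data_lines, last_id = "message", [], None
    for chunk in chunks:
        buf += chunk
        while True:
            nl = buf.find(b"\n")
            if nl < 0:
                break
            line = buf[:nl].rstrip(b"\r").decode("utf-8", errors="replace")
            buf = buf[nl + 1:]
            if line == "":
                if data_lines:
                    yield event, "\n".join(data_lines), last_id
                event, data_lines = "message", []
                continue
            if line.startswith(":"):
                continue  # comment / keep-alive
            field, _, value = line.partition(":")
            value = value[1:] if value.startswith(" ") else value
            if field == "event":
                event = value
            elif field == "data":
                data_lines.append(value)
            elif field == "id":
                last_id = value
            # 'retry' and unknown fields are ignored
    if data_lines:  # data with no trailing blank line is still dispatched at EOF
        yield event, "\n".join(data_lines), last_id


def follow_audit(chunks, final_event="report"):
    """Consume the stream and return (progress_messages, report_dict).

    Raises RuntimeError if the stream ends without a final report, so a dropped
    connection is never mistaken for a finished audit, and on an 'error' event.
    """
    progress = []
    for event, data, _ in parse_sse(chunks):
        if event == final_event:
            return progress, json.loads(data)
        if event == "error":
            raise RuntimeError(f"audit failed: {data}")
        progress.append(data)
    raise RuntimeError("stream ended before final report")


def chunked(raw, size=7):
    """Split bytes into small chunks to simulate a socket delivering partial lines."""
    return (raw[i:i + size] for i in range(0, len(raw), size))


def demo():
    """Run the parser over the constructed sample and return what it extracts."""
    return follow_audit(chunked(SAMPLE_STREAM))
```

The EOF dispatch and the RuntimeError on a truncated stream are the two behaviours worth keeping in any real consumer: the first avoids losing a final event the server did not terminate with a blank line, the second makes a half-finished audit fail loudly instead of returning an empty report.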
