docs/EXPLORER_PUBLIC_API_ACCESS.md

# Explorer public API access (decision record)

**Date:** 2026-05-23  
**Live page:** `/docs/public-api-access`

## Summary

| Surface | Auth today | Notes |
|---------|------------|-------|
| Blockscout read API (`/api/v2/*`) | None | Same-origin proxy to Blockscout |
| Public JSON (stats, bridge routes, token lists, etc.) | None | Listed in footer **Public APIs** |
| Managed RPC keys | Wallet session on `/access` | `POST /api/v1/access/api-keys` after `/api/v1/auth/wallet` |

## Decision

1. **Keep Blockscout and public JSON unauthenticated** for integrators on the public explorer domain.
2. **Managed RPC keys** remain the wallet-authenticated product on `/access` — not a Blockscout API-key layer.
3. **Future path (Option B):** nginx/API-gateway throttling with optional `X-API-Key` for higher quotas if abuse appears. Full external developer portal remains optional.

## Integrator flow

- Read-only: use footer links or `/docs/public-api-access` endpoint list.
- Higher limits / RPC: connect wallet on `/wallet`, open `/access`, create scoped keys (tier, product, expiry, quota).

## Operator

- No nginx key gate required until rate-limit policy changes.
- Support contact: `support@d-bis.org`
Ship bridge lanes, public API access doc, and WalletConnect client stack. Align CCIP catalog UX with 11-lane config-ready routes, document the no-key public API decision, and enable browser WalletConnect pairing with backend session registration and deploy-time project ID wiring. Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-23 02:21:37 -07:00			`# Explorer public API access (decision record)`

			`Date: 2026-05-23`
			Live page: `/docs/public-api-access`

			`## Summary`

			`\| Surface \| Auth today \| Notes \|`
			`\|---------\|------------\|-------\|`
			\| Blockscout read API (`/api/v2/*`) \| None \| Same-origin proxy to Blockscout \|
			`\| Public JSON (stats, bridge routes, token lists, etc.) \| None \| Listed in footer Public APIs \|`
			\| Managed RPC keys \| Wallet session on `/access` \| `POST /api/v1/access/api-keys` after `/api/v1/auth/wallet` \|

			`## Decision`

			`1. Keep Blockscout and public JSON unauthenticated for integrators on the public explorer domain.`
			2. Managed RPC keys remain the wallet-authenticated product on `/access` — not a Blockscout API-key layer.
			3. Future path (Option B): nginx/API-gateway throttling with optional `X-API-Key` for higher quotas if abuse appears. Full external developer portal remains optional.

			`## Integrator flow`

			- Read-only: use footer links or `/docs/public-api-access` endpoint list.
			- Higher limits / RPC: connect wallet on `/wallet`, open `/access`, create scoped keys (tier, product, expiry, quota).

			`## Operator`

			`- No nginx key gate required until rate-limit policy changes.`
			- Support contact: `support@d-bis.org`