Base URL
All API endpoints are hosted at:

Authentication Flow
All endpoints follow the same authentication pattern:
1. Request Nonce
Client makes a GET request to the endpoint. Server returns X-404-Nonce and X-404-Mechanism headers.
2. Sign Challenge
Client builds payload: CHALLENGE::${nonce}::${path}::${feature} and signs it with the user’s wallet.
3. Send Request
Client sends GET request with headers:
- X-404-Nonce: Nonce from step 1
- X-404-Signature: Base58-encoded signature
- X-404-Addr: User’s public key
- X-404-Feature: Feature name
- Feature-specific headers
4. Receive Token
Server verifies signature and performs feature-specific checks. Returns JWT token if successful.
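The server side of steps 1 to 4, written as an added example (not this API's own code): it issues a single-use nonce, rebuilds the challenge payload from the route the server matched, and verifies the Base58 signature against the X-404-Addr key. It assumes Ed25519 signatures (the address is a Solana public key), an in-memory nonce store, and lowercase header keys as Node.js presents them; all function names and the demo keypair are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');
const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
function b58encode(buf) {
  let n = BigInt('0x' + (buf.toString('hex') || '0')), out = '';
  for (; n > 0n; n /= 58n) out = B58[Number(n % 58n)] + out;
  for (const b of buf) { if (b !== 0) break; out = '1' + out; } // leading zero bytes
  return out;
}
function b58decode(str) {
  let n = 0n, zeros = 0;
  for (const c of str) {
    const i = B58.indexOf(c);
    if (i < 0) throw new Error('invalid base58 character');
    n = n * 58n + BigInt(i);
  }
  while (str[zeros] === '1') zeros++;
  const hex = n === 0n ? '' : n.toString(16);
  return Buffer.concat([Buffer.alloc(zeros), Buffer.from(hex.length % 2 ? '0' + hex : hex, 'hex')]);
}
// DER header that wraps a raw 32-byte Ed25519 key as SPKI so Node can import it.
const SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');

function issueNonce(store) { // store: Set of outstanding nonces (assumed in-memory)
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  store.add(nonce);
  return nonce;
}

// path is the route the server itself matched, never a value echoed by the client.
function verifyChallenge(headers, path, store) {
  const nonce = headers['x-404-nonce'], feature = headers['x-404-feature'];
  // Single use: delete() is false for nonces never issued or already consumed.
  if (!store.delete(nonce)) return { ok: false, reason: 'unknown or replayed nonce' };
  try {
    const sig = b58decode(headers['x-404-signature']);
    const pub = b58decode(headers['x-404-addr']);
    if (sig.length !== 64 || pub.length !== 32) return { ok: false, reason: 'bad length' };
    const key = nodeCrypto.createPublicKey({ key: Buffer.concat([SPKI_PREFIX, pub]), format: 'der', type: 'spki' });
    const payload = Buffer.from(`CHALLENGE::${nonce}::${path}::${feature}`);
    return nodeCrypto.verify(null, payload, key, sig) ? { ok: true } : { ok: false, reason: 'bad signature' };
  } catch { return { ok: false, reason: 'malformed header' }; }
}

// Constructed client side: a throwaway keypair stands in for the user's wallet.
function demoClientHeaders(nonce, path, feature) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const raw = publicKey.export({ format: 'der', type: 'spki' }).subarray(-32);
  const sig = nodeCrypto.sign(null, Buffer.from(`CHALLENGE::${nonce}::${path}::${feature}`), privateKey);
  return { 'x-404-nonce': nonce, 'x-404-signature': b58encode(sig), 'x-404-addr': b58encode(raw), 'x-404-feature': feature };
}
```

Because the nonce is consumed before the signature is checked, a failed attempt also burns it, and a signature made for one path or feature fails verification on any other.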
Common Headers
All authenticated requests include:
- X-404-Nonce: Nonce received from initial request
- X-404-Signature: Base58-encoded signature of the challenge payload
- X-404-Addr: User’s Solana public key (base58-encoded)
- X-404-Feature: Feature name: "blacklist", "timelock", "multitoken", "activity", "tier", "nodebt", or "age"
- JWT token from previous authentication (for re-authentication)
Response Format
Success Response
Error Response
Status Codes
Success - Authentication successful, JWT token returned
Unauthorized - Invalid signature, expired token, or location denied
Forbidden - User doesn’t meet requirements (e.g., exceeds max holdings)
Server Error - Feature-specific failure or location error
JWT Token Verification
For subsequent requests, clients can send the JWT token in the x-jwt header. The server will:
- Verify JWT signature
- Check expiration
- Verify token is for the correct feature
- Return 200 if valid, 401 if invalid
Endpoints
Blacklist
Exclusion-based authentication
TimeLock
Time-based token holding verification
MultiToken
Multi-token portfolio verification
Activity
Transaction history verification
Tier
Tiered access levels
NoDebt
Negative balance verification
Age
Wallet age verification