Authentication
Bearer tokens for protected endpoints; no auth required on the free Discovery endpoints.
Bearer tokens
Every protected request carries:
Authorization: Bearer <token>
Tokens are minted by:
POST /subscribe— after a successful x402 / MPP paymentPOST /auth— after a successful wallet-signature recovery
Bearer-gated endpoints
POST /sms/sendGET /sms/receiveGET /sms/messagesGET /numberPOST /voice/dialGET /voice/presence/<phone>(WS)GET /voice/stream/<call_id>(WS)
Public endpoints (no auth)
GET /availabilityPOST /waitlistPOST /demoPOST /auth/noncePOST /auth(signature replaces auth)
Token rotation on recovery
A successful POST /auth revokes every
existing token for the wallet, then issues a single fresh one.
Multi-agent setups must re-auth in lockstep.
What's NOT auth
- API keys, OAuth, JWT, session cookies — none of those.
- Headers other than
Authorization— see Payment for theX-PAYMENTheader on subscribe.