# auth.md - dTAOscan API access

Reading dTAOscan is **free and keyless**. Every response is Ed25519-signed
(verify against https://dtaoscan.io/keys.json), so you can trust it without an account.

## Rate limits

Anonymous reads: **10 requests per minute per IP** on `/api/*` data endpoints.
This is a cost guard while the service is in open alpha.

## Agent registration

To register an agent for authenticated (higher-volume) access:

1. **Identity:** none required. An agent may operate anonymously (10 requests
   per minute per IP) or with a bearer key for more. There is no account, no
   OAuth flow, and no PII.
2. **Request a credential:** contact the operator (DRM3 Labs, drm3.io) to be
   issued a bearer API key. This is the `register_uri` in
   https://dtaoscan.io/.well-known/oauth-authorization-server (`agent_auth` block).
3. **Credential type:** `bearer_api_key`. Present it on every request:
   ```
   Authorization: Bearer <your-key>
   ```
4. **Revocation:** keys are revoked by the operator on request or on abuse.
5. **Metering:** anonymous is rate-limited; keyed is fair-use. Pay-per-call
   (x402 / MOR micropayments) is planned. See https://dtaoscan.io/.well-known/oauth-protected-resource
   for the protected-resource metadata.

## Discovery

- OpenAPI: https://dtaoscan.io/openapi.json
- API catalog: https://dtaoscan.io/.well-known/api-catalog
- Agent skills: https://dtaoscan.io/.well-known/agent-skills/index.json
- Plain-text overview for LLMs: https://dtaoscan.io/llms.txt
