> ## Documentation Index
> Fetch the complete documentation index at: https://docs.arcpass.vibepas.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication and Access in ArcPass API

> ArcPass is a public API with no authentication tokens or API keys required. Rate limiting and wallet eligibility checks are the primary access controls.

ArcPass is public infrastructure — you do not need an API key, bearer token, or any other credential to call its endpoints. Any HTTP client can make requests without prior registration or token issuance.

## No authentication required

There are no `Authorization` headers, no OAuth flows, and no session cookies. Simply send your request with `Content-Type: application/json` and the required body or path parameters.

```bash theme={null}
curl --request POST \
  --url https://api.arcpass.io/wallets/register \
  --header "Content-Type: application/json" \
  --data '{"walletAddress": "0xAbC1234567890dEF1234567890aBcDeF12345678"}'
```

## Rate limiting as access control

The primary mechanism preventing abuse is rate limiting rather than authentication. ArcPass enforces limits at two levels:

* **Per IP address** — restricts how many requests a single IP can make in a time window.
* **Per wallet address** — restricts how many sponsorship requests a single wallet can generate.

When you exceed a limit, the API returns `429 Too Many Requests`. See [Rate Limits](/configuration/rate-limits) for exact thresholds.

## Wallet address as identity

Wallet addresses serve as the identity key for eligibility checks, not for authentication. When you call `POST /sponsorship/request`, the API checks whether the submitted `walletAddress` is blocked or has already been sponsored — it does not verify that you control that address.

<Warning>
  Because there is no on-chain signature verification, sponsorship eligibility is based on the submitted address value. Abuse protection relies on IP-level rate limiting and the blocked-wallet mechanism.
</Warning>

## CORS

The API accepts cross-origin requests from configured origins. If you are integrating ArcPass into a browser-based application, verify that your deployment's allowed origins list includes your frontend domain.

## Practical checklist

When making requests to the ArcPass API, you only need to:

1. Set `Content-Type: application/json` on requests with a body.
2. Send the required fields documented for each endpoint.
3. Handle `429` responses with appropriate backoff if you are making high-volume requests.

No token acquisition, no header signing, and no pre-registration steps are required.
