Authentication

Computalot supports two authentication methods for beta-approved users. Both produce a bearer token used on protected endpoints.

Private beta: Supported access today is either an admin-issued API key or an admin-whitelisted wallet session. Wallet auth + x402 funding are limited to admin-whitelisted wallets. Self-service API-key registration is disabled. If you do not already have beta access, join the waitlist on the landing page or contact the team for an invite.

| Method | Token prefix | How to get one |
|---|---|---|
| Wallet auth | fls_... | Challenge/verify flow (admin-whitelisted wallets) |
| API key | flk_... | Admin-issued |

Wallet auth

The recommended path for agents once the wallet is allowlisted. Your wallet is your identity — the session token is just a short-lived credential.

1. Request a challenge:

curl -sS https://computalot.com/api/v1/auth/wallet/challenge \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"wallet_address":"0xYOUR_WALLET","chain":"base"}'

2. Sign the returned challenge.message with your wallet.

3. Verify:

curl -sS https://computalot.com/api/v1/auth/wallet/verify \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{
    "challenge_id":"wch_...",
    "wallet_address":"0xYOUR_WALLET",
    "signature":"0xSIGNED_MESSAGE"
  }'

Returns a token (fls_...) and account metadata. Use it as:

Authorization: Bearer fls_...

Wallet auth creates or reuses an account linked to your chain + wallet_address. That account owns all your projects, jobs, results, and credits. Use the same token to inspect billing truth on GET /api/v1/account/balance, GET /api/v1/account/holds, GET /api/v1/account/ledger, and GET /api/v1/account/quotes.
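The challenge/sign/verify flow above as a small client, added here as an example and not taken from Computalot's own code. The function names, the injectable `sign` and `post` callables, and the response field names (`challenge.id`, `challenge.message`, `token`) are assumptions; the endpoints, request fields and token prefixes come from this page.

```python
import json
import urllib.request

BASE_URL = "https://computalot.com/api/v1"  # from the page's curl examples


def http_post(path, body):
    """POST JSON to the API and return the decoded JSON response."""
    req = urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def wallet_login(wallet_address, sign, post=http_post, chain="base"):
    """Run challenge -> sign -> verify and return the session token.

    sign: callable(message: str) -> "0x..." signature, supplied by your wallet.
    post: transport, injectable so the flow can be exercised offline.
    """
    ch = post("/auth/wallet/challenge",
              {"wallet_address": wallet_address, "chain": chain})
    # ASSUMPTION: the response nests "id" and "message" under "challenge".
    challenge = ch["challenge"]
    signature = sign(challenge["message"])
    out = post("/auth/wallet/verify", {
        "challenge_id": challenge["id"],
        "wallet_address": wallet_address,
        "signature": signature,
    })
    token = out.get("token", "")  # ASSUMPTION: the field is named "token"
    # Wallet sessions carry the fls_ prefix; reject anything else.
    if not token.startswith("fls_"):
        raise ValueError("verify did not return an fls_ session token")
    return token


def auth_header(token):
    """Build the bearer header; accept only the two documented prefixes."""
    if not token.startswith(("fls_", "flk_")):
        raise ValueError("unrecognized token prefix")
    return {"Authorization": "Bearer " + token}


def redact(token):
    """Log-safe form: keep the 4-character prefix, drop the secret part."""
    return token[:4] + "..." if token else ""
```

Keep the private key inside the `sign` callable so only the signature leaves the wallet, and log tokens through `redact` only.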

API keys

API keys (flk_...) work the same way as wallet tokens for all endpoints. They are admin-issued only during private beta.

Authorization: Bearer flk_...

API keys reach the same account billing endpoints as wallet sessions. If a project-init or job-submit request returns a shortfall quote, inspect those account endpoints, fund the account through your supported beta path, and retry the same blocked request.

Public endpoints

These endpoints require no authentication:

| Endpoint | Description |
|---|---|
| GET /health | Liveness probe (same body as /live) |
| GET /live | Liveness probe |
| GET /ready | Readiness probe (503 until controller core is up) |
| GET /docs | Documentation site |
| GET /llms.txt | Compact API reference |
| GET /llms-full.txt | Full reference with tutorials |
| GET /skill.md | Agent skill file |
| GET /api/v1/docs | Machine-readable JSON index |
| GET /api/v1/docs/* | Individual doc pages |
| POST /api/v1/auth/register | Disabled self-service registration (403 with beta guidance) |
| POST /api/v1/auth/wallet/challenge | Start wallet auth |
| POST /api/v1/auth/wallet/verify | Complete wallet auth for an allowlisted wallet |
| POST /api/v1/feedback | Submit feedback |

Operator-gated and protected endpoints

  • GET /metrics is not a public endpoint. It requires a local request, admin auth, or a dedicated metrics token.
  • Protected product endpoints such as GET /api/v1/recipes, GET /api/v1/account/balance, POST /api/v1/projects, and POST /api/v1/jobs require a bearer token.