Skip to main content

Architecture

All API requests pass through a gateway that validates credentials before forwarding to backend services. The gateway delegates authentication and quota checking to an internal auth & billing service, ensuring every request is verified in a single hop. When authentication fails, the gateway returns an error directly (401 Unauthorized, or 402 Payment Required when x402 is enabled) without hitting the backend.

Three Authentication Methods

ChainStream supports three credential types, evaluated in this order:
PriorityMethodHeaderBest For
1Wallet Signature (SIWX)Authorization: SIWX <token>AI agents with on-chain wallets (x402 subscribers)
2API KeyX-API-KEY: <key>Applications, scripts, CLI, MCP Server
3JWT Bearer TokenAuthorization: Bearer <jwt>Dashboard apps using OAuth 2.0 Client Credentials
If no valid credentials are found and x402 is enabled, the gateway returns HTTP 402 Payment Required with a pointer to /x402/purchase. This allows AI agents to auto-purchase a subscription.
The simplest authentication method. Create an API Key in the Dashboard and pass it in the X-API-KEY header.

Get an API Key

1

Login to Dashboard

Visit ChainStream Dashboard and login
2

Go to Applications

Find “Applications” in the sidebar
3

Create New App

Click “Create New App” to generate your API Key

Use the API Key

curl https://api.chainstream.io/v2/token/sol/So11111111111111111111111111111111111111112 \
  -H "X-API-KEY: your_api_key"

How It Works

  1. The gateway extracts the X-API-KEY header
  2. The auth service validates the key against the database
  3. On success, the request is forwarded with the associated organization and permission context
  4. The key must be active and not expired
Keep your API Key secure. Never commit it to code repositories. If compromised, revoke it immediately in the Dashboard.

Method 2: JWT Bearer Token (OAuth 2.0)

For applications that use the OAuth 2.0 Client Credentials flow. Exchange your Client ID and Client Secret for a JWT access token.

Generate Access Token

curl -X POST "https://dex.asia.auth.chainstream.io/oauth/token" \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "audience": "https://api.dex.chainstream.io",
    "grant_type": "client_credentials"
  }'

Use the Token

curl https://api.chainstream.io/v2/token/sol/So11111111111111111111111111111111111111112 \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

How It Works

  1. The gateway extracts the Authorization: Bearer <jwt> header
  2. The auth service validates the JWT signature, issuer, and audience
  3. The client_id claim is resolved to an organization for quota tracking

Token Details

  • Validity: 24 hours by default
  • Algorithm: RS256
  • Issuer: https://dex.asia.auth.chainstream.io/
  • Audience: https://api.dex.chainstream.io

Scope Permissions

Certain endpoints require specific scopes:
ScopeDescriptionApplicable Endpoints
webhook.readWebhook read accessQuery Webhook configuration
webhook.writeWebhook write accessCreate/modify/delete Webhooks
kyt.readKYT read accessQuery risk assessment results
kyt.writeKYT write accessSubmit transactions/addresses for risk assessment
const response = await auth0Client.oauth.clientCredentialsGrant({
  audience: 'https://api.dex.chainstream.io',
  scope: 'webhook.read webhook.write kyt.read kyt.write'
});
If no scope is specified, the token can access all general API endpoints. Scope is only required for Webhook and KYT endpoints.

Method 3: Wallet Signature (SIWX)

For AI agents with on-chain wallets that have purchased a subscription via x402 payment. Uses the Sign-In with X (SIWX) standard (EIP-4361 for EVM, equivalent for Solana).

How It Works

  1. The agent constructs a standard sign-in message with domain, address, nonce, and expiration
  2. The agent signs the message with their wallet private key
  3. The signed token is sent as Authorization: SIWX base64(message).signature
  4. The auth service verifies the signature and checks for a valid x402 subscription
  5. If a valid, non-expired subscription exists, authentication succeeds

Token Format

Authorization: SIWX base64(message).signature
The message follows the EIP-4361 format: 
api.chainstream.io wants you to sign in with your Ethereum account:
0xYourWalletAddress

Sign in to ChainStream API

URI: https://api.chainstream.io
Version: 1
Chain ID: 8453
Nonce: abc123
Issued At: 2026-03-26T10:00:00Z
Expiration Time: 2026-03-27T10:00:00Z

Supported Chains

ChainAddress FormatSignature Type
EVM (Base, Ethereum)0x prefixed, 40 hex charsEIP-191 personal_sign
SolanaBase58 encoded, 32-44 charsEd25519

SDK Usage

const cs = new ChainStreamClient({
  auth: {
    type: "siwx",
    address: "0xYourWalletAddress",
    signMessage: async (message: string) => {
      return await wallet.signMessage(message);
    },
  },
});
SIWX authentication requires an active x402 subscription. If the subscription has expired, the request will be rejected. See x402 Payment for purchasing a subscription.

WebSocket Authentication

WebSocket connections use the same three authentication methods. The gateway:
  1. Detects WebSocket upgrade requests
  2. Validates credentials before allowing the handshake
  3. Tracks the session for usage metering
  4. Reports usage metrics (bytes transferred, duration) on disconnect
WebSocket tokens can also be passed as a query parameter: 
wss://realtime-dex.chainstream.io/connection/websocket?token=YOUR_ACCESS_TOKEN

Authentication Priority

When multiple credentials are present in a single request, they are evaluated in this order:
  1. SIWX — if Authorization header starts with SIWX and x402 is configured
  2. API Key — if X-API-KEY header is present
  3. JWT Bearer — if Authorization header starts with Bearer
  4. 402 Payment Required — if no credentials match and x402 is enabled
The first successful match wins. Subsequent methods are not evaluated.

API Endpoints

ServiceURL
Mainnet APIhttps://api.chainstream.io/
WebSocketwss://realtime-dex.chainstream.io/connection/websocket
Auth Service (OAuth)https://dex.asia.auth.chainstream.io/
x402 Pricinghttps://api.chainstream.io/x402/pricing
x402 Purchasehttps://api.chainstream.io/x402/purchase

Choosing an Auth Method

API Key

Best for: Applications, scripts, CLI, MCP ServerSimplest setup. Create in Dashboard, pass as header. No token refresh needed.

JWT Bearer

Best for: Dashboard apps, server-to-serverStandard OAuth 2.0 flow. Supports scoped permissions. 24h token TTL.

SIWX Wallet

Best for: AI agents with on-chain walletsWallet-native auth via x402 subscription. No API key management needed.

FAQ

API Key is recommended for most use cases. It’s the simplest to set up and works with all ChainStream products (SDK, CLI, MCP Server). Use JWT if you need OAuth 2.0 integration with scoped permissions. Use SIWX if you’re building an AI agent with its own wallet and want to pay via x402.
For JWT: generate a new token using your Client ID and Client Secret. For SIWX: sign a new message with a future expiration time. API Keys do not expire unless you set an expiration date in the Dashboard.
Only one method is evaluated per request. If you send both X-API-KEY and Authorization: Bearer, the API Key takes priority (SIWX > API Key > JWT).
When no valid credentials are found and x402 is enabled, the gateway returns HTTP 402 with instructions to purchase a subscription at /x402/purchase. This enables AI agents to auto-purchase access. See x402 Payment.
API Key: Delete the App in the Dashboard. The key is invalidated immediately. JWT: Revoke the Client ID/Secret in the Dashboard. SIWX: The subscription expires naturally; there is no manual revocation.