# Explorer public API access (decision record)

**Date:** 2026-05-23  
**Live page:** `/docs/public-api-access`

## Summary

| Surface | Auth today | Notes |
|---------|------------|-------|
| Blockscout read API (`/api/v2/*`) | None | Same-origin proxy to Blockscout |
| Public JSON (stats, bridge routes, token lists, etc.) | None | Listed in footer **Public APIs** |
| Managed RPC keys | Wallet session on `/access` | `POST /api/v1/access/api-keys` after `/api/v1/auth/wallet` |

## Decision

1. **Keep Blockscout and public JSON unauthenticated** for integrators on the public explorer domain.
2. **Managed RPC keys** remain the wallet-authenticated product on `/access` — not a Blockscout API-key layer.
3. **Future path (Option B):** nginx/API-gateway throttling with optional `X-API-Key` for higher quotas if abuse appears. Full external developer portal remains optional.

## Integrator flow

- Read-only: use footer links or `/docs/public-api-access` endpoint list.
- Higher limits / RPC: connect wallet on `/wallet`, open `/access`, create scoped keys (tier, product, expiry, quota).

## Operator

- No nginx key gate required until rate-limit policy changes.
- Support contact: `support@d-bis.org`