Authentication & quotas
Access tiers
| Tier | Credits | Expiry | Card required |
|---|---|---|---|
| Anonymous | 100 / session | Session | No |
| Sandbox | 2,000 / month | 60 days | No |
| Pay-as-you-go | Metered, $0.05/credit | — | Yes |
| Strategic Partnership | Custom | Custom | Custom |
Authentication patterns
API key (X-API-Key)
Server-to-server integrations. Recommended for backend integrations. Issue a long-lived key per integration via the portal at app2.mworks.com; rotate by minting a new key and revoking the old one.
GET /v2/markets HTTP/1.1
Host: api2.mworks.com
X-API-Key: mwk_live_...Bearer JWT (Supabase OAuth)
Portal and PLG flows. JWTs are obtained via the in-app sign-in flow at
app2.mworks.com and forwarded as
Authorization: Bearer <jwt>. JWTs expire with the user
session — they are not long-lived secrets.
GET /v2/billing/credits HTTP/1.1
Host: api2.mworks.com
Authorization: Bearer eyJ...Anonymous access
Unauthenticated requests are allowed up to 100 credits per session (tracked by IP + a server-side session token). Anonymous requests are subject to stricter rate limits and cannot access historical-data endpoints.
Sandbox tier
New accounts receive 2,000 sandbox credits on signup — no card required, no waitlist. Sandbox credits expire after 60 days and do not auto-renew. Get a sandbox key at app2.mworks.com and verify it with the public health endpoint:
curl https://api2.mworks.com/v2/health \
-H "X-API-Key: $MW_API_KEY"Rate limits
| Tier | Limit |
|---|---|
| Anonymous | 5 req/min |
| Sandbox | 10 req/min |
| Production / Pay-as-you-go | 100 req/min |
| Enterprise | 1,000 req/min |
Rate-limit responses return HTTP 429 with a
Retry-After header.
Error codes
| Code | HTTP | Meaning |
|---|---|---|
UNAUTHORIZED | 401 | Missing or invalid auth |
FORBIDDEN | 403 | Valid auth, insufficient permissions |
QUOTA_EXCEEDED | 402 | Credit balance at zero — hard stop |
RATE_LIMITED | 429 | Too many requests |