# Do Not Act Access and Rate Limits

Do Not Act diagnostic endpoints require `X-API-Key`. Anonymous access is limited to public product, documentation, discovery, and health assets.

## Call This First

Fast integration page: `/docs/first-integration`.

Account start page: `/start`.

After creating a free key, test the core dispute moat before anything else:

```bash
curl -fsS https://donotact.com/v1/dispute/polymarket/580810 \
  -H "X-API-Key: $DONOTACT_API_KEY"
```

Then compare it with resolution-risk:

```bash
curl -fsS https://donotact.com/v1/resolution-risk/polymarket/580810 \
  -H "X-API-Key: $DONOTACT_API_KEY"
```

For an action-aware Risk Gateway check, pass context explicitly:

```bash
curl -fsS "https://donotact.com/v1/preflight/polymarket/580810?intent=enter&side=buy_yes&notional_usd=25&max_slippage_bps=200&policy=conservative" \
  -H "X-API-Key: $DONOTACT_API_KEY"
```

Preserve `decision`, `component_scores`, `risk_factors`, `risk_factor_bitmap`, `risk_factor_bit_index`, `blocking_reasons`, `warning_reasons`, `safe_operating_limits`, `not_advice`, and evidence gaps. `safe_operating_limits` are diagnostics, not position sizing or financial advice.

Free keys can test dispute, resolution-risk and action-aware preflight diagnostics inside the monthly quota. Paid access is for recurring monitoring: watchlists, webhook-backed alerts, receipts, higher quota, account-managed keys, MCP/agent operations, and operational scale.

## Access Requests

`POST /keys/request` queues a manual access review. It does not create, return, activate, bill, or authorize an API key.

A successful request means only that the request was recorded for review.

Minimal body:

```json
{
  "email": "builder@example.com",
  "requested_tier": "free",
  "intended_use": "agent diagnostics integration",
  "accepts_terms": true
}
```

`accepts_terms` must be `true`. If terms are not accepted, the endpoint fails closed.

## Public Request Throttle

The public access-request route has a basic anti-abuse throttle. Repeated requests from the same normalized email and client IP are limited to 3 accepted requests per 3600 seconds.

When limited, the endpoint returns HTTP `429` with `Retry-After` and a safe response body:

```json
{
  "error": "key_request_rate_limited",
  "window_seconds": 3600,
  "limit": 3,
  "retry_after_seconds": 1,
  "support_email": "support@donotact.com",
  "not_advice": true
}
```

Agents should respect `Retry-After` and should not retry aggressively.

## Paid Access Checkout

Paid access starts from an authenticated account. Create an account at `/signup`, then open `/account` and start checkout from the API access panel.

After paid checkout, Stripe redirects to a secure one-time claim page. That page verifies the Checkout Session server-side, creates the API key and entitlement automatically, and displays the key once. Only a hash is stored.

If the key was not copied from the claim page, log in to `/account`, create a replacement API key, and revoke any unknown active keys.

Direct public payment links are disabled. Agents should not use old payment links or retry checkout outside the account console.

Paid access uses the same one-time claim flow. The public paid plan is the 30 EUR/month Builder Plan and unlocks self-serve dispute intelligence, recurring watchlists, webhook alerts, receipts, higher quota, key rotation and Stripe billing from the account console.

Pricing page: `/pricing`.

## Diagnostic Rate Limits

Issued API keys carry their own entitlement and usage accounting. Diagnostic responses include quota headers where applicable.

Free keys can call all authenticated diagnostics, including dispute lifecycle, resolution-risk and action-aware preflight, under a 1000 calls/month quota. The public paid plan is 30 EUR/month for recurring monitoring, watchlists, alert delivery, receipts, account-managed access, MCP/agent operations and higher quota.

Agents must treat `401`, `403`, and `429` as access-control outcomes, not as market diagnostics.
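Client-side handling of the response classes described above (the `429` throttle body with `Retry-After`, and `401`/`403`/`429` as access-control outcomes distinct from diagnostics), as an added Python example that is not part of the Do Not Act documentation or tooling. The sample responses are constructed from the shapes shown on this page with invented values, and the code assumes `Retry-After` carries a delay in seconds.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Fields this page says callers must preserve from a diagnostic response.
PRESERVED_FIELDS = (
    "decision", "component_scores", "risk_factors", "risk_factor_bitmap",
    "risk_factor_bit_index", "blocking_reasons", "warning_reasons",
    "safe_operating_limits", "not_advice",
)
ACCESS_CONTROL_STATUSES = {401, 403, 429}


@dataclass
class Outcome:
    kind: str                      # "access_control" or "diagnostic"
    status: int
    retry_after_seconds: Optional[int] = None
    diagnostic: dict = field(default_factory=dict)
    missing_fields: tuple = ()     # client-side integrity check, not the API's evidence gaps


def retry_delay(headers: dict, body: dict) -> Optional[int]:
    """Seconds to wait before retrying a 429; the header wins over the body field (assumed seconds)."""
    raw = headers.get("Retry-After", body.get("retry_after_seconds"))
    try:
        return max(1, int(raw)) if raw is not None else None
    except (TypeError, ValueError):
        return None  # unparseable value: caller should back off conservatively


def classify_response(status: int, headers: dict, body: str) -> Outcome:
    """Separate access-control outcomes (401/403/429) from market diagnostics."""
    payload = json.loads(body) if body else {}
    if status in ACCESS_CONTROL_STATUSES:
        delay = retry_delay(headers, payload) if status == 429 else None
        return Outcome("access_control", status, retry_after_seconds=delay)
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    kept = {k: payload[k] for k in PRESERVED_FIELDS if k in payload}
    missing = tuple(k for k in PRESERVED_FIELDS if k not in payload)
    return Outcome("diagnostic", status, diagnostic=kept, missing_fields=missing)


# Constructed sample responses: shapes from this page, values invented for illustration.
THROTTLED = (429, {"Retry-After": "1"}, json.dumps({
    "error": "key_request_rate_limited", "window_seconds": 3600, "limit": 3,
    "retry_after_seconds": 1, "support_email": "support@donotact.com", "not_advice": True}))
PREFLIGHT = (200, {}, json.dumps({
    "decision": "warn", "component_scores": {"dispute": 0.4}, "risk_factors": ["open_dispute"],
    "risk_factor_bitmap": 1, "risk_factor_bit_index": {"open_dispute": 0},
    "blocking_reasons": [], "warning_reasons": ["open_dispute"],
    "safe_operating_limits": {"notional_usd": 25}, "not_advice": True}))
```

An agent loop would sleep for `retry_after_seconds` on a throttled outcome and never feed an access-control outcome into its market decision logic.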

## Boundaries

Do Not Act does not expose private keys, wallets, order signing, custody, execution, order routing, or client funds.

For support, contact `support@donotact.com`.

---

## Agent Discovery

- llms.txt: `/llms.txt`
- Full context: `/llms-full.txt`
- Agent manifest: `/agent.json`
- OpenAPI: `/openapi.json`
- Discovery docs: `/docs/discovery`
