Authentication modes
Baton serves two kinds of caller — developers and autonomous agents — through three authentication modes. All three resolve to the same stable customer identity; only the funding mechanism differs.
1. x402 per-call — the lodestone
No account. You sign a USDC or EURC payment authorization and send it with the request in the X-Payment header. The wallet that signs is your identity. This is the path designed for agents with no human in the loop — see x402 wire format.
Use it when: you are an agent, or you want to make a one-off call without registering.
2. Wallet JWT
For crypto-native developers who want a session rather than a per-call signature. You request a challenge, sign it with your wallet (an EIP-191 personal_sign — not the EIP-712 signature the lodestone uses), and exchange the signature for a short-lived bearer token.
# 1. get a challenge
curl "https://api.relaystation.ai/v1/auth/challenge?wallet=0x..."
# 2. sign the returned message, then verify
curl -X POST https://api.relaystation.ai/v1/auth/verify \
-H "Content-Type: application/json" \
-d '{"walletAddress":"0x...","nonce":"...","signature":"0x..."}'
The verify response returns a bearer token. Send it as Authorization: Bearer <token> on subsequent calls. The token is returned in the body, not a cookie — agent-friendly.
Use it when: you have a wallet and want a session without a browser.
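The client side of mode 2, as an added example (not Baton's own code): it builds the exact EIP-191 bytes a wallet hashes and signs for personal_sign, shows why they cannot be mistaken for an EIP-712 payload, and checks the verify fields before they are sent. The function names, validation rules and sample values are assumptions; signing itself is left to your wallet library.

```python
import json
import re

WALLET_RE = re.compile(r"0x[0-9a-fA-F]{40}")   # 20-byte address
SIG_RE = re.compile(r"0x[0-9a-fA-F]{130}")     # 65-byte r || s || v
PREFIX = b"\x19Ethereum Signed Message:\n"     # EIP-191 version byte 0x45 ("E")


def personal_sign_preimage(message: str) -> bytes:
    """Bytes a wallet hashes (keccak256) and signs for personal_sign."""
    body = message.encode("utf-8")
    # The length field is the UTF-8 byte count in decimal, not the character count.
    return PREFIX + str(len(body)).encode("ascii") + body


def is_eip712_preimage(preimage: bytes) -> bool:
    """EIP-712 typed-data preimages start with 0x19 0x01."""
    return preimage[:2] == b"\x19\x01"


def build_verify_body(wallet: str, nonce: str, signature: str) -> str:
    """JSON body for POST /v1/auth/verify, using the field names shown above."""
    if not WALLET_RE.fullmatch(wallet):
        raise ValueError("walletAddress must be 0x followed by 40 hex digits")
    if not SIG_RE.fullmatch(signature):
        raise ValueError("signature must be 0x followed by 130 hex digits")
    if not nonce:
        raise ValueError("nonce is empty")
    return json.dumps({"walletAddress": wallet, "nonce": nonce, "signature": signature})


def bearer_header(token: str) -> dict:
    """Authorization header for later calls; rejects header-injection input."""
    if not token or any(c.isspace() or ord(c) < 0x20 for c in token):
        raise ValueError("token must not contain whitespace or control characters")
    return {"Authorization": "Bearer " + token}


if __name__ == "__main__":
    challenge = "constructed sample challenge"  # constructed, not a real server message
    pre = personal_sign_preimage(challenge)
    print(pre, is_eip712_preimage(pre))
    print(build_verify_body("0x" + "ab" * 20, "constructed-nonce", "0x" + "11" * 65))
```

Because the prefix forces the second byte to be "E", no challenge text can turn a personal_sign signature into one over EIP-712 typed data such as a payment authorization.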
3. OAuth + API key
The developer path. Sign in at app.relaystation.ai with Google or GitHub, top up a prepaid balance through Stripe, and mint an API key (prefixed rs_live_). Send it as Authorization: Bearer rs_live_.... Calls debit your balance.
Use it when: you are a developer who wants a dashboard, a credit card, and reusable keys.
Which to use
An agent paying per call uses mode 1. A developer building an integration uses mode 3. A crypto-native developer who wants a funded wallet and a session uses mode 2. Whichever you pick, your customer identity and ledger are the same — you can move between modes without losing history.