# DoNotAct Access and Rate Limits

DoNotAct diagnostic endpoints require `X-API-Key`. Anonymous access is limited to public product, documentation, discovery, and health assets.

## Access Requests

`POST /keys/request` queues a manual access review. It does not create, return, activate, bill, or authorize an API key.

A successful request means only that the request was recorded for review.

Minimal body:

```json
{
  "email": "builder@example.com",
  "requested_tier": "free",
  "intended_use": "agent diagnostics integration",
  "accepts_terms": true
}
```

`accepts_terms` must be `true`. If terms are not accepted, the endpoint fails closed.

## Public Request Throttle

The public access-request route has a basic anti-abuse throttle. Repeated requests from the same normalized email and client IP are limited to 3 accepted requests per 3600 seconds.

When limited, the endpoint returns HTTP `429` with `Retry-After` and a safe response body:

```json
{
  "error": "key_request_rate_limited",
  "window_seconds": 3600,
  "limit": 3,
  "retry_after_seconds": 1,
  "support_email": "support@donotact.com",
  "not_advice": true
}
```

Agents should respect `Retry-After` and should not retry aggressively.
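The fail-closed terms check and the per-(email, IP) throttle described above, as an added reference implementation that is not DoNotAct's own code. It assumes the email is normalized by trimming and lowercasing, that a queued request returns `202`, and that a rejected terms check returns `400`; none of these three details are stated on this page.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600
LIMIT = 3
SUPPORT_EMAIL = "support@donotact.com"


def normalize_email(email: str) -> str:
    # Assumed normalization: the page says "normalized email" but does not define it.
    return email.strip().lower()


class KeyRequestThrottle:
    """Sliding-window throttle keyed on (normalized email, client IP).

    Only *accepted* requests count toward the limit, matching the page's
    "3 accepted requests per 3600 seconds". Returns (status, body, headers).
    """

    def __init__(self, limit: int = LIMIT, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def handle(self, body: dict, client_ip: str, now: float = None):
        now = time.time() if now is None else now
        # Fail closed: accepts_terms must be the boolean true, not "true" or 1.
        if body.get("accepts_terms") is not True:
            return 400, {"error": "terms_not_accepted", "not_advice": True}, {}  # status assumed
        key = (normalize_email(body["email"]), client_ip)
        hits = self._hits[key]
        # Evict accepted requests that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # Time until the oldest in-window hit expires; never advertise 0.
            retry_after = max(1, int(self.window - (now - hits[0])))
            resp = {
                "error": "key_request_rate_limited",
                "window_seconds": self.window,
                "limit": self.limit,
                "retry_after_seconds": retry_after,
                "support_email": SUPPORT_EMAIL,
                "not_advice": True,
            }
            return 429, resp, {"Retry-After": str(retry_after)}
        hits.append(now)  # record only now that the request is accepted for review
        return 202, {"status": "queued_for_review", "not_advice": True}, {}  # status assumed
```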

## Diagnostic Rate Limits

Issued API keys carry their own entitlement and usage accounting. Diagnostic responses include quota headers where applicable.

Agents must treat `401`, `403`, and `429` as access-control outcomes, not as market diagnostics.

## Boundaries

DoNotAct does not expose private keys, wallets, order signing, custody, execution, stake sizing, performance claims, or probability estimates.

For support, contact `support@donotact.com`.
