> ## Documentation Index
> Fetch the complete documentation index at: https://agents.laso.finance/llms.txt
> Use this file to discover all available pages before exploring further.

# Get auth credentials

> Free endpoint. Returns an ID token, refresh token, and user ID for the calling wallet. Use the ID token as a Bearer token to call Laso Finance APIs.

Prove wallet ownership by sending a `SIGN-IN-WITH-X` header: a base64-encoded CAIP-122 signed message. Build it with `@x402/extensions/sign-in-with-x` (e.g. `wrapFetchWithSIWx` handles the round-trip automatically). Works for any EVM (Base, eip155:8453) or Solana mainnet wallet.

For ID-token refresh use `POST /auth` with `grant_type=refresh_token`.



## OpenAPI

````yaml /api-reference/openapi.json get /auth
openapi: 3.1.0
info:
  title: Laso Finance x402 API
  version: 1.0.0
  description: >-
    Payment-gated API for Laso Finance. All paywalled routes use the x402
    protocol — the caller includes a USDC payment header on Base (eip155:8453)
    or Solana (solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp) and the server verifies
    payment before processing. Free routes require no payment header.


    ## Getting started


    To set up a wallet for making x402 payments, choose a provider:


    - **Locus** (default): https://paywithlocus.com/SKILL.md

    - **Sponge**: https://wallet.paysponge.com/skill.md — automatic x402 service
    discovery

    - **Ampersend**: https://www.ampersend.ai/getting-started.md — self-custody
    on Base with dual-approval spending limits. Laso Finance is a default skill,
    so no manual endpoint registration is needed.


    ## How x402 works


    1. Call a paywalled endpoint without a payment header → receive a `402
    Payment Required` response containing payment details (price, recipient
    address, network).

    2. Construct an x402 payment header using the details from the 402 response.

    3. Replay the request with the payment header → the server verifies payment
    and processes the request.


    ## Authentication flow


    `GET /auth` is free: callers prove wallet ownership by sending a
    `SIGN-IN-WITH-X` header (CAIP-122 wallet signature). Paywalled routes
    (`/get-card`, `/order-gift-card`, `/get-push-to-card`, `/order-intl-card`)
    also return fresh auth credentials in their responses, so a payment is never
    required just to obtain a token.


    Most routes return auth credentials (`id_token`, `refresh_token`,
    `expires_in`). Use the `id_token` as a Bearer token to call authenticated
    Laso Finance endpoints like `/get-card-data`. When the `id_token` expires,
    use `POST /auth` with `grant_type: refresh_token` to get a new one.


    ## Important notes


    The `/get-card` USA prepaid card endpoint is U.S. only — issued in USD,
    usable at U.S.-based merchants only, and physical goods must ship to a U.S.
    address. For non-U.S. merchants or non-USD currencies, use `GET
    /order-intl-card` instead (international prepaid card, admin-fulfilled
    within 24 hours). All cards are intended for the caller's own use.


    For step-by-step instructions, read https://laso.finance/SKILL.md
servers:
  - url: https://laso.finance
    description: Production
security: []
paths:
  /auth:
    get:
      summary: Get auth credentials
      description: >-
        Free endpoint. Returns an ID token, refresh token, and user ID for the
        calling wallet. Use the ID token as a Bearer token to call Laso Finance
        APIs.


        Prove wallet ownership by sending a `SIGN-IN-WITH-X` header: a
        base64-encoded CAIP-122 signed message. Build it with
        `@x402/extensions/sign-in-with-x` (e.g. `wrapFetchWithSIWx` handles the
        round-trip automatically). Works for any EVM (Base, eip155:8453) or
        Solana mainnet wallet.


        For ID-token refresh use `POST /auth` with `grant_type=refresh_token`.
      operationId: getAuth
      parameters:
        - name: SIGN-IN-WITH-X
          in: header
          required: true
          schema:
            type: string
          description: Base64-encoded CAIP-122 signed message proving wallet ownership.
      responses:
        '200':
          description: Auth credentials and user ID
          content:
            application/json:
              schema:
                type: object
                properties:
                  auth:
                    $ref: '#/components/schemas/AuthCredentials'
                  callable_base_url:
                    type: string
                    example: https://us-central1-kyc-ts.cloudfunctions.net
                  user_id:
                    type: string
                    description: The user's ID (lowercase wallet address)
        '402':
          description: >-
            No valid payment or SIGN-IN-WITH-X proof was presented. All SIWX
            failures (missing or malformed header, invalid or expired signature,
            reused nonce, domain mismatch) return 402 per the x402 protocol. The
            response body is an empty JSON object; a fresh challenge (new nonce,
            payment options, SIWX info) is base64-encoded in the
            `PAYMENT-REQUIRED` response header. Sign the new challenge and
            retry. x402 client libraries such as `wrapFetchWithSIWx` handle this
            automatically.
          content:
            application/json:
              schema:
                type: object
                example: {}
components:
  schemas:
    AuthCredentials:
      type: object
      properties:
        id_token:
          type: string
          description: ID token — use as Bearer token for Laso Finance APIs
        refresh_token:
          type: string
          description: >-
            Use with POST /auth (grant_type=refresh_token) to get a new id_token
            when it expires
        expires_in:
          type: string
          description: Token lifetime in seconds

````