# Glacier21 Dashboard. Full Documentation

Generated: 2026-05-15T19:53:38.295Z

The Glacier21 dashboard is the user-facing console for the Glacier21 API
(https://app-api.glacier21.com). It exposes every operation an account holder can perform
against their plan: minting API keys, searching wallets, watching usage,
and managing billing.

This document is the canonical agent-readable reference. Humans should use
https://dashboard.glacier21.com directly.

## Identity & Authentication

- **Issuer**: https://app-api.glacier21.com (`iss` = `glacier21-dashboard`, `aud` = `glacier21-api`)
- **Token format**: JWT (HS256). Claims: `sub` (numeric user id),
  `iss`, `aud`, `iat`, `nbf`, `exp`. Lifetime: 24 hours.
- **Header**: `Authorization: Bearer <token>`
- **Get a token**: `POST https://app-api.glacier21.com/auth/login` with `{"email","password"}`.
- **Register**: `POST https://app-api.glacier21.com/auth/register` with `{"email","password"}`.
  Returns a token immediately. Wallet search and additional API key
  creation unlock only after the email is verified.
- **Verify email**: `POST https://app-api.glacier21.com/auth/verify` with
  `{"token":"<from welcome email>"}`. Single-use, 24-hour TTL. On
  success a 10-request trial AWS API Gateway key is provisioned for
  the account. (The legacy `POST /auth/verify/{token}` path-parameter
  variant is still accepted but deprecated; the body variant is
  preferred because it doesn't appear in proxy / LB access logs.)
- **Resend verification**: `POST https://app-api.glacier21.com/auth/resend-verification`
  (per-user 2-minute cooldown, per-IP 10/hour).
- **Whoami**: `GET https://app-api.glacier21.com/auth/me` returns the `User` object.
- **Logout**: `POST https://app-api.glacier21.com/auth/logout`. JWTs are stateless,
  so this simply returns 200 and the agent should drop its bearer token locally. Listed
  as `revocation_endpoint` in the OAuth metadata.
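
The checks a verifier holding the shared HS256 secret would apply to the claims listed above, as an added example that is not Glacier21's own code. The signing key and the `sign` / `validate` helpers are constructed for illustration; only the `iss` and `aud` values come from this page.

```python
import base64
import hashlib
import hmac
import json

ISSUER, AUDIENCE = "glacier21-dashboard", "glacier21-api"  # values from the page


def _b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a demo token (constructed input, not a real credential)."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(mac)}"


def validate(token: str, key: bytes, now: float) -> dict:
    """Return the claims, or raise ValueError naming the failed check."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
        given = _b64d(sig)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("header and payload must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the header is attacker-controlled input.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):  # constant-time comparison
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong iss/aud")
    # A missing exp defaults to 0, so such a token is always rejected.
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("outside nbf/exp window")
    return claims
```
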

Verification and reset tokens are stored as **HMAC-SHA256 digests at
rest** (`TOKEN_HASH_PEPPER`), so a database leak doesn't yield account
takeover. AWS API key values are stored Fernet-encrypted at rest and
returned to the user exactly once on creation; subsequent reads (e.g.
in the `/api-keys/` list) only reveal the last 8 characters.
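
Why a digest-only table resists a database leak, as an added example that is not Glacier21's own code. The in-memory `VerificationStore`, the pepper value and the token length are assumptions made for the demo; the 24-hour TTL and single-use behaviour are the ones stated for verification tokens above.

```python
import hashlib
import hmac
import secrets

# Assumption: the real pepper lives in service configuration, outside the
# database. This value is constructed for the demo.
TOKEN_HASH_PEPPER = b"constructed-demo-pepper"
TOKEN_TTL_SECONDS = 24 * 60 * 60  # 24-hour TTL, as stated on the page


def digest(token: str) -> str:
    """Keyed HMAC-SHA256 digest: the only form of the token that is stored."""
    return hmac.new(TOKEN_HASH_PEPPER, token.encode(), hashlib.sha256).hexdigest()


class VerificationStore:
    """Hypothetical in-memory stand-in for the token table."""

    def __init__(self):
        self._rows = {}  # digest -> (user_id, expires_at)

    def issue(self, user_id: int, now: float) -> str:
        token = secrets.token_urlsafe(32)  # plaintext goes only into the email
        self._rows[digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: float):
        """Return the user id once, or None if unknown, expired or reused."""
        row = self._rows.pop(digest(token), None)  # pop enforces single use
        if row is None:
            return None
        user_id, expires_at = row
        return user_id if now < expires_at else None

    def dump(self):
        """What someone holding a copy of the table would see: digests only."""
        return list(self._rows)
```

Submitting a leaked digest as a token fails because the server hashes it again before lookup, and without the pepper the digests cannot be tested against guessed tokens offline.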

`X-API-Key` is the auth header for the wallet *Lambda* at
`api.glacier21.com/v1/wallet` (which is what your minted API key
unlocks), NOT for the dashboard auth/billing/wallet routes documented
here. Those all use Bearer JWT.

### Scopes

- `read:account`: Read profile, plan, and verification status.
- `read:usage`: Read usage stats, history, and daily breakdowns.
- `write:keys`: Create, revoke, reactivate, and delete API keys.
- `search:wallet`: Run wallet searches against the on-platform endpoint.
- `write:billing`: Create checkout sessions, manage subscription, cancel.
- `read:referrals`: Read referral code, stats, and referred-user list.

## Capabilities

### register_account

- **Title**: Register a new Glacier21 account
- **HTTP**: `POST https://app-api.glacier21.com/auth/register`
- **Auth**: Public


Self-serve signup for autonomous agents. Creates a brand-new account with the supplied email and password. Returns `{access_token, token_type}`; extract `access_token` and pass it as `Authorization: Bearer <token>` on every subsequent authenticated tool call. The token is valid for 24 hours. IMPORTANT: the 10 trial wallet lookups unlock only after the email is verified. Verify by calling `POST /auth/verify` with the `token` from the welcome email; agents that can't read email should hand off to the human at this step.

### login

- **Title**: Sign in and get a Bearer token
- **HTTP**: `POST https://app-api.glacier21.com/auth/login`
- **Auth**: Public


Exchange an email and password for a 24-hour Bearer JWT. Returns `{access_token, token_type}`. Pass `access_token` in the `Authorization: Bearer <token>` header on every authenticated tool call.

### verify_email

- **Title**: Verify the account's email with a token
- **HTTP**: `POST https://app-api.glacier21.com/auth/verify`
- **Auth**: Public


Confirm the email address on a freshly-registered account using the verification token from the welcome email. Required before wallet search and AWS-backed API key issuance unlock. Body: `{token}`.

### logout

- **Title**: Discard the current Bearer token
- **HTTP**: `POST https://app-api.glacier21.com/auth/logout`
- **Auth**: Bearer JWT


Acknowledges that the agent will drop the bearer token on its end. JWTs are stateless, so there's no server session to delete; this exists so the OAuth `revocation_endpoint` advertised in `/.well-known/oauth-authorization-server` resolves to a real URL.

### search_wallet

- **Title**: Search a wallet address
- **HTTP**: `POST https://app-api.glacier21.com/wallet/search`
- **Auth**: Bearer JWT
- **Payment**: $0.05 USD (per-call)

Look up identity, social handles, owned assets, sanctions exposure, and other off-chain signals for any blockchain wallet address.

### get_usage_stats

- **Title**: Get current usage and quota
- **HTTP**: `GET https://app-api.glacier21.com/usage/stats`
- **Auth**: Bearer JWT


Returns requests made this period, monthly limit (including referral bonuses), and billing-period dates.

### list_api_keys

- **Title**: List API keys
- **HTTP**: `GET https://app-api.glacier21.com/api-keys/`
- **Auth**: Bearer JWT


Return every API key on the account with active/revoked status and usage timestamps.

### create_api_key

- **Title**: Create an API key
- **HTTP**: `POST https://app-api.glacier21.com/api-keys/`
- **Auth**: Bearer JWT


Mint a new AWS-API-Gateway-backed key. The full key value is returned exactly once.

### revoke_api_key

- **Title**: Revoke an API key
- **HTTP**: `DELETE https://app-api.glacier21.com/api-keys/{id}`
- **Auth**: Bearer JWT


Disable an API key in AWS API Gateway and mark it inactive on the account.

### list_plans

- **Title**: List subscription plans
- **HTTP**: `GET https://app-api.glacier21.com/plans`
- **Auth**: Public


Returns the public catalog of plans (Free, Frost, Iceberg, Avalanche) with pricing and request quotas.

### subscribe_to_plan

- **Title**: Subscribe to a paid plan
- **HTTP**: `POST https://app-api.glacier21.com/billing/create-checkout-session`
- **Auth**: Bearer JWT
- **Payment**: $499 USD (subscription, per month)

Creates a Stripe Checkout session for the chosen plan and returns a hosted checkout URL the agent can complete with a card-on-file or x402 / MPP payment. Self-serve tiers: Frost ($499/mo, 10K lookups/mo) and Iceberg ($2,499/mo, 300K lookups/mo). Avalanche is enterprise-only; call list_plans for the contact path.

### get_subscription

- **Title**: Get current subscription
- **HTTP**: `GET https://app-api.glacier21.com/billing/subscription`
- **Auth**: Bearer JWT


Returns the active Stripe subscription, plan tier, status, and renewal date.

### cancel_subscription

- **Title**: Cancel subscription
- **HTTP**: `POST https://app-api.glacier21.com/billing/cancel`
- **Auth**: Bearer JWT


Cancels the subscription at period end. Access remains until the current period closes.


## Plans

The platform has four plan tiers:

- **Free**: 10 trial requests, no credit card.
- **Frost**: $499 / month, 10,000 lookups / month, 10K/day cap.
- **Iceberg**: $2,499 / month, 300,000 lookups / month, 10K/day cap.
- **Avalanche**: Enterprise. Contact sales (custom volume + dedicated support).

Get the live catalog from `GET https://app-api.glacier21.com/plans`.

## Programmatic purchase

Three rails are exposed for agents:

1. **Stripe Checkout** (recommended for a human in the loop).
   `POST https://app-api.glacier21.com/billing/create-checkout-session` with
   `{"plan":"frost"|"iceberg"}` returns `{"checkout_url":...}`. Avalanche
   is rejected here — call `POST https://app-api.glacier21.com/billing/enterprise-inquiry`
   instead to flag a sales contact.
2. **x402** (machine-only, USDC on Base).
   `POST https://dashboard.glacier21.com/api/x402/subscribe` returns HTTP 402 with
   payment requirements; settle the payment with the listed facilitator and
   resubmit with the receipt in `X-PAYMENT`.
3. **MPP** (Machine Payment Protocol).
   Every payable operation in `openapi.json` carries an `x-payment-info`
   extension MPP middleware can detect and complete automatically.

## Discovery surface

| File | Purpose |
| --- | --- |
| `/robots.txt` | Crawl rules + Content-Signal directives |
| `/sitemap.xml` | Public surfaces |
| `/llms.txt` | Agent-friendly index |
| `/llms-full.txt` | This file |
| `/openapi.json` | OpenAPI 3.1 with `x-payment-info` extensions |
| `/.well-known/security.txt` | Vulnerability reporting |
| `/.well-known/api-catalog` | RFC 9727 linkset |
| `/.well-known/oauth-authorization-server` | RFC 8414 metadata |
| `/.well-known/openid-configuration` | OIDC alias of the above |
| `/.well-known/oauth-protected-resource` | RFC 9728 metadata |
| `/.well-known/http-message-signatures-directory` | Web Bot Auth keys |
| `/.well-known/mcp/server-card.json` | MCP server card (SEP-2127) |
| `/api/mcp` | **Live MCP endpoint** (Streamable HTTP transport, POST + JSON-RPC 2.0, protocol 2025-06-18). Forward an `Authorization: Bearer` header for any tool that needs auth. |
| `/.well-known/agent-skills/index.json` | Agent Skills v0.2.0 |
| `/.well-known/acp.json` | Agentic Commerce Protocol |

## Errors

The backend returns FastAPI `{"detail": "..."}` envelopes. Common codes:

- **401**: Missing/invalid token. Re-auth.
- **403**: Email not verified, or insufficient privileges.
- **429**: Plan limit exhausted. Subscribe to a higher plan or wait for
  the period to roll over.
- **402**: Returned by /api/x402/subscribe when no payment is attached;
  the body contains x402 payment requirements.

## Contact

Email **ren@glacier21.com** for support, security disclosure, or
enterprise inquiry.
