DappScore API Documentation

📖Introduction

All API responses are JSON. Successful responses follow a consistent envelope format. Paginated endpoints include a pagination object.

Success Response
{
  "success": true,
  "data": { /* response payload */ },
  "message": "Optional human-readable message"
}

Error Response
{
  "success": false,
  "error": "Human-readable error description",
  "details": { /* optional extra context */ }
}

Paginated Response
{
  "data": [ /* array of items */ ],
  "pagination": {
    "page": 1,
    "limit": 20,
    "total": 450,
    "pages": 23
  }
}

🔐Authentication

Different endpoint groups use different authentication methods. Public endpoints require no auth. All others use one of the schemes below.

Method	Header	Used For
None	—	Projects, Users, Stats, Scam patterns (read-only public data)
User ID	`x-user-id: <wallet-address>`	Alerts, Webhooks, API Keys (user-scoped actions)
API Key	`Authorization: Bearer sk_test_...`	Sale data writes and scoped programmatic access

⚠️ API keys are only shown once at creation. Store them securely — they cannot be retrieved again. Use /api-keys/:id/rotate to issue a new key if lost.

⚡Errors & Rate Limits

HTTP Status	Meaning
`200`	Success
`400`	Bad Request — missing or invalid parameters
`401`	Unauthorized — missing or invalid auth header
`403`	Forbidden — insufficient permissions
`404`	Not Found — resource does not exist
`429`	Rate Limited — slow down requests
`500`	Internal Server Error

ℹ️ The Firebase Functions backend caches many read endpoints. Cache TTLs are noted per endpoint with a cached Xs badge.

🌐Base URLs

Environment	Base URL	Notes
Production	`https://dappscore.io/api/v1`	Served via Firebase Hosting → Cloud Function rewrite
Express (Local Dev)	`http://localhost:3001/api`	Direct Express server, no `/v1` prefix

ℹ️ All endpoint paths below use /api/v1/... (Production). For local Express dev, strip /v1 — e.g. /api/v1/projects → /api/projects.

🏗️Projects

Read-only endpoints for browsing, searching, and retrieving DApp/project data including trust scores, votes, and trust history.

GET /api/v1/projects cached 30s No Auth

Search and filter the full project index. Supports full-text search, category/chain filtering, trust level filtering, and sorting.

Query Parameters

Param	Type	Default	Description
query	string	—	Full-text search across project name, description, address
category	string	—	Filter by category (e.g. `defi`, `nft`, `gaming`)
chain	string	—	Filter by chain (e.g. `ethereum`, `polygon`, `solana`)
trustLevel	0–5	—	Filter by minimum trust level (0 = unrated, 5 = highest trust)
status	string	—	Filter by project status
sortBy	string	—	`trustScore` \| `votes` \| `newest` \| `endingSoon`
page	integer	1	Page number
limit	integer	20	Results per page (1–100)

Example Request
GET /api/v1/projects?query=uniswap&chain=ethereum&sortBy=trustScore&limit=10

Example Response
{
  "data": [
    {
      "id": "0xabc...123",
      "name": "Uniswap V3",
      "chain": "ethereum",
      "category": "defi",
      "trustScore": 94,
      "trustLevel": 5,
      "votes": 12480,
      "status": "active"
    }
  ],
  "pagination": { "page": 1, "limit": 10, "total": 842, "pages": 85 }
}

GET /api/v1/projects/:id cached 60s No Auth

Fetch full detail for a single project by contract address or project ID.

Path Parameters

Param	Type	Description
id	string	Contract address or project ID

Example Response
{
  "data": {
    "id": "0xabc...123",
    "name": "Uniswap V3",
    "description": "Decentralized exchange protocol",
    "chain": "ethereum",
    "category": "defi",
    "contractAddress": "0xabc...123",
    "trustScore": 94,
    "trustLevel": 5,
    "votes": 12480,
    "positiveVotes": 11800,
    "negativeVotes": 680,
    "verified": true,
    "scamFlag": false,
    "website": "https://uniswap.org",
    "twitter": "@Uniswap",
    "createdAt": "2024-01-15T10:30:00Z"
  }
}

GET /api/v1/projects/trending cached 60s No Auth

Returns projects with the highest vote velocity in the given timeframe.

Query Parameters

Param	Type	Default	Description
timeframe	string	24h	`24h` or `7d`
limit	integer	10	Max results (up to 50)

GET /api/v1/projects/similar/:address cached 300s No Auth

Returns projects similar to the given contract address based on category, chain, and trust profile.

Path Parameters

Param	Type	Description
address	string	EVM contract address

GET /api/v1/projects/:id/votes No Auth

Paginated list of all votes cast for this project.

Query Parameters

Param	Type	Default	Description
page	integer	1	Page number
limit	integer	50	Results per page

GET /api/v1/projects/:id/trust-history cached 120s No Auth

Returns the full chronological history of trust level changes for a project. Useful for charting trust progression over time.

Example Response
{
  "data": [
    {
      "timestamp": "2024-03-01T00:00:00Z",
      "trustLevel": 3,
      "trustScore": 61,
      "reason": "Community vote threshold reached"
    }
  ]
}

GET /api/v1/projects/:id/sale cached 60s No Auth

Returns current token sale/IDO data for a project if it exists.

Example Response
{
  "raised": 450000,
  "goal": 1000000,
  "currency": "USDC",
  "tokenPrice": 0.05,
  "startDate": 1711929600,
  "endDate": 1714521600,
  "minContribution": 100,
  "maxContribution": 5000,
  "saleContract": "0xdef...456",
  "network": "ethereum",
  "updatedAt": 1710237600
}

POST /api/v1/projects/:id/sale API Key (sale:write)

Create or update token sale data for a project. Requires an API key with sale:write permission scoped to this project.

Request Body (JSON)

Field	Type	Required	Description
raised	number	required	Amount raised so far in `currency` units
goal	number	required	Fundraising goal in `currency` units
currency	string	required	Currency symbol (e.g. `USDC`, `ETH`)
tokenPrice	number	required	Token price in `currency` units
startDate	integer	required	Sale start as a Unix timestamp (seconds)
endDate	integer	required	Sale end as a Unix timestamp (seconds) — must be after `startDate`
minContribution	number	optional	Minimum contribution amount
maxContribution	number	optional	Maximum contribution amount
saleContract	string	optional	Sale contract address
network	string	optional	Blockchain network (default: mainnet)

Example Request
POST /api/v1/projects/0xabc...123/sale
Authorization: Bearer sk_live_...

{
  "raised": 250000,
  "goal": 1000000,
  "currency": "USDC",
  "tokenPrice": 0.05,
  "startDate": 1711929600,
  "endDate": 1714521600
}

Example Response
{
  "ok": true,
  "data": {
    "raised": 250000,
    "goal": 1000000,
    "currency": "USDC",
    "tokenPrice": 0.05,
    "startDate": 1711929600,
    "endDate": 1714521600,
    "updatedAt": 1710237600
  }
}

ℹ️ updatedAt is set automatically to the current Unix timestamp on every write. currency is normalised to uppercase (e.g. "usdc" → "USDC"). The endpoint is idempotent — calling POST again overwrites the existing sale document.

👤Users

User profile, voting history, earnings, reputation, referrals, and leaderboards. All addresses are EVM-compatible (checksummed hex).

GET /api/v1/users/:address cached 30s No Auth

Returns the full public profile for a wallet address.

Example Response
{
  "data": {
    "address": "0xUser...abc",
    "reputation": 2840,
    "reputationLevel": "Gold",
    "totalVotes": 312,
    "accuracyRate": 0.847,
    "totalEarnings": "1420.50",
    "joinedAt": "2023-08-10T14:22:00Z"
  }
}

GET /api/v1/users/:address/votes No Auth

Paginated list of all votes cast by this user.

Query Parameters

Param	Type	Default	Description
page	integer	1	Page number
limit	integer	50	Results per page

GET /api/v1/users/:address/accuracy cached 60s No Auth

Returns detailed voting accuracy statistics — how often the user's votes aligned with the final trust outcome.

Example Response
{
  "data": {
    "address": "0xUser...abc",
    "totalVotes": 312,
    "correctVotes": 264,
    "accuracyRate": 0.847,
    "scamsCaught": 18,
    "falsePositives": 4
  }
}

GET /api/v1/users/:address/earnings cached 60s No Auth

Returns the full earnings history for this user including $SCORE rewards, insurance payouts, and referral bonuses.

GET /api/v1/users/:address/reputation cached 60s No Auth

Returns a breakdown of the user's reputation score including earned from votes, bonuses, penalties, and current tier.

GET /api/v1/users/:address/referrals cached 120s No Auth

Returns the user's affiliate referral stats — number of referrals, total bonus earnings, and referred user list.

GET /api/v1/users/leaderboard/:type cached 120s No Auth

Returns the top users ranked by the given metric.

Path Parameters

Param	Values	Description
type	`reputation` \| `scamHunters` \| `accuracy` \| `earnings`	Leaderboard category

Query Parameters

Param	Type	Default	Description
limit	integer	100	Max results (up to 200)

📊Stats

Platform-wide aggregated statistics for the dashboard, charts, and token metrics. All stats endpoints are public and cached.

GET /api/v1/stats/global cached 60s No Auth

Returns overall platform statistics: total projects, votes, users, and scam reports.

Example Response
{
  "data": {
    "totalProjects": 8420,
    "totalVotes": 2140000,
    "totalUsers": 94200,
    "scamsDetected": 1240,
    "totalInsurancePaid": "842000.00",
    "activeProjects": 6100
  }
}

GET /api/v1/stats/daily cached 300s No Auth

Returns day-by-day activity data suitable for time-series charts.

Query Parameters

Param	Type	Default	Description
days	integer	30	Number of days of history (max 365)

GET /api/v1/stats/token cached 120s No Auth

Returns $SCORE token metrics including price, market cap, circulating supply, staking stats, and 24h change.

GET /api/v1/stats/insurance cached 120s No Auth

Returns current insurance pool balance, total claims paid, pending claims, and coverage statistics.

GET /api/v1/stats/predictions cached 120s No Auth

Returns prediction market stats: total markets, volume, open positions, and resolution accuracy.

GET /api/v1/stats/bounties cached 120s No Auth

Returns bounty program stats: open bounties, total rewards paid, and top earners.

🔍Scam Detection

Automated on-chain contract analysis for rug-pull patterns, honeypot detection, malicious tokenomics, and suspicious ownership structures. Supports EVM, Solana, and Starknet.

⚠️ Analysis results are probabilistic. Always combine automated analysis with community signals before making financial decisions.

GET /api/v1/scam/patterns cached 3600s No Auth

Returns the full catalogue of known scam patterns used by the analysis engine. Useful for building UI explanations.

Example Response
{
  "data": {
    "patterns": [
      {
        "id": "HONEYPOT_TRANSFER_RESTRICTION",
        "name": "Honeypot — Transfer Restriction",
        "severity": "critical",
        "description": "Contract prevents token sells via blacklist or transfer block"
      },
      {
        "id": "OWNERSHIP_NOT_RENOUNCED",
        "name": "Ownership Not Renounced",
        "severity": "medium",
        "description": "Owner retains admin powers (mint, pause, blacklist)"
      }
    ]
  }
}

POST /api/v1/scam/analyze No Auth

Performs a full risk analysis on a contract address. Returns a numeric risk score, categorical risk level, and list of triggered pattern flags.

Request Body (JSON)

Field	Type	Required	Description
contractAddress	string	required	Contract or token address to analyze
network	string	optional	`mainnet` \| `solana` \| `starknet` \| `polygon` \| `arbitrum` \| `optimism` \| `base` (default: `mainnet`)

Example Response
{
  "success": true,
  "data": {
    "address": "0xabc...123",
    "network": "mainnet",
    "riskScore": 78,
    "riskLevel": "high",
    "flags": [
      {
        "id": "HIGH_TAX",
        "name": "Excessive Tax",
        "severity": "high",
        "description": "Buy/sell tax exceeds 15%"
      }
    ],
    "analyzedAt": "2024-03-12T10:15:00Z"
  }
}

Risk Levels: low (0–25) · medium (26–50) · high (51–75) · critical (76–100) · unknown

POST /api/v1/scam/tokenomics No Auth

Deep-dives into token holder distribution to identify whale concentration, team wallet sizes, and exchange ratios.

Request Body (JSON)

Field	Type	Required	Description
tokenAddress	string	required	Token contract address
network	string	optional	`mainnet` \| `solana` (default: `mainnet`)

POST /api/v1/scam/batch No Auth

Analyze up to 10 contracts in a single request.

Request Body (JSON)

Field	Type	Required	Description
addresses	string[]	required	Array of contract addresses (max 10)
network	string	optional	Network for all addresses (default: `mainnet`)

Example Response
{
  "success": true,
  "data": {
    "analyzed": 3,
    "results": {
      "0xabc...1": { "riskScore": 12, "riskLevel": "low", "flags": [] },
      "0xabc...2": { "riskScore": 91, "riskLevel": "critical", "flags": [/* ... */] },
      "0xabc...3": { "riskScore": 44, "riskLevel": "medium", "flags": [/* ... */] }
    }
  }
}

POST /api/v1/scam/report No Auth

Submit a community scam report for a contract. Reports are reviewed by the admin team and can trigger trust level changes.

Request Body (JSON)

Field	Type	Required	Description
contractAddress	string	required	Address to report
reason	string	required	Description of the scam (10–2000 characters)
network	string	optional	Chain the contract is on
projectId	string	optional	Associated project ID if known
evidence	string[]	optional	URLs to supporting evidence (max 10)
reporter	string	optional	Reporter wallet address

🐋Whale Tracking

Monitor large token holders, track significant on-chain transfers, and receive alerts when whales move funds. Powered by Moralis and Alchemy.

GET /api/v1/whales/:tokenAddress cached 120s No Auth

Returns the top token holders (whales) for a given token.

Query Parameters

Param	Type	Default	Description
network	string	mainnet	Blockchain network
limit	integer	20	Number of whales to return (max 100)

Example Response
{
  "success": true,
  "data": {
    "tokenAddress": "0xabc...123",
    "network": "mainnet",
    "whaleCount": 20,
    "whales": [
      {
        "address": "0xWhale...1",
        "balance": "4200000",
        "percentage": 4.2,
        "label": "Binance Hot Wallet",
        "type": "exchange"
      }
    ]
  }
}

GET /api/v1/whales/:tokenAddress/transactions cached 60s No Auth

Returns recent large transfers for a token within the given time window.

Query Parameters

Param	Type	Default	Description
network	string	mainnet	Blockchain network
hours	integer	24	Lookback window in hours (max 168 = 7 days)

GET /api/v1/whales/:tokenAddress/analysis cached 3600s No Auth

Returns aggregated whale activity analysis including buy/sell pressure, net flow, and trend classification.

Example Response
{
  "data": {
    "tokenAddress": "0xabc...123",
    "network": "mainnet",
    "last24h": {
      "buyVolume": "1200000",
      "sellVolume": "800000",
      "netFlow": "400000",
      "transactions": 42
    },
    "trend": "accumulating",
    "analyzedAt": "2024-03-12T10:00:00Z"
  }
}

GET /api/v1/whales/:tokenAddress/alerts No Auth

Returns large transfer events above a USD threshold for a given token.

Query Parameters

Param	Type	Default	Description
network	string	mainnet	Blockchain network
threshold	number	100000	Minimum USD value to include (default $100k)

GET /api/v1/whales/wallet/:address cached 60s No Auth

Returns wallet info, ETH balance, and any human-readable label assigned to the address (exchange, team, fund, etc).

POST /api/v1/whales/track No Auth

Add a token to the whale tracking list so that whale transfers trigger platform alerts.

Request Body (JSON)

Field	Type	Required	Description
tokenAddress	string	required	Token contract address
symbol	string	required	Token symbol (e.g. `SCORE`)
priceUsd	number	optional	Current token price in USD
network	string	optional	Blockchain network (default: `mainnet`)

POST /api/v1/whales/price No Auth

Update the USD price for a tracked token to keep USD-threshold alerts accurate.

Request Body (JSON)

Field	Type	Required	Description
tokenAddress	string	required	Token contract address
priceUsd	number	required	Current price in USD

POST /api/v1/whales/wallet/label No Auth

Assign a human-readable label to a wallet address for display purposes in whale lists.

Request Body (JSON)

Field	Type	Required	Description
address	string	required	Wallet address
label	string	required	Human-readable label (e.g. `Binance Hot Wallet`)
type	string	optional	`whale` \| `exchange` \| `team` \| `fund` \| `bot` \| `other`
notes	string	optional	Additional notes

🔔Alerts

User-scoped notification management. Alerts are generated automatically by platform events (trust changes, scam flags, whale activity). All endpoints require the x-user-id header.

GET /api/v1/alerts x-user-id

Returns the authenticated user's alert feed, optionally filtered by type or read status.

Query Parameters

Param	Type	Default	Description
unreadOnly	boolean	false	If `true`, only return unread alerts
type	string	—	Filter by alert type
limit	integer	20	Max results (up to 100)
offset	integer	0	Pagination offset

Example Response
{
  "success": true,
  "data": {
    "alerts": [
      {
        "id": "alert_abc123",
        "type": "scam_flagged",
        "title": "Project flagged as scam",
        "body": "ProjectX has been flagged by the community",
        "severity": "high",
        "read": false,
        "createdAt": "2024-03-12T09:00:00Z"
      }
    ],
    "total": 12,
    "hasMore": false
  }
}

GET /api/v1/alerts/unread-count x-user-id

Returns the number of unread alerts. Lightweight endpoint for badge indicators.

Example Response
{ "success": true, "data": { "count": 5 } }

GET /api/v1/alerts/preferences x-user-id

Returns the user's current alert delivery preferences. Defaults are applied if not previously set.

PUT /api/v1/alerts/preferences x-user-id

Update which alert types and delivery channels the user subscribes to.

Request Body (JSON) — all fields optional

Field	Type	Description
enableEmail	boolean	Receive email notifications
enableTelegram	boolean	Receive Telegram notifications
enableWebhook	boolean	Deliver to registered webhook
enablePush	boolean	Browser push notifications
trustChangeAlerts	boolean	Alert on trust level changes
scamFlagAlerts	boolean	Alert when project is flagged as scam
whaleActivityAlerts	boolean	Alert on large whale movements
voteThresholdAlerts	boolean	Alert when vote thresholds are crossed
marketAlerts	boolean	Alert on prediction market events
minSeverity	string	Minimum severity: `low` \| `medium` \| `high` \| `critical`
telegramChatId	string	Telegram chat ID for delivery
webhookUrl	string	Webhook URL override
emailAddress	string	Email address for notifications

POST /api/v1/alerts/:alertId/read x-user-id

Mark a specific alert as read.

POST /api/v1/alerts/read-all x-user-id

Mark all of the user's alerts as read in one call.

Example Response
{ "success": true, "data": { "count": 12 }, "message": "12 alerts marked as read" }

DELETE /api/v1/alerts/:alertId x-user-id

Permanently delete a single alert from the user's feed.

🔗Webhooks

Register external HTTPS endpoints to receive real-time event payloads. Each webhook is secured with an HMAC-SHA256 signature in the X-DappScore-Signature header.

ℹ️ Webhook secrets are only returned once at registration or rotation. Verify payloads by computing HMAC-SHA256(secret, rawBody) and comparing with the header value.

Supported Event Types

project.trust_changed project.scam_flagged project.created vote.cast whale.activity alert.triggered market.resolved bounty.completed all

GET /api/v1/webhooks x-user-id

Returns all registered webhooks for the authenticated user.

POST /api/v1/webhooks/register x-user-id

Register a new webhook URL. The secret in the response is shown only once.

Request Body (JSON)

Field	Type	Required	Description
url	string	required	HTTPS endpoint URL to deliver events to
events	string[]	optional	Event types to subscribe to (default: `["all"]`)

Example Response
{
  "success": true,
  "data": {
    "id": "wh_abc123",
    "url": "https://yourapp.com/hooks/dappscore",
    "secret": "whsec_xxxxxxxxxxxx",
    "events": ["project.trust_changed", "project.scam_flagged"],
    "message": "Webhook registered. Save the secret — it will not be shown again."
  }
}

PUT /api/v1/webhooks/:id x-user-id

Update a webhook's URL, subscribed events, or active status.

Request Body (JSON) — all optional

Field	Type	Description
url	string	New endpoint URL
events	string[]	New event subscription list
active	boolean	Enable or disable the webhook

DELETE /api/v1/webhooks/:id x-user-id

Permanently delete a webhook and stop all future event deliveries.

POST /api/v1/webhooks/:id/test x-user-id

Sends a test payload to the webhook URL and reports the HTTP status received.

Example Response
{ "success": true, "data": { "statusCode": 200 }, "message": "Test delivery successful" }

GET /api/v1/webhooks/:id/logs x-user-id

Returns the last 50 delivery attempt logs for the webhook, including status codes, timestamps, and failure reasons.

POST /api/v1/webhooks/:id/rotate-secret x-user-id

Generates a new signing secret for the webhook. The old secret is immediately invalidated.

⚠️ Update your signature verification logic with the new secret before rotating, or incoming webhook events will fail signature checks.

🗝️API Keys

Manage programmatic API keys for machine-to-machine access. Keys carry scoped permissions and are associated with a user wallet. Maximum 10 keys per user.

ℹ️ You can create and manage API keys from the Dashboard → API Keys tab without writing any code. Use the API endpoints below for scripting or CI/CD pipelines.

⚠️ The raw API key (sk_test_...) is only shown once — at creation or rotation. It is stored hashed and cannot be retrieved. Treat it like a password.

Available Permissions

Permission	Description
`sale:write`	Create and update token sale data for scoped projects
`webhooks:manage`	Register, update, and delete webhooks programmatically
`data:read`	Read access to project and analytics data

POST /api/v1/api-keys x-user-id

Create a new API key. The full key value is returned only in this response.

Request Body (JSON)

Field	Type	Required	Description
name	string	required	Human-readable label (1–100 chars)
projectId	string	optional	Scope key to a specific project ID
permissions	string[]	required	Non-empty array of permission grants (e.g. `["sale:write"]`)

Example Response
{
  "id": "key_abc123",
  "key": "sk_test_a1b2c3d4e5f6g7h8i9j0...",
  "keyPrefix": "sk_test_a1b2c3",
  "name": "My Sale Integration",
  "projectId": "0xabc...123",
  "permissions": ["sale:write"],
  "active": true,
  "usageCount": 0,
  "createdAt": "2024-03-12T10:00:00Z",
  "_warning": "Save this key now — it will not be shown again."
}

GET /api/v1/api-keys x-user-id

Lists all API keys for the user. Raw key values are never returned — only prefixes.

GET /api/v1/api-keys/:keyId x-user-id

Returns metadata for a specific API key including usage count and last used timestamp.

PATCH /api/v1/api-keys/:keyId x-user-id

Rename an API key. Only the label can be changed — permissions and project scoping are immutable.

Request Body (JSON)

Field	Type	Required	Description
name	string	required	New label for the key

DELETE /api/v1/api-keys/:keyId x-user-id

Immediately and permanently revoke an API key. Any requests made with this key will return 401 after revocation.

POST /api/v1/api-keys/:keyId/rotate x-user-id

Issues a new key value and immediately revokes the old one. The new raw key is returned only in this response.

🖼️Share Cards

Generate dynamic PNG images for sharing project trust cards, user stat cards, and leaderboards on social media. All endpoints return a image/png binary stream.

GET /api/share/project/:id No Auth

Generates a shareable PNG card for a project showing its trust score, vote count, and category.

ℹ️ Share endpoints are on the Express backend only (/api/share/* — no /v1). Content-Type: image/png.

GET /api/share/user/:address No Auth

Generates a PNG stat card for a user showing reputation, accuracy rate, and total earnings.

GET /api/share/leaderboard No Auth

Generates a PNG leaderboard snapshot card.

Query Parameters

Param	Type	Default	Description
type	string	reputation	Leaderboard type: `reputation` \| `scamHunters` \| `accuracy` \| `earnings`

GET /api/share/prediction/:marketId No Auth

Generates a PNG card for a prediction market showing current odds, volume, and resolution status.

📥Incoming Webhooks

Endpoints for receiving events from third-party indexing services. These are called by Alchemy and The Graph/Notifi — not by end users.

POST /api/v1/webhooks/incoming/alchemy Alchemy Signing Key

Receives Alchemy Activity webhook events for whale transaction detection. The payload signature is verified using the ALCHEMY_SIGNING_KEY environment variable.

POST /api/v1/webhooks/incoming/graph Subgraph Secret

Receives subgraph / Notifi webhook events (e.g. new votes, trust threshold crossings). Requests must include a valid SUBGRAPH_WEBHOOK_SECRET header.