Authentication
API keys
Every MOCA API request (except GET /v1) requires a key. Keys look like
moca_ followed by 48 hex characters and are issued by the MOCA team —
request one via museumofcryptoart.com.
Send the key with either header:
Code
Keep keys server-side
Treat your key like a password: call the MOCA API from your backend, not from browser code, or anyone reading your site's source can lift it. If a key leaks, contact the MOCA team — keys can be revoked and reissued at any time without affecting other integrators.
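A pre-deploy check for the rule above, as an added example that is not part of the MOCA documentation: it scans browser-bound build output for strings shaped like a MOCA key (moca_ plus 48 hex characters) and reports them redacted. The file-suffix list, the acceptance of upper-case hex, and the sample bundle are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Key shape from the docs: "moca_" + 48 hex characters.
# Accepting both hex cases is an assumption; the lookahead rejects longer
# hex runs so a 49+ character token is not reported as a key.
KEY_RE = re.compile(r"moca_[0-9a-fA-F]{48}(?![0-9a-fA-F])")

# Assumed set of file types that end up in the browser.
CLIENT_SUFFIXES = {".html", ".js", ".mjs", ".css", ".map", ".json"}

def redact(key):
    """Keep enough to identify which key leaked without re-leaking it in CI logs."""
    return key[:5] + "..." + key[-4:]

def scan_text(name, text):
    """Return (name, line_number, redacted_key) for every key-shaped token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((name, lineno, redact(match.group(0))))
    return findings

def scan_tree(root):
    """Scan every client-side asset under root, e.g. a build output directory."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in CLIENT_SUFFIXES:
            findings += scan_text(str(path), path.read_text(errors="replace"))
    return findings

# Constructed sample: a bundle with a hard-coded key and a too-short near miss.
SAMPLE_KEY = "moca_" + "0123456789abcdef" * 3  # constructed, not a real key
SAMPLE_BUNDLE = (
    "// constructed sample bundle\n"
    'const MOCA_KEY = "' + SAMPLE_KEY + '";\n'
    'const notAKey = "moca_' + "ab" * 10 + '";\n'
)

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        hits = scan_tree(sys.argv[1])
    else:
        hits = scan_text("sample.js", SAMPLE_BUNDLE)
    for name, lineno, key in hits:
        print(f"{name}:{lineno}: MOCA API key in client asset ({key})")
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI step
```

Run it against the build output directory as a CI step; a non-zero exit means a key-shaped string is about to ship to browsers and the key should be treated as leaked.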
Error responses
Authentication failures return 401 with the standard error envelope:
Code
| Status | Code | Meaning |
|---|---|---|
| 401 | UNAUTHORIZED | Key missing, unknown, or revoked |
| 404 | NOT_FOUND | Resource doesn't exist |
| 429 | RATE_LIMITED | Too many requests — back off |
| 502 | UPSTREAM | The DeCC0s upstream is temporarily unavailable |
Rate limits
Each key may make 120 requests per minute (sliding window). Every response carries your current budget:
Code
When you exceed the limit you receive 429 with a Retry-After: 60 header.
Honour it — repeated hammering doesn't reset the window.
Cache on your side
Museum data changes slowly. Collections, rooms, and DeCC0 records are safe to cache for minutes to hours; artwork lists for at least a few minutes. A small cache typically keeps even busy integrations far under the limit.