Andamio
Andamio API
Back to home

Anatomy of an API Call

Click any line to see what it does. Two headers, three data sources, one response — this is how open credentials become apps.

anatomy
$ curl -X POST \
https://api.andamio.io/api/v2/course/student/credentials/list \
-H "X-API-Key: ant-dk_7f3a9b... " \
-H "Authorization: Bearer eyJhbGci... "
200 OK 
{
  "data": [{
    "course_id": "bafebb4c...",
    "course_title": "Andamio Pioneers",
    "is_enrolled": true,
    "enrollment_status": "completed",
    "claimed_credentials": ["d062..."],
    "modules": [{
      "slt_hash": "d062...",
      "course_module_code": "intro",
      "title": "What is Andamio?"
    }],
    "source": "merged"
  }]
}

Tap any line above to see what it does

The Endpoint

POST /api/v2/course/student/credentials/list

This endpoint lists the course credentials a student has earned.

Credentials consist of on-chain and off-chain data.

On-chain — content hashes stored on Cardano
Off-chain — course details, content, and metadata

Andamio API returns data combining both.

Your App's Identity

X-API-Key: ant-dk_7f3a9b...

The API key identifies your application, not your user. It identifies who built this app and what tier of access they have.

Andamio uses it to apply rate limits, track usage, and enforce quota — all based on your app's tier.

The ant-dk_ prefix means this is a developer key. Your app can serve thousands of users through a single key — each user is identified separately via their authorization token.

How you get one

1. Register as a developer (wallet signature + email)
2. Verify your email via magic link
3. Request an API key — shown once, store it securely
Think of it like a Stripe secret key: it's your app's credential, not your user's.

The User's Identity

Authorization: Bearer eyJhbGci...

The Andamio authorization token (a JWT) identifies the human. It's issued when a user logs in with their Cardano wallet, proving they control the private key behind their on-chain identity.

How the user gets this token

1. User connects their Cardano wallet (CIP-30)
2. Andamio checks for an Access Token — a Cardano native token that proves they're an Andamio user
3. Andamio issues a cryptographic challenge (random nonce, 5-min expiry)
4. User signs the challenge in their wallet — no transaction, just a signature
5. Andamio verifies the signature and returns a 24-hour authorization token

Inside the token

userId: "a1b2c3d4-e5f6-7890..."
cardanoBech32Addr: "addr1q..."
accessTokenAlias: "satoshi"
exp: 1741900800

This is the key insight: your app never touches the user's private key. The wallet signs a challenge, Andamio issues a token, and every subsequent request carries proof of identity without exposing secrets.

The user owns their credentials on-chain. Your app just reads them — with their permission.

The Merged Response

"source": "merged"

Every response includes a source field that tells you where the data came from.

"merged"
On-chain and off-chain data combined. The complete picture.
"chain_only"
On-chain data only. Content metadata not available in the database.
"db_only"
Off-chain data only. Draft content not yet published to the blockchain.
The blockchain is always the source of truth. If the database is behind, Andamio auto-corrects on read.

Two headers. A new kind of app.

Most APIs have one identity: yours. Andamio has two, and that changes everything.

Traditional SaaS

One API key. Your app owns the user's data. Credentials live in your database.

API Key Your DB

Raw Blockchain

User signs everything directly. No app layer. Hard to build products on top of.

Wallet Chain

Andamio

Your app has its own identity and the user keeps theirs. Credentials are on-chain. Your app reads them through Andamio API.

API Key + User JWT Merged

Ready to build?

Get your API key, explore the reference, and start building on open credentials.

Get API Key API Reference