Developer DocsOverview

Developer Overview

The DegensQuest API is a REST + GraphQL + WebSocket API that powers the Telegram Mini App, app.degensquest.xyz, and third-party integrations.

PropertyValue
Base URLhttps://api.degensquest.xyz/api/v1
Response formatJSON
VersioningURI-based (/v1)
AuthJWT Bearer token
Rate limit120 requests per minute per IP (authenticated); 30/min unauthenticated
Status pagehttps://status.degensquest.xyz

Authentication

The API supports two authentication methods:

1. Telegram OAuth (Mini App)

Used by the Telegram Mini App. Pass initData from window.Telegram.WebApp.initData to the /auth/telegram endpoint. Returns a short-lived accessToken (15 minutes) and sets a long-lived refreshToken in an httpOnly cookie.

2. Wallet Auth (SIWE)

Used by app.degensquest.xyz and external integrations. Complete the nonce → SIWE sign → verify flow. Returns the same token format.

All authenticated endpoints require:

Authorization: Bearer <accessToken>

Quick Start (TypeScript)

const API = 'https://api.degensquest.xyz/api/v1';
 
// Step 1: Authenticate with Telegram initData (inside Telegram Mini App)
const authRes = await fetch(`${API}/auth/telegram`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ initData: window.Telegram.WebApp.initData }),
});
const { accessToken } = await authRes.json();
 
// Step 2: Fetch your profile
const profileRes = await fetch(`${API}/users/me`, {
  headers: { Authorization: `Bearer ${accessToken}` },
});
const user = await profileRes.json();
console.log(`Hello ${user.displayName}, level ${user.level}`);
 
// Step 3: Check economy balance
const balanceRes = await fetch(`${API}/economy/balance`, {
  headers: { Authorization: `Bearer ${accessToken}` },
});
const { degen, qbot } = await balanceRes.json();
console.log(`$DEGEN: ${degen} | QUEST: ${qbot}`);

Token Refresh

Access tokens expire after 15 minutes. Refresh silently using the httpOnly cookie:

const refreshRes = await fetch(`${API}/auth/refresh`, {
  method: 'POST',
  credentials: 'include', // sends the httpOnly refresh cookie
});
const { accessToken } = await refreshRes.json();

Resource Groups

GroupDescriptionAuth Required
/authLogin, SIWE, refresh, logoutNo (to obtain token)
/usersProfiles, stats, achievementsPartial (public profiles are open)
/guildsGuild list, detail, membersNo (read); Yes (write)
/gamesActive games, history, leaderboardsNo (read)
/economyBalance, $DEGEN ledger, QUEST dataYes
/questsActive quests, progress, completionsNo (list); Yes (progress)
/leaderboardsGlobal, guild, and per-game rankingsNo
/marketplaceListings, bids, purchases, NFTsYes
/notificationsUser notification streamYes
/adminAdmin-only endpoints (RBAC protected)Yes + admin role

Full endpoint documentation: API Reference

WebSocket Events

Real-time game events are delivered via WebSocket at:

wss://api.degensquest.xyz/ws

Connecting

const ws = new WebSocket('wss://api.degensquest.xyz/ws');
 
ws.onopen = () => {
  ws.send(JSON.stringify({
    type: 'auth',
    token: accessToken,
  }));
};
 
ws.onmessage = (event) => {
  const msg = JSON.parse(event.data);
  console.log(msg.type, msg.payload);
};

Event Types

Event TypeDescription
game.round_startA new game round has begun
game.round_endRound ended with scores
game.player_joinedA player joined a game lobby
game.player_leftA player left or was eliminated
game.endedGame over — final leaderboard
raid.attackA raid attack was registered
raid.boss_hpUpdated boss HP bar
economy.balance_updateYour $DEGEN balance changed
quest.completedA quest was completed
notificationGeneral notification event

Webhooks

Guild integrations can subscribe to webhooks for bot-free automation:

POST /guilds/:slug/webhooks
{
  "url": "https://your-server.example.com/webhook",
  "events": ["game.ended", "raid.boss_hp", "quest.completed"],
  "secret": "your_hmac_secret"
}

Webhook payloads are signed with HMAC-SHA256. Verify with:

const signature = req.headers['x-degensquest-signature'];
const expected = crypto
  .createHmac('sha256', webhookSecret)
  .update(JSON.stringify(req.body))
  .digest('hex');
const valid = crypto.timingSafeEqual(
  Buffer.from(signature),
  Buffer.from(`sha256=${expected}`)
);

TypeScript SDK

A first-party TypeScript SDK is under development:

# Coming soon
npm install @quest/sdk

The SDK will wrap all REST endpoints with typed methods, handle token refresh automatically, and provide typed WebSocket event handlers. Track progress in the DegensQuest GitHub repository.

API Key (Server-to-Server)

For server-side integrations that don’t act as a specific user, request an API key from developers@degensquest.xyz. Server API keys bypass the per-IP rate limit and are not tied to a user session. They have restricted scope (read-only by default) and require HMAC request signing.

Battle PassAPI Reference