feat: replace API key auth with optional affiliate address tracking #11959

Merged
0xApotheosis merged 5 commits into develop from feat/affiliate-address-tracking
Feb 23, 2026

NeOMakinG (Collaborator) commented Feb 19, 2026

Description

Replaces API key authentication with optional affiliate address tracking across the Public API and Swap Widget packages. Partners can now attribute swaps by passing an Arbitrum address via the X-Affiliate-Address header — no API key required. The API is now fully public.

Breaking change: The apiKey prop has been removed from SwapWidgetProps and ApiClientConfig. Consumers using the deprecated apiKey prop must switch to affiliateAddress (or remove the prop entirely — the widget works without it).

Key changes:

  • Public API: Removed STATIC_API_KEYS, apiKeyAuth/optionalApiKeyAuth middleware, PartnerConfig type. New affiliateAddress middleware validates optional EVM addresses (/^0x[0-9a-fA-F]{40}$/), returns 400 for invalid format, passes through silently when missing. affiliateAddress is echoed in quote/rates responses when provided.
  • Widget: Replaced apiKey prop with affiliateAddress on SwapWidgetProps. Removed apiKey from ApiClientConfig and all x-api-key header logic. Client sends X-Affiliate-Address header when affiliateAddress is provided. Updated README and demo app.
  • OpenAPI docs: Removed apiKeyAuth security scheme and security annotations from swap endpoints. Registered X-Affiliate-Address as an OpenAPI header parameter on /v1/swap/rates and /v1/swap/quote. Added affiliateAddress to response schemas. Removed stale auth config from Scalar docs UI.
  • Smoke tests: Removed auth-gate tests (401 checks). Added tests verifying endpoints work without authentication. Updated rate tests to use X-Affiliate-Address instead of X-API-Key.

What stays the same:

  • affiliateBps remains hardcoded at DEFAULT_AFFILIATE_BPS = '60' — only attribution changes, not fee rates
  • All existing swap/quote/rate logic is untouched
  • Anonymous usage (no affiliate address) continues to work exactly as before

Issue (if applicable)

closes #11958

Risk

Low risk. This PR removes authentication barriers (API keys) and adds optional address tracking. No on-chain transaction changes. No fee calculation changes. The affiliate address is purely metadata for attribution.

What protocols, transaction types, wallets or contract interactions might be affected by this PR?

None. This only affects the Public API authentication layer and Widget configuration. No on-chain interactions are modified.

Testing

Engineering

  1. Build and start the public API:

    yarn workspace @shapeshiftoss/public-api build:bundle && yarn workspace @shapeshiftoss/public-api start:prod
  2. Anonymous usage (no affiliate address):

    # Should return 200 with rates, no affiliateAddress field in response
    curl "http://localhost:3001/v1/swap/rates?sellAssetId=eip155:1/slip44:60&buyAssetId=eip155:1/erc20:0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48&sellAmountCryptoBaseUnit=1000000000000000000"
  3. With valid affiliate address:

    # Should return 200 with affiliateAddress echoed in response
    curl -H "X-Affiliate-Address: 0x1234567890abcdef1234567890abcdef12345678" \
      "http://localhost:3001/v1/swap/rates?sellAssetId=eip155:1/slip44:60&buyAssetId=eip155:1/erc20:0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48&sellAmountCryptoBaseUnit=1000000000000000000"
  4. With invalid affiliate address:

    # Should return 400 with INVALID_AFFILIATE_ADDRESS error
    curl -H "X-Affiliate-Address: not-an-address" \
      "http://localhost:3001/v1/swap/rates?sellAssetId=eip155:1/slip44:60&buyAssetId=eip155:1/erc20:0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48&sellAmountCryptoBaseUnit=1000000000000000000"
  5. Verify docs UI: Open http://localhost:3001/docs — no Authentication section should appear, and swap endpoints should show X-Affiliate-Address as an optional header parameter.

  6. Widget demo: Run yarn dev in packages/swap-widget — confirm demo uses affiliateAddress prop and network requests include X-Affiliate-Address header.

  7. Type check: yarn type-check passes

  8. Lint: yarn lint passes with 0 errors

Operations

  • 🏁 My feature is behind a flag and doesn't require operations testing (yet)

This is an API/SDK change only. No user-facing UI changes in the main web app. Widget consumers will opt-in by updating their props.

Screenshots (if applicable)

N/A — no UI changes in the main web application.

Summary by CodeRabbit

Release Notes

  • New Features

    • Added optional affiliate address tracking via X-Affiliate-Address header for API requests
    • Quote and rate API responses now include affiliate address field
  • Breaking Changes

    • Removed API key authentication requirement for API endpoints
    • Swap widget prop renamed from apiKey to affiliateAddress
  • Documentation

    • Updated API documentation and README with affiliate address tracking guidance

Replace the X-API-Key header authentication with an optional X-Affiliate-Address
header across the Public API and Swap Widget. The API now works without any
authentication — when an affiliate address is provided, it's attached to the
response for downstream fee attribution.

Closes #11958
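
The header handling the description outlines (optional header, regex format check, 400 on invalid, silent pass-through when missing), as an added TypeScript example that is not the project's middleware. The function, type and constant names are hypothetical, and rejecting repeated or empty header values is an assumption of this example.

```typescript
// Added example, not the project's middleware. The header name, regex and error
// code are quoted in the PR description; every other name here is hypothetical.
const EVM_ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/

type HeaderMap = Record<string, string | string[] | undefined>

interface AffiliateCheck {
  status: 200 | 400
  affiliateAddress?: string
  code?: 'INVALID_AFFILIATE_ADDRESS'
}

function checkAffiliateHeader(headers: HeaderMap): AffiliateCheck {
  const invalid: AffiliateCheck = { status: 400, code: 'INVALID_AFFILIATE_ADDRESS' }

  // Header names are case-insensitive, so match the name without regard to case.
  const name = Object.keys(headers).find(k => k.toLowerCase() === 'x-affiliate-address')
  const raw = name === undefined ? undefined : headers[name]

  // Missing header: anonymous request, passes through with nothing attached.
  if (raw === undefined) return { status: 200 }

  // Assumption: a repeated header is ambiguous and is rejected, whether the HTTP
  // layer exposes it as an array or as one comma-joined string (fails the regex).
  if (Array.isArray(raw)) return invalid

  // Format check only: 0x plus exactly 40 hex digits, no EIP-55 checksum test.
  // In JavaScript, $ without the m flag matches only at the very end of the input,
  // so a trailing newline or any padding is rejected. Assumption: an empty value
  // is treated as invalid rather than as missing.
  if (!EVM_ADDRESS_RE.test(raw)) return invalid

  return { status: 200, affiliateAddress: raw }
}

// Constructed inputs: the sample address is the one used in the PR's curl steps.
const SAMPLE_ADDRESS = '0x1234567890abcdef1234567890abcdef12345678'

function demoStatuses(): number[] {
  return [
    checkAffiliateHeader({}),
    checkAffiliateHeader({ 'X-Affiliate-Address': SAMPLE_ADDRESS }),
    checkAffiliateHeader({ 'x-affiliate-address': 'not-an-address' }),
    checkAffiliateHeader({ 'x-affiliate-address': `${SAMPLE_ADDRESS}\n` }),
    checkAffiliateHeader({ 'x-affiliate-address': `${SAMPLE_ADDRESS}, ${SAMPLE_ADDRESS}` }),
  ].map(r => r.status)
}
```

With API keys removed, the value is whatever the caller sent; this check constrains its format only and says nothing about who controls the address.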

coderabbitai bot (Contributor) commented Feb 19, 2026

Caution

Review failed

The pull request is closed.

Walkthrough

Replace API key-based authentication with optional Arbitrum affiliate address tracking via X-Affiliate-Address header. Remove STATIC_API_KEYS and apiKeyAuth middleware. Introduce affiliateAddress middleware validating EVM addresses. Update response schemas and widget prop from apiKey to affiliateAddress.

Changes

| Cohort | File(s) | Summary |
| --- | --- | --- |
| Public API Auth & Config | packages/public-api/src/config.ts, packages/public-api/src/middleware/auth.ts, packages/public-api/src/types.ts | Removed STATIC_API_KEYS constant and apiKeyAuth/optionalApiKeyAuth middleware. Introduced affiliateAddress middleware that validates X-Affiliate-Address header against EVM address regex, attaching validated address to request context. Replaced PartnerConfig type with AffiliateInfo containing affiliateAddress field. |
| Public API Routes & Documentation | packages/public-api/src/index.ts, packages/public-api/src/routes/rates.ts, packages/public-api/src/routes/quote.ts, packages/public-api/src/docs/openapi.ts, packages/public-api/src/routes/docs.ts | Updated swap/rates/quote routes to use affiliateAddress middleware instead of apiKeyAuth. Added affiliateAddress field to QuoteResponse and RateResponse. Removed apiKeyAuth security scheme from OpenAPI docs and added X-Affiliate-Address header documentation. Removed API key configuration from API reference UI setup. |
| Standalone Server | packages/public-api/src/server-standalone.ts | Replaced API key authentication with affiliate address validation. Updated middleware application, health/startup messages, and mock endpoint comments to reflect affiliate-based tracking instead of API key auth. |
| Public API Tests | packages/public-api/tests/test-config.ts, packages/public-api/tests/smoke-tests.ts | Replaced TEST_API_KEY export with TEST_AFFILIATE_ADDRESS constant using a sample Arbitrum address. Updated smoke tests to use X-Affiliate-Address header instead of X-API-Key, with corresponding test assertion updates and 30-second timeout additions. |
| Swap Widget Types & Components | packages/swap-widget/src/types/index.ts, packages/swap-widget/src/api/client.ts, packages/swap-widget/src/components/SwapWidget.tsx, packages/swap-widget/src/demo/App.tsx | Replaced apiKey prop with affiliateAddress in SwapWidgetProps. Updated API client to send x-affiliate-address header instead of x-api-key. Modified widget component to pass affiliateAddress to API client creation. Updated demo app to use sample affiliate address instead of test API key. |
| Swap Widget Documentation | packages/swap-widget/README.md | Updated Quick Start example, props table, and examples to replace apiKey references with affiliateAddress. Renamed API Key section to Affiliate Address with guidance explaining optional affiliate tracking without registration requirement. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Suggested reviewers

  • NeOMakinG
  • gomesalexandre

Poem

🐰 No more keys locked in a static sight,
Just addresses gleaming, open and bright,
Affiliate rewards flow free and clear,
No registration needed, come one and all near!
Authentication melts into the EVM air. 🔗✨


0xApotheosis and others added 4 commits February 23, 2026 16:57
Remove the authentication block from the Scalar API reference options
that was still referencing apiKeyAuth and the test API key, causing
the docs UI to show an Authentication section. Also clean up a stale
"no auth required" comment on the health check endpoint.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The server no longer reads X-API-Key, so the deprecated client-side
code path was dead code sending a header nobody listens for.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…p endpoints

The header now appears in the Scalar UI endpoint views for
/v1/swap/rates and /v1/swap/quote.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

0xApotheosis marked this pull request as ready for review February 23, 2026 06:14
0xApotheosis requested a review from a team as a code owner February 23, 2026 06:14

0xApotheosis (Member) left a comment

Does exactly what it says on the box.
Confirmed all API endpoints still work and that the widget still works too.

I also removed backwards compatibility with the API key and updated the widget accordingly. Let's do this in one atomic update as we currently have no external consumers (except maybe @BitHighlander!).

0xApotheosis merged commit 9d73634 into develop Feb 23, 2026
3 of 4 checks passed
0xApotheosis deleted the feat/affiliate-address-tracking branch February 23, 2026 06:16