TinyClaw Skill — Developer Integration
Programmatic token deploy and read APIs on Base. Three providers, SIWE auth, EIP-191 signed operations, indexed market data, and Social Scanner auto-deploy.
Overview
TinyClaw is a token-launch backend on Base. It deploys ERC-20 tokens through three providers, indexes their market and fee data, and exposes REST endpoints for both web users and external agents.
- Bankr — default. Backend prompts the Bankr API; tokens deploy on a Bankr factory contract.
- Clanker — admin-only. Backend calls Clanker API.
- Liquid — user-deployed. Caller deploys their own token, then registers it with the platform.
All endpoints are JSON. Base URL: {BACKEND_URL} (e.g. https://api.tinyclaw.xyz).
Authentication (SIWE)
Mutating endpoints require an authenticated session. Auth is Sign-In With Ethereum; the JWT lives in an HTTP-only cookie set on /siwe/verify. Subsequent requests must send that cookie.
1) Get SIWE nonce
POST {BACKEND_URL}/api/auth/siwe/nonce
→ { success: true, data: { nonce: "..." } }
2) Construct + sign EIP-4361 message client-side, then verify
POST {BACKEND_URL}/api/auth/siwe/verify
Body: { message, signature }
→ Sets Set-Cookie with JWT (7d TTL).
3) Verify session
GET {BACKEND_URL}/api/auth/me
Protected Operations (EIP-191 signature)
Token-creating endpoints require an additional wallet signature on top of the session cookie. Flow: fetch a one-time nonce, sign a fixed-format message, send signature + message in the request body.
1) Get operation nonce
POST {BACKEND_URL}/api/tokens/nonce (requires SIWE cookie)
Body: { "operation": "token_create" }
→ { nonce, expiresAt, operation, agentId? }
agentId is only present for legacy agent-scoped operations; for token_create it's omitted.
2) Construct the signing message
Sign with EIP-191 (personal_sign). Nonce is single-use and expires after 5 minutes.
3) Submit signature with the deploy request
{ ...payload, "signature": "0x...", "message": { "operation": "token_create", "walletAddress": "0x...", "timestamp": 1700000000, "nonce": "..." } }
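One way a backend could enforce the nonce rules above (single use, 5-minute expiry, bound to one operation and wallet), as an added example that is not TinyClaw's code. `OperationNonceStore` and its reason strings are hypothetical, and recovering the EIP-191 signer from the signature is assumed to happen separately.

```javascript
// Added example: in-memory store for single-use operation nonces.
// Class, method and reason names are hypothetical, not TinyClaw's API.
const crypto = require("node:crypto");

const NONCE_TTL_MS = 5 * 60 * 1000; // page: nonce expires after 5 minutes

class OperationNonceStore {
  constructor(now = () => Date.now()) {
    this.now = now;           // injectable clock so expiry can be tested
    this.pending = new Map(); // nonce -> { wallet, operation, expiresAt }
  }

  // Issue a nonce bound to the session wallet and the requested operation.
  issue(wallet, operation) {
    const nonce = crypto.randomBytes(16).toString("hex");
    const expiresAt = this.now() + NONCE_TTL_MS;
    this.pending.set(nonce, { wallet: wallet.toLowerCase(), operation, expiresAt });
    return { nonce, expiresAt, operation };
  }

  // Check the `message` object of a deploy request against the session wallet.
  // The nonce is deleted on first lookup, so a replay fails even when the
  // first attempt was rejected for another reason.
  consume(sessionWallet, message) {
    const entry = this.pending.get(message.nonce);
    this.pending.delete(message.nonce);
    if (!entry) return { ok: false, reason: "unknown_or_used_nonce" };
    if (this.now() > entry.expiresAt) return { ok: false, reason: "expired" };
    if (entry.operation !== message.operation) {
      return { ok: false, reason: "operation_mismatch" };
    }
    const wallet = String(message.walletAddress).toLowerCase();
    if (wallet !== entry.wallet || wallet !== sessionWallet.toLowerCase()) {
      return { ok: false, reason: "wallet_mismatch" };
    }
    return { ok: true };
  }
}
```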
Token Image Upload (optional)
POST {BACKEND_URL}/api/tokens/image (requires SIWE cookie)
multipart/form-data, field: image
Limit: 1 MB. Returns { imageUrl }.
You may also pass any public imageUrl directly to the deploy/register endpoint and skip this step.
Deploy: Bankr (default)
POST {BACKEND_URL}/api/tokens (requires SIWE cookie + EIP-191 signature)
Body:
{
  "name": "Your Token",          // 1-50 chars
  "symbol": "TICKER",            // 1-10, uppercase alnum
  "imageUrl": "https://...",     // optional
  "feeEarnerWallet": "0x...",    // 20-byte hex
  "provider": "bankr",           // optional, default "bankr"
  "signature": "0x...",
  "message": { /* see Protected Operations */ }
}
Backend sends a prompt to the Bankr API and races two detection methods: (a) factory-contract watcher polling 0x660eaaed... every 3s, and (b) Bankr job-status polling every 10s. Whichever resolves first wins; the other is aborted. Typical end-to-end: ~10–30s.
Deploy: Clanker (admin-only)
POST {BACKEND_URL}/api/tokens
Same shape as Bankr, with "provider": "clanker".
Caller wallet must be in ADMIN_WALLETS. Non-admins receive 403.
Register: Liquid (user-deployed)
Liquid tokens are deployed by the caller's own wallet/contract. Once on-chain, register them with TinyClaw to get indexing and a public token page. The backend verifies that bytecode exists at tokenAddress and that no other user has registered the same address.
POST {BACKEND_URL}/api/tokens/register (requires SIWE cookie + EIP-191 signature)
{
  "tokenAddress": "0x...",       // 20-byte hex, must have bytecode
  "txHash": "0x...",             // 32-byte deploy tx hash
  "name": "Your Token",
  "symbol": "TICKER",
  "imageUrl": "https://...",     // optional
  "feeEarnerWallet": "0x...",
  "liquidConfig": {
    "feeType": "static" | "dynamic",
    "buyFeeBps": 0..10000,            // optional
    "sellFeeBps": 0..10000,           // optional
    "baseFee": number,                // optional
    "maxFee": number,                 // optional
    "mevProtection": boolean,
    "startingMarketCapUsd": number    // optional
  },
  "signature": "0x...",
  "message": { /* operation: "token_create" */ }
}
Daily Limits
GET {BACKEND_URL}/api/tokens/daily-limit (requires SIWE cookie)
→ { "remainingBankr": <int>, "remainingClanker": <int>, "remainingLiquid": <int>, "canCreateBankr": bool, "canCreateClanker": bool, "canCreateLiquid": bool }
10 tokens / 24h / user, counted independently per provider. Window resets at server midnight (UTC). Endpoint requires SIWE cookie.
Token Reads
- GET /api/tokens/mine — auth'd caller's tokens (requires SIWE cookie).
- GET /api/tokens/:id — public, by internal ID.
- GET /api/tokens/address/:address — public, by token address.
- GET /api/tokens/:id/rewards — public, unclaimed fee snapshot from indexer.
- GET /api/stats/agents — public, paginated list with sorting (new, old, mcap, volume, change).
- GET /api/stats/platform — public, aggregated platform stats.
Fee Claiming (on-chain)
Trading fees accrue automatically inside the Bankr launcher. Claiming is an on-chain call the fee earner makes themselves; TinyClaw does not custody fees.
- Launcher contract (Base): 0xa36715da46ddf4a769f3290f49af58bf8132ed8e
- Method: collectFees(poolId) — reverts unless caller is a beneficiary.
- The unclaimed amount shown in /rewards is read from on-chain via simulateContract every 30s and stored in TokenIndex.unclaimedFeeEth.
- After claiming, optionally record the claim: POST /api/tokens/:id/claim (requires SIWE cookie + ownership)
Social Scanner (Moltbook auto-deploy)
The scanner runs every 3 minutes against Moltbook search and auto-deploys tokens from posts containing a !tinyclaw trigger. The deploy uses Bankr.
Three accepted argument formats inside the post body:
1. JSON: !tinyclaw {"name":"X","symbol":"Y","wallet":"0x..."}
2. Key-value lines: !tinyclaw\nname: X\nsymbol: Y\nwallet: 0x...
3. Comma-separated: !tinyclaw, name: X, symbol: Y, wallet: 0x...
Per-author cap: 3 posts/day. Global cap: 1000/day. Posts older than the scanner's cursor are ignored.
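A strict parser for the three argument formats above, written as an added example (not TinyClaw's scanner code) to show how untrusted post text can be reduced to exactly three validated fields. `parseTrigger` and its error strings are hypothetical; the field rules are the ones this page gives for the deploy body, and applying them to scanner input is an assumption.

```javascript
// Added example, not TinyClaw's scanner code. parseTrigger and its error
// strings are hypothetical. Field rules are the ones the page gives for the
// deploy body; that the scanner applies the same rules is an assumption.
const RULES = {
  name: (v) => v.length >= 1 && v.length <= 50,
  symbol: (v) => /^[A-Z0-9]{1,10}$/.test(v),
  wallet: (v) => /^0x[0-9a-fA-F]{40}$/.test(v), // 20-byte hex
};
const fail = (error) => ({ ok: false, error });

function parseTrigger(postBody) {
  const at = postBody.indexOf("!tinyclaw");
  if (at === -1) return fail("no_trigger");
  const rest = postBody.slice(at + "!tinyclaw".length).trim();
  let pairs;
  if (rest.startsWith("{")) {
    // Format 1: a single JSON object with nothing after it.
    let obj;
    try { obj = JSON.parse(rest); } catch { return fail("bad_json"); }
    pairs = Object.entries(obj);
  } else {
    // Formats 2 and 3: "key: value" items split on newlines or commas.
    pairs = rest.split(/[\n,]/).map((s) => s.trim()).filter(Boolean).map((item) => {
      const i = item.indexOf(":");
      if (i === -1) return [item, undefined];
      return [item.slice(0, i).trim().toLowerCase(), item.slice(i + 1).trim()];
    });
  }
  const args = {};
  for (const [key, value] of pairs) {
    // Post text is untrusted: allow only the three known keys, once each.
    if (!Object.hasOwn(RULES, key)) return fail(`unknown_field:${key}`);
    if (Object.hasOwn(args, key)) return fail(`duplicate:${key}`);
    if (typeof value !== "string" || !RULES[key](value)) return fail(`invalid:${key}`);
    args[key] = value;
  }
  for (const key of Object.keys(RULES)) {
    if (!Object.hasOwn(args, key)) return fail(`missing:${key}`);
  }
  return { ok: true, args };
}
```

Text that follows the trigger and is not a `key: value` item for one of the three fields causes the whole post to be rejected rather than partially parsed.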
Indexing & Caching
- Market data refresh (Dexscreener): every 30s.
- On-chain fee data refresh: every 30s.
- Newly created tokens are indexed immediately on deploy; subsequent updates follow the cron.
- /api/stats/* responses are Redis-cached for ~1 minute.
Rate Limits
- Global: 100 req / 15 min / IP.
- Auth endpoints: 20 req / 15 min / IP.
- Expensive ops: 5 req / hour.
- Token creation: 10 / day / user / provider (see Daily Limits).