OPIN.ART / API INTEGRATION DOCTRINE

Effective Date: 14 April 2026

Entity: MONOLITH LABS LTD (Co. No. 17154388)

ICO Registration: ZC126753

Registered Address: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ

Reference: This document constitutes the official API Documentation and Rate Limit Specification as referenced in Article 19 of the OPIN.ART Codex (Terms of Service) and forms part of the OPIN.ART Legal Framework available at https://opin.art/legal/terms.

Preamble: The Developer Covenant

The OPIN.ART Game API (the “API”) is an enterprise-grade infrastructure layer provided by MONOLITH LABS LTD (the “Company”) for authorised developers to interface with the Company’s smart contracts and routing logic. Access to the API is a privilege, not a right. It is granted strictly on a revocable basis in accordance with Article 16 of the Codex.

By generating a JWT Token or making any HTTP request to the Company’s API endpoints, you expressly and irrevocably agree to operate within the technical constraints and fair-use boundaries defined in this Doctrine, the Codex, and all other documents forming the OPIN.ART Legal Framework. Capitalised terms used but not defined in this Doctrine have the meanings given to them in Article 5A of the Codex.

Article 1. Authentication and Cryptographic Security

1.1. JWT Token Issuance. Access to the API is gated by JSON Web Tokens (JWT). Developers must cryptographically authenticate an approved wallet address to receive a valid session JWT from the Company. The Company reserves the right to refuse JWT issuance to any applicant at its sole discretion and without liability.

1.2. Token Security and Sole Responsibility. You are absolutely and solely responsible for the security of your JWT tokens and associated private keys. The Company will treat any API request bearing your valid JWT as having been explicitly authorised by you, regardless of whether that request was in fact made by you or by any third party who obtained access to your token. The Company bears no liability whatsoever for any losses arising from compromise of your JWT token.

1.3. Non-Transferability. JWT tokens are strictly personal and non-transferable. You may not share, sell, license, or expose your JWT tokens to any third party or end-user. Client-side exposure of JWT tokens or API credentials is strictly prohibited and constitutes a material breach of this Doctrine entitling the Company to immediate revocation without notice or liability.

1.4. No Impersonation. You must not use your JWT token to make API requests on behalf of, or purporting to originate from, any other developer, entity, or wallet address. Each JWT token corresponds to a single authorised developer identity and must be used solely for that developer’s own authorised integration.

Article 2. Hard Rate Limits — The Throttling Protocol

To ensure network stability, prevent infrastructure abuse, and protect the integrity of the Company’s data assets as described in Articles 36 to 38 of the Codex, the API enforces strict and non-negotiable rate limits at the Cloudflare edge layer. The following limits apply per authenticated JWT token:

2.1. Read Operations (Querying and Polling).

Maximum of twenty (20) requests per minute per JWT token. Read operations include any GET request used for fetching floor prices, verifying NFT metadata, checking wallet balances, or polling transaction statuses.

2.2. Write Operations (Minting and State Changes).

Maximum of five (5) requests per minute per JWT token. Write operations include any POST, PUT, or PATCH request used for constructing mint payloads, initiating transfers, or interacting with Program Derived Addresses (PDAs).

2.3. The 429 Protocol.

Requests exceeding these limits will be automatically rejected at the edge layer with an HTTP 429 Too Many Requests response. You are required to implement exponential backoff logic in your client architecture before retrying any rejected request. Continued hammering of the API following a 429 response will be treated as an automated circumvention attempt and will trigger immediate JWT token revocation and wallet blacklisting under Article 4 of this Doctrine, without notice and without liability to you.

2.4. Enterprise Rate Limits.

The Company may, at its sole discretion, agree to elevated rate limits for specific authorised integrations under a custom Enterprise Data Partnership agreement. Any such agreement must be in writing and signed by a duly authorised representative of MONOLITH LABS LTD. No representation made through any other channel shall constitute a binding modification of the rate limits set out in this Article.

Article 3. Absolute Prohibitions and Circumvention Rules

The Company monitors all API request patterns using advanced heuristics and automated security forensics. The following actions each constitute a material breach of this Doctrine and the Codex, and will result in enforcement action under Article 4:

3.1. Token Rotation and Sybil Attacks.

The automated generation, rotation, or cycling of multiple wallet addresses for the purpose of obtaining multiple JWT tokens to circumvent the per-token rate limits set out in Article 2. This conduct constitutes a Sybil attack and a deliberate attempt to misuse the API infrastructure.

3.2. IP Obfuscation and Distributed Request Patterns.

The use of distributed proxy networks, botnets, residential IP rotation services, VPN cycling, or any other technique to mask, distribute, or artificially diversify the apparent origin of API requests in order to evade rate limiting or security monitoring.

3.3. Unauthorised Data Harvesting.

The use of API endpoints — whether within or in excess of the stated rate limits — for the purpose of systematically extracting, copying, aggregating, or harvesting the Company’s data assets, including for the purpose of training artificial intelligence models, machine learning systems, or large language models. The API is provided exclusively for the purpose of facilitating user-driven transactions and game mechanics as described in the Preamble. Any data extraction exceeding this purpose is governed exclusively by Articles 36 to 38 of the Codex and the Commercial Tariff described in Article 4.3 of this Doctrine.

3.4. Reverse Engineering.

Any attempt to decompile, disassemble, probe, or reverse-engineer the API’s endpoint structure, authentication logic, smart contract architecture, or routing heuristics, whether directly or through automated tooling.

3.5. Malicious Payload Injection.

The transmission of malicious code, exploit payloads, wallet-drainer scripts, or any other harmful content through the API, as further described in Article 34 of the Codex. Such conduct may constitute a criminal offence under the Computer Misuse Act 1990 and will be reported to the National Cyber Security Centre (NCSC) and relevant law enforcement authorities.

Article 4. Enforcement, Blacklisting, and the Commercial Tariff

4.1. Automated Revocation.

Violation of the rate limits set out in Article 2 or commission of any prohibited act set out in Article 3 will result in the immediate and automated revocation of your JWT token at the Cloudflare edge layer, without prior notice and without liability to you. Revocation does not affect any obligations you have accrued under this Doctrine or the Codex prior to revocation.

4.2. Permanent Blacklisting.

The Company reserves the unconditional right to permanently blacklist your developer wallet address, associated IP addresses, application domain, and any associated legal entity from the entire OPIN.ART ecosystem — including both the Platform frontend and API access — as further described in Article 35 of the Codex. No compensation shall be payable to any blacklisted party.

4.3. Escalation to Commercial Tariff.

Where the Company’s security forensics determine that circumvention of API rate limits or technical access controls was conducted with the intent to systematically extract data for commercial aggregation, competitive intelligence, or AI training purposes, your conduct will be reclassified from an “API Integration” to an “Unauthorised Extraction Session” as defined in Article 38 of the Codex. This reclassification will immediately and automatically trigger the commercial licensing fee of £250,000 (Two Hundred and Fifty Thousand British Pounds) per Extraction Session as set out in Article 38 of the Codex. The parties acknowledge that this sum represents a genuine pre-estimate of the commercial value of the data accessed, in accordance with the principles established in Cavendish Square Holding BV v Makdessi [2015] UKSC 67, and is not a contractual penalty. The Company additionally reserves the right to seek a full account of profits derived from any commercial product built using unlicensed Platform data, pursuant to section 96 of the Copyright, Designs and Patents Act 1988.

4.4. Vicarious Liability.

In accordance with Article 50 of the Codex, any parent corporation, principal, or instructing party is fully liable on a joint and several basis for enforcement actions and commercial tariff liabilities triggered by the conduct of their developers, contractors, or automated systems acting on their behalf or instruction.

4.5. Reporting to Authorities.

The Company reserves the right to refer evidence of intentional security bypass, unauthorised access, or malicious payload injection to the National Cyber Security Centre (NCSC) and relevant law enforcement authorities pursuant to section 1 of the Computer Misuse Act 1990, without prior notice to you.

Article 5. Endpoint Deprecation and Technical Finality

5.1. No SLA Guarantee.

The API is provided on an “As Is” and “As Available” basis in accordance with Article 16 of the Codex. The Company provides no Service Level Agreement (SLA) regarding uptime, latency, response times, or endpoint persistence, unless explicitly agreed in a signed written Enterprise Data Partnership agreement between you and MONOLITH LABS LTD.

5.2. Right to Deprecate and Modify.

In accordance with Article 20 of the Codex, the Company reserves the absolute right to alter, deprecate, or permanently discontinue any API endpoint, upgrade or replace smart contract logic, modify authentication protocols, alter payload structures, or terminate the API service entirely, at any time and without liability to you or any third-party developer who has integrated the API. While the Company will endeavour to provide reasonable advance notice of breaking changes via its official developer communications channels, you must design your integration to fail gracefully and to handle endpoint unavailability without causing data loss or harm to your end users. The Company is not liable for any economic loss, user churn, business interruption, or broken game mechanics resulting from API updates, deprecations, or terminations, as further set out in Article 18 of the Codex.

5.3. Smart Contract Immutability.

You acknowledge that where the Company upgrades or replaces smart contracts underlying the API, previously deployed contract versions may remain accessible on-chain but will no longer be supported by the Company’s API infrastructure. The Company bears no liability for any losses arising from your continued interaction with deprecated smart contract versions following notice of upgrade.

Article 6. Data Protection and the API

Processing of personal data in connection with API access — including JWT authentication data and IP addresses — is conducted in accordance with the Data Minimisation Doctrine (Privacy & Data Protection Policy) available at https://opin.art/legal/privacy, and the Zero-Tracking Doctrine (Cookie & PECR Policy) available at https://opin.art/legal/cookies. The legal bases for such processing are set out in Article 4 of the Data Minimisation Doctrine. The Company’s ICO registration number is ZC126753.

Article 7. Relationship to the OPIN.ART Legal Framework

This Doctrine operates as a component of the OPIN.ART Legal Framework and must be read alongside:

• The Codex (Terms of Service): https://opin.art/legal/terms
• The Data Minimisation Doctrine (Privacy Policy): https://opin.art/legal/privacy
• The Zero-Tracking Doctrine (Cookie Policy): https://opin.art/legal/cookies
• The Commercial Tariff Policy: https://opin.art/legal/data-access

In the event of any conflict between this Doctrine and the Codex, the Codex shall prevail.

Article 8. Updates to This Doctrine

The Company reserves the right to update this Doctrine at any time to reflect changes in technical infrastructure, applicable law, or the Company’s rate limiting architecture. Updates will be communicated in accordance with Article 3 of the Codex. The Effective Date at the head of this document will be updated to reflect any amendments. Continued use of the API following notification of any material change constitutes your acceptance of the revised Doctrine.

Article 9. Contact and Legal Service

For authorised API access enquiries, Enterprise Data Partnership discussions, or legal correspondence:

Email: info@monolithlabs.uk

Post: MONOLITH LABS LTD, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ