# Token Approval Security API > Live audit of the token approvals (allowances) a crypto wallet has granted, and the risk of the contracts it has approved to spend its tokens — powered by the public GoPlus Security data, no key, nothing stored. Token approvals are the single most common way wallets get drained: once you approve a contract to move a token, a malicious or compromised spender can take it whenever it likes. This is the allowance-hygiene layer — the data behind tools like revoke.cash. The approvals endpoint lists every token a wallet has approved, who it approved (the spender contract), how much was approved and when, and whether that spender is flagged as malicious, trusted or unverified, together with a risk summary counting the dangerous approvals to revoke. The contract endpoint profiles a single spender contract before you approve it — its name, whether it is open-source, its creator, deploy time and risk tags. The chains endpoint lists the 40-plus supported blockchains. Catch wallet-draining allowances before they cost a user everything. This is the approval / allowance-risk cut — distinct from the token-contract-security, scam-detection and on-chain APIs in the catalogue. ## Authentication All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys. ```bash curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/approvalsecurity-api/..." ``` ## Pricing - **Free** (Free) — 12,000 calls/Mo, 3 req/s - **Builder** ($10/Mo) — 170,000 calls/Mo, 10 req/s - **Pro** ($28/Mo) — 760,000 calls/Mo, 28 req/s - **Scale** ($62/Mo) — 2,700,000 calls/Mo, 65 req/s ## Endpoints ### Approvals #### `GET /v1/approvals` — A wallet token approvals with spender risk **Parameters:** - `address` (query, required, string) — Wallet address Example: `0x28c6c06298d514db089934071355e5743bf21d60` - `chain` (query, optional, string) — GoPlus chain id (default 1=Ethereum) Example: `1` **Example:** ```bash curl -H "x-oanor-key: $KEY" \ "https://api.oanor.com/approvalsecurity-api/v1/approvals?address=0x28c6c06298d514db089934071355e5743bf21d60&chain=1" ``` **Response:** ```json { "data": { "note": "Each spender a token is approved to can move that token. 'risky' flags malicious or doubtful spenders — revoke those.", "chain": "1", "source": "GoPlus", "tokens": [ { "balance": "958405557", "spenders": [ { "name": "TransparentUpgradeableProxyV2", "risky": false, "spender": "0x64192819ac13ef72bf6b5ae239ac672b43a9af08", "trusted": false, "doubtful": false, "malicious": false, "is_contract": true, "approved_time": "2022-08-01T09:00:46.000Z", "approved_amount": "4000", "malicious_behavior": [] } ], "token_name": "Smooth Love Potion", "token_symbol": "SLP", "spender_count": 1, "token_address": "0xcc8fa225d80b9c7d42f96e9570156c65d6caaa25", "is_open_source": true } ], "address": "0x28c6c06298d514db089934071355e5743bf21d60", "token_count": 1, "risky_approvals": 0, "total_approvals": 1 }, "meta": { "timestamp": "2026-06-12T01:42:51.344Z", "request_id": "0f76b576-9845-4f8c-8ebf-6cccdaa9414f" }, "status": "ok", "message": "Appro …(truncated, see openapi.json for full schema) ``` ### Contract #### `GET /v1/contract` — A spender contract risk profile **Parameters:** - `contract` (query, required, string) — Spender contract address Example: `0x1111111254eeb25477b68fb85ed929f73a960582` - `chain` (query, optional, string) — GoPlus chain id (default 1) Example: `1` **Example:** ```bash curl -H "x-oanor-key: $KEY" \ "https://api.oanor.com/approvalsecurity-api/v1/contract?contract=0x1111111254eeb25477b68fb85ed929f73a960582&chain=1" ``` **Response:** ```json { "data": { "tag": null, "name": "AggregationRouterV5", "note": "Risk profile of a spender contract — check before approving it to move your tokens.", "chain": "1", "risky": false, "source": "GoPlus", "trusted": false, "contract": "0x1111111254eeb25477b68fb85ed929f73a960582", "doubtful": false, "deployed_at": "2022-11-04T06:04:59.000Z", "is_contract": true, "is_open_source": true, "creator_address": "0xccbdbd9b0309a77fc6a56e087ff2765ff394012e", "malicious_behavior": [] }, "meta": { "timestamp": "2026-06-12T01:42:51.683Z", "request_id": "291d39b7-0057-418b-a928-c41eb5ad1d58" }, "status": "ok", "message": "Contract retrieved successfully", "success": true } ``` ### Chains #### `GET /v1/chains` — Supported blockchains **Example:** ```bash curl -H "x-oanor-key: $KEY" \ "https://api.oanor.com/approvalsecurity-api/v1/chains" ``` **Response:** ```json { "data": { "count": 42, "chains": [ { "id": "1", "name": "Ethereum" }, { "id": "56", "name": "BSC" }, { "id": "42161", "name": "Arbitrum" }, { "id": "137", "name": "Polygon" }, { "id": "solana", "name": "Solana" }, { "id": "204", "name": "opBNB" }, { "id": "324", "name": "zkSync Era" }, { "id": "59144", "name": "Linea Mainnet" }, { "id": "8453", "name": "Base" }, { "id": "5000", "name": "Mantle" }, { "id": "130", "name": "Unichain" }, { "id": "48900", "name": "Zircuit Mainnet" }, { "id": "534352", "name": "Scroll" }, { "id": "10", "name": "Optimism" }, { "id": "43114", "name": "Avalanche" }, { "id": "25" …(truncated, see openapi.json for full schema) ``` ### Meta #### `GET /v1/meta` — Service metadata **Example:** ```bash curl -H "x-oanor-key: $KEY" \ "https://api.oanor.com/approvalsecurity-api/v1/meta" ``` **Response:** ```json { "data": { "note": "chain is a GoPlus chain id (1=Ethereum, 56=BSC, 137=Polygon, 42161=Arbitrum). 'risky' marks malicious or doubtful spenders — the ones to revoke. A clean wallet returns an empty approvals list.", "source": "GoPlus Security (api.gopluslabs.io, live)", "service": "approvalsecurity-api", "endpoints": { "GET /v1/meta": "This document.", "GET /v1/chains": "Supported blockchains (id, name).", "GET /v1/contract": "Risk profile of a spender contract before you approve it (chain=1&contract=0x...).", "GET /v1/approvals": "Every token approval a wallet has granted, with spender risk and a risk summary (chain=1&address=0x...)." }, "description": "Live audit of the token approvals (allowances) a crypto wallet has granted and the risk of the contracts it approved to spend its tokens, from GoPlus Security. Token approvals are the #1 way wallets get drained — the allowance-hygiene cut behind tools like revoke.cash. The approvals endpoint lists every token a wallet approved, the spender contract, the amount and whether that spender is malicious, trusted or unverified, with a risk summary; the contract endpoint profiles a single spender contract before you approve it; the chains endpoint lists supported blockchains. Live, no key, nothing stored. The approval / allowance-risk cut — distinct from the token-contract-security, scam-detection and on-chain APIs.", "up …(truncated, see openapi.json for full schema) ``` --- Marketplace page: https://www.oanor.com/api/approvalsecurity-api OpenAPI spec: https://www.oanor.com/api/approvalsecurity-api/openapi.json