`/v1/rollup` endpoints return 403 despite free-tier documentation claiming no API key is required

[jknoll]

Bug Report: /v1/rollup endpoints return 403 despite free-tier documentation claiming no API key is required

Summary

All /v1/rollup* endpoints on api-mainnet.celenium.io return HTTP 403 Forbidden with no API key supplied, contradicting the FAQ at api-plans.celenium.io which states: "Free-tier Celenium API is available at https://api-mainnet.celenium.io/. No API keys or account registration are needed."

Affected endpoints

• GET /v1/rollup (rollup leaderboard)
• GET /v1/rollup/count
• GET /v1/rollup/{id}
• GET /v1/rollup/slug/{slug}
• GET /v1/rollup/{id}/namespaces
• GET /v1/rollup/day

Not affected

• GET /v1/head — returns 200 correctly

Reproduction

curl -i "https://api-mainnet.celenium.io/v1/rollup?limit=5"
# HTTP/2 403

curl -i "https://api-mainnet.celenium.io/v1/head"
# HTTP/2 200 — works fine

Tested with: default curl UA, full Chrome UA, Referer: https://celenium.io/, no combination of headers resolves the 403.

Environment

• IP: residential fiber (Sonic Telecom, US), not a datacenter
• Date: 2026-05-07
• Server: nginx (no Cloudflare in response headers)

OpenAPI spec

The OpenAPI spec in celenium-io/celenium-api-go defines ApiKeyAuth as an optional security scheme but does not apply it to the /rollup endpoint — consistent with the free-tier claim, inconsistent with the actual behavior.

Expected behavior

GET /v1/rollup?limit=100 returns a JSON array of rollup objects without an API key.

Actual behavior

HTTP 403 Forbidden from nginx.

[aopoltorzhicky]

Good afternoon!

We have API documentation. Please do not look for information in our source code, as it may differ. The API documentation is the definitive source of information.