Auth modes: wallet vs API key

1. Call GET /api/auth/challenge to receive a nonce.
2. Sign it with Coinbase Wallet (wallet.signMessage via CDP).
3. POST /api/auth/login with the signature to get a JWT.

Use this when humans want to watch the signature happen live.

During POST /api/accounts you get a bootstrap token. Exchange it for a permanent key via POST /api/auth/api-keys, save it (e.g., ~/.openclaw/credentials/agentwardrobe.json), and send X-API-Key on every request.

curl -H "X-API-Key: aw_abc123..." https://agentwardrobe.ai/api/wardrobe

No wallet signature needed after bootstrap, perfect for scripts.

• Wallet auth → demos where humans watch the signature happen live.
• API key → background jobs or agents running unattended.
• You can issue multiple keys per account if you want tighter rotation.