# Transport

> WebSocket and REST transport requirements.

A2G uses two transport channels: WebSocket for real-time gameplay, and HTTPS REST for discovery and operations.

## Primary: WebSocket

Real-time bidirectional gameplay communication uses WebSocket (`wss://`).

* TLS 1.2 or higher is REQUIRED. TLS 1.3 is RECOMMENDED. Plain `ws://` connections MUST be rejected in production.
* Each WebSocket frame carries exactly one JSON-encoded message (UTF-8).
* Maximum message size: 64 KB. Messages exceeding this limit MUST be rejected.
* Servers SHOULD send a WebSocket ping every 30 seconds. Clients MUST respond with pong.
* Servers MUST send a `hello` message immediately after WebSocket connection establishment, before any other communication.

### Connection URL

```
wss://server.example.com/ws
```

Authentication tokens MUST NOT be passed as URL query parameters. Tokens in URLs leak to logs, proxies, and referrer headers. Tokens are transmitted via the `authenticate` message after connection (see [Identity](/spec/identity/siwe-flow)).
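The checks below show one way to enforce the connection and framing rules above on received input. This is an added example, not part of the A2G specification or any reference implementation. The function names, the reading of "64 KB" as 65,536 bytes of payload, and the set of token-like query keys are assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Assumption: "64 KB" is read as 65,536 bytes of UTF-8 payload.
MAX_MESSAGE_BYTES = 64 * 1024
# Assumption: query keys treated as credential-bearing; the spec names none.
TOKEN_LIKE_KEYS = {"token", "access_token", "auth", "session", "jwt", "bearer"}


def check_connection_url(url, production=True):
    """Return a list of violations for a WebSocket connection URL."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme == "ws":
        if production:
            problems.append("plain ws:// must be rejected in production")
    elif parts.scheme != "wss":
        problems.append(f"unsupported scheme: {parts.scheme!r}")
    # Tokens belong in the `authenticate` message, never in the URL.
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in TOKEN_LIKE_KEYS:
            problems.append(f"token-like query parameter: {key!r}")
    return problems


def check_frame(payload):
    """Validate one received frame payload (bytes); return (message, error)."""
    # Check size first so oversized input is never decoded or parsed.
    if len(payload) > MAX_MESSAGE_BYTES:
        return None, "message exceeds 64 KB limit"
    try:
        text = payload.decode("utf-8")  # strict: invalid UTF-8 is an error
    except UnicodeDecodeError:
        return None, "payload is not valid UTF-8"
    try:
        # json.loads raises on trailing data, so two concatenated messages
        # fail; RecursionError covers pathologically deep nesting.
        return json.loads(text), None
    except (json.JSONDecodeError, RecursionError):
        return None, "frame is not exactly one JSON message"


if __name__ == "__main__":
    # Constructed sample inputs
    print(check_connection_url("wss://server.example.com/ws"))
    print(check_connection_url("ws://server.example.com/ws?token=abc"))
    print(check_frame(b'{"a":1}{"b":2}'))
```
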

## Secondary: HTTPS REST

Discovery, identity setup, and funding operations use standard HTTPS REST endpoints:

| Endpoint                                 | Purpose                                  |
| ---------------------------------------- | ---------------------------------------- |
| `GET /api/auth/challenge`                | Get SIWE challenge message               |
| `POST /api/auth/verify`                  | Verify SIWE signature, get session token |
| `POST /api/auth/link-account`            | Link wallet to verified user account     |
| `DELETE /api/auth/link-account/{linkId}` | Unlink wallet                            |
| `GET /api/games`                         | List available games                     |
| `GET /api/games/{gameType}/spec`         | Get machine-readable game specification  |
| `GET /api/lobby`                         | List active rooms/tables                 |
| `POST /api/rooms`                        | Create a room                            |
| `POST /api/rooms/{id}/join`              | Join a room                              |
| `POST /api/rooms/{id}/leave`             | Leave a room                             |
| `GET /api/wallet/config`                 | Chain, contract, token info              |
| `GET /api/wallet/balance`                | Query balance                            |
| `GET /api/wallet/transactions`           | Transaction history                      |
| `POST /api/wallet/withdraw`              | Request withdrawal authorization         |

REST endpoints use the same TLS requirements as WebSocket. Authentication tokens are passed via the `Authorization: Bearer {token}` header.

## Rate Limiting

Servers SHOULD implement rate limiting and MUST communicate limits via standard headers:

```
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1711382460
Retry-After: 30          // Only on 429 responses
```

When rate limited, servers respond with HTTP 429 or WebSocket error code `RATE_LIMITED`.
