The opening explorer now requires authentication

Software Development, Lichess

Anonymous requests to the opening explorer are no longer allowed. The explorer remains free and unlimited for everyone who has a Lichess account.

For many years now, Lichess has been offering the best opening explorer in the world:

  • 7.5 billion games indexed
  • 3 million OTB master games
  • 50 plies max depth
  • unlimited use for everyone

Not only on our own website, but also through API endpoints to let everyone build amazing new tools on top of it.

This is our mission: to give everyone access to the best chess tools.

We also like to make everything accessible without an account, as much as possible.
Again, we're not here to accumulate signups, but to provide for chess players, account or not.
And for many years, we've been able to give access to the opening explorer without authentication.

But then came the DDoS attacks. Some unknown entity, doesn't matter who or why, is very much intent on taking the explorer down, using millions of residential IPs, and billions of randomized requests.
It's been going on for a couple of weeks, and we've been fighting it. You may have noticed that at some points the explorer was slow, or even unavailable. We've used all our usual tools to fend it off, but it wasn't enough.

The explorer is a very easy target for DDoS, because requests are extremely cheap to send, but very expensive for us to reply to. Because we index billions of games, each explorer request causes reads in a dataset of several terabytes. It's slow, even for the beast of a server we've installed the explorer on.

So, yeah. Our usual methods of counter-DDoS were not enough to protect something as vulnerable as the opening explorer. And we had to resort to something we've never done before: disallowing anonymous requests.
Anti-DDoS is usually mostly based on IP addresses, but that stops working when the attackers have access to millions of them. By forcing authentication, we can move the rate-limiting to the Lichess user layer. It's a lot harder to make Lichess users than to get random IPs, so that stops the attack completely.
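
A small simulation of that shift, added here as an illustration and not taken from Lichess's code: the same sliding-window limiter keyed first on source IP, then on the authenticated account, run over constructed traffic. The token table, field names and traffic volumes are assumptions; the 25 requests per minute limit is the one given in the FAQ.

```python
from collections import defaultdict, deque

LIMIT = 25      # requests per minute per account, the figure given in the FAQ
WINDOW = 60.0   # seconds

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # key -> timestamps of accepted requests

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()                  # drop hits that have left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def serve_by_ip(requests):
    """Old model: anonymous access, limiter keyed on source IP."""
    limiter = SlidingWindowLimiter()
    return sum(limiter.allow(r["ip"], r["t"]) for r in requests)

def serve_by_user(requests, sessions):
    """New model: reject requests without a valid token, key the limiter on the account."""
    limiter = SlidingWindowLimiter()
    served = 0
    for r in requests:
        user = sessions.get(r.get("token"))   # None -> anonymous or unknown token
        if user is not None and limiter.allow(user, r["t"]):
            served += 1
    return served

# Constructed traffic for one minute: 10,000 distinct IPs sending 3 anonymous
# requests each, plus one logged-in player sending 30 requests from one IP.
SESSIONS = {"tok-alice": "alice"}             # hypothetical token -> user table
flood = [{"ip": f"ip-{i}", "t": j * 20.0} for i in range(10_000) for j in range(3)]
player = [{"ip": "ip-home", "t": k * 2.0, "token": "tok-alice"} for k in range(30)]
traffic = sorted(flood + player, key=lambda r: r["t"])

if __name__ == "__main__":
    print("served, keyed on IP:  ", serve_by_ip(traffic))
    print("served, keyed on user:", serve_by_user(traffic, SESSIONS))
```

Keyed on IP, every flood request stays under the per-key limit and reaches the expensive backend; keyed on the account, only the logged-in player's first 25 requests in the minute are served.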

From now on, the explorer is fast and stable for all authenticated players.

What does it mean for you?

If you use the explorer on the website, then all you need is to be logged in with your account.
If you use the mobile app, make sure to upgrade to the latest version.
If you use the explorer through the API, you now need to add an OAuth token to each explorer request.

FAQ

Will the explorer remain free to use?
Yes. Donations are appreciated, but they don't grant any advantage, and free users always get the same best tools.

Are there new restrictions or limits, other than being logged in?
No. Access is still virtually unlimited. More precisely, you can send 25 requests per minute, which should be plenty.
The max depth remains 50 plies.

Why not use Cloudflare or another third-party proxy?
To effectively protect a service as expensive to run as the opening explorer, we would need to set the detection threshold very low. Many players would find themselves loading third-party code and solving captchas. We don't want that. Also, we don't want commercial third parties between chess players and us.

What about the endgame database?
We may have to do the same thing for it at some point. We'll see. For now it continues serving anonymous requests.