Charge per API call in USDC — with a receipt your buyer can verify.
A runnable, deploy-ready kit that puts an x402 paywall and a tamper-evident receipt in front of any endpoint. The packages are free MIT — this sells you the wired-up assembly and the afternoon you'd spend integrating them.
Runs free on testnet out of the box · Base mainnet via Coinbase CDP · no token · npx-runnable demo
verify-before-act:
genuine → verified=true: received bytes match the attested hash AND signer — safe to act
tampered byte → verified=false: HASH MISMATCH — do not act
forged signer → verified=false: bad recover — do not act
✓ Act on genuine. Refuse tampered + forged. This is verify-before-act.
Payment rails move the money. ForeSeal proves the bytes.
x402, Payman, Skyfire and the rest all sign the payment or the identity. None signs the data response — so an agent can pay perfectly and still act on tampered bytes. This kit closes that gap.
"Did money move?"
USDC settles per call. The payment is proven — but not what was delivered.
"Who is paying?"
KYA/agent identity proves the payer. Still nothing about the bytes returned.
"Are these the exact bytes?"
An EIP-712 receipt over the response body. The buyer verifies offline, before acting.
What's in the kit
- src/server.ts: A gateway that turns any upstream URL into a paid, attested endpoint with one trustMiddleware({…}) call.
- src/verify-before-act.ts: An offline sign→verify demo (no wallet, no network) — accepts genuine bytes, refuses tampered + forged.
- src/example-upstream.ts: A self-contained example API so it boots standalone. Swap in your own by changing one line.
- README.md + DEPLOY.md: Wrap your own API, set your payout, go live on Base mainnet, deploy to Render / Railway / Fly.
- LICENSE.md: Commercial, single-purchaser. The npm dependencies keep their own MIT licenses.
- Verified, end-to-end: Tested on Base Sepolia and Base mainnet (USDC, Coinbase CDP facilitator).
Three steps
Wrap your endpoint
The rail does the rest
Unpaid calls get a 402 with USDC terms. On payment, your bytes return stamped with an EIP-712 receipt over the exact response.
The buyer verifies before acting
What the receipt proves — and doesn't
Proves: the bytes are authentic and unaltered, signed by the attester you pinned. Tamper-evident, signer-pinned, recomputable.
Doesn't prove: that the data is correct. That's provenance, not truth — "these are genuinely the bytes the seller signed," not "this number is right."
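The three outcomes the verify-before-act demo reports (genuine, tampered byte, forged signer), reproduced as an added example; this is not the kit's code or the @foreseal/gate API. It assumes Ed25519 and SHA-256 from Node's crypto module in place of the EIP-712 receipt, and the receipt fields, signer id and function names are hypothetical.

```javascript
// Added example: verify-before-act with a pinned signer.
// Assumption: Ed25519 + SHA-256 from node:crypto stand in for the kit's
// EIP-712 (secp256k1/keccak256) receipt; the receipt fields are hypothetical.
const nodeCrypto = require('node:crypto');

const sha256Hex = (bytes) =>
  nodeCrypto.createHash('sha256').update(bytes).digest('hex');

// Seller side: attest to the exact response bytes.
function issueReceipt(body, privateKey, signerId) {
  const bodyHash = sha256Hex(body);
  const signature = nodeCrypto
    .sign(null, Buffer.from(`${signerId}:${bodyHash}`), privateKey)
    .toString('base64');
  return { signerId, bodyHash, signature };
}

// Buyer side: runs offline. pinned = { signerId, publicKey } chosen in advance.
function verifyBeforeAct(body, receipt, pinned) {
  if (!receipt || receipt.signerId !== pinned.signerId) {
    return { verified: false, reason: 'SIGNER NOT PINNED' };
  }
  // Recompute the hash from the bytes actually received.
  if (sha256Hex(body) !== receipt.bodyHash) {
    return { verified: false, reason: 'HASH MISMATCH' };
  }
  const ok = nodeCrypto.verify(
    null,
    Buffer.from(`${receipt.signerId}:${receipt.bodyHash}`),
    pinned.publicKey,
    Buffer.from(String(receipt.signature), 'base64'),
  );
  return ok ? { verified: true, reason: 'OK' } : { verified: false, reason: 'BAD SIGNATURE' };
}

// Constructed sample data: one genuine seller key, one attacker key.
const seller = nodeCrypto.generateKeyPairSync('ed25519');
const attacker = nodeCrypto.generateKeyPairSync('ed25519');
const pinned = { signerId: 'seller-1', publicKey: seller.publicKey };
const body = Buffer.from('{"price":"101.25"}');

const genuine = verifyBeforeAct(body, issueReceipt(body, seller.privateKey, 'seller-1'), pinned);
const tampered = verifyBeforeAct(Buffer.from('{"price":"901.25"}'),
  issueReceipt(body, seller.privateKey, 'seller-1'), pinned);
const forged = verifyBeforeAct(body, issueReceipt(body, attacker.privateKey, 'seller-1'), pinned);

console.log({ genuine, tampered, forged });
```

The caller acts on the response only when `verified` is true; a receipt that names a signer other than the pinned one is refused before any signature check.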
Questions
Aren't the packages free?
@foreseal/gate and @payperbyte/sdk are MIT on npm. You can wire them yourself. This kit is the assembly, a working example, and the walkthrough — it sells you the afternoon, not the libraries.
Does it work on real Base mainnet?
Do I need a token or an account?
What stack?
tsx. Node 20.6+. Solana isn't covered — it's EVM/USDC (Base by default, any eip155: chain).
What's the license?
Ship a paid, verifiable API today.
Wired up, deploy-ready, honest about what it proves. npx @foreseal/demo to see it first.