Gate a route. Point your agents. Never touch a private key.
The server stays stateless; the chain work is abstracted away. Price in native XST — a fiat equivalent is optional display. Everything speaks the open x402 standard.
01
The Pieces
- Server SDK — drop-in middleware (Node, Python) that turns any route into a paywalled x402 endpoint in a few lines. The server stays stateless.
- Sidecar — the self-hosted signer + policy engine. Runs in your infra, holds only capped agent keys, enforces caps / allowlists / limits, signs and settles. Your agent calls its own sidecar.
- Console — a viewing-key dashboard for balances, per-agent spend, live tx feed, receipts, and policy. Read-only by construction.
- Wallet — self-custody, standalone or as a Telegram Mini App; the consumer / agent “pay” side.
Key map
- Server SDK · no keys: The middleware verifies and settles through the facilitator. It never holds a spending key and never custodies funds.
- Sidecar · capped only: The signer in your infra holds only capped agent keys, bounded by your caps, allowlists, and limits.
- Console · viewing key: A read-only viewing key surfaces balances, spend, and receipts. It can see, never spend.
- Wallet · spending key: Only the wallet — on your device — ever holds a spending key.
02
Server
Any request without a settled payment gets a 402. The facilitator verifies and settles; the route runs only after.
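server.mjs · Node / Express

```js
import express from "express";
import { paymentRequired } from "@stealthsend/x402";

const app = express();

// Gate the route: a request without a settled payment gets a 402 from the middleware.
app.use("/api/insight", paymentRequired({
  facilitator: process.env.FACILITATOR, // facilitator that verifies and settles
  amount: "10000",                      // atomic units = 0.01 XST
  settleMode: "confirmed",
}));

app.get("/api/insight", (req, res) => {
  // reached only after a settled payment
  res.json({ ok: true, receipt: req.x402 });
});

app.listen(process.env.PORT ?? 3000);
```

/api/insight · 402 active · 0.01 XST
Native-XST pricing · stateless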
03
Client
The agent needs zero blockchain knowledge: call a gated endpoint, get a 402, build the payment, replay with the settlement header.
agent.mjs · x402 payment flow

```js
// `wallet` is the agent's own wallet or sidecar client, passed in by the caller.
async function fetchInsight(wallet) {
  const url = "https://api.example.com/insight";

  // 1. the call returns 402 Payment Required
  const res = await fetch(url);
  if (res.status !== 402) return res; // nothing to pay

  const body = await res.json();
  const req = body.accepts[0];

  // 2. build + grind + sign (XST transparent, or XSS shielded)
  const header = await wallet.buildX402Payment(JSON.stringify(req), body.resource.url);

  // 3. replay with the payment header — served in ~5s
  return fetch(url, {
    headers: { "PAYMENT-SIGNATURE": header },
  });
}
```

Channel · XST / XSS
The spending key never leaves the agent’s own wallet or sidecar.
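The flow above pays whatever the first `accepts` entry asks for, so the caps and allowlists described for the sidecar have to be checked before step 2 signs anything. The following is an added example of such a pre-signing gate, not stealthPAY's own code: the policy schema, the function names, and the challenge field names `scheme` and `amount` are assumptions.

```js
// Added example: pre-signing policy gate for an x402 challenge.
// Assumed (not from the page): the policy schema and the fields requirement.scheme / requirement.amount.
const POLICY = {                       // constructed sample policy
  allowedHosts: ["api.example.com"],   // exact-match host allowlist
  allowedSchemes: ["exact"],
  maxPerPayment: 50000n,               // atomic units (0.05 XST at the page's 10000 = 0.01 XST)
  maxPerWindow: 100000n,               // rolling spend cap per window
  windowMs: 24 * 60 * 60 * 1000,
};

function parseAtomic(s) {
  // Accept only a plain positive decimal string; rejects "1e9", "-5", "0x10", " 10", numbers.
  if (typeof s !== "string" || !/^[1-9]\d{0,29}$/.test(s)) return null;
  return BigInt(s);
}

function evaluatePayment(policy, ledger, requirement, resourceUrl, now = Date.now()) {
  const deny = (reason) => ({ allow: false, reason });
  let url;
  try { url = new URL(resourceUrl); } catch { return deny("bad-url"); }
  if (url.protocol !== "https:") return deny("not-https");
  // Compare the parsed hostname, never a substring or prefix of the raw URL.
  if (!policy.allowedHosts.includes(url.hostname)) return deny("host-not-allowlisted");
  if (!policy.allowedSchemes.includes(requirement?.scheme)) return deny("scheme-not-allowed");

  const amount = parseAtomic(requirement?.amount);
  if (amount === null) return deny("bad-amount");
  if (amount > policy.maxPerPayment) return deny("over-per-payment-cap");

  // Sum what was already authorised inside the rolling window.
  const spent = ledger
    .filter((e) => now - e.at < policy.windowMs)
    .reduce((sum, e) => sum + e.amount, 0n);
  if (spent + amount > policy.maxPerWindow) return deny("over-window-cap");

  // Reserve the amount before signing so the next request sees it.
  ledger.push({ at: now, amount });
  return { allow: true, reason: "ok", amount };
}
```

Only a result with `allow: true` should reach the signing call; denied requests leave the ledger untouched.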
04
Facilitator API
The standard x402 facilitator endpoints, plus two stealthPAY extensions. The facilitator holds no spend keys and no funds at risk — it verifies and settles, it never custodies.
| Endpoint | Does | Detail |
|---|---|---|
| POST /challenge | Mint a 402 | A fresh single-use payTo and a recent anchor. Price in XST (native) or, optionally, fiat. |
| POST /verify | Advisory check | Validate a presented payment against its challenge — read-only, never broadcasts. |
| POST /settle | Broadcast + confirm | Re-verify, broadcast, and wait for the chosen finality. Idempotent. |
| GET /supported | Scheme / network | exact on stealthCORE (XST) and stealthPRIVATE (XSS). |
| POST /grind (ext) | Assisted feework | Grinding help for thin clients — the preimage carries no keys. |
| GET /stats · /rate (ext) | Telemetry | Live settlement feed and the operator-attested XST reference rate. |
Agents price and policies cap in XST. A fiat equivalent is an optional convenience from a thin
external feed — stealthPAY never operates rate infrastructure, and because it never holds
XST, its price is never our risk to carry.
05
The Stack
Rails
- Feeless XST settlement: The x402 facilitator, the Node + Python server SDKs, and the self-custody wallet settle on the transparent XST rail with zero fees and ~5s finality.
- Shielded XSS rail: The private (XSS) payment rail keeps amount and counterparty off the public record — same SDK, same flow, shielded channel.
Control plane
- Self-hosted sidecar: The signer + policy engine runs in your infra, holding only capped agent keys and enforcing your caps and allowlists.
- Viewing-key console: A read-only dashboard for balances, per-agent spend, the live tx feed, receipts, and policy — see everything, spend nothing.
Build against the facilitator today: gate a route, point your agents, and watch the spend.
Your keys, your funds, our brain — the facilitator and SDK move bytes, never custody.