@agentcash/router 1.9.4 → 1.10.1

package/README.md

@@ -18,6 +18,12 @@
   <a href="#install"><img alt="next.js" src="https://img.shields.io/badge/Next.js-App%20Router-111"></a>
 </p>
 
+<p align="center">
+  <a href="https://vercel.com/new/clone?repository-url=https%3A%2F%2Fgithub.com%2FMerit-Systems%2Fagentcash-router%2Ftree%2Fmain%2Fexamples%2Fvercel-deploy&project-name=agentcash-fortune-demo&repository-name=agentcash-fortune-demo&demo-title=AgentCash%20Router%20Fortune%20Demo&demo-description=Pay-per-call%20fortune%20API%20on%20x402%20and%20MPP&demo-url=https%3A%2F%2Fagentcash.dev&env=EVM_PAYEE_ADDRESS%2CCDP_API_KEY_ID%2CCDP_API_KEY_SECRET&envDescription=Wallet%20that%20receives%20payments%20%2B%20Coinbase%20Developer%20Platform%20API%20keys%20for%20the%20default%20x402%20facilitator.%20Create%20keys%20in%20the%20generous%20CDP%20free%20tier%3A%20https%3A%2F%2Fportal.cdp.coinbase.com%2Fprojects%2Fapi-keys&envLink=https%3A%2F%2Fgithub.com%2FMerit-Systems%2Fagentcash-router%2Fblob%2Fmain%2Fexamples%2Fvercel-deploy%2FREADME.md%23environment-variables">
+    <img alt="Deploy with Vercel" src="https://vercel.com/button">
+  </a>
+</p>
+
 ---
 
 ## Install
@@ -36,7 +42,7 @@ The recommended entry point reads its config from `process.env`. A copy-paste `.
 | Var | Required | Purpose |
 |-----|----------|---------|
 | `EVM_PAYEE_ADDRESS` | yes | EVM address that receives x402 and MPP payments (`0x…`, 20 bytes). Canonicalized to lowercase. The zero address is rejected. |
-| `CDP_API_KEY_ID`, `CDP_API_KEY_SECRET` | yes (EVM) | Coinbase Developer Platform credentials for the default EVM facilitator. Create an API key at https://portal.cdp.coinbase.com. T3 / `@t3-oss/env-nextjs` users must declare these in their env schema. |
+| `CDP_API_KEY_ID`, `CDP_API_KEY_SECRET` | yes (EVM) | Coinbase Developer Platform credentials for the default EVM facilitator. Create API keys in the generous CDP free tier at https://portal.cdp.coinbase.com/projects/api-keys. T3 / `@t3-oss/env-nextjs` users must declare these in their env schema. |
 
 ### Solana
 
@@ -59,7 +65,8 @@ The recommended entry point reads its config from `process.env`. A copy-paste `.
 
 | Var | Required | Purpose |
 |-----|----------|---------|
-| `BASE_URL` | yes | Origin URL (`https://api.example.com`). Load-bearing: used as the 402 realm, OpenAPI server URL, and MPP memo prefix. Must match the public domain. |
+| `BASE_URL` | yes outside Vercel | Origin URL (`https://api.example.com`). Load-bearing: used as the 402 realm, OpenAPI server URL, and MPP memo prefix. Must match the public domain. On Vercel, `createRouterFromEnv` auto-derives this from `VERCEL_PROJECT_PRODUCTION_URL`, then `VERCEL_URL`. |
+| `VERCEL_PROJECT_PRODUCTION_URL`, `VERCEL_URL` | no | Vercel system env vars used as fallbacks when `BASE_URL` is unset. Do not set these manually; Vercel provides them during builds and runtime. |
 | `KV_REST_API_URL`, `KV_REST_API_TOKEN` | no | Upstash / Vercel KV. Backs SIWX nonce, SIWX entitlement, and MPP replay. In-memory fallback is unsafe in serverless production. Providing a Kv Store is highly recommended. |
 
 ## Quick start
@@ -119,6 +126,7 @@ export const POST = router.route({ path: 'search' })
 // app/api/inbox/status/route.ts
 export const GET = router.route({ path: 'inbox/status' })
   .siwx()
+  .method('GET')
   .handler(async ({ wallet }) => getStatus(wallet));
 ```
 
@@ -305,4 +313,3 @@ const loggingPlugin: RouterPlugin = {
   },
 };
 ```
-

package/dist/index.cjs

@@ -1938,8 +1938,15 @@ function tagBareDecimalAsDollars(amount) {
 var import_types2 = require("@x402/core/types");
 async function verifyX402Payment(opts) {
   const { server, request, price, accepts, report } = opts;
-  const payload = await readPaymentPayload(request);
-  if (!payload) return null;
+  const payment = await readPaymentPayload(request);
+  if (payment.kind === "none") return null;
+  if (payment.kind === "malformed") {
+    return invalidPaymentVerification({
+      reason: "malformed_payment_header",
+      message: `X-PAYMENT header could not be decoded: ${payment.message}`
+    });
+  }
+  const payload = payment.payload;
   const requirements = await buildExpectedRequirements(server, request, price, accepts, report);
   const matching = findVerifiableRequirements(server, requirements, payload);
   const accepted = payload.x402Version === 2 ? payload.accepted : void 0;
@@ -2000,9 +2007,16 @@ function matchesStableFields(requirement, accepted) {
 }
 async function readPaymentPayload(request) {
   const paymentHeader = request.headers.get(HEADERS.X402_PAYMENT_SIGNATURE) ?? request.headers.get(HEADERS.X402_PAYMENT_LEGACY);
-  if (!paymentHeader) return null;
+  if (!paymentHeader) return { kind: "none" };
   const { decodePaymentSignatureHeader } = await import("@x402/core/http");
-  return decodePaymentSignatureHeader(paymentHeader);
+  try {
+    return { kind: "ok", payload: decodePaymentSignatureHeader(paymentHeader) };
+  } catch (err) {
+    return {
+      kind: "malformed",
+      message: err instanceof Error ? err.message : String(err)
+    };
+  }
 }
 function invalidPaymentVerification(failure) {
   return {
@@ -2177,6 +2191,21 @@ function getAllowedStrategies(allowed) {
   return allowed.map((name) => STRATEGIES[name]);
 }
 
+// src/protocols/detect.ts
+function detectProtocol(request) {
+  if (request.headers.get(HEADERS.X402_PAYMENT_SIGNATURE) ?? request.headers.get(HEADERS.X402_PAYMENT_LEGACY)) {
+    return "x402";
+  }
+  const auth = request.headers.get(HEADERS.AUTHORIZATION);
+  if (auth && auth.startsWith(AUTH_SCHEME.MPP_PAYMENT)) {
+    return "mpp";
+  }
+  if (request.headers.get(HEADERS.SIWX)) {
+    return "siwx";
+  }
+  return null;
+}
+
 // src/pipeline/flows/api-key-only.ts
 async function runApiKeyOnlyFlow(ctx) {
   if (!ctx.routeEntry.apiKeyResolver) {
@@ -2192,6 +2221,11 @@ async function runApiKeyOnlyFlow(ctx) {
 var DynamicPricing = class {
   constructor(opts) {
     this.opts = opts;
+    if (!isPositiveDecimal(opts.maxPrice)) {
+      throw new Error(
+        `route '${opts.route ?? "unknown"}': dynamic pricing requires a positive maxPrice, got '${opts.maxPrice}'`
+      );
+    }
   }
   needsBody = true;
   async quote(body) {
@@ -2205,11 +2239,8 @@ var DynamicPricing = class {
         error: err instanceof Error ? err.stack : String(err),
         body
       });
-      if (this.opts.maxPrice) {
-        this.alert("warn", `Using maxPrice ${this.opts.maxPrice} as fallback after pricing error`);
-        return this.opts.maxPrice;
-      }
-      throw err;
+      this.alert("warn", `Using maxPrice ${this.opts.maxPrice} as fallback after pricing error`);
+      return this.opts.maxPrice;
     }
     if (!isPositiveDecimal(priced)) {
       throw new HttpError(
@@ -2220,18 +2251,17 @@ var DynamicPricing = class {
     return priced;
   }
   challengeQuote(body) {
-    if (body === void 0) return Promise.resolve(this.opts.maxPrice ?? "0");
+    if (body === void 0) return Promise.resolve(this.opts.maxPrice);
     return this.quote(body);
   }
   describe() {
     return {
       mode: "dynamic",
       min: this.opts.minPrice ?? "0",
-      max: this.opts.maxPrice ?? "0"
+      max: this.opts.maxPrice
     };
   }
   cap(raw, body) {
-    if (!this.opts.maxPrice) return raw;
     let overCap;
     try {
       overCap = compareDecimals(raw, this.opts.maxPrice) > 0;
@@ -2331,6 +2361,9 @@ function selectPricing(raw, deps = {}) {
     return new FixedPricing(raw);
   }
   if (typeof raw === "function") {
+    if (!deps.maxPrice) {
+      throw new Error(`route '${deps.route ?? "unknown"}': dynamic pricing requires maxPrice`);
+    }
     return new DynamicPricing({
       fn: raw,
       maxPrice: deps.maxPrice,
@@ -3215,21 +3248,6 @@ async function createKvMppStore(kv, options) {
   });
 }
 
-// src/protocols/detect.ts
-function detectProtocol(request) {
-  if (request.headers.get(HEADERS.X402_PAYMENT_SIGNATURE) ?? request.headers.get(HEADERS.X402_PAYMENT_LEGACY)) {
-    return "x402";
-  }
-  const auth = request.headers.get(HEADERS.AUTHORIZATION);
-  if (auth && auth.startsWith(AUTH_SCHEME.MPP_PAYMENT)) {
-    return "mpp";
-  }
-  if (request.headers.get(HEADERS.SIWX)) {
-    return "siwx";
-  }
-  return null;
-}
-
 // src/protocols/mpp/siwx-mode.ts
 var import_mppx3 = require("mppx");
 async function verifyMppSiwx(request, mppx) {
@@ -3252,8 +3270,6 @@ async function runSiwxOnlyFlow(ctx) {
     if (earlyBody.ok) {
       const validateErr = await runValidate(ctx, earlyBody.data);
       if (validateErr) return validateErr;
-    } else {
-      return earlyBody.response;
     }
   }
   const siwxHeader = request.headers.get(HEADERS.SIWX);
@@ -3386,9 +3402,13 @@ async function runUnprotectedFlow(ctx) {
 
 // src/pipeline/orchestrate.ts
 function shouldSkipQueryValidation(routeEntry, request) {
-  const isPaidRoute = !!routeEntry.pricing || routeEntry.authMode === "paid";
-  if (!isPaidRoute) return false;
-  return selectIncomingStrategy(request, routeEntry.protocols) === null;
+  if (routeEntry.pricing || routeEntry.authMode === "paid") {
+    return selectIncomingStrategy(request, routeEntry.protocols) === null;
+  }
+  if (routeEntry.authMode === "siwx") {
+    return !request.headers.get(HEADERS.SIWX) && detectProtocol(request) !== "mpp";
+  }
+  return false;
 }
 function createRequestHandler(routeEntry, handler, deps) {
   return async (request) => {
@@ -3439,6 +3459,7 @@ ${issues}`
 }
 
 // src/builder.ts
+var MAX_X402_DESCRIPTION_LENGTH = 400;
 var RouteBuilder = class _RouteBuilder {
   #s;
   constructor(key, registry, deps, defaults) {
@@ -3582,6 +3603,11 @@ var RouteBuilder = class _RouteBuilder {
         `route '${this.#s.key}': price '${pricing}' must be a positive decimal string`
       );
     }
+    if (typeof pricing === "function" && next.#s.maxPrice === void 0) {
+      throw new Error(
+        `route '${this.#s.key}': dynamic pricing requires maxPrice \u2014 without it, bare probes would advertise a $0 challenge`
+      );
+    }
     if (next.#s.maxPrice !== void 0 && !isPositiveDecimal(next.#s.maxPrice)) {
       throw new Error(
         `route '${this.#s.key}': maxPrice '${next.#s.maxPrice}' must be a positive decimal string`
@@ -3950,6 +3976,11 @@ var RouteBuilder = class _RouteBuilder {
         `route '${this.#s.key}': .stream() requires .metered() \u2014 static/free/upto routes can't meter per-chunk billing.`
       );
     }
+    if (this.#s.description !== void 0 && this.#s.description.length > MAX_X402_DESCRIPTION_LENGTH && this.#s.pricing !== void 0 && this.#s.protocols.includes("x402")) {
+      throw new Error(
+        `route '${this.#s.key}': .description() is ${this.#s.description.length} chars; must be \u2264 ${MAX_X402_DESCRIPTION_LENGTH} chars \u2014 the CDP x402 facilitator rejects payments whose 402 challenge resource.description exceeds ~500 chars.`
+      );
+    }
     validateExamples(
       this.#s.key,
       this.#s.bodySchema,
@@ -4405,6 +4436,8 @@ var envShape = {
     params: { code: "invalid_base_url" },
     message: "BASE_URL must be a valid URL \u2014 the public origin used as the 402 realm, OpenAPI server URL, and MPP memo prefix. Must match the public domain."
   }).optional(),
+  VERCEL_PROJECT_PRODUCTION_URL: import_zod.z.string().optional(),
+  VERCEL_URL: import_zod.z.string().optional(),
   EVM_PAYEE_ADDRESS: import_zod.z.string().refine(isEvmAddress, {
     params: { code: "invalid_x402_payee", ...x402 },
     message: "EVM_PAYEE_ADDRESS must be a 0x-prefixed 20-byte EVM address \u2014 the wallet that receives x402 and MPP payments."
@@ -4449,7 +4482,7 @@ var EnvInputSchema = import_zod.z.object(envShape).passthrough().superRefine((en
     addIssue(
       ctx,
       { code: "missing_base_url" },
-      "BASE_URL is required \u2014 the public origin used as the 402 realm, OpenAPI server URL, and MPP memo prefix. Set it to your production domain.",
+      "BASE_URL is required \u2014 the public origin used as the 402 realm, OpenAPI server URL, and MPP memo prefix. Set it to your production domain. On Vercel, the router auto-derives it from VERCEL_PROJECT_PRODUCTION_URL or VERCEL_URL.",
       ["BASE_URL"]
     );
   }
@@ -4530,6 +4563,19 @@ function collectKvWarnings(env, kvStoreOptionProvided) {
   }
   return [];
 }
+function withHttps(host) {
+  if (!host) return void 0;
+  return host.startsWith("http://") || host.startsWith("https://") ? host : `https://${host}`;
+}
+function deriveBaseUrlEnv(env) {
+  if (env.BASE_URL) return env;
+  const vercelBaseUrl = withHttps(env.VERCEL_PROJECT_PRODUCTION_URL) ?? withHttps(env.VERCEL_URL);
+  if (!vercelBaseUrl) return env;
+  return {
+    ...env,
+    BASE_URL: vercelBaseUrl
+  };
+}
 function getConfiguredX402Accepts2(config) {
   if (config.x402?.accepts?.length) return [...config.x402.accepts];
   return [
@@ -4698,7 +4744,7 @@ function translateZodIssues(error) {
 }
 function routerConfigFromEnv(options) {
   const rawEnv = options.env ?? process.env;
-  const env = trimAll(rawEnv);
+  const env = deriveBaseUrlEnv(trimAll(rawEnv));
   const optionIssues = [];
   if (!options.title?.trim()) {
     optionIssues.push({

package/dist/index.js

@@ -1897,8 +1897,15 @@ function tagBareDecimalAsDollars(amount) {
 import { VerifyError } from "@x402/core/types";
 async function verifyX402Payment(opts) {
   const { server, request, price, accepts, report } = opts;
-  const payload = await readPaymentPayload(request);
-  if (!payload) return null;
+  const payment = await readPaymentPayload(request);
+  if (payment.kind === "none") return null;
+  if (payment.kind === "malformed") {
+    return invalidPaymentVerification({
+      reason: "malformed_payment_header",
+      message: `X-PAYMENT header could not be decoded: ${payment.message}`
+    });
+  }
+  const payload = payment.payload;
   const requirements = await buildExpectedRequirements(server, request, price, accepts, report);
   const matching = findVerifiableRequirements(server, requirements, payload);
   const accepted = payload.x402Version === 2 ? payload.accepted : void 0;
@@ -1959,9 +1966,16 @@ function matchesStableFields(requirement, accepted) {
 }
 async function readPaymentPayload(request) {
   const paymentHeader = request.headers.get(HEADERS.X402_PAYMENT_SIGNATURE) ?? request.headers.get(HEADERS.X402_PAYMENT_LEGACY);
-  if (!paymentHeader) return null;
+  if (!paymentHeader) return { kind: "none" };
   const { decodePaymentSignatureHeader } = await import("@x402/core/http");
-  return decodePaymentSignatureHeader(paymentHeader);
+  try {
+    return { kind: "ok", payload: decodePaymentSignatureHeader(paymentHeader) };
+  } catch (err) {
+    return {
+      kind: "malformed",
+      message: err instanceof Error ? err.message : String(err)
+    };
+  }
 }
 function invalidPaymentVerification(failure) {
   return {
@@ -2136,6 +2150,21 @@ function getAllowedStrategies(allowed) {
   return allowed.map((name) => STRATEGIES[name]);
 }
 
+// src/protocols/detect.ts
+function detectProtocol(request) {
+  if (request.headers.get(HEADERS.X402_PAYMENT_SIGNATURE) ?? request.headers.get(HEADERS.X402_PAYMENT_LEGACY)) {
+    return "x402";
+  }
+  const auth = request.headers.get(HEADERS.AUTHORIZATION);
+  if (auth && auth.startsWith(AUTH_SCHEME.MPP_PAYMENT)) {
+    return "mpp";
+  }
+  if (request.headers.get(HEADERS.SIWX)) {
+    return "siwx";
+  }
+  return null;
+}
+
 // src/pipeline/flows/api-key-only.ts
 async function runApiKeyOnlyFlow(ctx) {
   if (!ctx.routeEntry.apiKeyResolver) {
@@ -2151,6 +2180,11 @@ async function runApiKeyOnlyFlow(ctx) {
 var DynamicPricing = class {
   constructor(opts) {
     this.opts = opts;
+    if (!isPositiveDecimal(opts.maxPrice)) {
+      throw new Error(
+        `route '${opts.route ?? "unknown"}': dynamic pricing requires a positive maxPrice, got '${opts.maxPrice}'`
+      );
+    }
   }
   needsBody = true;
   async quote(body) {
@@ -2164,11 +2198,8 @@ var DynamicPricing = class {
         error: err instanceof Error ? err.stack : String(err),
         body
       });
-      if (this.opts.maxPrice) {
-        this.alert("warn", `Using maxPrice ${this.opts.maxPrice} as fallback after pricing error`);
-        return this.opts.maxPrice;
-      }
-      throw err;
+      this.alert("warn", `Using maxPrice ${this.opts.maxPrice} as fallback after pricing error`);
+      return this.opts.maxPrice;
     }
     if (!isPositiveDecimal(priced)) {
       throw new HttpError(
@@ -2179,18 +2210,17 @@ var DynamicPricing = class {
     return priced;
   }
   challengeQuote(body) {
-    if (body === void 0) return Promise.resolve(this.opts.maxPrice ?? "0");
+    if (body === void 0) return Promise.resolve(this.opts.maxPrice);
     return this.quote(body);
   }
   describe() {
     return {
       mode: "dynamic",
       min: this.opts.minPrice ?? "0",
-      max: this.opts.maxPrice ?? "0"
+      max: this.opts.maxPrice
     };
   }
   cap(raw, body) {
-    if (!this.opts.maxPrice) return raw;
     let overCap;
     try {
       overCap = compareDecimals(raw, this.opts.maxPrice) > 0;
@@ -2290,6 +2320,9 @@ function selectPricing(raw, deps = {}) {
     return new FixedPricing(raw);
   }
   if (typeof raw === "function") {
+    if (!deps.maxPrice) {
+      throw new Error(`route '${deps.route ?? "unknown"}': dynamic pricing requires maxPrice`);
+    }
     return new DynamicPricing({
       fn: raw,
       maxPrice: deps.maxPrice,
@@ -3174,21 +3207,6 @@ async function createKvMppStore(kv, options) {
   });
 }
 
-// src/protocols/detect.ts
-function detectProtocol(request) {
-  if (request.headers.get(HEADERS.X402_PAYMENT_SIGNATURE) ?? request.headers.get(HEADERS.X402_PAYMENT_LEGACY)) {
-    return "x402";
-  }
-  const auth = request.headers.get(HEADERS.AUTHORIZATION);
-  if (auth && auth.startsWith(AUTH_SCHEME.MPP_PAYMENT)) {
-    return "mpp";
-  }
-  if (request.headers.get(HEADERS.SIWX)) {
-    return "siwx";
-  }
-  return null;
-}
-
 // src/protocols/mpp/siwx-mode.ts
 import { Credential as Credential2 } from "mppx";
 async function verifyMppSiwx(request, mppx) {
@@ -3211,8 +3229,6 @@ async function runSiwxOnlyFlow(ctx) {
     if (earlyBody.ok) {
       const validateErr = await runValidate(ctx, earlyBody.data);
       if (validateErr) return validateErr;
-    } else {
-      return earlyBody.response;
     }
   }
   const siwxHeader = request.headers.get(HEADERS.SIWX);
@@ -3345,9 +3361,13 @@ async function runUnprotectedFlow(ctx) {
 
 // src/pipeline/orchestrate.ts
 function shouldSkipQueryValidation(routeEntry, request) {
-  const isPaidRoute = !!routeEntry.pricing || routeEntry.authMode === "paid";
-  if (!isPaidRoute) return false;
-  return selectIncomingStrategy(request, routeEntry.protocols) === null;
+  if (routeEntry.pricing || routeEntry.authMode === "paid") {
+    return selectIncomingStrategy(request, routeEntry.protocols) === null;
+  }
+  if (routeEntry.authMode === "siwx") {
+    return !request.headers.get(HEADERS.SIWX) && detectProtocol(request) !== "mpp";
+  }
+  return false;
 }
 function createRequestHandler(routeEntry, handler, deps) {
   return async (request) => {
@@ -3398,6 +3418,7 @@ ${issues}`
 }
 
 // src/builder.ts
+var MAX_X402_DESCRIPTION_LENGTH = 400;
 var RouteBuilder = class _RouteBuilder {
   #s;
   constructor(key, registry, deps, defaults) {
@@ -3541,6 +3562,11 @@ var RouteBuilder = class _RouteBuilder {
         `route '${this.#s.key}': price '${pricing}' must be a positive decimal string`
       );
     }
+    if (typeof pricing === "function" && next.#s.maxPrice === void 0) {
+      throw new Error(
+        `route '${this.#s.key}': dynamic pricing requires maxPrice \u2014 without it, bare probes would advertise a $0 challenge`
+      );
+    }
     if (next.#s.maxPrice !== void 0 && !isPositiveDecimal(next.#s.maxPrice)) {
       throw new Error(
         `route '${this.#s.key}': maxPrice '${next.#s.maxPrice}' must be a positive decimal string`
@@ -3909,6 +3935,11 @@ var RouteBuilder = class _RouteBuilder {
         `route '${this.#s.key}': .stream() requires .metered() \u2014 static/free/upto routes can't meter per-chunk billing.`
       );
     }
+    if (this.#s.description !== void 0 && this.#s.description.length > MAX_X402_DESCRIPTION_LENGTH && this.#s.pricing !== void 0 && this.#s.protocols.includes("x402")) {
+      throw new Error(
+        `route '${this.#s.key}': .description() is ${this.#s.description.length} chars; must be \u2264 ${MAX_X402_DESCRIPTION_LENGTH} chars \u2014 the CDP x402 facilitator rejects payments whose 402 challenge resource.description exceeds ~500 chars.`
+      );
+    }
     validateExamples(
       this.#s.key,
       this.#s.bodySchema,
@@ -4364,6 +4395,8 @@ var envShape = {
     params: { code: "invalid_base_url" },
     message: "BASE_URL must be a valid URL \u2014 the public origin used as the 402 realm, OpenAPI server URL, and MPP memo prefix. Must match the public domain."
   }).optional(),
+  VERCEL_PROJECT_PRODUCTION_URL: z.string().optional(),
+  VERCEL_URL: z.string().optional(),
   EVM_PAYEE_ADDRESS: z.string().refine(isEvmAddress, {
     params: { code: "invalid_x402_payee", ...x402 },
     message: "EVM_PAYEE_ADDRESS must be a 0x-prefixed 20-byte EVM address \u2014 the wallet that receives x402 and MPP payments."
@@ -4408,7 +4441,7 @@ var EnvInputSchema = z.object(envShape).passthrough().superRefine((env, ctx) =>
     addIssue(
       ctx,
       { code: "missing_base_url" },
-      "BASE_URL is required \u2014 the public origin used as the 402 realm, OpenAPI server URL, and MPP memo prefix. Set it to your production domain.",
+      "BASE_URL is required \u2014 the public origin used as the 402 realm, OpenAPI server URL, and MPP memo prefix. Set it to your production domain. On Vercel, the router auto-derives it from VERCEL_PROJECT_PRODUCTION_URL or VERCEL_URL.",
       ["BASE_URL"]
     );
   }
@@ -4489,6 +4522,19 @@ function collectKvWarnings(env, kvStoreOptionProvided) {
   }
   return [];
 }
+function withHttps(host) {
+  if (!host) return void 0;
+  return host.startsWith("http://") || host.startsWith("https://") ? host : `https://${host}`;
+}
+function deriveBaseUrlEnv(env) {
+  if (env.BASE_URL) return env;
+  const vercelBaseUrl = withHttps(env.VERCEL_PROJECT_PRODUCTION_URL) ?? withHttps(env.VERCEL_URL);
+  if (!vercelBaseUrl) return env;
+  return {
+    ...env,
+    BASE_URL: vercelBaseUrl
+  };
+}
 function getConfiguredX402Accepts2(config) {
   if (config.x402?.accepts?.length) return [...config.x402.accepts];
   return [
@@ -4657,7 +4703,7 @@ function translateZodIssues(error) {
 }
 function routerConfigFromEnv(options) {
   const rawEnv = options.env ?? process.env;
-  const env = trimAll(rawEnv);
+  const env = deriveBaseUrlEnv(trimAll(rawEnv));
   const optionIssues = [];
   if (!options.title?.trim()) {
     optionIssues.push({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentcash/router",
-  "version": "1.9.4",
+  "version": "1.10.1",
   "description": "Unified route builder for Next.js App Router APIs with x402, MPP, SIWX, and API key auth",
   "type": "module",
   "exports": {