@agentvisa/widget 0.2.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 AgentVisa
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,123 @@
+# @agentvisa/widget
+
+Lightweight JavaScript/TypeScript widget for **AgentVisa** verification.
+
+Drop-in verification for websites that need to confirm a real human has approved an AI agent's action.
+
+## Features
+
+- Works with both **Basic** and **Pro** tiers
+- Unified response shape for all plans
+- Zero runtime dependencies
+- < 5KB gzipped
+- TypeScript support
+
+## Installation
+
+```bash
+npm install @agentvisa/widget
+```
+
+Or via CDN:
+
+```html
+<script src="https://cdn.agentvisa.ai/widget.js"></script>
+```
+
+## Usage
+
+### Basic Usage (Recommended)
+
+```ts
+import { AgentVisa } from "@agentvisa/widget";
+
+const result = await AgentVisa.verify({
+  widgetId: "widget_abc123",
+  plan: "basic"
+});
+
+console.log(result.valid);     // true | false
+console.log(result.reason);    // "ok" | "expired" | "invalid" ...
+console.log(result.plan);      // "basic" | "pro"
+```
+
+### Instance Usage
+
+```ts
+const visa = new AgentVisa({
+  widgetId: "widget_abc123",
+  plan: "pro"
+});
+
+const result = await visa.verify();
+```
+
+### Browser (UMD)
+
+```html
+<script src="https://cdn.agentvisa.ai/widget.js"></script>
+<script>
+  const result = await AgentVisa.verify({
+    widgetId: "widget_abc123",
+    plan: "basic"
+  });
+</script>
+```
+
+## Response Shape
+
+The widget always returns the unified response:
+
+```json
+{
+  "valid": true,
+  "reason": "ok",
+  "plan": "basic",
+  "widget_id": "widget_abc123",
+  "human_name": null,
+  "email": null,
+  "phone": null,
+  "verified_at": null,
+  "expires_at": null
+}
+```
+
+## Configuration
+
+| Option       | Type               | Default                  | Description                     |
+|--------------|--------------------|--------------------------|---------------------------------|
+| `widgetId`   | `string`           | **required**             | Your AgentVisa widget ID        |
+| `plan`       | `"basic" \| "pro"` | `"basic"`                | Verification tier               |
+| `apiBaseUrl` | `string`           | `"https://api.agentvisa.ai"` | Backend API base URL        |
+
+## Development
+
+```bash
+npm install
+npm run build
+```
+
+Build output is in `dist/`:
+
+- `widget.js` — UMD bundle (browser)
+- `widget.esm.js` — ESM bundle
+- `index.d.ts` — TypeScript definitions
+
+## Examples
+
+See the `examples/` folder:
+
+- `basic.html` — Basic tier demo
+- `pro.html` — Pro tier demo with richer data
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md).
+
+## Security
+
+See [SECURITY.md](SECURITY.md).
+
+## License
+
+MIT © [AgentVisa](https://agentvisa.ai)

package/dist/core.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Shared server-side verification logic.
+ * Used by Express and Next.js middleware — no framework deps here.
+ */
+export declare const DEFAULT_API_BASE = "https://api.agentvisa.ai";
+export interface AgentVisaConfig {
+    /** Your widget ID from the AgentVisa dashboard */
+    widgetId: string;
+    /** Your widget API key — keep server-side only, never expose to the browser */
+    apiKey: string;
+    /** Override API base URL (e.g. for staging) */
+    apiBaseUrl?: string;
+    /**
+     * What to do when verification fails or token is missing.
+     * "block" (default) — return 401 and stop the request.
+     * "passthrough" — attach result to request and continue; let your
+     *   handler decide. Useful for soft-gating or analytics.
+     */
+    onUnverified?: "block" | "passthrough";
+}
+export interface VerifyResult {
+    valid: boolean;
+    reason: string;
+    plan?: string;
+    widget_id?: string;
+    human_name?: string | null;
+    verified_at?: string | null;
+    expires_at?: string | null;
+    five_factor?: string;
+    age_over_18?: string;
+    age_over_21?: string;
+    multiple_agents_authorized?: string;
+    verifications_today?: number;
+}
+/**
+ * Call /v1/verify with a TemporaryToken.
+ * Returns the full API response or a synthetic error result on network failure.
+ */
+export declare function callVerify(temporaryToken: string, config: Required<AgentVisaConfig>): Promise<VerifyResult>;
+export declare function resolveConfig(config: AgentVisaConfig): Required<AgentVisaConfig>;
+//# sourceMappingURL=core.d.ts.map

package/dist/core.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"core.d.ts","sourceRoot":"","sources":["../src/core.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,eAAO,MAAM,gBAAgB,6BAA6B,CAAC;AAE3D,MAAM,WAAW,eAAe;IAC9B,kDAAkD;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,+EAA+E;IAC/E,MAAM,EAAE,MAAM,CAAC;IACf,+CAA+C;IAC/C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,OAAO,GAAG,aAAa,CAAC;CACxC;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAE3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;GAGG;AACH,wBAAsB,UAAU,CAC9B,cAAc,EAAE,MAAM,EACtB,MAAM,EAAE,QAAQ,CAAC,eAAe,CAAC,GAChC,OAAO,CAAC,YAAY,CAAC,CAcvB;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,eAAe,GAAG,QAAQ,CAAC,eAAe,CAAC,CAMhF"}

package/dist/core.js

@@ -0,0 +1,33 @@
+/**
+ * Shared server-side verification logic.
+ * Used by Express and Next.js middleware — no framework deps here.
+ */
+export const DEFAULT_API_BASE = "https://api.agentvisa.ai";
+/**
+ * Call /v1/verify with a TemporaryToken.
+ * Returns the full API response or a synthetic error result on network failure.
+ */
+export async function callVerify(temporaryToken, config) {
+    try {
+        const url = `${config.apiBaseUrl}/v1/verify?token=${encodeURIComponent(temporaryToken)}&widget_id=${encodeURIComponent(config.widgetId)}`;
+        const response = await fetch(url, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "X-Widget-Api-Key": config.apiKey,
+            },
+        });
+        return await response.json();
+    }
+    catch {
+        return { valid: false, reason: "network_error" };
+    }
+}
+export function resolveConfig(config) {
+    return {
+        apiBaseUrl: DEFAULT_API_BASE,
+        onUnverified: "block",
+        ...config,
+    };
+}
+//# sourceMappingURL=core.js.map

package/dist/core.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"core.js","sourceRoot":"","sources":["../src/core.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,CAAC,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;AAkC3D;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,cAAsB,EACtB,MAAiC;IAEjC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,UAAU,oBAAoB,kBAAkB,CAAC,cAAc,CAAC,cAAc,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1I,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,kBAAkB,EAAE,MAAM,CAAC,MAAM;aAClC;SACF,CAAC,CAAC;QACH,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAkB,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACnD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAuB;IACnD,OAAO;QACL,UAAU,EAAE,gBAAgB;QAC5B,YAAY,EAAE,OAAO;QACrB,GAAG,MAAM;KACV,CAAC;AACJ,CAAC"}

package/dist/express/index.d.ts

@@ -0,0 +1,37 @@
+/**
+ * AgentVisa Express middleware
+ *
+ * Usage:
+ *   import { agentVisa } from "@agentvisa/widget/express";
+ *
+ *   app.use(agentVisa({
+ *     widgetId: process.env.AV_WIDGET_ID!,
+ *     apiKey:   process.env.AV_API_KEY!,
+ *   }));
+ *
+ * Or protect specific routes only:
+ *   app.get("/premium", agentVisa({ widgetId, apiKey }), handler);
+ *
+ * On success, req.agentVisa is populated:
+ *   req.agentVisa.verified  — boolean
+ *   req.agentVisa.result    — full VerifyResult (if verified)
+ *   req.agentVisa.reason    — failure reason (if not verified + passthrough mode)
+ */
+import { AgentVisaConfig, VerifyResult } from "../core.js";
+export type { AgentVisaConfig, VerifyResult };
+interface Req {
+    headers: Record<string, string | string[] | undefined>;
+    agentVisa?: {
+        verified: boolean;
+        result?: VerifyResult;
+        reason?: string;
+    };
+}
+interface Res {
+    status(code: number): Res;
+    json(body: unknown): void;
+    setHeader(name: string, value: string): void;
+}
+type NextFn = (err?: unknown) => void;
+export declare function agentVisa(config: AgentVisaConfig): (req: Req, res: Res, next: NextFn) => Promise<void>;
+//# sourceMappingURL=index.d.ts.map

package/dist/express/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/express/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,eAAe,EAAE,YAAY,EAA6B,MAAM,YAAY,CAAC;AAEtF,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,CAAC;AAI9C,UAAU,GAAG;IACX,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;IACvD,SAAS,CAAC,EAAE;QACV,QAAQ,EAAE,OAAO,CAAC;QAClB,MAAM,CAAC,EAAE,YAAY,CAAC;QACtB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AAED,UAAU,GAAG;IACX,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,GAAG,CAAC;IAC1B,IAAI,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,CAAC;IAC1B,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9C;AAED,KAAK,MAAM,GAAG,CAAC,GAAG,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;AAEtC,wBAAgB,SAAS,CAAC,MAAM,EAAE,eAAe,IAI7C,KAAK,GAAG,EACR,KAAK,GAAG,EACR,MAAM,MAAM,KACX,OAAO,CAAC,IAAI,CAAC,CA2CjB"}

package/dist/express/index.js

@@ -0,0 +1,62 @@
+/**
+ * AgentVisa Express middleware
+ *
+ * Usage:
+ *   import { agentVisa } from "@agentvisa/widget/express";
+ *
+ *   app.use(agentVisa({
+ *     widgetId: process.env.AV_WIDGET_ID!,
+ *     apiKey:   process.env.AV_API_KEY!,
+ *   }));
+ *
+ * Or protect specific routes only:
+ *   app.get("/premium", agentVisa({ widgetId, apiKey }), handler);
+ *
+ * On success, req.agentVisa is populated:
+ *   req.agentVisa.verified  — boolean
+ *   req.agentVisa.result    — full VerifyResult (if verified)
+ *   req.agentVisa.reason    — failure reason (if not verified + passthrough mode)
+ */
+import { callVerify, resolveConfig } from "../core.js";
+export function agentVisa(config) {
+    const resolved = resolveConfig(config);
+    return async function agentVisaMiddleware(req, res, next) {
+        const rawToken = req.headers["x-agentvisa-token"];
+        const token = Array.isArray(rawToken) ? rawToken[0] : rawToken;
+        // ── No token present ────────────────────────────────────────────────────
+        if (!token) {
+            if (resolved.onUnverified === "passthrough") {
+                req.agentVisa = { verified: false, reason: "no_token" };
+                return next();
+            }
+            res.setHeader("X-AgentVisa-Required", resolved.widgetId);
+            res.status(401).json({
+                error: "agentvisa_required",
+                message: "This endpoint requires an AgentVisa verification token. " +
+                    "Call POST /v1/token/assert with your api/token and this widget_id " +
+                    "to get a TemporaryToken, then retry with X-AgentVisa-Token: <token>.",
+                widget_id: resolved.widgetId,
+            });
+            return;
+        }
+        // ── Token present — verify it ───────────────────────────────────────────
+        const result = await callVerify(token, resolved);
+        if (!result.valid) {
+            if (resolved.onUnverified === "passthrough") {
+                req.agentVisa = { verified: false, reason: result.reason, result };
+                return next();
+            }
+            res.setHeader("X-AgentVisa-Required", resolved.widgetId);
+            res.status(401).json({
+                error: "agentvisa_verification_failed",
+                reason: result.reason,
+                widget_id: resolved.widgetId,
+            });
+            return;
+        }
+        // ── Verified ────────────────────────────────────────────────────────────
+        req.agentVisa = { verified: true, result };
+        return next();
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/express/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/express/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAiC,UAAU,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAuBtF,MAAM,UAAU,SAAS,CAAC,MAAuB;IAC/C,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,OAAO,KAAK,UAAU,mBAAmB,CACvC,GAAQ,EACR,GAAQ,EACR,IAAY;QAEZ,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;QAE/D,2EAA2E;QAC3E,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,QAAQ,CAAC,YAAY,KAAK,aAAa,EAAE,CAAC;gBAC5C,GAAG,CAAC,SAAS,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;gBACxD,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YACD,GAAG,CAAC,SAAS,CAAC,sBAAsB,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACzD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,oBAAoB;gBAC3B,OAAO,EACL,0DAA0D;oBAC1D,oEAAoE;oBACpE,sEAAsE;gBACxE,SAAS,EAAE,QAAQ,CAAC,QAAQ;aAC7B,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,2EAA2E;QAC3E,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAEjD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,IAAI,QAAQ,CAAC,YAAY,KAAK,aAAa,EAAE,CAAC;gBAC5C,GAAG,CAAC,SAAS,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;gBACnE,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YACD,GAAG,CAAC,SAAS,CAAC,sBAAsB,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACzD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,+BAA+B;gBACtC,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,SAAS,EAAE,QAAQ,CAAC,QAAQ;aAC7B,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,2EAA2E;QAC3E,GAAG,CAAC,SAAS,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC3C,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,33 @@
+type Plan = "basic" | "pro";
+interface WidgetOptions {
+    widgetId: string;
+    plan?: Plan;
+    apiBaseUrl?: string;
+}
+interface VerificationResult {
+    valid: boolean;
+    reason: string;
+    plan: Plan;
+    widget_id: string;
+    human_name: string | null;
+    email: string | null;
+    phone: string | null;
+    verified_at: string | null;
+    expires_at: string | null;
+}
+
+declare class AgentVisa {
+    private options;
+    constructor(options: WidgetOptions);
+    /**
+     * Verify the current token for this widget.
+     * Returns the unified VerificationResult.
+     */
+    verify(): Promise<VerificationResult>;
+    /**
+     * Quick static helper for one-off verification (commonly used pattern).
+     */
+    static verify(options: WidgetOptions): Promise<VerificationResult>;
+}
+
+export { AgentVisa };

package/dist/next/index.d.ts

@@ -0,0 +1,42 @@
+/**
+ * AgentVisa Next.js middleware
+ *
+ * Usage — middleware.ts (project root):
+ *
+ *   import { withAgentVisa } from "@agentvisa/widget/next";
+ *
+ *   export default withAgentVisa({
+ *     widgetId: process.env.AV_WIDGET_ID!,
+ *     apiKey:   process.env.AV_API_KEY!,
+ *   });
+ *
+ *   export const config = {
+ *     matcher: ["/api/:path*"],  // paths to protect
+ *   };
+ *
+ * Or wrap your own middleware:
+ *
+ *   export default withAgentVisa({ widgetId, apiKey }, async (req) => {
+ *     // only runs if agent is verified
+ *     return NextResponse.next();
+ *   });
+ *
+ * Uses only standard Web APIs (Request/Response) — works on Node.js
+ * runtime and Edge runtime.
+ *
+ * On success, the forwarded request carries two headers your handlers can read:
+ *   X-AgentVisa-Verified: true
+ *   X-AgentVisa-Reason:   ok
+ */
+import { AgentVisaConfig, VerifyResult } from "../core.js";
+export type { AgentVisaConfig, VerifyResult };
+type NextHandler = (request: Request) => Response | Promise<Response>;
+/**
+ * Wrap a Next.js middleware handler (or use standalone).
+ *
+ * @param config  Widget ID + API key + options
+ * @param handler Optional inner handler — called only when agent is verified.
+ *                If omitted, passes through with Response headers set.
+ */
+export declare function withAgentVisa(config: AgentVisaConfig, handler?: NextHandler): NextHandler;
+//# sourceMappingURL=index.d.ts.map

package/dist/next/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/next/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,eAAe,EAAE,YAAY,EAA6B,MAAM,YAAY,CAAC;AAEtF,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,CAAC;AAE9C,KAAK,WAAW,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;AAEtE;;;;;;GAMG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,eAAe,EACvB,OAAO,CAAC,EAAE,WAAW,GACpB,WAAW,CA8Bb"}

package/dist/next/index.js

@@ -0,0 +1,108 @@
+/**
+ * AgentVisa Next.js middleware
+ *
+ * Usage — middleware.ts (project root):
+ *
+ *   import { withAgentVisa } from "@agentvisa/widget/next";
+ *
+ *   export default withAgentVisa({
+ *     widgetId: process.env.AV_WIDGET_ID!,
+ *     apiKey:   process.env.AV_API_KEY!,
+ *   });
+ *
+ *   export const config = {
+ *     matcher: ["/api/:path*"],  // paths to protect
+ *   };
+ *
+ * Or wrap your own middleware:
+ *
+ *   export default withAgentVisa({ widgetId, apiKey }, async (req) => {
+ *     // only runs if agent is verified
+ *     return NextResponse.next();
+ *   });
+ *
+ * Uses only standard Web APIs (Request/Response) — works on Node.js
+ * runtime and Edge runtime.
+ *
+ * On success, the forwarded request carries two headers your handlers can read:
+ *   X-AgentVisa-Verified: true
+ *   X-AgentVisa-Reason:   ok
+ */
+import { callVerify, resolveConfig } from "../core.js";
+/**
+ * Wrap a Next.js middleware handler (or use standalone).
+ *
+ * @param config  Widget ID + API key + options
+ * @param handler Optional inner handler — called only when agent is verified.
+ *                If omitted, passes through with Response headers set.
+ */
+export function withAgentVisa(config, handler) {
+    const resolved = resolveConfig(config);
+    return async function agentVisaMiddleware(request) {
+        const token = request.headers.get("x-agentvisa-token") ?? undefined;
+        // ── No token ──────────────────────────────────────────────────────────
+        if (!token) {
+            if (resolved.onUnverified === "passthrough") {
+                const req = addVerificationHeaders(request, false, "no_token");
+                return handler ? handler(req) : passthroughResponse(req);
+            }
+            return blockedResponse(resolved.widgetId, "no_token");
+        }
+        // ── Verify ────────────────────────────────────────────────────────────
+        const result = await callVerify(token, resolved);
+        if (!result.valid) {
+            if (resolved.onUnverified === "passthrough") {
+                const req = addVerificationHeaders(request, false, result.reason);
+                return handler ? handler(req) : passthroughResponse(req);
+            }
+            return blockedResponse(resolved.widgetId, result.reason);
+        }
+        // ── Verified ──────────────────────────────────────────────────────────
+        const req = addVerificationHeaders(request, true, "ok");
+        return handler ? handler(req) : passthroughResponse(req);
+    };
+}
+// ── Helpers ─────────────────────────────────────────────────────────────────
+function blockedResponse(widgetId, reason) {
+    return new Response(JSON.stringify({
+        error: "agentvisa_required",
+        reason,
+        widget_id: widgetId,
+        message: "This endpoint requires an AgentVisa verification token. " +
+            "Call POST /v1/token/assert with your api/token and this widget_id " +
+            "to get a TemporaryToken, then retry with X-AgentVisa-Token: <token>.",
+    }), {
+        status: 401,
+        headers: {
+            "Content-Type": "application/json",
+            "X-AgentVisa-Required": widgetId,
+        },
+    });
+}
+function addVerificationHeaders(request, verified, reason) {
+    // Clone the request and add verification headers so downstream handlers
+    // can read them via request.headers.get("x-agentvisa-verified")
+    const headers = new Headers(request.headers);
+    headers.set("x-agentvisa-verified", String(verified));
+    headers.set("x-agentvisa-reason", reason);
+    return new Request(request.url, {
+        method: request.method,
+        headers,
+        body: request.body,
+        // @ts-ignore — duplex needed for streaming bodies in some runtimes
+        duplex: "half",
+    });
+}
+function passthroughResponse(request) {
+    // Signal to Next.js to continue to the route handler.
+    // Uses the NextResponse.next() equivalent via headers.
+    return new Response(null, {
+        status: 200,
+        headers: {
+            "x-middleware-next": "1",
+            "x-agentvisa-verified": request.headers.get("x-agentvisa-verified") ?? "false",
+            "x-agentvisa-reason": request.headers.get("x-agentvisa-reason") ?? "unknown",
+        },
+    });
+}
+//# sourceMappingURL=index.js.map

package/dist/next/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/next/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAiC,UAAU,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAMtF;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAC3B,MAAuB,EACvB,OAAqB;IAErB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,OAAO,KAAK,UAAU,mBAAmB,CAAC,OAAgB;QACxD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,SAAS,CAAC;QAEpE,yEAAyE;QACzE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,QAAQ,CAAC,YAAY,KAAK,aAAa,EAAE,CAAC;gBAC5C,MAAM,GAAG,GAAG,sBAAsB,CAAC,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;gBAC/D,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;YAC3D,CAAC;YACD,OAAO,eAAe,CAAC,QAAQ,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACxD,CAAC;QAED,yEAAyE;QACzE,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAEjD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,IAAI,QAAQ,CAAC,YAAY,KAAK,aAAa,EAAE,CAAC;gBAC5C,MAAM,GAAG,GAAG,sBAAsB,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;gBAClE,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;YAC3D,CAAC;YACD,OAAO,eAAe,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QAC3D,CAAC;QAED,yEAAyE;QACzE,MAAM,GAAG,GAAG,sBAAsB,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACxD,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAC3D,CAAC,CAAC;AACJ,CAAC;AAED,+EAA+E;AAE/E,SAAS,eAAe,CAAC,QAAgB,EAAE,MAAc;IACvD,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;QACb,KAAK,EAAE,oBAAoB;QAC3B,MAAM;QACN,SAAS,EAAE,QAAQ;QACnB,OAAO,EACL,0DAA0D;YAC1D,oEAAoE;YACpE,sEAAsE;KACzE,CAAC,EACF;QACE,MAAM,EAAE,GAAG;QACX,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,sBAAsB,EAAE,QAAQ;SACjC;KACF,CACF,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAC7B,OAAgB,EAChB,QAAiB,EACjB,MAAc;IAEd,wEAAwE;IACxE,gEAAgE;IAChE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;IACtD,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAC1C,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE;QAC9B,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,OAAO;QACP,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,mEAAmE;QACnE,MAAM,EAAE,MAAM;KACf,CAAC,CAAC;AACL,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAgB;IAC3C,sDAAsD;IACtD,uDAAuD;IACvD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;QACxB,MAAM,EAAE,GAAG;QACX,OAAO,EAAE;YACP,mBAAmB,EAAE,GAAG;YACxB,sBAAsB,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,IAAI,OAAO;YAC9E,oBAAoB,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,SAAS;SAC7E;KACF,CAAC,CAAC;AACL,CAAC"}

package/dist/widget.esm.js

@@ -0,0 +1,67 @@
+const DEFAULT_API_BASE = "https://api.agentvisa.ai";
+async function verifyToken(options) {
+    const { widgetId, plan = "basic", apiBaseUrl = DEFAULT_API_BASE, } = options;
+    const url = new URL("/v1/verify", apiBaseUrl);
+    url.searchParams.set("widget_id", widgetId);
+    url.searchParams.set("plan", plan);
+    // Note: token is currently empty — this is the skeleton.
+    // In real usage the AI agent will pass the tmp_ token here.
+    const response = await fetch(url.toString(), {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+            token: "",
+            widget_id: widgetId,
+            plan,
+        }),
+    });
+    if (!response.ok) {
+        return {
+            valid: false,
+            reason: "network_error",
+            plan,
+            widget_id: widgetId,
+            human_name: null,
+            email: null,
+            phone: null,
+            verified_at: null,
+            expires_at: null,
+        };
+    }
+    return response.json();
+}
+
+class AgentVisa {
+    constructor(options) {
+        this.options = {
+            plan: "basic",
+            apiBaseUrl: "https://api.agentvisa.ai",
+            ...options,
+        };
+    }
+    /**
+     * Verify the current token for this widget.
+     * Returns the unified VerificationResult.
+     */
+    async verify() {
+        return verifyToken(this.options);
+    }
+    /**
+     * Quick static helper for one-off verification (commonly used pattern).
+     */
+    static async verify(options) {
+        return verifyToken({
+            plan: "basic",
+            apiBaseUrl: "https://api.agentvisa.ai",
+            ...options,
+        });
+    }
+}
+// Allow usage as a global script if desired (lightweight CDN use)
+if (typeof window !== "undefined") {
+    window.AgentVisa = AgentVisa;
+}
+
+export { AgentVisa };

package/dist/widget.js

@@ -0,0 +1,75 @@
+(function (global, factory) {
+    typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
+    typeof define === 'function' && define.amd ? define(['exports'], factory) :
+    (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.AgentVisa = {}));
+})(this, (function (exports) { 'use strict';
+
+    const DEFAULT_API_BASE = "https://api.agentvisa.ai";
+    async function verifyToken(options) {
+        const { widgetId, plan = "basic", apiBaseUrl = DEFAULT_API_BASE, } = options;
+        const url = new URL("/v1/verify", apiBaseUrl);
+        url.searchParams.set("widget_id", widgetId);
+        url.searchParams.set("plan", plan);
+        // Note: token is currently empty — this is the skeleton.
+        // In real usage the AI agent will pass the tmp_ token here.
+        const response = await fetch(url.toString(), {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({
+                token: "",
+                widget_id: widgetId,
+                plan,
+            }),
+        });
+        if (!response.ok) {
+            return {
+                valid: false,
+                reason: "network_error",
+                plan,
+                widget_id: widgetId,
+                human_name: null,
+                email: null,
+                phone: null,
+                verified_at: null,
+                expires_at: null,
+            };
+        }
+        return response.json();
+    }
+
+    class AgentVisa {
+        constructor(options) {
+            this.options = {
+                plan: "basic",
+                apiBaseUrl: "https://api.agentvisa.ai",
+                ...options,
+            };
+        }
+        /**
+         * Verify the current token for this widget.
+         * Returns the unified VerificationResult.
+         */
+        async verify() {
+            return verifyToken(this.options);
+        }
+        /**
+         * Quick static helper for one-off verification (commonly used pattern).
+         */
+        static async verify(options) {
+            return verifyToken({
+                plan: "basic",
+                apiBaseUrl: "https://api.agentvisa.ai",
+                ...options,
+            });
+        }
+    }
+    // Allow usage as a global script if desired (lightweight CDN use)
+    if (typeof window !== "undefined") {
+        window.AgentVisa = AgentVisa;
+    }
+
+    exports.AgentVisa = AgentVisa;
+
+}));

package/package.json

@@ -0,0 +1,72 @@
+{
+  "name": "@agentvisa/widget",
+  "version": "0.2.0",
+  "description": "AgentVisa widget + server middleware for Express and Next.js",
+  "keywords": [
+    "agentvisa",
+    "verification",
+    "ai-agents",
+    "widget",
+    "middleware",
+    "express",
+    "nextjs",
+    "5-factor"
+  ],
+  "author": "AgentVisa",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/agentvisa/widget.git"
+  },
+  "bugs": {
+    "url": "https://github.com/agentvisa/widget/issues"
+  },
+  "homepage": "https://agentvisa.ai",
+  "type": "module",
+  "main": "dist/widget.js",
+  "module": "dist/widget.esm.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "exports": {
+    ".": {
+      "import": "./dist/widget.esm.js",
+      "require": "./dist/widget.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./express": {
+      "import": "./dist/express/index.js",
+      "require": "./dist/express/index.js",
+      "types": "./dist/express/index.d.ts"
+    },
+    "./next": {
+      "import": "./dist/next/index.js",
+      "require": "./dist/next/index.js",
+      "types": "./dist/next/index.d.ts"
+    }
+  },
+  "scripts": {
+    "build": "rollup -c && tsc -p tsconfig.middleware.json",
+    "clean": "rm -rf dist",
+    "dev": "npm run build",
+    "prepublishOnly": "npm run clean && npm run build"
+  },
+  "devDependencies": {
+    "@rollup/plugin-typescript": "^11.1.0",
+    "@types/express": "^4.17.21",
+    "@types/node": "^22.0.0",
+    "rollup": "^4.17.0",
+    "rollup-plugin-dts": "^6.0.0",
+    "tslib": "^2.8.1",
+    "typescript": "^5.4.0"
+  },
+  "peerDependencies": {
+    "express": ">=4.0.0"
+  },
+  "peerDependenciesMeta": {
+    "express": {
+      "optional": true
+    }
+  }
+}