@dexterai/x402 1.7.2 → 1.8.1

package/dist/server/index.cjs

@@ -107,25 +107,77 @@ function decodeBase64Json(encoded) {
 }
 
 // src/server/facilitator-client.ts
+function isRetryable(error) {
+  if (error instanceof TypeError) return true;
+  if (error && typeof error === "object" && "status" in error) {
+    const status = error.status;
+    return status >= 500 && status < 600;
+  }
+  return false;
+}
+var HttpError = class extends Error {
+  status;
+  body;
+  constructor(status, body) {
+    super(`HTTP ${status}`);
+    this.status = status;
+    this.body = body;
+  }
+};
 var FacilitatorClient = class {
   facilitatorUrl;
   cachedSupported = null;
   cacheTime = 0;
   CACHE_TTL_MS = 6e4;
-  // 1 minute cache
-  constructor(facilitatorUrl = DEXTER_FACILITATOR_URL) {
+  timeoutMs;
+  maxRetries;
+  retryBaseMs;
+  constructor(facilitatorUrl = DEXTER_FACILITATOR_URL, config) {
     this.facilitatorUrl = facilitatorUrl.replace(/\/$/, "");
+    this.timeoutMs = config?.timeoutMs ?? 1e4;
+    this.maxRetries = config?.maxRetries ?? 3;
+    this.retryBaseMs = config?.retryBaseMs ?? 500;
+  }
+  async fetchWithTimeout(url, init) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), this.timeoutMs);
+    try {
+      return await fetch(url, { ...init, signal: controller.signal });
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+  async fetchWithRetry(url, init) {
+    let lastError;
+    for (let attempt = 0; attempt < this.maxRetries; attempt++) {
+      try {
+        const response = await this.fetchWithTimeout(url, init);
+        if (!response.ok && response.status >= 500) {
+          throw new HttpError(response.status, await response.text());
+        }
+        return response;
+      } catch (error) {
+        lastError = error;
+        if (attempt < this.maxRetries - 1 && isRetryable(error)) {
+          const delay = this.retryBaseMs * Math.pow(2, attempt);
+          await new Promise((r) => setTimeout(r, delay));
+          continue;
+        }
+        throw error;
+      }
+    }
+    throw lastError;
   }
   /**
-   * Get supported payment kinds from the facilitator
-   * Results are cached for 1 minute to reduce network calls
+   * Get supported payment kinds from the facilitator.
+   * Results are cached for 1 minute to reduce network calls.
    */
   async getSupported() {
     const now = Date.now();
     if (this.cachedSupported && now - this.cacheTime < this.CACHE_TTL_MS) {
       return this.cachedSupported;
     }
-    const response = await fetch(`${this.facilitatorUrl}/supported`);
+    const response = await this.fetchWithTimeout(`${this.facilitatorUrl}/supported`);
     if (!response.ok) {
       throw new Error(`Facilitator /supported returned ${response.status}`);
     }
@@ -135,9 +187,6 @@ var FacilitatorClient = class {
   }
   /**
    * Get the fee payer address for a specific network
-   *
-   * @param network - CAIP-2 network identifier
-   * @returns Fee payer address
    */
   async getFeePayer(network) {
     const supported = await this.getSupported();
@@ -153,9 +202,6 @@ var FacilitatorClient = class {
   }
   /**
    * Get extra data for a network (feePayer, decimals, EIP-712 data, etc.)
-   *
-   * @param network - CAIP-2 network identifier
-   * @returns Extra data from /supported
    */
   async getNetworkExtra(network) {
     const supported = await this.getSupported();
@@ -165,30 +211,22 @@ var FacilitatorClient = class {
     return kind?.extra;
   }
   /**
-   * Verify a payment with the facilitator
-   *
-   * @param paymentSignatureHeader - Base64-encoded PAYMENT-SIGNATURE header value
-   * @param requirements - The payment requirements that were sent to the client
-   * @returns Verification response
+   * Verify a payment with the facilitator.
+   * Retries on 5xx and network errors with exponential backoff.
    */
   async verifyPayment(paymentSignatureHeader, requirements) {
     try {
       const paymentPayload = decodeBase64Json(paymentSignatureHeader);
-      const verifyPayload = {
-        x402Version: 2,
-        paymentPayload,
-        paymentRequirements: requirements
-      };
-      const response = await fetch(`${this.facilitatorUrl}/verify`, {
+      const response = await this.fetchWithRetry(`${this.facilitatorUrl}/verify`, {
         method: "POST",
-        headers: {
-          "Content-Type": "application/json"
-        },
-        body: JSON.stringify(verifyPayload)
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          x402Version: 2,
+          paymentPayload,
+          paymentRequirements: requirements
+        })
       });
       if (!response.ok) {
-        const errorText = await response.text();
-        console.error(`Facilitator /verify returned ${response.status}:`, errorText);
         return {
           isValid: false,
           invalidReason: `facilitator_error_${response.status}`
@@ -196,38 +234,27 @@ var FacilitatorClient = class {
       }
       return await response.json();
     } catch (error) {
-      console.error("Payment verification failed:", error);
-      return {
-        isValid: false,
-        invalidReason: error instanceof Error ? error.message : "unexpected_verify_error"
-      };
+      const reason = error instanceof HttpError ? `facilitator_error_${error.status}` : error instanceof Error && error.name === "AbortError" ? "facilitator_timeout" : error instanceof Error ? error.message : "unexpected_verify_error";
+      return { isValid: false, invalidReason: reason };
     }
   }
   /**
-   * Settle a payment with the facilitator
-   *
-   * @param paymentSignatureHeader - Base64-encoded PAYMENT-SIGNATURE header value
-   * @param requirements - The payment requirements that were sent to the client
-   * @returns Settlement response with transaction signature on success
+   * Settle a payment with the facilitator.
+   * Retries on 5xx and network errors with exponential backoff.
    */
   async settlePayment(paymentSignatureHeader, requirements) {
     try {
       const paymentPayload = decodeBase64Json(paymentSignatureHeader);
-      const settlePayload = {
-        x402Version: 2,
-        paymentPayload,
-        paymentRequirements: requirements
-      };
-      const response = await fetch(`${this.facilitatorUrl}/settle`, {
+      const response = await this.fetchWithRetry(`${this.facilitatorUrl}/settle`, {
         method: "POST",
-        headers: {
-          "Content-Type": "application/json"
-        },
-        body: JSON.stringify(settlePayload)
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          x402Version: 2,
+          paymentPayload,
+          paymentRequirements: requirements
+        })
       });
       if (!response.ok) {
-        const errorText = await response.text();
-        console.error(`Facilitator /settle returned ${response.status}:`, errorText);
         return {
           success: false,
           network: requirements.network,
@@ -235,22 +262,27 @@ var FacilitatorClient = class {
         };
       }
       const result = await response.json();
-      return {
-        ...result,
-        network: requirements.network
-      };
+      return { ...result, network: requirements.network };
     } catch (error) {
-      console.error("Payment settlement failed:", error);
+      const reason = error instanceof HttpError ? `facilitator_error_${error.status}` : error instanceof Error && error.name === "AbortError" ? "facilitator_timeout" : error instanceof Error ? error.message : "unexpected_settle_error";
       return {
         success: false,
         network: requirements.network,
-        errorReason: error instanceof Error ? error.message : "unexpected_settle_error"
+        errorReason: reason
       };
     }
   }
 };
 
 // src/server/x402-server.ts
+function extractAmountFromHeader(paymentSignatureHeader) {
+  try {
+    const decoded = decodeBase64Json(paymentSignatureHeader);
+    return decoded?.accepted?.amount ?? decoded?.accepted?.maxAmountRequired;
+  } catch {
+    return void 0;
+  }
+}
 function createX402Server(config) {
   const {
     payTo,
@@ -261,6 +293,29 @@ function createX402Server(config) {
   } = config;
   const facilitator = new FacilitatorClient(facilitatorUrl);
   let cachedExtra = null;
+  const requirementsCache = /* @__PURE__ */ new Map();
+  const CACHE_PRUNE_INTERVAL = 3e4;
+  let lastPrune = Date.now();
+  function cacheRequirements(accept) {
+    const ttl = (accept.maxTimeoutSeconds || defaultTimeoutSeconds) * 1e3;
+    requirementsCache.set(accept.payTo, { accept, expiresAt: Date.now() + ttl });
+    if (Date.now() - lastPrune > CACHE_PRUNE_INTERVAL) {
+      const now = Date.now();
+      for (const [key, entry] of requirementsCache) {
+        if (entry.expiresAt < now) requirementsCache.delete(key);
+      }
+      lastPrune = now;
+    }
+  }
+  function getCachedRequirements(address) {
+    const entry = requirementsCache.get(address);
+    if (!entry) return void 0;
+    if (entry.expiresAt < Date.now()) {
+      requirementsCache.delete(address);
+      return void 0;
+    }
+    return entry.accept;
+  }
   async function resolvePayTo(context) {
     if (typeof payTo === "string") return payTo;
     return payTo(context || {});
@@ -269,15 +324,15 @@ function createX402Server(config) {
     if (!cachedExtra) {
       cachedExtra = await facilitator.getNetworkExtra(network);
     }
-    if (!cachedExtra?.feePayer) {
+    const isSvm = network.startsWith("solana:");
+    if (isSvm && !cachedExtra?.feePayer) {
       throw new Error(`Facilitator does not provide feePayer for network "${network}"`);
     }
     return {
-      feePayer: cachedExtra.feePayer,
-      decimals: cachedExtra.decimals ?? asset.decimals,
-      // Include any additional EIP-712 data for EVM chains
-      name: cachedExtra.name,
-      version: cachedExtra.version
+      ...cachedExtra?.feePayer ? { feePayer: cachedExtra.feePayer } : {},
+      decimals: cachedExtra?.decimals ?? asset.decimals,
+      name: cachedExtra?.name,
+      version: cachedExtra?.version
     };
   }
   async function buildPaymentAccept(resolvedPayTo, options) {
@@ -286,7 +341,7 @@ function createX402Server(config) {
       timeoutSeconds = defaultTimeoutSeconds
     } = options;
     const extra = await getNetworkExtra();
-    return {
+    const accept = {
       scheme: "exact",
       network,
       amount: amountAtomic,
@@ -296,6 +351,8 @@ function createX402Server(config) {
       maxTimeoutSeconds: timeoutSeconds,
       extra
     };
+    cacheRequirements(accept);
+    return accept;
   }
   async function getPaymentAccept(options) {
     const address = await resolvePayTo({
@@ -338,14 +395,26 @@ function createX402Server(config) {
   async function verifyPayment(paymentSignatureHeader, requirements) {
     if (!requirements) {
       const address = await resolvePayTo({ paymentHeader: paymentSignatureHeader });
-      requirements = await buildPaymentAccept(address, { amountAtomic: "0", resourceUrl: "" });
+      requirements = getCachedRequirements(address);
+      if (!requirements) {
+        requirements = await buildPaymentAccept(address, {
+          amountAtomic: extractAmountFromHeader(paymentSignatureHeader) ?? "0",
+          resourceUrl: ""
+        });
+      }
     }
     return facilitator.verifyPayment(paymentSignatureHeader, requirements);
   }
   async function settlePayment(paymentSignatureHeader, requirements) {
     if (!requirements) {
       const address = await resolvePayTo({ paymentHeader: paymentSignatureHeader });
-      requirements = await buildPaymentAccept(address, { amountAtomic: "0", resourceUrl: "" });
+      requirements = getCachedRequirements(address);
+      if (!requirements) {
+        requirements = await buildPaymentAccept(address, {
+          amountAtomic: extractAmountFromHeader(paymentSignatureHeader) ?? "0",
+          resourceUrl: ""
+        });
+      }
     }
     return facilitator.settlePayment(paymentSignatureHeader, requirements);
   }
@@ -364,6 +433,15 @@ function createX402Server(config) {
 // src/server/middleware.ts
 var DEFAULT_NETWORK = "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp";
 var USDC_DECIMALS = 6;
+function resolvePayToForNetwork(payTo, network) {
+  if (typeof payTo === "string" || typeof payTo === "function") return payTo;
+  if (network in payTo) return payTo[network];
+  const prefix = network.split(":")[0];
+  const globKey = `${prefix}:*`;
+  if (globKey in payTo) return payTo[globKey];
+  if ("*" in payTo) return payTo["*"];
+  throw new Error(`No payTo configured for network "${network}"`);
+}
 function x402Middleware(config) {
   const {
     payTo,
@@ -378,18 +456,37 @@ function x402Middleware(config) {
     getAmount,
     getDescription
   } = config;
-  const providerDefaults = typeof payTo !== "string" ? payTo._x402Defaults : void 0;
-  const network = config.network ?? providerDefaults?.network ?? DEFAULT_NETWORK;
-  const facilitatorUrl = config.facilitatorUrl ?? providerDefaults?.facilitatorUrl;
   const log = verbose ? console.log.bind(console, "[x402:middleware]") : () => {
   };
-  const server = createX402Server({
-    payTo,
-    network,
-    asset,
-    facilitatorUrl,
-    defaultTimeoutSeconds: timeoutSeconds
-  });
+  const singleProviderDefaults = typeof payTo === "function" ? payTo._x402Defaults : void 0;
+  const facilitatorUrl = config.facilitatorUrl ?? singleProviderDefaults?.facilitatorUrl;
+  const configuredNetworks = (() => {
+    if (config.network) {
+      return Array.isArray(config.network) ? config.network : [config.network];
+    }
+    if (singleProviderDefaults?.network) return [singleProviderDefaults.network];
+    return [DEFAULT_NETWORK];
+  })();
+  const servers = /* @__PURE__ */ new Map();
+  for (const net of configuredNetworks) {
+    const netPayTo = resolvePayToForNetwork(payTo, net);
+    if (typeof netPayTo === "function" && netPayTo._stripeNetwork) {
+      const stripeNet = netPayTo._stripeNetwork;
+      if (net !== stripeNet) {
+        throw new Error(
+          `stripePayTo is configured for "${stripeNet}" but middleware includes network "${net}". Stripe only supports Base deposit addresses. Use a static payTo for other chains.`
+        );
+      }
+    }
+    servers.set(net, createX402Server({
+      payTo: netPayTo,
+      network: net,
+      asset,
+      facilitatorUrl,
+      defaultTimeoutSeconds: timeoutSeconds
+    }));
+  }
+  const primaryServer = servers.get(configuredNetworks[0]);
   return async (req, res, next) => {
     try {
       const paymentSignature = req.headers["payment-signature"];
@@ -407,8 +504,23 @@ function x402Middleware(config) {
           mimeType,
           timeoutSeconds
         };
-        const requirements = await server.buildRequirements(requirementsOptions);
-        const encoded = server.encodeRequirements(requirements);
+        const allAccepts = [];
+        let requirements = null;
+        for (const [, srv] of servers) {
+          try {
+            const reqs = await srv.buildRequirements(requirementsOptions);
+            allAccepts.push(...reqs.accepts);
+            if (!requirements) requirements = reqs;
+          } catch (e) {
+            log("Failed to build requirements for a network:", e);
+          }
+        }
+        if (!requirements || allAccepts.length === 0) {
+          res.status(500).json({ error: "Failed to build payment requirements" });
+          return;
+        }
+        requirements = { ...requirements, accepts: allAccepts };
+        const encoded = primaryServer.encodeRequirements(requirements);
         res.setHeader("PAYMENT-REQUIRED", encoded);
         res.status(402).json({
           error: "Payment required",
@@ -418,7 +530,16 @@ function x402Middleware(config) {
         return;
       }
       log("Payment signature received, verifying...");
-      const verifyResult = await server.verifyPayment(paymentSignature);
+      let targetServer = primaryServer;
+      try {
+        const decoded = JSON.parse(Buffer.from(paymentSignature, "base64").toString());
+        const paymentNetwork = decoded?.accepted?.network;
+        if (paymentNetwork && servers.has(paymentNetwork)) {
+          targetServer = servers.get(paymentNetwork);
+        }
+      } catch {
+      }
+      const verifyResult = await targetServer.verifyPayment(paymentSignature);
       if (!verifyResult.isValid) {
         log("Payment verification failed:", verifyResult.invalidReason);
         res.status(402).json({
@@ -428,7 +549,7 @@ function x402Middleware(config) {
         return;
       }
       log("Payment verified, settling...");
-      const settleResult = await server.settlePayment(paymentSignature);
+      const settleResult = await targetServer.settlePayment(paymentSignature);
       if (!settleResult.success) {
         log("Payment settlement failed:", settleResult.errorReason);
         res.status(402).json({
@@ -438,15 +559,16 @@ function x402Middleware(config) {
         return;
       }
       log("Payment settled:", settleResult.transaction);
+      const settledNetwork = settleResult.network || configuredNetworks[0];
       req.x402 = {
         transaction: settleResult.transaction,
         payer: verifyResult.payer ?? "",
-        network
+        network: settledNetwork
       };
       const paymentResponseData = {
         success: true,
         transaction: settleResult.transaction,
-        network,
+        network: settledNetwork,
         payer: verifyResult.payer ?? ""
       };
       if (settleResult.extensions) {
@@ -482,6 +604,9 @@ function x402Middleware(config) {
 }
 
 // src/server/browser-support.ts
+function esc(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
 var USDC_ICON_SVG = `<svg width="18" height="18" viewBox="0 0 2000 2000" xmlns="http://www.w3.org/2000/svg"><path d="M1000 2000c554.17 0 1000-445.83 1000-1000S1554.17 0 1000 0 0 445.83 0 1000s445.83 1000 1000 1000z" fill="#2775ca"/><path d="M1275 1158.33c0-145.83-87.5-195.83-262.5-216.66-125-16.67-150-50-150-108.34s41.67-95.83 125-95.83c75 0 116.67 25 137.5 87.5 4.17 12.5 16.67 20.83 29.17 20.83h66.66c16.67 0 29.17-12.5 29.17-29.16v-4.17c-16.67-91.67-91.67-162.5-187.5-170.83v-100c0-16.67-12.5-29.17-33.33-33.34h-62.5c-16.67 0-29.17 12.5-33.34 33.34v95.83c-125 16.67-204.16 100-204.16 204.17 0 137.5 83.33 191.66 258.33 212.5 116.67 20.83 154.17 45.83 154.17 112.5s-58.34 112.5-137.5 112.5c-108.34 0-145.84-45.84-158.34-108.34-4.16-16.66-16.66-25-29.16-25h-70.84c-16.66 0-29.16 12.5-29.16 29.17v4.17c16.66 104.16 83.33 179.16 220.83 200v100c0 16.66 12.5 29.16 33.33 33.33h62.5c16.67 0 29.17-12.5 33.34-33.33v-100c125-20.84 208.33-108.34 208.33-220.84z" fill="#fff"/><path d="M787.5 1595.83c-325-116.66-491.67-479.16-370.83-800 62.5-175 200-308.33 370.83-370.83 16.67-8.33 25-20.83 25-41.67V325c0-16.67-8.33-29.17-25-33.33-4.17 0-12.5 0-16.67 4.16-395.83 125-612.5 545.84-487.5 941.67 75 233.33 254.17 412.5 487.5 487.5 16.67 8.33 33.34 0 37.5-16.67 4.17-4.16 4.17-8.33 4.17-16.66v-58.34c0-12.5-12.5-29.16-25-37.5zM1229.17 295.83c-16.67-8.33-33.34 0-37.5 16.67-4.17 4.17-4.17 8.33-4.17 16.67v58.33c0 16.67 12.5 33.33 25 41.67 325 116.66 491.67 479.16 370.83 800-62.5 175-200 308.33-370.83 370.83-16.67 8.33-25 20.83-25 41.67V1700c0 16.67 8.33 29.17 25 33.33 4.17 0 12.5 0 16.67-4.16 395.83-125 612.5-545.84 487.5-941.67-75-237.5-258.34-416.67-487.5-491.67z" fill="#fff"/></svg>`;
 var DEXTER_CREST_SVG = `<svg width="36" height="36" viewBox="0 0 300 300" xmlns="http://www.w3.org/2000/svg"><g><path fill="#F2681A" d="m324.93,313.11c-115.5,0-231,0-350,0l350,0z"/><path fill="#FDFAF5" d="m230.43,50.62c1.1.85 2.19 1.7 3.32 2.57 6.02 4.8 11.77 9.88 17.46 15.07.92.84.92.84 1.86 1.69 1.82 1.69 3.59 3.42 5.35 5.16.61.56 1.22 1.13 1.84 1.71 5.66 5.76 6.18 10.43 6.13 18.3.02 1.16.04 2.32.06 3.52.06 3.83.06 7.65.07 11.48.02 2.68.05 5.35.08 8.03.05 5.6.09 11.21.1 16.81.02 7.15.09 14.31.17 21.46.06 5.53.1 11.05.13 16.58.02 2.64.04 5.27.07 7.91.18 17.58.12 32.82-11.24 47.32-7.35 7.27-16.54 12.06-25.42 17.22-1.97 1.16-3.94 2.33-5.91 3.49-7.16 4.24-14.34 8.44-21.53 12.62-4.8 2.79-9.59 5.6-14.38 8.42-1.25.73-2.5 1.47-3.79 2.23-2.32 1.36-4.64 2.73-6.96 4.1-27.47 16.09-27.47 16.09-42.16 12.93-8.06-2.28-14.94-5.82-22.16-10.02-1.17-.67-2.34-1.34-3.54-2.04-24.55-14.25-43.58-27.03-51.9-55.58-1.07-4.58-1.54-8.92-1.52-13.61.28-9.5.28-9.5-3.3-17.97-1.81-1.49-3.68-2.92-5.59-4.28-9.19-7.06-12.7-20.03-14.18-31.06-.54-5.77-.55-11.56-.6-17.35-.03-1.32-.07-2.63-.1-3.99-.01-1.26-.02-2.53-.03-3.83-.02-1.15-.03-2.29-.05-3.47.72-4.02 1.94-5.36 5.21-7.74 2.89-.53 2.89-.53 6.07-.46 1.71.02 1.71.02 3.46.05 1.19.04 2.37.08 3.59.12 1.2.02 2.41.04 3.65.06 2.97.05 5.93.13 8.9.23.14-1.35.29-2.7.43-4.08.63-5 1.78-9.74 3.14-14.58.22-.79.43-1.59.66-2.4.53-1.92 1.06-3.84 1.6-5.76-1.55-.45-1.55-.45-3.13-.9-9.52-3.52-17.1-10.95-21.37-20.1-3.81-9.26-3.87-20.34-.29-29.68 6.49-13.99 16.36-23.23 30.66-29.01 49.81-17.69 115.79 8.35 155.13 38.85z"/><path fill="#F2671A" d="m142.93,22.62c.86.19 1.73.39 2.62.59 36.12 8.21 68.79 24.98 95.38 50.75 1.02.98 2.03 1.97 3.08 2.98 10.84 10.66 10.84 10.66 11.05 14.62-2.06 3.55-5.44 4.18-9.17 5.3-.79.25-1.59.49-2.41.75-28.13 8.43-60.95 6.37-87.13-7.16-.86-.49-1.71-.97-2.6-1.48-7.37-4.05-12.59-3.36-20.59-1.54-22.76 4-48.47 1.53-68.69-9.74-4.88-3.88-8.23-8.29-10.21-14.22-.93-10.38-.67-18.44 5.83-26.83 19.57-23.38 55.99-20.36 82.83-14z"/><path fill="#F16619" d="m44.93,129.12c27.36-.03 54.72-.05 82.08-.06 12.7-.01 25.41-.01 38.11-.03 11.07-.01 22.14-.02 33.2-.02 5.86 0 11.73-.01 17.59-.01 5.51-.01 11.03-.01 16.54-.01 2.03 0 4.06 0 6.09-.01 2.76-.01 5.52 0 8.28 0 .81 0 1.63-.01 2.47-.01 5.51.02 5.51.02 6.81 1.32.22 3.43.22 3.43 0 7-2.75 2.75-3.42 2.66-7.15 2.82-1.41.07-1.41.07-2.85.14-1.47.05-1.47.05-2.98.11-1.49.07-1.49.07-3 .14-2.45.11-4.9.21-7.35.3-.2 1.3-.4 2.59-.6 3.93-2.57 16.08-5.93 29.89-18.89 40.86-10.35 7.28-21.87 8.49-34.17 7.71-13.11-2.33-22.52-9.19-30.33-19.83-4.49-7.64-4.8-17.05-5.83-25.67-4.24.39-8.47.77-12.83 1.17-.28 1.84-.28 1.84-.56 3.71-2.32 14.39-5.63 23.35-16.95 33.11-2.32 1.67-2.32 1.67-4.65 1.67 4 4.67 9.06 6.59 14.87 8.24 3.79 1.09 3.79 1.09 6.12 3.43-.65 5.31-.65 5.31-2.33 7-8.42-.27-15.13-2.29-22.17-7-1.09-1.21-2.17-2.43-3.25-3.65-2.72-2.81-4.45-3.84-8.36-4.16-1.67-.02-3.34-.02-5.01.01-1.77-.04-3.54-.09-5.3-.15-1.27-.04-1.27-.04-2.56-.08-9.26-.54-17.6-4.56-24.51-10.64-9.58-11.11-11.03-22.56-10.72-36.82.02-1.4.03-2.8.05-4.24.04-3.42.1-6.85.17-10.27z"/><path fill="#F26117" d="m172.68,203.08c7.27.09 13.23 1.97 18.87 6.65 2.88 3.07 3.86 5.12 4.25 9.32-.12 1.01-.24 2.02-.36 3.06-2.55.95-2.55.95-5.83 1.17-3.28-2.84-3.28-2.84-5.83-5.83-.36.58-.71 1.16-1.08 1.75-7.6 11.29-20.06 17.74-33.05 21.09-20.36 3.1-36.81-1.66-53.37-13.73-2.33-2.11-2.33-2.11-4.67-5.61.42-3.45.99-4.49 3.5-7 4.07.37 5.95 2.13 8.75 4.96 9.81 8.93 22.53 11.87 35.51 11.69 11.74-1.05 22.38-5.85 31.57-13.15 2.06-2.45 2.06-2.45 3.5-4.67-1.66.07-1.66.07-3.35.15-3.65-.15-3.65-.15-5.98-2.48.75-6.18 1.46-7.19 7.58-7.36z"/></g></svg>`;
 var DEXTER_STYLES = `
@@ -741,22 +866,22 @@ function generatePaywallHtml(paymentRequiredHeader, requestUrl, method, config,
   } catch {
   }
   const chainName = network.includes("solana") ? "Solana" : network.includes("eip155") ? "Base" : "";
-  const endpointSection = config.showEndpoint ? `<div class="endpoint"><code>${method} ${requestUrl}</code></div>` : "";
+  const endpointSection = config.showEndpoint ? `<div class="endpoint"><code>${esc(method)} ${esc(requestUrl)}</code></div>` : "";
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
-<title>${config.title} \u2014 ${price} USDC</title>
+<title>${esc(config.title)} \u2014 ${esc(price)} USDC</title>
 <style>${DEXTER_STYLES}${PAY_BUTTON_STYLES}</style>
 </head>
 <body>
 <div class="card">
   <div class="crest">${DEXTER_CREST_SVG}</div>
-  <h1>${config.title}</h1>
-  <p class="desc">${description}</p>
-  <div class="price">${USDC_ICON_SVG}<span id="price-value">${price}</span></div>
-  <div class="chain">${chainName}${chainName ? " network" : ""}</div>
+  <h1>${esc(config.title)}</h1>
+  <p class="desc">${esc(description)}</p>
+  <div class="price">${USDC_ICON_SVG}<span id="price-value">${esc(price)}</span></div>
+  <div class="chain">${esc(chainName)}${chainName ? " network" : ""}</div>
   ${endpointSection}
 
   <div id="pay-section" class="pay-section" style="display:none">
@@ -890,11 +1015,15 @@ function x402AccessPass(config) {
     facilitatorUrl,
     tiers: tierPrices,
     ratePerHour,
-    secret = import_crypto.default.randomBytes(32),
+    secret: explicitSecret,
     issuer = "x402-access-pass",
     verbose = false,
     description
   } = config;
+  const secret = explicitSecret ?? import_crypto.default.randomBytes(32);
+  if (!explicitSecret) {
+    console.warn("[x402:access-pass] No secret provided \u2014 access passes will be invalidated on server restart. Set `secret` for production use.");
+  }
   if (!tierPrices && !ratePerHour) {
     throw new Error("x402AccessPass: at least one of `tiers` or `ratePerHour` is required");
   }
@@ -1903,13 +2032,9 @@ function stripePayTo(secretKeyOrConfig) {
       amount: amountInCents,
       currency: "usd",
       payment_method_types: ["crypto"],
-      payment_method_data: {
-        type: "crypto"
-      },
+      payment_method_data: { type: "crypto" },
       payment_method_options: {
-        crypto: {
-          mode: "custom"
-        }
+        crypto: { mode: "custom" }
       },
       confirm: true
     });
@@ -1932,6 +2057,7 @@ function stripePayTo(secretKeyOrConfig) {
     network: caip2Network,
     facilitatorUrl: "https://x402.dexter.cash"
   };
+  provider._stripeNetwork = caip2Network;
   return provider;
 }
 // Annotate the CommonJS export names for ESM import in node: