npm - @metr-sdk/express - Versions diffs - 0.1.0 → 0.2.0 - Mend

@metr-sdk/express 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,9 +1,9 @@
 /**
- * @metr/express - One line of middleware to monetize any Express.js API
+ * @metr-sdk/express - One line of middleware to monetize any Express.js API
  *
  * @example
  * ```typescript
- * import { metr } from '@metr/express';
+ * import { metr } from '@metr-sdk/express';
  *
  * app.post('/api/summarize', metr({ price: 0.001 }), (req, res) => {
  *   res.json({ summary: 'Your text summary...' });
@@ -24,11 +24,17 @@ export interface MetrConfig {
     endpointId?: string;
     /** metr gateway URL. Falls back to METR_GATEWAY_URL env var */
     gatewayUrl?: string;
+    /** Ed25519 public key (base64). Falls back to METR_PUBLIC_KEY env var.
+     *  If not set, fetched from gateway on first request. */
+    publicKey?: string;
+    /** Max token age in seconds. Reject tokens older than this even if not expired. */
+    maxTokenAge?: number;
+    /** Require IP whitelist in JWT. If true, requests without ips claim are rejected. */
+    requireIp?: boolean;
 }
 export interface MetrPaymentInfo {
-    sessionToken: string;
     buyerId: string;
-    balanceUsd: number;
+    tokenIssuedAt: number;
 }
 declare global {
     namespace Express {
@@ -40,9 +46,9 @@ declare global {
 /**
  * metr middleware - add to any Express route to require payment.
  *
- * Checks for a valid billing session token in the `Authorization` header.
- * If missing or invalid, returns 402 Payment Required with a checkout URL.
- * If valid, meters the usage and passes control to your handler.
+ * Verifies buyer JWT locally (Ed25519, ~0.05ms, zero network calls).
+ * If missing/invalid, returns 402 Payment Required with deposit URL.
+ * After handler completes, fires usage event to gateway (async, non-blocking).
  */
 export declare function metr(config: MetrConfig): (req: Request, res: Response, next: NextFunction) => Promise<void>;
 export default metr;

package/dist/index.js CHANGED Viewed

@@ -1,10 +1,10 @@
 "use strict";
 /**
- * @metr/express - One line of middleware to monetize any Express.js API
+ * @metr-sdk/express - One line of middleware to monetize any Express.js API
  *
  * @example
  * ```typescript
- * import { metr } from '@metr/express';
+ * import { metr } from '@metr-sdk/express';
  *
  * app.post('/api/summarize', metr({ price: 0.001 }), (req, res) => {
  *   res.json({ summary: 'Your text summary...' });
@@ -13,103 +13,229 @@
  *
  * @packageDocumentation
  */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.metr = metr;
+const crypto_1 = require("crypto");
+let cachedPublicKey = null;
+let publicKeyFetchPromise = null;
+async function getPublicKey(config) {
+    if (cachedPublicKey)
+        return cachedPublicKey;
+    if (config.publicKey) {
+        cachedPublicKey = base64UrlDecode(config.publicKey);
+        return cachedPublicKey;
+    }
+    // Fetch from gateway (once)
+    if (!publicKeyFetchPromise) {
+        publicKeyFetchPromise = (async () => {
+            const res = await fetch(`${config.gatewayUrl}/.well-known/metr.json`);
+            const data = await res.json();
+            cachedPublicKey = base64UrlDecode(data.public_key);
+        })();
+    }
+    await publicKeyFetchPromise;
+    return cachedPublicKey;
+}
+function base64UrlDecode(str) {
+    const padded = str.replace(/-/g, '+').replace(/_/g, '/');
+    const binary = Buffer.from(padded, 'base64');
+    return new Uint8Array(binary);
+}
+async function verifyJwt(token, publicKey) {
+    const parts = token.split('.');
+    if (parts.length !== 3)
+        throw new Error('invalid JWT format');
+    const message = `${parts[0]}.${parts[1]}`;
+    const signatureBytes = base64UrlDecode(parts[2]);
+    // Ed25519 verify using Node.js crypto
+    const { createPublicKey, verify } = await Promise.resolve().then(() => __importStar(require('crypto')));
+    const key = createPublicKey({
+        key: Buffer.concat([
+            // Ed25519 DER prefix for public key
+            Buffer.from('302a300506032b6570032100', 'hex'),
+            Buffer.from(publicKey),
+        ]),
+        format: 'der',
+        type: 'spki',
+    });
+    const isValid = verify(null, Buffer.from(message), key, Buffer.from(signatureBytes));
+    if (!isValid)
+        throw new Error('invalid signature');
+    // Decode claims
+    const payloadJson = Buffer.from(base64UrlDecode(parts[1])).toString('utf-8');
+    const claims = JSON.parse(payloadJson);
+    // Check expiry
+    const now = Math.floor(Date.now() / 1000);
+    if (now > claims.exp)
+        throw new Error('token expired');
+    return claims;
+}
+function extractTokenSig(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3)
+        return '';
+    const sigBytes = base64UrlDecode(parts[2]);
+    return Buffer.from(sigBytes.slice(0, 16)).toString('hex');
+}
 const DEFAULT_GATEWAY_URL = 'https://api.metr.dev';
+function resolveConfig(config) {
+    const apiKey = config.apiKey || process.env.METR_API_KEY;
+    if (!apiKey)
+        throw new Error('metr: API key required. Set config.apiKey or METR_API_KEY env var.');
+    return {
+        price: config.price,
+        unitType: config.unitType || 'request',
+        apiKey,
+        endpointId: config.endpointId || process.env.METR_ENDPOINT_ID || '',
+        gatewayUrl: config.gatewayUrl || process.env.METR_GATEWAY_URL || DEFAULT_GATEWAY_URL,
+        publicKey: config.publicKey || process.env.METR_PUBLIC_KEY,
+        maxTokenAge: config.maxTokenAge,
+        requireIp: config.requireIp || false,
+    };
+}
+// ── Middleware ──
 /**
  * metr middleware - add to any Express route to require payment.
  *
- * Checks for a valid billing session token in the `Authorization` header.
- * If missing or invalid, returns 402 Payment Required with a checkout URL.
- * If valid, meters the usage and passes control to your handler.
+ * Verifies buyer JWT locally (Ed25519, ~0.05ms, zero network calls).
+ * If missing/invalid, returns 402 Payment Required with deposit URL.
+ * After handler completes, fires usage event to gateway (async, non-blocking).
  */
 function metr(config) {
-    const apiKey = config.apiKey || process.env.METR_API_KEY;
-    const endpointId = config.endpointId || process.env.METR_ENDPOINT_ID;
-    const gatewayUrl = config.gatewayUrl || process.env.METR_GATEWAY_URL || DEFAULT_GATEWAY_URL;
-    if (!apiKey) {
-        throw new Error('metr: API key required. Set config.apiKey or METR_API_KEY env var.');
-    }
+    const resolved = resolveConfig(config);
     return async (req, res, next) => {
-        // Extract session token from Authorization header
-        const authHeader = req.headers.authorization;
-        const sessionToken = authHeader?.startsWith('Bearer metr_sess_')
-            ? authHeader.slice(7)
-            : null;
-        if (!sessionToken) {
-            // No valid session — return 402 with checkout URL
-            try {
-                const checkoutRes = await fetch(`${gatewayUrl}/api/v1/checkout/create`, {
-                    method: 'POST',
-                    headers: {
-                        'Content-Type': 'application/json',
-                        'X-Metr-Api-Key': apiKey,
-                    },
-                    body: JSON.stringify({
-                        endpoint_id: endpointId,
-                        amount_usd: config.price,
-                    }),
-                });
-                const checkout = await checkoutRes.json();
-                res.status(402).json({
-                    error: 'payment_required',
-                    message: 'This API requires payment. Complete checkout to get access.',
-                    checkout_url: checkout.checkout_url,
-                    price: config.price,
-                    unit_type: config.unitType || 'request',
-                });
-            }
-            catch (err) {
-                res.status(500).json({ error: 'Failed to create checkout session' });
-            }
+        // Read X-Metr-Token header (never Authorization)
+        const token = req.headers['x-metr-token'];
+        if (!token) {
+            res.status(402).json({
+                error: 'payment_required',
+                message: 'This API requires payment. Deposit funds at metr.dev to get a token.',
+                deposit_url: `${resolved.gatewayUrl}/api/v1/wallet/deposit`,
+                price: resolved.price,
+                unit_type: resolved.unitType,
+            });
             return;
         }
-        // Verify session is valid
+        // Verify JWT locally (Ed25519 — no network call)
+        let claims;
         try {
-            const verifyRes = await fetch(`${gatewayUrl}/api/v1/verify`, {
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                    'X-Metr-Api-Key': apiKey,
-                },
-                body: JSON.stringify({ session_token: sessionToken }),
+            const publicKey = await getPublicKey(resolved);
+            claims = await verifyJwt(token, publicKey);
+        }
+        catch (err) {
+            const isExpired = err.message === 'token expired';
+            res.status(402).json({
+                error: isExpired ? 'token_expired' : 'invalid_token',
+                message: isExpired
+                    ? 'Your token has expired. Refresh it at the metr gateway.'
+                    : 'Invalid metr token.',
+                refresh_url: `${resolved.gatewayUrl}/api/v1/token/refresh`,
             });
-            const session = await verifyRes.json();
-            if (!session.valid) {
+            return;
+        }
+        // Check maxTokenAge (provider can enforce shorter lifetime than JWT exp)
+        if (resolved.maxTokenAge) {
+            const now = Math.floor(Date.now() / 1000);
+            const tokenAge = now - claims.iat;
+            if (tokenAge > resolved.maxTokenAge) {
                 res.status(402).json({
-                    error: 'session_expired',
-                    message: 'Your billing session has expired. Please create a new checkout.',
+                    error: 'token_too_old',
+                    message: `Token is ${tokenAge}s old. This endpoint requires tokens < ${resolved.maxTokenAge}s.`,
+                    refresh_url: `${resolved.gatewayUrl}/api/v1/token/refresh`,
                 });
                 return;
             }
-            // Attach payment info to request
-            req.metr = {
-                sessionToken,
-                buyerId: session.buyer_id || '',
-                balanceUsd: session.remaining_balance_usd || 0,
-            };
-            // Let the handler execute
-            next();
-            // After handler completes, record usage (fire and forget)
-            fetch(`${gatewayUrl}/api/v1/meter`, {
+        }
+        // Check IP whitelist
+        if (resolved.requireIp) {
+            if (!claims.ips || claims.ips.length === 0) {
+                res.status(403).json({
+                    error: 'ip_required',
+                    message: 'This endpoint requires IP-bound tokens. Issue a token with ips claim.',
+                });
+                return;
+            }
+            const clientIp = req.ip || req.socket.remoteAddress || '';
+            const allowed = claims.ips.some(ip => {
+                if (ip.includes('/')) {
+                    // CIDR check (simplified — exact match for now)
+                    return clientIp.startsWith(ip.split('/')[0].split('.').slice(0, 3).join('.'));
+                }
+                return ip === clientIp;
+            });
+            if (!allowed) {
+                res.status(403).json({
+                    error: 'ip_not_allowed',
+                    message: `Request from ${clientIp} not in token's IP whitelist.`,
+                });
+                return;
+            }
+        }
+        // Attach buyer info to request
+        req.metr = {
+            buyerId: claims.sub,
+            tokenIssuedAt: claims.iat,
+        };
+        // Run the handler
+        next();
+        // Post-response: fire-and-forget usage metering
+        const tokenSig = extractTokenSig(token);
+        const minuteBucket = new Date().toISOString().slice(0, 16).replace(/[-:T]/g, '');
+        const idempotencyKey = (0, crypto_1.createHash)('sha256')
+            .update(`${tokenSig}${resolved.endpointId}${minuteBucket}`)
+            .digest('hex');
+        res.on('finish', () => {
+            fetch(`${resolved.gatewayUrl}/api/v1/meter`, {
                 method: 'POST',
                 headers: {
                     'Content-Type': 'application/json',
-                    'X-Metr-Api-Key': apiKey,
+                    'X-Metr-Api-Key': resolved.apiKey,
                 },
                 body: JSON.stringify({
-                    endpoint_id: endpointId,
-                    session_token: sessionToken,
+                    endpoint_id: resolved.endpointId,
+                    buyer_token_sig: tokenSig,
+                    buyer_id: claims.sub,
                     units: 1,
-                    unit_type: config.unitType || 'request',
+                    unit_type: resolved.unitType,
+                    idempotency_key: idempotencyKey,
                 }),
             }).catch((err) => {
-                console.error('[metr] Failed to record usage:', err);
+                console.error('[metr] Failed to record usage:', err.message);
             });
-        }
-        catch (err) {
-            res.status(500).json({ error: 'Failed to verify session' });
-        }
+        });
     };
 }
 exports.default = metr;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@metr-sdk/express",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "One line of middleware to monetize any Express.js API",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -10,7 +10,16 @@
     "dev": "tsc --watch",
     "prepublishOnly": "npm run build"
   },
-  "keywords": ["metr", "api", "monetization", "metering", "billing", "stripe", "middleware", "express"],
+  "keywords": [
+    "metr",
+    "api",
+    "monetization",
+    "metering",
+    "billing",
+    "stripe",
+    "middleware",
+    "express"
+  ],
   "license": "MIT",
   "peerDependencies": {
     "express": "^4.0.0 || ^5.0.0"

package/src/index.ts CHANGED Viewed

@@ -1,9 +1,9 @@
 /**
- * @metr/express - One line of middleware to monetize any Express.js API
+ * @metr-sdk/express - One line of middleware to monetize any Express.js API
  *
  * @example
  * ```typescript
- * import { metr } from '@metr/express';
+ * import { metr } from '@metr-sdk/express';
  *
  * app.post('/api/summarize', metr({ price: 0.001 }), (req, res) => {
  *   res.json({ summary: 'Your text summary...' });
@@ -14,6 +14,9 @@
  */
 import { Request, Response, NextFunction } from 'express';
+import { createHash } from 'crypto';
+// ── Configuration ──
 export interface MetrConfig {
   /** Price per unit in USD (e.g., 0.001 = $0.001 per request) */
@@ -30,12 +33,21 @@ export interface MetrConfig {
   /** metr gateway URL. Falls back to METR_GATEWAY_URL env var */
   gatewayUrl?: string;
+  /** Ed25519 public key (base64). Falls back to METR_PUBLIC_KEY env var.
+   *  If not set, fetched from gateway on first request. */
+  publicKey?: string;
+  /** Max token age in seconds. Reject tokens older than this even if not expired. */
+  maxTokenAge?: number;
+  /** Require IP whitelist in JWT. If true, requests without ips claim are rejected. */
+  requireIp?: boolean;
 }
 export interface MetrPaymentInfo {
-  sessionToken: string;
   buyerId: string;
-  balanceUsd: number;
+  tokenIssuedAt: number;
 }
 declare global {
@@ -46,115 +58,242 @@ declare global {
   }
 }
+// ── Ed25519 JWT Verification (local, no network) ──
+interface JwtClaims {
+  sub: string;
+  exp: number;
+  iat: number;
+  ips?: string[];
+}
+let cachedPublicKey: Uint8Array | null = null;
+let publicKeyFetchPromise: Promise<void> | null = null;
+async function getPublicKey(config: ResolvedConfig): Promise<Uint8Array> {
+  if (cachedPublicKey) return cachedPublicKey;
+  if (config.publicKey) {
+    cachedPublicKey = base64UrlDecode(config.publicKey);
+    return cachedPublicKey;
+  }
+  // Fetch from gateway (once)
+  if (!publicKeyFetchPromise) {
+    publicKeyFetchPromise = (async () => {
+      const res = await fetch(`${config.gatewayUrl}/.well-known/metr.json`);
+      const data = await res.json() as { public_key: string };
+      cachedPublicKey = base64UrlDecode(data.public_key);
+    })();
+  }
+  await publicKeyFetchPromise;
+  return cachedPublicKey!;
+}
+function base64UrlDecode(str: string): Uint8Array {
+  const padded = str.replace(/-/g, '+').replace(/_/g, '/');
+  const binary = Buffer.from(padded, 'base64');
+  return new Uint8Array(binary);
+}
+async function verifyJwt(token: string, publicKey: Uint8Array): Promise<JwtClaims> {
+  const parts = token.split('.');
+  if (parts.length !== 3) throw new Error('invalid JWT format');
+  const message = `${parts[0]}.${parts[1]}`;
+  const signatureBytes = base64UrlDecode(parts[2]);
+  // Ed25519 verify using Node.js crypto
+  const { createPublicKey, verify } = await import('crypto');
+  const key = createPublicKey({
+    key: Buffer.concat([
+      // Ed25519 DER prefix for public key
+      Buffer.from('302a300506032b6570032100', 'hex'),
+      Buffer.from(publicKey),
+    ]),
+    format: 'der',
+    type: 'spki',
+  });
+  const isValid = verify(
+    null,
+    Buffer.from(message),
+    key,
+    Buffer.from(signatureBytes),
+  );
+  if (!isValid) throw new Error('invalid signature');
+  // Decode claims
+  const payloadJson = Buffer.from(base64UrlDecode(parts[1])).toString('utf-8');
+  const claims: JwtClaims = JSON.parse(payloadJson);
+  // Check expiry
+  const now = Math.floor(Date.now() / 1000);
+  if (now > claims.exp) throw new Error('token expired');
+  return claims;
+}
+function extractTokenSig(token: string): string {
+  const parts = token.split('.');
+  if (parts.length !== 3) return '';
+  const sigBytes = base64UrlDecode(parts[2]);
+  return Buffer.from(sigBytes.slice(0, 16)).toString('hex');
+}
+// ── Resolved Config ──
+interface ResolvedConfig {
+  price: number;
+  unitType: string;
+  apiKey: string;
+  endpointId: string;
+  gatewayUrl: string;
+  publicKey?: string;
+  maxTokenAge?: number;
+  requireIp: boolean;
+}
 const DEFAULT_GATEWAY_URL = 'https://api.metr.dev';
+function resolveConfig(config: MetrConfig): ResolvedConfig {
+  const apiKey = config.apiKey || process.env.METR_API_KEY;
+  if (!apiKey) throw new Error('metr: API key required. Set config.apiKey or METR_API_KEY env var.');
+  return {
+    price: config.price,
+    unitType: config.unitType || 'request',
+    apiKey,
+    endpointId: config.endpointId || process.env.METR_ENDPOINT_ID || '',
+    gatewayUrl: config.gatewayUrl || process.env.METR_GATEWAY_URL || DEFAULT_GATEWAY_URL,
+    publicKey: config.publicKey || process.env.METR_PUBLIC_KEY,
+    maxTokenAge: config.maxTokenAge,
+    requireIp: config.requireIp || false,
+  };
+}
+// ── Middleware ──
 /**
  * metr middleware - add to any Express route to require payment.
  *
- * Checks for a valid billing session token in the `Authorization` header.
- * If missing or invalid, returns 402 Payment Required with a checkout URL.
- * If valid, meters the usage and passes control to your handler.
+ * Verifies buyer JWT locally (Ed25519, ~0.05ms, zero network calls).
+ * If missing/invalid, returns 402 Payment Required with deposit URL.
+ * After handler completes, fires usage event to gateway (async, non-blocking).
  */
 export function metr(config: MetrConfig) {
-  const apiKey = config.apiKey || process.env.METR_API_KEY;
-  const endpointId = config.endpointId || process.env.METR_ENDPOINT_ID;
-  const gatewayUrl = config.gatewayUrl || process.env.METR_GATEWAY_URL || DEFAULT_GATEWAY_URL;
-  if (!apiKey) {
-    throw new Error('metr: API key required. Set config.apiKey or METR_API_KEY env var.');
-  }
+  const resolved = resolveConfig(config);
   return async (req: Request, res: Response, next: NextFunction): Promise<void> => {
-    // Extract session token from Authorization header
-    const authHeader = req.headers.authorization;
-    const sessionToken = authHeader?.startsWith('Bearer metr_sess_')
-      ? authHeader.slice(7)
-      : null;
-    if (!sessionToken) {
-      // No valid session — return 402 with checkout URL
-      try {
-        const checkoutRes = await fetch(`${gatewayUrl}/api/v1/checkout/create`, {
-          method: 'POST',
-          headers: {
-            'Content-Type': 'application/json',
-            'X-Metr-Api-Key': apiKey,
-          },
-          body: JSON.stringify({
-            endpoint_id: endpointId,
-            amount_usd: config.price,
-          }),
-        });
+    // Read X-Metr-Token header (never Authorization)
+    const token = req.headers['x-metr-token'] as string | undefined;
-        const checkout = await checkoutRes.json() as { checkout_url: string; session_token: string };
+    if (!token) {
+      res.status(402).json({
+        error: 'payment_required',
+        message: 'This API requires payment. Deposit funds at metr.dev to get a token.',
+        deposit_url: `${resolved.gatewayUrl}/api/v1/wallet/deposit`,
+        price: resolved.price,
+        unit_type: resolved.unitType,
+      });
+      return;
+    }
+    // Verify JWT locally (Ed25519 — no network call)
+    let claims: JwtClaims;
+    try {
+      const publicKey = await getPublicKey(resolved);
+      claims = await verifyJwt(token, publicKey);
+    } catch (err: any) {
+      const isExpired = err.message === 'token expired';
+      res.status(402).json({
+        error: isExpired ? 'token_expired' : 'invalid_token',
+        message: isExpired
+          ? 'Your token has expired. Refresh it at the metr gateway.'
+          : 'Invalid metr token.',
+        refresh_url: `${resolved.gatewayUrl}/api/v1/token/refresh`,
+      });
+      return;
+    }
+    // Check maxTokenAge (provider can enforce shorter lifetime than JWT exp)
+    if (resolved.maxTokenAge) {
+      const now = Math.floor(Date.now() / 1000);
+      const tokenAge = now - claims.iat;
+      if (tokenAge > resolved.maxTokenAge) {
         res.status(402).json({
-          error: 'payment_required',
-          message: 'This API requires payment. Complete checkout to get access.',
-          checkout_url: checkout.checkout_url,
-          price: config.price,
-          unit_type: config.unitType || 'request',
+          error: 'token_too_old',
+          message: `Token is ${tokenAge}s old. This endpoint requires tokens < ${resolved.maxTokenAge}s.`,
+          refresh_url: `${resolved.gatewayUrl}/api/v1/token/refresh`,
         });
-      } catch (err) {
-        res.status(500).json({ error: 'Failed to create checkout session' });
+        return;
       }
-      return;
     }
-    // Verify session is valid
-    try {
-      const verifyRes = await fetch(`${gatewayUrl}/api/v1/verify`, {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-          'X-Metr-Api-Key': apiKey,
-        },
-        body: JSON.stringify({ session_token: sessionToken }),
-      });
+    // Check IP whitelist
+    if (resolved.requireIp) {
+      if (!claims.ips || claims.ips.length === 0) {
+        res.status(403).json({
+          error: 'ip_required',
+          message: 'This endpoint requires IP-bound tokens. Issue a token with ips claim.',
+        });
+        return;
+      }
-      const session = await verifyRes.json() as {
-        valid: boolean;
-        buyer_id?: string;
-        remaining_balance_usd?: number;
-      };
+      const clientIp = req.ip || req.socket.remoteAddress || '';
+      const allowed = claims.ips.some(ip => {
+        if (ip.includes('/')) {
+          // CIDR check (simplified — exact match for now)
+          return clientIp.startsWith(ip.split('/')[0].split('.').slice(0, 3).join('.'));
+        }
+        return ip === clientIp;
+      });
-      if (!session.valid) {
-        res.status(402).json({
-          error: 'session_expired',
-          message: 'Your billing session has expired. Please create a new checkout.',
+      if (!allowed) {
+        res.status(403).json({
+          error: 'ip_not_allowed',
+          message: `Request from ${clientIp} not in token's IP whitelist.`,
         });
         return;
       }
+    }
-      // Attach payment info to request
-      req.metr = {
-        sessionToken,
-        buyerId: session.buyer_id || '',
-        balanceUsd: session.remaining_balance_usd || 0,
-      };
+    // Attach buyer info to request
+    req.metr = {
+      buyerId: claims.sub,
+      tokenIssuedAt: claims.iat,
+    };
-      // Let the handler execute
-      next();
+    // Run the handler
+    next();
-      // After handler completes, record usage (fire and forget)
-      fetch(`${gatewayUrl}/api/v1/meter`, {
+    // Post-response: fire-and-forget usage metering
+    const tokenSig = extractTokenSig(token);
+    const minuteBucket = new Date().toISOString().slice(0, 16).replace(/[-:T]/g, '');
+    const idempotencyKey = createHash('sha256')
+      .update(`${tokenSig}${resolved.endpointId}${minuteBucket}`)
+      .digest('hex');
+    res.on('finish', () => {
+      fetch(`${resolved.gatewayUrl}/api/v1/meter`, {
         method: 'POST',
         headers: {
           'Content-Type': 'application/json',
-          'X-Metr-Api-Key': apiKey,
+          'X-Metr-Api-Key': resolved.apiKey,
         },
         body: JSON.stringify({
-          endpoint_id: endpointId,
-          session_token: sessionToken,
+          endpoint_id: resolved.endpointId,
+          buyer_token_sig: tokenSig,
+          buyer_id: claims.sub,
           units: 1,
-          unit_type: config.unitType || 'request',
+          unit_type: resolved.unitType,
+          idempotency_key: idempotencyKey,
         }),
       }).catch((err) => {
-        console.error('[metr] Failed to record usage:', err);
+        console.error('[metr] Failed to record usage:', err.message);
       });
-    } catch (err) {
-      res.status(500).json({ error: 'Failed to verify session' });
-    }
+    });
   };
 }