@mixrpay/merchant-sdk 0.3.0 → 0.3.2

package/README.md

@@ -225,9 +225,35 @@ interface MixrPayment {
   
   /** Error message if invalid */
   error?: string;
+  
+  /** Whether payment was pre-charged by the agent (session only) */
+  preCharged?: boolean;
 }
 ```
 
+### Pre-Charged Sessions
+
+When AI agents use the Agent SDK, they can pre-charge before calling your API by passing `X-Mixr-Charged: <amount>`. The middleware detects this and validates the session without double-charging:
+
+```typescript
+// Agent SDK calls your API with pre-charged session
+// Headers: { 'X-Mixr-Session': 'sess_abc', 'X-Mixr-Charged': '0.05' }
+
+app.post('/api/query', mixrpay({ priceUsd: 0.05 }), (req, res) => {
+  const { preCharged, amountUsd, payer } = req.mixrPayment!;
+  
+  if (preCharged) {
+    // Agent pre-charged - session validated only, no additional charge made
+    console.log(`Pre-charged payment of $${amountUsd} from ${payer}`);
+  } else {
+    // Middleware charged the session
+    console.log(`Charged $${amountUsd} from ${payer}`);
+  }
+  
+  res.json({ result: 'success' });
+});
+```
+
 ## Advanced Usage
 
 ### Dynamic Pricing
@@ -301,6 +327,55 @@ if (result.valid) {
 }
 ```
 
+### Webhook Verification
+
+Verify webhook signatures to ensure events are from MixrPay:
+
+```typescript
+import { verifySessionWebhook } from '@mixrpay/merchant-sdk';
+
+app.post('/webhooks/mixrpay', (req, res) => {
+  const signature = req.headers['x-mixrpay-signature'] as string;
+  const payload = JSON.stringify(req.body);
+  
+  // Verify signature using your webhook secret from the dashboard
+  if (!verifySessionWebhook(payload, signature, process.env.WEBHOOK_SECRET!)) {
+    return res.status(401).json({ error: 'Invalid signature' });
+  }
+  
+  const event = req.body;
+  
+  switch (event.event) {
+    case 'session.created':
+      // New session authorized
+      console.log(`Session created: ${event.session_id} from ${event.user_wallet}`);
+      console.log(`Spending limit: $${event.spending_limit_usd}`);
+      break;
+      
+    case 'session.charged':
+      // Successful charge against a session
+      console.log(`Charged $${event.amount_usd} from ${event.user_wallet}`);
+      console.log(`Remaining: $${event.remaining_usd}`);
+      // Update your database, trigger fulfillment, etc.
+      break;
+      
+    case 'session.revoked':
+      // User revoked their session
+      console.log(`Session revoked: ${event.session_id}`);
+      break;
+      
+    case 'session.expired':
+      // Session expired
+      console.log(`Session expired: ${event.session_id}`);
+      break;
+  }
+  
+  res.json({ received: true });
+});
+```
+
+Configure webhook URLs in your [MixrPay Dashboard](https://www.mixrpay.com/seller/developers).
+
 ## Testing
 
 Enable test mode to accept test payments during development:

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { V as VerifyReceiptOptions, P as PaymentReceipt } from './types-jelXkTp9.mjs';
-export { M as MixrPayOptions, a as MixrPayPaymentResult, b as PaymentMethod, c as PriceContext } from './types-jelXkTp9.mjs';
+import { V as VerifyReceiptOptions, P as PaymentReceipt } from './types-BwiuIaOu.mjs';
+export { M as MixrPayOptions, a as MixrPayPaymentResult, b as PaymentMethod, c as PriceContext } from './types-BwiuIaOu.mjs';
 
 /**
  * MixrPay Merchant SDK - Payment Receipt Verification

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { V as VerifyReceiptOptions, P as PaymentReceipt } from './types-jelXkTp9.js';
-export { M as MixrPayOptions, a as MixrPayPaymentResult, b as PaymentMethod, c as PriceContext } from './types-jelXkTp9.js';
+import { V as VerifyReceiptOptions, P as PaymentReceipt } from './types-BwiuIaOu.js';
+export { M as MixrPayOptions, a as MixrPayPaymentResult, b as PaymentMethod, c as PriceContext } from './types-BwiuIaOu.js';
 
 /**
  * MixrPay Merchant SDK - Payment Receipt Verification

package/dist/index.js

@@ -37,7 +37,7 @@ module.exports = __toCommonJS(src_exports);
 
 // src/receipt.ts
 var jose = __toESM(require("jose"));
-var DEFAULT_JWKS_URL = process.env.MIXRPAY_JWKS_URL || "https://mixrpay.com/.well-known/jwks";
+var DEFAULT_JWKS_URL = process.env.MIXRPAY_JWKS_URL || "https://www.mixrpay.com/.well-known/jwks";
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
 var jwksCache = /* @__PURE__ */ new Map();
 async function getJWKS(jwksUrl) {

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts","../src/receipt.ts","../src/charges.ts"],"sourcesContent":["/**\n * MixrPay Merchant SDK\n * \n * Accept payments from AI agents and web apps with one middleware.\n * \n * @example Express\n * ```typescript\n * import { mixrpay } from '@mixrpay/merchant-sdk/express';\n * \n * app.post('/api/query', mixrpay({ priceUsd: 0.05 }), (req, res) => {\n *   console.log(`Paid by ${req.mixrPayment?.payer}`);\n *   res.json({ result: 'success' });\n * });\n * ```\n * \n * @example Next.js\n * ```typescript\n * import { withMixrPay } from '@mixrpay/merchant-sdk/nextjs';\n * \n * export const POST = withMixrPay({ priceUsd: 0.05 }, async (req, payment) => {\n *   return NextResponse.json({ result: 'success' });\n * });\n * ```\n * \n * @packageDocumentation\n */\n\n// Receipt verification (for custom integrations)\nexport { verifyPaymentReceipt } from './receipt';\n\n// Session webhook verification\nexport { verifySessionWebhook } from './charges';\n\n// Types for TypeScript users\nexport type {\n  MixrPayOptions,\n  MixrPayPaymentResult,\n  PaymentMethod,\n  PriceContext,\n  PaymentReceipt,\n} from './types';\n\nexport type {\n  SessionGrant,\n} from './charges';\n\n// Widget element types (for TypeScript JSX support)\nexport type {} from './widget-elements';\n","/**\n * MixrPay Merchant SDK - Payment Receipt Verification\n * \n * Verify JWT payment receipts issued by MixrPay after successful x402 payments.\n * \n * @example\n * ```typescript\n * import { verifyPaymentReceipt } from '@mixrpay/merchant-sdk';\n * \n * const receipt = req.headers['x-payment-receipt'];\n * const payment = await verifyPaymentReceipt(receipt);\n * \n * console.log(`Payment received: $${payment.amountUsd} from ${payment.payer}`);\n * console.log(`Transaction: ${payment.txHash}`);\n * ```\n */\n\nimport * as jose from 'jose';\nimport type { PaymentReceipt, VerifyReceiptOptions } from './types';\n\n// =============================================================================\n// Constants\n// =============================================================================\n\nconst DEFAULT_JWKS_URL = process.env.MIXRPAY_JWKS_URL || 'https://mixrpay.com/.well-known/jwks';\nconst JWKS_CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour\n\n// =============================================================================\n// JWKS Cache\n// =============================================================================\n\ninterface CachedJWKS {\n  jwks: jose.JSONWebKeySet;\n  fetchedAt: number;\n}\n\nconst jwksCache = new Map<string, CachedJWKS>();\n\n/**\n * Fetch and cache JWKS from the specified URL.\n */\nasync function getJWKS(jwksUrl: string): Promise<jose.JSONWebKeySet> {\n  const cached = jwksCache.get(jwksUrl);\n  const now = Date.now();\n\n  // Return cached JWKS if still valid\n  if (cached && (now - cached.fetchedAt) < JWKS_CACHE_TTL_MS) {\n    return cached.jwks;\n  }\n\n  // Fetch fresh JWKS\n  const response = await fetch(jwksUrl);\n  \n  if (!response.ok) {\n    throw new Error(`Failed to fetch JWKS from ${jwksUrl}: ${response.status} ${response.statusText}`);\n  }\n\n  const jwks = await response.json() as jose.JSONWebKeySet;\n\n  // Validate JWKS structure\n  if (!jwks.keys || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {\n    throw new Error('Invalid JWKS: missing or empty keys array');\n  }\n\n  // Cache the JWKS\n  jwksCache.set(jwksUrl, { jwks, fetchedAt: now });\n\n  return jwks;\n}\n\n/**\n * Create a JWKS key set from a fetched JWKS.\n */\nasync function createKeySet(jwksUrl: string): Promise<jose.JWTVerifyGetKey> {\n  const jwks = await getJWKS(jwksUrl);\n  return jose.createLocalJWKSet(jwks);\n}\n\n// =============================================================================\n// Receipt Verification\n// =============================================================================\n\n/**\n * Verify a JWT payment receipt from MixrPay.\n * \n * This function:\n * 1. Fetches the JWKS from MixrPay (cached for 1 hour)\n * 2. Verifies the JWT signature using RS256\n * 3. Validates standard JWT claims (exp, iat)\n * 4. Returns the typed payment receipt\n * \n * @param receipt - The JWT receipt string from X-Payment-Receipt header\n * @param options - Optional configuration (custom JWKS URL, issuer validation)\n * @returns Verified payment receipt\n * @throws Error if verification fails\n * \n * @example\n * ```typescript\n * // Basic usage\n * const payment = await verifyPaymentReceipt(receipt);\n * \n * // With custom JWKS URL (for testing or self-hosted)\n * const payment = await verifyPaymentReceipt(receipt, {\n *   jwksUrl: 'https://your-mixrpay.com/.well-known/jwks'\n * });\n * ```\n */\nexport async function verifyPaymentReceipt(\n  receipt: string,\n  options?: VerifyReceiptOptions\n): Promise<PaymentReceipt> {\n  const jwksUrl = options?.jwksUrl || DEFAULT_JWKS_URL;\n\n  try {\n    // Get the key set\n    const keySet = await createKeySet(jwksUrl);\n\n    // Build verification options\n    const verifyOptions: jose.JWTVerifyOptions = {\n      algorithms: ['RS256'],\n    };\n\n    // Add issuer validation if specified\n    if (options?.issuer) {\n      verifyOptions.issuer = options.issuer;\n    }\n\n    // Verify the JWT\n    const { payload } = await jose.jwtVerify(receipt, keySet, verifyOptions);\n\n    // Validate required payment fields\n    const requiredFields = ['paymentId', 'amount', 'amountUsd', 'payer', 'recipient', 'chainId', 'txHash', 'settledAt'];\n    for (const field of requiredFields) {\n      if (!(field in payload)) {\n        throw new Error(`Missing required field in receipt: ${field}`);\n      }\n    }\n\n    // Return typed receipt\n    return {\n      paymentId: payload.paymentId as string,\n      amount: payload.amount as string,\n      amountUsd: payload.amountUsd as number,\n      payer: payload.payer as string,\n      recipient: payload.recipient as string,\n      chainId: payload.chainId as number,\n      txHash: payload.txHash as string,\n      settledAt: payload.settledAt as string,\n      issuedAt: new Date((payload.iat as number) * 1000),\n      expiresAt: new Date((payload.exp as number) * 1000),\n    };\n  } catch (error) {\n    if (error instanceof jose.errors.JWTExpired) {\n      throw new Error('Payment receipt has expired');\n    }\n    if (error instanceof jose.errors.JWTClaimValidationFailed) {\n      throw new Error(`Receipt validation failed: ${error.message}`);\n    }\n    if (error instanceof jose.errors.JWSSignatureVerificationFailed) {\n      throw new Error('Invalid receipt signature');\n    }\n    throw error;\n  }\n}\n\n/**\n * Parse a JWT payment receipt without verification.\n * \n * WARNING: This does NOT verify the signature. Use only for debugging\n * or when you've already verified the receipt elsewhere.\n * \n * @param receipt - The JWT receipt string\n * @returns Decoded payload (unverified)\n */\nexport function parsePaymentReceipt(receipt: string): PaymentReceipt {\n  const decoded = jose.decodeJwt(receipt);\n\n  return {\n    paymentId: decoded.paymentId as string,\n    amount: decoded.amount as string,\n    amountUsd: decoded.amountUsd as number,\n    payer: decoded.payer as string,\n    recipient: decoded.recipient as string,\n    chainId: decoded.chainId as number,\n    txHash: decoded.txHash as string,\n    settledAt: decoded.settledAt as string,\n    issuedAt: decoded.iat ? new Date(decoded.iat * 1000) : undefined,\n    expiresAt: decoded.exp ? new Date(decoded.exp * 1000) : undefined,\n  };\n}\n\n/**\n * Check if a receipt is expired.\n * \n * @param receipt - The JWT receipt string or parsed PaymentReceipt\n * @returns true if expired, false otherwise\n */\nexport function isReceiptExpired(receipt: string | PaymentReceipt): boolean {\n  const parsed = typeof receipt === 'string' ? parsePaymentReceipt(receipt) : receipt;\n  \n  if (!parsed.expiresAt) {\n    return false; // No expiration = never expires\n  }\n\n  return parsed.expiresAt.getTime() < Date.now();\n}\n\n/**\n * Clear the JWKS cache.\n * Useful for testing or when keys have rotated.\n */\nexport function clearJWKSCache(): void {\n  jwksCache.clear();\n}\n\n/**\n * Get the default JWKS URL.\n */\nexport function getDefaultJWKSUrl(): string {\n  return DEFAULT_JWKS_URL;\n}\n\n","/**\n * MixrPay Charges Module\n * \n * Create and manage charges using session signers.\n * Session signers allow you to charge user wallets without\n * requiring approval for each transaction.\n */\n\n// =============================================================================\n// Types\n// =============================================================================\n\nexport interface CreateChargeParams {\n  /** Session key ID granted by the user */\n  sessionId: string;\n  /** Amount to charge in USD (e.g., 0.05 for 5 cents) */\n  amountUsd: number;\n  /** Unique reference for idempotency (e.g., \"order_123\") */\n  reference: string;\n  /** Optional metadata */\n  metadata?: Record<string, unknown>;\n}\n\nexport interface Charge {\n  /** Unique charge ID */\n  id: string;\n  /** Current status */\n  status: 'pending' | 'submitted' | 'confirmed' | 'failed';\n  /** Amount in USD */\n  amountUsd: number;\n  /** Formatted USDC amount */\n  amountUsdc: string;\n  /** Transaction hash (if submitted) */\n  txHash?: string;\n  /** Block explorer URL */\n  explorerUrl?: string;\n  /** From wallet address */\n  fromAddress: string;\n  /** To wallet address */\n  toAddress: string;\n  /** Your reference */\n  reference: string;\n  /** When the charge was created */\n  createdAt: string;\n  /** When the charge was confirmed */\n  confirmedAt?: string;\n  /** Session name */\n  sessionName?: string;\n  /** User wallet address */\n  userWallet?: string;\n  /** Error message if failed */\n  error?: string;\n}\n\nexport interface CreateChargeResult {\n  success: boolean;\n  charge?: Charge;\n  /** True if this is a replay of an existing charge */\n  idempotentReplay?: boolean;\n  error?: string;\n  details?: string;\n}\n\nexport interface SessionGrant {\n  /** Session key ID */\n  sessionId: string;\n  /** User's wallet address */\n  userWallet: string;\n  /** Your merchant wallet address */\n  merchantWallet: string;\n  /** Spending limits */\n  limits: {\n    maxTotalUsd?: number;\n    maxPerTxUsd?: number;\n    expiresAt: string;\n  };\n  /** When the session was granted */\n  grantedAt: string;\n}\n\n// Internal types for API responses\ninterface CreateChargeApiResponse {\n  success: boolean;\n  charge_id?: string;\n  status?: string;\n  amount_usd?: number;\n  amount_usdc?: string;\n  tx_hash?: string;\n  explorer_url?: string;\n  idempotent_replay?: boolean;\n  error?: string;\n  details?: string;\n}\n\ninterface ChargeApiResponse {\n  id: string;\n  status: string;\n  amount_usd: number;\n  amount_usdc: string;\n  tx_hash?: string;\n  explorer_url?: string;\n  from_address: string;\n  to_address: string;\n  reference: string;\n  created_at: string;\n  confirmed_at?: string;\n  session_name?: string;\n  user_wallet?: string;\n}\n\nexport interface ChargesClientOptions {\n  /** Your API key */\n  apiKey: string;\n  /** MixrPay API base URL */\n  baseUrl?: string;\n}\n\n// =============================================================================\n// Client\n// =============================================================================\n\nexport class ChargesClient {\n  private apiKey: string;\n  private baseUrl: string;\n\n  constructor(options: ChargesClientOptions) {\n    this.apiKey = options.apiKey;\n    this.baseUrl = options.baseUrl || process.env.MIXRPAY_BASE_URL || 'https://mixrpay.com';\n  }\n\n  /**\n   * Create a new charge.\n   * \n   * @example\n   * ```typescript\n   * const result = await charges.create({\n   *   sessionId: 'sk_xxx',\n   *   amountUsd: 0.05,\n   *   reference: 'image_gen_123',\n   *   metadata: { feature: 'image_generation' }\n   * });\n   * \n   * if (result.success) {\n   *   console.log(`Charged ${result.charge.amountUsdc}`);\n   *   console.log(`TX: ${result.charge.explorerUrl}`);\n   * }\n   * ```\n   */\n  async create(params: CreateChargeParams): Promise<CreateChargeResult> {\n    const response = await fetch(`${this.baseUrl}/api/v1/charges`, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/json',\n        'Authorization': `Bearer ${this.apiKey}`,\n      },\n      body: JSON.stringify({\n        session_id: params.sessionId,\n        amount_usd: params.amountUsd,\n        reference: params.reference,\n        metadata: params.metadata,\n      }),\n    });\n\n    const data = await response.json() as CreateChargeApiResponse;\n\n    if (!response.ok) {\n      return {\n        success: false,\n        error: data.error,\n        details: data.details,\n      };\n    }\n\n    return {\n      success: data.success,\n      charge: data.charge_id ? {\n        id: data.charge_id,\n        status: data.status as Charge['status'],\n        amountUsd: data.amount_usd ?? 0,\n        amountUsdc: data.amount_usdc ?? '0',\n        txHash: data.tx_hash,\n        explorerUrl: data.explorer_url,\n        fromAddress: '',\n        toAddress: '',\n        reference: params.reference,\n        createdAt: new Date().toISOString(),\n      } : undefined,\n      idempotentReplay: data.idempotent_replay,\n      error: data.error,\n    };\n  }\n\n  /**\n   * Get a charge by ID.\n   * \n   * @example\n   * ```typescript\n   * const charge = await charges.get('chg_xxx');\n   * console.log(charge.status); // 'confirmed'\n   * ```\n   */\n  async get(chargeId: string): Promise<Charge | null> {\n    const response = await fetch(`${this.baseUrl}/api/v1/charges?id=${chargeId}`, {\n      headers: {\n        'Authorization': `Bearer ${this.apiKey}`,\n      },\n    });\n\n    if (!response.ok) {\n      if (response.status === 404) {\n        return null;\n      }\n      throw new Error(`Failed to get charge: ${response.statusText}`);\n    }\n\n    const data = await response.json() as ChargeApiResponse;\n\n    return {\n      id: data.id,\n      status: data.status as Charge['status'],\n      amountUsd: data.amount_usd,\n      amountUsdc: data.amount_usdc,\n      txHash: data.tx_hash,\n      explorerUrl: data.explorer_url,\n      fromAddress: data.from_address,\n      toAddress: data.to_address,\n      reference: data.reference,\n      createdAt: data.created_at,\n      confirmedAt: data.confirmed_at,\n      sessionName: data.session_name,\n      userWallet: data.user_wallet,\n    };\n  }\n\n  /**\n   * Get a charge by transaction hash.\n   */\n  async getByTxHash(txHash: string): Promise<Charge | null> {\n    const response = await fetch(`${this.baseUrl}/api/v1/charges?tx_hash=${txHash}`, {\n      headers: {\n        'Authorization': `Bearer ${this.apiKey}`,\n      },\n    });\n\n    if (!response.ok) {\n      if (response.status === 404) {\n        return null;\n      }\n      throw new Error(`Failed to get charge: ${response.statusText}`);\n    }\n\n    const data = await response.json() as ChargeApiResponse;\n\n    return {\n      id: data.id,\n      status: data.status as Charge['status'],\n      amountUsd: data.amount_usd,\n      amountUsdc: data.amount_usdc,\n      txHash: data.tx_hash,\n      explorerUrl: data.explorer_url,\n      fromAddress: data.from_address,\n      toAddress: data.to_address,\n      reference: data.reference,\n      createdAt: data.created_at,\n      confirmedAt: data.confirmed_at,\n      sessionName: data.session_name,\n      userWallet: data.user_wallet,\n    };\n  }\n}\n\n// =============================================================================\n// Webhook Verification\n// =============================================================================\n\nimport crypto from 'crypto';\n\n/**\n * Verify a session.granted webhook signature.\n * \n * @example\n * ```typescript\n * const payload = req.body;\n * const signature = req.headers['x-mixrpay-signature'];\n * \n * if (verifySessionWebhook(JSON.stringify(payload), signature, webhookSecret)) {\n *   const grant = parseSessionGrant(payload);\n *   console.log(`User ${grant.userWallet} granted access`);\n * }\n * ```\n */\nexport function verifySessionWebhook(\n  payload: string,\n  signature: string,\n  secret: string\n): boolean {\n  const expectedSignature = crypto\n    .createHmac('sha256', secret)\n    .update(payload)\n    .digest('hex');\n  \n  return crypto.timingSafeEqual(\n    Buffer.from(signature),\n    Buffer.from(expectedSignature)\n  );\n}\n\n/**\n * Parse a session.granted webhook payload.\n */\nexport function parseSessionGrant(payload: {\n  event: string;\n  session_id: string;\n  user_wallet: string;\n  merchant_wallet: string;\n  limits: {\n    max_total_usd?: number;\n    max_per_tx_usd?: number;\n    expires_at: string;\n  };\n  granted_at: string;\n}): SessionGrant {\n  if (payload.event !== 'session.granted') {\n    throw new Error(`Unexpected event type: ${payload.event}`);\n  }\n\n  return {\n    sessionId: payload.session_id,\n    userWallet: payload.user_wallet,\n    merchantWallet: payload.merchant_wallet,\n    limits: {\n      maxTotalUsd: payload.limits.max_total_usd,\n      maxPerTxUsd: payload.limits.max_per_tx_usd,\n      expiresAt: payload.limits.expires_at,\n    },\n    grantedAt: payload.granted_at,\n  };\n}\n\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACiBA,WAAsB;AAOtB,IAAM,mBAAmB,QAAQ,IAAI,oBAAoB;AACzD,IAAM,oBAAoB,KAAK,KAAK;AAWpC,IAAM,YAAY,oBAAI,IAAwB;AAK9C,eAAe,QAAQ,SAA8C;AACnE,QAAM,SAAS,UAAU,IAAI,OAAO;AACpC,QAAM,MAAM,KAAK,IAAI;AAGrB,MAAI,UAAW,MAAM,OAAO,YAAa,mBAAmB;AAC1D,WAAO,OAAO;AAAA,EAChB;AAGA,QAAM,WAAW,MAAM,MAAM,OAAO;AAEpC,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,MAAM,6BAA6B,OAAO,KAAK,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACnG;AAEA,QAAM,OAAO,MAAM,SAAS,KAAK;AAGjC,MAAI,CAAC,KAAK,QAAQ,CAAC,MAAM,QAAQ,KAAK,IAAI,KAAK,KAAK,KAAK,WAAW,GAAG;AACrE,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAGA,YAAU,IAAI,SAAS,EAAE,MAAM,WAAW,IAAI,CAAC;AAE/C,SAAO;AACT;AAKA,eAAe,aAAa,SAAgD;AAC1E,QAAM,OAAO,MAAM,QAAQ,OAAO;AAClC,SAAY,uBAAkB,IAAI;AACpC;AA+BA,eAAsB,qBACpB,SACA,SACyB;AACzB,QAAM,UAAU,SAAS,WAAW;AAEpC,MAAI;AAEF,UAAM,SAAS,MAAM,aAAa,OAAO;AAGzC,UAAM,gBAAuC;AAAA,MAC3C,YAAY,CAAC,OAAO;AAAA,IACtB;AAGA,QAAI,SAAS,QAAQ;AACnB,oBAAc,SAAS,QAAQ;AAAA,IACjC;AAGA,UAAM,EAAE,QAAQ,IAAI,MAAW,eAAU,SAAS,QAAQ,aAAa;AAGvE,UAAM,iBAAiB,CAAC,aAAa,UAAU,aAAa,SAAS,aAAa,WAAW,UAAU,WAAW;AAClH,eAAW,SAAS,gBAAgB;AAClC,UAAI,EAAE,SAAS,UAAU;AACvB,cAAM,IAAI,MAAM,sCAAsC,KAAK,EAAE;AAAA,MAC/D;AAAA,IACF;AAGA,WAAO;AAAA,MACL,WAAW,QAAQ;AAAA,MACnB,QAAQ,QAAQ;AAAA,MAChB,WAAW,QAAQ;AAAA,MACnB,OAAO,QAAQ;AAAA,MACf,WAAW,QAAQ;AAAA,MACnB,SAAS,QAAQ;AAAA,MACjB,QAAQ,QAAQ;AAAA,MAChB,WAAW,QAAQ;AAAA,MACnB,UAAU,IAAI,KAAM,QAAQ,MAAiB,GAAI;AAAA,MACjD,WAAW,IAAI,KAAM,QAAQ,MAAiB,GAAI;AAAA,IACpD;AAAA,EACF,SAAS,OAAO;AACd,QAAI,iBAAsB,YAAO,YAAY;AAC3C,YAAM,IAAI,MAAM,6BAA6B;AAAA,IAC/C;AACA,QAAI,iBAAsB,YAAO,0BAA0B;AACzD,YAAM,IAAI,MAAM,8BAA8B,MAAM,OAAO,EAAE;AAAA,IAC/D;AACA,QAAI,iBAAsB,YAAO,gCAAgC;AAC/D,YAAM,IAAI,MAAM,2BAA2B;AAAA,IAC7C;AACA,UAAM;AAAA,EACR;AACF;;;ACgHA,oBAAmB;AAgBZ,SAAS,qBACd,SACA,WACA,QACS;AACT,QAAM,oBAAoB,cAAAA,QACvB,WAAW,UAAU,MAAM,EAC3B,OAAO,OAAO,EACd,OAAO,KAAK;AAEf,SAAO,cAAAA,QAAO;AAAA,IACZ,OAAO,KAAK,SAAS;AAAA,IACrB,OAAO,KAAK,iBAAiB;AAAA,EAC/B;AACF;","names":["crypto"]}
+{"version":3,"sources":["../src/index.ts","../src/receipt.ts","../src/charges.ts"],"sourcesContent":["/**\n * MixrPay Merchant SDK\n * \n * Accept payments from AI agents and web apps with one middleware.\n * \n * @example Express\n * ```typescript\n * import { mixrpay } from '@mixrpay/merchant-sdk/express';\n * \n * app.post('/api/query', mixrpay({ priceUsd: 0.05 }), (req, res) => {\n *   console.log(`Paid by ${req.mixrPayment?.payer}`);\n *   res.json({ result: 'success' });\n * });\n * ```\n * \n * @example Next.js\n * ```typescript\n * import { withMixrPay } from '@mixrpay/merchant-sdk/nextjs';\n * \n * export const POST = withMixrPay({ priceUsd: 0.05 }, async (req, payment) => {\n *   return NextResponse.json({ result: 'success' });\n * });\n * ```\n * \n * @packageDocumentation\n */\n\n// Receipt verification (for custom integrations)\nexport { verifyPaymentReceipt } from './receipt';\n\n// Session webhook verification\nexport { verifySessionWebhook } from './charges';\n\n// Types for TypeScript users\nexport type {\n  MixrPayOptions,\n  MixrPayPaymentResult,\n  PaymentMethod,\n  PriceContext,\n  PaymentReceipt,\n} from './types';\n\nexport type {\n  SessionGrant,\n} from './charges';\n\n// Widget element types (for TypeScript JSX support)\nexport type {} from './widget-elements';\n","/**\n * MixrPay Merchant SDK - Payment Receipt Verification\n * \n * Verify JWT payment receipts issued by MixrPay after successful x402 payments.\n * \n * @example\n * ```typescript\n * import { verifyPaymentReceipt } from '@mixrpay/merchant-sdk';\n * \n * const receipt = req.headers['x-payment-receipt'];\n * const payment = await verifyPaymentReceipt(receipt);\n * \n * console.log(`Payment received: $${payment.amountUsd} from ${payment.payer}`);\n * console.log(`Transaction: ${payment.txHash}`);\n * ```\n */\n\nimport * as jose from 'jose';\nimport type { PaymentReceipt, VerifyReceiptOptions } from './types';\n\n// =============================================================================\n// Constants\n// =============================================================================\n\nconst DEFAULT_JWKS_URL = process.env.MIXRPAY_JWKS_URL || 'https://www.mixrpay.com/.well-known/jwks';\nconst JWKS_CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour\n\n// =============================================================================\n// JWKS Cache\n// =============================================================================\n\ninterface CachedJWKS {\n  jwks: jose.JSONWebKeySet;\n  fetchedAt: number;\n}\n\nconst jwksCache = new Map<string, CachedJWKS>();\n\n/**\n * Fetch and cache JWKS from the specified URL.\n */\nasync function getJWKS(jwksUrl: string): Promise<jose.JSONWebKeySet> {\n  const cached = jwksCache.get(jwksUrl);\n  const now = Date.now();\n\n  // Return cached JWKS if still valid\n  if (cached && (now - cached.fetchedAt) < JWKS_CACHE_TTL_MS) {\n    return cached.jwks;\n  }\n\n  // Fetch fresh JWKS\n  const response = await fetch(jwksUrl);\n  \n  if (!response.ok) {\n    throw new Error(`Failed to fetch JWKS from ${jwksUrl}: ${response.status} ${response.statusText}`);\n  }\n\n  const jwks = await response.json() as jose.JSONWebKeySet;\n\n  // Validate JWKS structure\n  if (!jwks.keys || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {\n    throw new Error('Invalid JWKS: missing or empty keys array');\n  }\n\n  // Cache the JWKS\n  jwksCache.set(jwksUrl, { jwks, fetchedAt: now });\n\n  return jwks;\n}\n\n/**\n * Create a JWKS key set from a fetched JWKS.\n */\nasync function createKeySet(jwksUrl: string): Promise<jose.JWTVerifyGetKey> {\n  const jwks = await getJWKS(jwksUrl);\n  return jose.createLocalJWKSet(jwks);\n}\n\n// =============================================================================\n// Receipt Verification\n// =============================================================================\n\n/**\n * Verify a JWT payment receipt from MixrPay.\n * \n * This function:\n * 1. Fetches the JWKS from MixrPay (cached for 1 hour)\n * 2. Verifies the JWT signature using RS256\n * 3. Validates standard JWT claims (exp, iat)\n * 4. Returns the typed payment receipt\n * \n * @param receipt - The JWT receipt string from X-Payment-Receipt header\n * @param options - Optional configuration (custom JWKS URL, issuer validation)\n * @returns Verified payment receipt\n * @throws Error if verification fails\n * \n * @example\n * ```typescript\n * // Basic usage\n * const payment = await verifyPaymentReceipt(receipt);\n * \n * // With custom JWKS URL (for testing or self-hosted)\n * const payment = await verifyPaymentReceipt(receipt, {\n *   jwksUrl: 'https://your-mixrpay.com/.well-known/jwks'\n * });\n * ```\n */\nexport async function verifyPaymentReceipt(\n  receipt: string,\n  options?: VerifyReceiptOptions\n): Promise<PaymentReceipt> {\n  const jwksUrl = options?.jwksUrl || DEFAULT_JWKS_URL;\n\n  try {\n    // Get the key set\n    const keySet = await createKeySet(jwksUrl);\n\n    // Build verification options\n    const verifyOptions: jose.JWTVerifyOptions = {\n      algorithms: ['RS256'],\n    };\n\n    // Add issuer validation if specified\n    if (options?.issuer) {\n      verifyOptions.issuer = options.issuer;\n    }\n\n    // Verify the JWT\n    const { payload } = await jose.jwtVerify(receipt, keySet, verifyOptions);\n\n    // Validate required payment fields\n    const requiredFields = ['paymentId', 'amount', 'amountUsd', 'payer', 'recipient', 'chainId', 'txHash', 'settledAt'];\n    for (const field of requiredFields) {\n      if (!(field in payload)) {\n        throw new Error(`Missing required field in receipt: ${field}`);\n      }\n    }\n\n    // Return typed receipt\n    return {\n      paymentId: payload.paymentId as string,\n      amount: payload.amount as string,\n      amountUsd: payload.amountUsd as number,\n      payer: payload.payer as string,\n      recipient: payload.recipient as string,\n      chainId: payload.chainId as number,\n      txHash: payload.txHash as string,\n      settledAt: payload.settledAt as string,\n      issuedAt: new Date((payload.iat as number) * 1000),\n      expiresAt: new Date((payload.exp as number) * 1000),\n    };\n  } catch (error) {\n    if (error instanceof jose.errors.JWTExpired) {\n      throw new Error('Payment receipt has expired');\n    }\n    if (error instanceof jose.errors.JWTClaimValidationFailed) {\n      throw new Error(`Receipt validation failed: ${error.message}`);\n    }\n    if (error instanceof jose.errors.JWSSignatureVerificationFailed) {\n      throw new Error('Invalid receipt signature');\n    }\n    throw error;\n  }\n}\n\n/**\n * Parse a JWT payment receipt without verification.\n * \n * WARNING: This does NOT verify the signature. Use only for debugging\n * or when you've already verified the receipt elsewhere.\n * \n * @param receipt - The JWT receipt string\n * @returns Decoded payload (unverified)\n */\nexport function parsePaymentReceipt(receipt: string): PaymentReceipt {\n  const decoded = jose.decodeJwt(receipt);\n\n  return {\n    paymentId: decoded.paymentId as string,\n    amount: decoded.amount as string,\n    amountUsd: decoded.amountUsd as number,\n    payer: decoded.payer as string,\n    recipient: decoded.recipient as string,\n    chainId: decoded.chainId as number,\n    txHash: decoded.txHash as string,\n    settledAt: decoded.settledAt as string,\n    issuedAt: decoded.iat ? new Date(decoded.iat * 1000) : undefined,\n    expiresAt: decoded.exp ? new Date(decoded.exp * 1000) : undefined,\n  };\n}\n\n/**\n * Check if a receipt is expired.\n * \n * @param receipt - The JWT receipt string or parsed PaymentReceipt\n * @returns true if expired, false otherwise\n */\nexport function isReceiptExpired(receipt: string | PaymentReceipt): boolean {\n  const parsed = typeof receipt === 'string' ? parsePaymentReceipt(receipt) : receipt;\n  \n  if (!parsed.expiresAt) {\n    return false; // No expiration = never expires\n  }\n\n  return parsed.expiresAt.getTime() < Date.now();\n}\n\n/**\n * Clear the JWKS cache.\n * Useful for testing or when keys have rotated.\n */\nexport function clearJWKSCache(): void {\n  jwksCache.clear();\n}\n\n/**\n * Get the default JWKS URL.\n */\nexport function getDefaultJWKSUrl(): string {\n  return DEFAULT_JWKS_URL;\n}\n\n","/**\n * MixrPay Charges Module\n * \n * Create and manage charges using session signers.\n * Session signers allow you to charge user wallets without\n * requiring approval for each transaction.\n */\n\n// =============================================================================\n// Types\n// =============================================================================\n\nexport interface CreateChargeParams {\n  /** Session key ID granted by the user */\n  sessionId: string;\n  /** Amount to charge in USD (e.g., 0.05 for 5 cents) */\n  amountUsd: number;\n  /** Unique reference for idempotency (e.g., \"order_123\") */\n  reference: string;\n  /** Optional metadata */\n  metadata?: Record<string, unknown>;\n}\n\nexport interface Charge {\n  /** Unique charge ID */\n  id: string;\n  /** Current status */\n  status: 'pending' | 'submitted' | 'confirmed' | 'failed';\n  /** Amount in USD */\n  amountUsd: number;\n  /** Formatted USDC amount */\n  amountUsdc: string;\n  /** Transaction hash (if submitted) */\n  txHash?: string;\n  /** Block explorer URL */\n  explorerUrl?: string;\n  /** From wallet address */\n  fromAddress: string;\n  /** To wallet address */\n  toAddress: string;\n  /** Your reference */\n  reference: string;\n  /** When the charge was created */\n  createdAt: string;\n  /** When the charge was confirmed */\n  confirmedAt?: string;\n  /** Session name */\n  sessionName?: string;\n  /** User wallet address */\n  userWallet?: string;\n  /** Error message if failed */\n  error?: string;\n}\n\nexport interface CreateChargeResult {\n  success: boolean;\n  charge?: Charge;\n  /** True if this is a replay of an existing charge */\n  idempotentReplay?: boolean;\n  error?: string;\n  details?: string;\n}\n\nexport interface SessionGrant {\n  /** Session key ID */\n  sessionId: string;\n  /** User's wallet address */\n  userWallet: string;\n  /** Your merchant wallet address */\n  merchantWallet: string;\n  /** Spending limits */\n  limits: {\n    maxTotalUsd?: number;\n    maxPerTxUsd?: number;\n    expiresAt: string;\n  };\n  /** When the session was granted */\n  grantedAt: string;\n}\n\n// Internal types for API responses\ninterface CreateChargeApiResponse {\n  success: boolean;\n  charge_id?: string;\n  status?: string;\n  amount_usd?: number;\n  amount_usdc?: string;\n  tx_hash?: string;\n  explorer_url?: string;\n  idempotent_replay?: boolean;\n  error?: string;\n  details?: string;\n}\n\ninterface ChargeApiResponse {\n  id: string;\n  status: string;\n  amount_usd: number;\n  amount_usdc: string;\n  tx_hash?: string;\n  explorer_url?: string;\n  from_address: string;\n  to_address: string;\n  reference: string;\n  created_at: string;\n  confirmed_at?: string;\n  session_name?: string;\n  user_wallet?: string;\n}\n\nexport interface ChargesClientOptions {\n  /** Your API key */\n  apiKey: string;\n  /** MixrPay API base URL */\n  baseUrl?: string;\n}\n\n// =============================================================================\n// Client\n// =============================================================================\n\nexport class ChargesClient {\n  private apiKey: string;\n  private baseUrl: string;\n\n  constructor(options: ChargesClientOptions) {\n    this.apiKey = options.apiKey;\n    this.baseUrl = options.baseUrl || process.env.MIXRPAY_BASE_URL || 'https://www.mixrpay.com';\n  }\n\n  /**\n   * Create a new charge.\n   * \n   * @example\n   * ```typescript\n   * const result = await charges.create({\n   *   sessionId: 'sk_xxx',\n   *   amountUsd: 0.05,\n   *   reference: 'image_gen_123',\n   *   metadata: { feature: 'image_generation' }\n   * });\n   * \n   * if (result.success) {\n   *   console.log(`Charged ${result.charge.amountUsdc}`);\n   *   console.log(`TX: ${result.charge.explorerUrl}`);\n   * }\n   * ```\n   */\n  async create(params: CreateChargeParams): Promise<CreateChargeResult> {\n    const response = await fetch(`${this.baseUrl}/api/v1/charges`, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/json',\n        'Authorization': `Bearer ${this.apiKey}`,\n      },\n      body: JSON.stringify({\n        session_id: params.sessionId,\n        amount_usd: params.amountUsd,\n        reference: params.reference,\n        metadata: params.metadata,\n      }),\n    });\n\n    const data = await response.json() as CreateChargeApiResponse;\n\n    if (!response.ok) {\n      return {\n        success: false,\n        error: data.error,\n        details: data.details,\n      };\n    }\n\n    return {\n      success: data.success,\n      charge: data.charge_id ? {\n        id: data.charge_id,\n        status: data.status as Charge['status'],\n        amountUsd: data.amount_usd ?? 0,\n        amountUsdc: data.amount_usdc ?? '0',\n        txHash: data.tx_hash,\n        explorerUrl: data.explorer_url,\n        fromAddress: '',\n        toAddress: '',\n        reference: params.reference,\n        createdAt: new Date().toISOString(),\n      } : undefined,\n      idempotentReplay: data.idempotent_replay,\n      error: data.error,\n    };\n  }\n\n  /**\n   * Get a charge by ID.\n   * \n   * @example\n   * ```typescript\n   * const charge = await charges.get('chg_xxx');\n   * console.log(charge.status); // 'confirmed'\n   * ```\n   */\n  async get(chargeId: string): Promise<Charge | null> {\n    const response = await fetch(`${this.baseUrl}/api/v1/charges?id=${chargeId}`, {\n      headers: {\n        'Authorization': `Bearer ${this.apiKey}`,\n      },\n    });\n\n    if (!response.ok) {\n      if (response.status === 404) {\n        return null;\n      }\n      throw new Error(`Failed to get charge: ${response.statusText}`);\n    }\n\n    const data = await response.json() as ChargeApiResponse;\n\n    return {\n      id: data.id,\n      status: data.status as Charge['status'],\n      amountUsd: data.amount_usd,\n      amountUsdc: data.amount_usdc,\n      txHash: data.tx_hash,\n      explorerUrl: data.explorer_url,\n      fromAddress: data.from_address,\n      toAddress: data.to_address,\n      reference: data.reference,\n      createdAt: data.created_at,\n      confirmedAt: data.confirmed_at,\n      sessionName: data.session_name,\n      userWallet: data.user_wallet,\n    };\n  }\n\n  /**\n   * Get a charge by transaction hash.\n   */\n  async getByTxHash(txHash: string): Promise<Charge | null> {\n    const response = await fetch(`${this.baseUrl}/api/v1/charges?tx_hash=${txHash}`, {\n      headers: {\n        'Authorization': `Bearer ${this.apiKey}`,\n      },\n    });\n\n    if (!response.ok) {\n      if (response.status === 404) {\n        return null;\n      }\n      throw new Error(`Failed to get charge: ${response.statusText}`);\n    }\n\n    const data = await response.json() as ChargeApiResponse;\n\n    return {\n      id: data.id,\n      status: data.status as Charge['status'],\n      amountUsd: data.amount_usd,\n      amountUsdc: data.amount_usdc,\n      txHash: data.tx_hash,\n      explorerUrl: data.explorer_url,\n      fromAddress: data.from_address,\n      toAddress: data.to_address,\n      reference: data.reference,\n      createdAt: data.created_at,\n      confirmedAt: data.confirmed_at,\n      sessionName: data.session_name,\n      userWallet: data.user_wallet,\n    };\n  }\n}\n\n// =============================================================================\n// Webhook Verification\n// =============================================================================\n\nimport crypto from 'crypto';\n\n/**\n * Verify a session.granted webhook signature.\n * \n * @example\n * ```typescript\n * const payload = req.body;\n * const signature = req.headers['x-mixrpay-signature'];\n * \n * if (verifySessionWebhook(JSON.stringify(payload), signature, webhookSecret)) {\n *   const grant = parseSessionGrant(payload);\n *   console.log(`User ${grant.userWallet} granted access`);\n * }\n * ```\n */\nexport function verifySessionWebhook(\n  payload: string,\n  signature: string,\n  secret: string\n): boolean {\n  const expectedSignature = crypto\n    .createHmac('sha256', secret)\n    .update(payload)\n    .digest('hex');\n  \n  return crypto.timingSafeEqual(\n    Buffer.from(signature),\n    Buffer.from(expectedSignature)\n  );\n}\n\n/**\n * Parse a session.granted webhook payload.\n */\nexport function parseSessionGrant(payload: {\n  event: string;\n  session_id: string;\n  user_wallet: string;\n  merchant_wallet: string;\n  limits: {\n    max_total_usd?: number;\n    max_per_tx_usd?: number;\n    expires_at: string;\n  };\n  granted_at: string;\n}): SessionGrant {\n  if (payload.event !== 'session.granted') {\n    throw new Error(`Unexpected event type: ${payload.event}`);\n  }\n\n  return {\n    sessionId: payload.session_id,\n    userWallet: payload.user_wallet,\n    merchantWallet: payload.merchant_wallet,\n    limits: {\n      maxTotalUsd: payload.limits.max_total_usd,\n      maxPerTxUsd: payload.limits.max_per_tx_usd,\n      expiresAt: payload.limits.expires_at,\n    },\n    grantedAt: payload.granted_at,\n  };\n}\n\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACiBA,WAAsB;AAOtB,IAAM,mBAAmB,QAAQ,IAAI,oBAAoB;AACzD,IAAM,oBAAoB,KAAK,KAAK;AAWpC,IAAM,YAAY,oBAAI,IAAwB;AAK9C,eAAe,QAAQ,SAA8C;AACnE,QAAM,SAAS,UAAU,IAAI,OAAO;AACpC,QAAM,MAAM,KAAK,IAAI;AAGrB,MAAI,UAAW,MAAM,OAAO,YAAa,mBAAmB;AAC1D,WAAO,OAAO;AAAA,EAChB;AAGA,QAAM,WAAW,MAAM,MAAM,OAAO;AAEpC,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,MAAM,6BAA6B,OAAO,KAAK,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACnG;AAEA,QAAM,OAAO,MAAM,SAAS,KAAK;AAGjC,MAAI,CAAC,KAAK,QAAQ,CAAC,MAAM,QAAQ,KAAK,IAAI,KAAK,KAAK,KAAK,WAAW,GAAG;AACrE,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAGA,YAAU,IAAI,SAAS,EAAE,MAAM,WAAW,IAAI,CAAC;AAE/C,SAAO;AACT;AAKA,eAAe,aAAa,SAAgD;AAC1E,QAAM,OAAO,MAAM,QAAQ,OAAO;AAClC,SAAY,uBAAkB,IAAI;AACpC;AA+BA,eAAsB,qBACpB,SACA,SACyB;AACzB,QAAM,UAAU,SAAS,WAAW;AAEpC,MAAI;AAEF,UAAM,SAAS,MAAM,aAAa,OAAO;AAGzC,UAAM,gBAAuC;AAAA,MAC3C,YAAY,CAAC,OAAO;AAAA,IACtB;AAGA,QAAI,SAAS,QAAQ;AACnB,oBAAc,SAAS,QAAQ;AAAA,IACjC;AAGA,UAAM,EAAE,QAAQ,IAAI,MAAW,eAAU,SAAS,QAAQ,aAAa;AAGvE,UAAM,iBAAiB,CAAC,aAAa,UAAU,aAAa,SAAS,aAAa,WAAW,UAAU,WAAW;AAClH,eAAW,SAAS,gBAAgB;AAClC,UAAI,EAAE,SAAS,UAAU;AACvB,cAAM,IAAI,MAAM,sCAAsC,KAAK,EAAE;AAAA,MAC/D;AAAA,IACF;AAGA,WAAO;AAAA,MACL,WAAW,QAAQ;AAAA,MACnB,QAAQ,QAAQ;AAAA,MAChB,WAAW,QAAQ;AAAA,MACnB,OAAO,QAAQ;AAAA,MACf,WAAW,QAAQ;AAAA,MACnB,SAAS,QAAQ;AAAA,MACjB,QAAQ,QAAQ;AAAA,MAChB,WAAW,QAAQ;AAAA,MACnB,UAAU,IAAI,KAAM,QAAQ,MAAiB,GAAI;AAAA,MACjD,WAAW,IAAI,KAAM,QAAQ,MAAiB,GAAI;AAAA,IACpD;AAAA,EACF,SAAS,OAAO;AACd,QAAI,iBAAsB,YAAO,YAAY;AAC3C,YAAM,IAAI,MAAM,6BAA6B;AAAA,IAC/C;AACA,QAAI,iBAAsB,YAAO,0BAA0B;AACzD,YAAM,IAAI,MAAM,8BAA8B,MAAM,OAAO,EAAE;AAAA,IAC/D;AACA,QAAI,iBAAsB,YAAO,gCAAgC;AAC/D,YAAM,IAAI,MAAM,2BAA2B;AAAA,IAC7C;AACA,UAAM;AAAA,EACR;AACF;;;ACgHA,oBAAmB;AAgBZ,SAAS,qBACd,SACA,WACA,QACS;AACT,QAAM,oBAAoB,cAAAA,QACvB,WAAW,UAAU,MAAM,EAC3B,OAAO,OAAO,EACd,OAAO,KAAK;AAEf,SAAO,cAAAA,QAAO;AAAA,IACZ,OAAO,KAAK,SAAS;AAAA,IACrB,OAAO,KAAK,iBAAiB;AAAA,EAC/B;AACF;","names":["crypto"]}

package/dist/index.mjs

@@ -1,6 +1,6 @@
 // src/receipt.ts
 import * as jose from "jose";
-var DEFAULT_JWKS_URL = process.env.MIXRPAY_JWKS_URL || "https://mixrpay.com/.well-known/jwks";
+var DEFAULT_JWKS_URL = process.env.MIXRPAY_JWKS_URL || "https://www.mixrpay.com/.well-known/jwks";
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
 var jwksCache = /* @__PURE__ */ new Map();
 async function getJWKS(jwksUrl) {

package/dist/index.mjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/receipt.ts","../src/charges.ts"],"sourcesContent":["/**\n * MixrPay Merchant SDK - Payment Receipt Verification\n * \n * Verify JWT payment receipts issued by MixrPay after successful x402 payments.\n * \n * @example\n * ```typescript\n * import { verifyPaymentReceipt } from '@mixrpay/merchant-sdk';\n * \n * const receipt = req.headers['x-payment-receipt'];\n * const payment = await verifyPaymentReceipt(receipt);\n * \n * console.log(`Payment received: $${payment.amountUsd} from ${payment.payer}`);\n * console.log(`Transaction: ${payment.txHash}`);\n * ```\n */\n\nimport * as jose from 'jose';\nimport type { PaymentReceipt, VerifyReceiptOptions } from './types';\n\n// =============================================================================\n// Constants\n// =============================================================================\n\nconst DEFAULT_JWKS_URL = process.env.MIXRPAY_JWKS_URL || 'https://mixrpay.com/.well-known/jwks';\nconst JWKS_CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour\n\n// =============================================================================\n// JWKS Cache\n// =============================================================================\n\ninterface CachedJWKS {\n  jwks: jose.JSONWebKeySet;\n  fetchedAt: number;\n}\n\nconst jwksCache = new Map<string, CachedJWKS>();\n\n/**\n * Fetch and cache JWKS from the specified URL.\n */\nasync function getJWKS(jwksUrl: string): Promise<jose.JSONWebKeySet> {\n  const cached = jwksCache.get(jwksUrl);\n  const now = Date.now();\n\n  // Return cached JWKS if still valid\n  if (cached && (now - cached.fetchedAt) < JWKS_CACHE_TTL_MS) {\n    return cached.jwks;\n  }\n\n  // Fetch fresh JWKS\n  const response = await fetch(jwksUrl);\n  \n  if (!response.ok) {\n    throw new Error(`Failed to fetch JWKS from ${jwksUrl}: ${response.status} ${response.statusText}`);\n  }\n\n  const jwks = await response.json() as jose.JSONWebKeySet;\n\n  // Validate JWKS structure\n  if (!jwks.keys || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {\n    throw new Error('Invalid JWKS: missing or empty keys array');\n  }\n\n  // Cache the JWKS\n  jwksCache.set(jwksUrl, { jwks, fetchedAt: now });\n\n  return jwks;\n}\n\n/**\n * Create a JWKS key set from a fetched JWKS.\n */\nasync function createKeySet(jwksUrl: string): Promise<jose.JWTVerifyGetKey> {\n  const jwks = await getJWKS(jwksUrl);\n  return jose.createLocalJWKSet(jwks);\n}\n\n// =============================================================================\n// Receipt Verification\n// =============================================================================\n\n/**\n * Verify a JWT payment receipt from MixrPay.\n * \n * This function:\n * 1. Fetches the JWKS from MixrPay (cached for 1 hour)\n * 2. Verifies the JWT signature using RS256\n * 3. Validates standard JWT claims (exp, iat)\n * 4. Returns the typed payment receipt\n * \n * @param receipt - The JWT receipt string from X-Payment-Receipt header\n * @param options - Optional configuration (custom JWKS URL, issuer validation)\n * @returns Verified payment receipt\n * @throws Error if verification fails\n * \n * @example\n * ```typescript\n * // Basic usage\n * const payment = await verifyPaymentReceipt(receipt);\n * \n * // With custom JWKS URL (for testing or self-hosted)\n * const payment = await verifyPaymentReceipt(receipt, {\n *   jwksUrl: 'https://your-mixrpay.com/.well-known/jwks'\n * });\n * ```\n */\nexport async function verifyPaymentReceipt(\n  receipt: string,\n  options?: VerifyReceiptOptions\n): Promise<PaymentReceipt> {\n  const jwksUrl = options?.jwksUrl || DEFAULT_JWKS_URL;\n\n  try {\n    // Get the key set\n    const keySet = await createKeySet(jwksUrl);\n\n    // Build verification options\n    const verifyOptions: jose.JWTVerifyOptions = {\n      algorithms: ['RS256'],\n    };\n\n    // Add issuer validation if specified\n    if (options?.issuer) {\n      verifyOptions.issuer = options.issuer;\n    }\n\n    // Verify the JWT\n    const { payload } = await jose.jwtVerify(receipt, keySet, verifyOptions);\n\n    // Validate required payment fields\n    const requiredFields = ['paymentId', 'amount', 'amountUsd', 'payer', 'recipient', 'chainId', 'txHash', 'settledAt'];\n    for (const field of requiredFields) {\n      if (!(field in payload)) {\n        throw new Error(`Missing required field in receipt: ${field}`);\n      }\n    }\n\n    // Return typed receipt\n    return {\n      paymentId: payload.paymentId as string,\n      amount: payload.amount as string,\n      amountUsd: payload.amountUsd as number,\n      payer: payload.payer as string,\n      recipient: payload.recipient as string,\n      chainId: payload.chainId as number,\n      txHash: payload.txHash as string,\n      settledAt: payload.settledAt as string,\n      issuedAt: new Date((payload.iat as number) * 1000),\n      expiresAt: new Date((payload.exp as number) * 1000),\n    };\n  } catch (error) {\n    if (error instanceof jose.errors.JWTExpired) {\n      throw new Error('Payment receipt has expired');\n    }\n    if (error instanceof jose.errors.JWTClaimValidationFailed) {\n      throw new Error(`Receipt validation failed: ${error.message}`);\n    }\n    if (error instanceof jose.errors.JWSSignatureVerificationFailed) {\n      throw new Error('Invalid receipt signature');\n    }\n    throw error;\n  }\n}\n\n/**\n * Parse a JWT payment receipt without verification.\n * \n * WARNING: This does NOT verify the signature. Use only for debugging\n * or when you've already verified the receipt elsewhere.\n * \n * @param receipt - The JWT receipt string\n * @returns Decoded payload (unverified)\n */\nexport function parsePaymentReceipt(receipt: string): PaymentReceipt {\n  const decoded = jose.decodeJwt(receipt);\n\n  return {\n    paymentId: decoded.paymentId as string,\n    amount: decoded.amount as string,\n    amountUsd: decoded.amountUsd as number,\n    payer: decoded.payer as string,\n    recipient: decoded.recipient as string,\n    chainId: decoded.chainId as number,\n    txHash: decoded.txHash as string,\n    settledAt: decoded.settledAt as string,\n    issuedAt: decoded.iat ? new Date(decoded.iat * 1000) : undefined,\n    expiresAt: decoded.exp ? new Date(decoded.exp * 1000) : undefined,\n  };\n}\n\n/**\n * Check if a receipt is expired.\n * \n * @param receipt - The JWT receipt string or parsed PaymentReceipt\n * @returns true if expired, false otherwise\n */\nexport function isReceiptExpired(receipt: string | PaymentReceipt): boolean {\n  const parsed = typeof receipt === 'string' ? parsePaymentReceipt(receipt) : receipt;\n  \n  if (!parsed.expiresAt) {\n    return false; // No expiration = never expires\n  }\n\n  return parsed.expiresAt.getTime() < Date.now();\n}\n\n/**\n * Clear the JWKS cache.\n * Useful for testing or when keys have rotated.\n */\nexport function clearJWKSCache(): void {\n  jwksCache.clear();\n}\n\n/**\n * Get the default JWKS URL.\n */\nexport function getDefaultJWKSUrl(): string {\n  return DEFAULT_JWKS_URL;\n}\n\n","/**\n * MixrPay Charges Module\n * \n * Create and manage charges using session signers.\n * Session signers allow you to charge user wallets without\n * requiring approval for each transaction.\n */\n\n// =============================================================================\n// Types\n// =============================================================================\n\nexport interface CreateChargeParams {\n  /** Session key ID granted by the user */\n  sessionId: string;\n  /** Amount to charge in USD (e.g., 0.05 for 5 cents) */\n  amountUsd: number;\n  /** Unique reference for idempotency (e.g., \"order_123\") */\n  reference: string;\n  /** Optional metadata */\n  metadata?: Record<string, unknown>;\n}\n\nexport interface Charge {\n  /** Unique charge ID */\n  id: string;\n  /** Current status */\n  status: 'pending' | 'submitted' | 'confirmed' | 'failed';\n  /** Amount in USD */\n  amountUsd: number;\n  /** Formatted USDC amount */\n  amountUsdc: string;\n  /** Transaction hash (if submitted) */\n  txHash?: string;\n  /** Block explorer URL */\n  explorerUrl?: string;\n  /** From wallet address */\n  fromAddress: string;\n  /** To wallet address */\n  toAddress: string;\n  /** Your reference */\n  reference: string;\n  /** When the charge was created */\n  createdAt: string;\n  /** When the charge was confirmed */\n  confirmedAt?: string;\n  /** Session name */\n  sessionName?: string;\n  /** User wallet address */\n  userWallet?: string;\n  /** Error message if failed */\n  error?: string;\n}\n\nexport interface CreateChargeResult {\n  success: boolean;\n  charge?: Charge;\n  /** True if this is a replay of an existing charge */\n  idempotentReplay?: boolean;\n  error?: string;\n  details?: string;\n}\n\nexport interface SessionGrant {\n  /** Session key ID */\n  sessionId: string;\n  /** User's wallet address */\n  userWallet: string;\n  /** Your merchant wallet address */\n  merchantWallet: string;\n  /** Spending limits */\n  limits: {\n    maxTotalUsd?: number;\n    maxPerTxUsd?: number;\n    expiresAt: string;\n  };\n  /** When the session was granted */\n  grantedAt: string;\n}\n\n// Internal types for API responses\ninterface CreateChargeApiResponse {\n  success: boolean;\n  charge_id?: string;\n  status?: string;\n  amount_usd?: number;\n  amount_usdc?: string;\n  tx_hash?: string;\n  explorer_url?: string;\n  idempotent_replay?: boolean;\n  error?: string;\n  details?: string;\n}\n\ninterface ChargeApiResponse {\n  id: string;\n  status: string;\n  amount_usd: number;\n  amount_usdc: string;\n  tx_hash?: string;\n  explorer_url?: string;\n  from_address: string;\n  to_address: string;\n  reference: string;\n  created_at: string;\n  confirmed_at?: string;\n  session_name?: string;\n  user_wallet?: string;\n}\n\nexport interface ChargesClientOptions {\n  /** Your API key */\n  apiKey: string;\n  /** MixrPay API base URL */\n  baseUrl?: string;\n}\n\n// =============================================================================\n// Client\n// =============================================================================\n\nexport class ChargesClient {\n  private apiKey: string;\n  private baseUrl: string;\n\n  constructor(options: ChargesClientOptions) {\n    this.apiKey = options.apiKey;\n    this.baseUrl = options.baseUrl || process.env.MIXRPAY_BASE_URL || 'https://mixrpay.com';\n  }\n\n  /**\n   * Create a new charge.\n   * \n   * @example\n   * ```typescript\n   * const result = await charges.create({\n   *   sessionId: 'sk_xxx',\n   *   amountUsd: 0.05,\n   *   reference: 'image_gen_123',\n   *   metadata: { feature: 'image_generation' }\n   * });\n   * \n   * if (result.success) {\n   *   console.log(`Charged ${result.charge.amountUsdc}`);\n   *   console.log(`TX: ${result.charge.explorerUrl}`);\n   * }\n   * ```\n   */\n  async create(params: CreateChargeParams): Promise<CreateChargeResult> {\n    const response = await fetch(`${this.baseUrl}/api/v1/charges`, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/json',\n        'Authorization': `Bearer ${this.apiKey}`,\n      },\n      body: JSON.stringify({\n        session_id: params.sessionId,\n        amount_usd: params.amountUsd,\n        reference: params.reference,\n        metadata: params.metadata,\n      }),\n    });\n\n    const data = await response.json() as CreateChargeApiResponse;\n\n    if (!response.ok) {\n      return {\n        success: false,\n        error: data.error,\n        details: data.details,\n      };\n    }\n\n    return {\n      success: data.success,\n      charge: data.charge_id ? {\n        id: data.charge_id,\n        status: data.status as Charge['status'],\n        amountUsd: data.amount_usd ?? 0,\n        amountUsdc: data.amount_usdc ?? '0',\n        txHash: data.tx_hash,\n        explorerUrl: data.explorer_url,\n        fromAddress: '',\n        toAddress: '',\n        reference: params.reference,\n        createdAt: new Date().toISOString(),\n      } : undefined,\n      idempotentReplay: data.idempotent_replay,\n      error: data.error,\n    };\n  }\n\n  /**\n   * Get a charge by ID.\n   * \n   * @example\n   * ```typescript\n   * const charge = await charges.get('chg_xxx');\n   * console.log(charge.status); // 'confirmed'\n   * ```\n   */\n  async get(chargeId: string): Promise<Charge | null> {\n    const response = await fetch(`${this.baseUrl}/api/v1/charges?id=${chargeId}`, {\n      headers: {\n        'Authorization': `Bearer ${this.apiKey}`,\n      },\n    });\n\n    if (!response.ok) {\n      if (response.status === 404) {\n        return null;\n      }\n      throw new Error(`Failed to get charge: ${response.statusText}`);\n    }\n\n    const data = await response.json() as ChargeApiResponse;\n\n    return {\n      id: data.id,\n      status: data.status as Charge['status'],\n      amountUsd: data.amount_usd,\n      amountUsdc: data.amount_usdc,\n      txHash: data.tx_hash,\n      explorerUrl: data.explorer_url,\n      fromAddress: data.from_address,\n      toAddress: data.to_address,\n      reference: data.reference,\n      createdAt: data.created_at,\n      confirmedAt: data.confirmed_at,\n      sessionName: data.session_name,\n      userWallet: data.user_wallet,\n    };\n  }\n\n  /**\n   * Get a charge by transaction hash.\n   */\n  async getByTxHash(txHash: string): Promise<Charge | null> {\n    const response = await fetch(`${this.baseUrl}/api/v1/charges?tx_hash=${txHash}`, {\n      headers: {\n        'Authorization': `Bearer ${this.apiKey}`,\n      },\n    });\n\n    if (!response.ok) {\n      if (response.status === 404) {\n        return null;\n      }\n      throw new Error(`Failed to get charge: ${response.statusText}`);\n    }\n\n    const data = await response.json() as ChargeApiResponse;\n\n    return {\n      id: data.id,\n      status: data.status as Charge['status'],\n      amountUsd: data.amount_usd,\n      amountUsdc: data.amount_usdc,\n      txHash: data.tx_hash,\n      explorerUrl: data.explorer_url,\n      fromAddress: data.from_address,\n      toAddress: data.to_address,\n      reference: data.reference,\n      createdAt: data.created_at,\n      confirmedAt: data.confirmed_at,\n      sessionName: data.session_name,\n      userWallet: data.user_wallet,\n    };\n  }\n}\n\n// =============================================================================\n// Webhook Verification\n// =============================================================================\n\nimport crypto from 'crypto';\n\n/**\n * Verify a session.granted webhook signature.\n * \n * @example\n * ```typescript\n * const payload = req.body;\n * const signature = req.headers['x-mixrpay-signature'];\n * \n * if (verifySessionWebhook(JSON.stringify(payload), signature, webhookSecret)) {\n *   const grant = parseSessionGrant(payload);\n *   console.log(`User ${grant.userWallet} granted access`);\n * }\n * ```\n */\nexport function verifySessionWebhook(\n  payload: string,\n  signature: string,\n  secret: string\n): boolean {\n  const expectedSignature = crypto\n    .createHmac('sha256', secret)\n    .update(payload)\n    .digest('hex');\n  \n  return crypto.timingSafeEqual(\n    Buffer.from(signature),\n    Buffer.from(expectedSignature)\n  );\n}\n\n/**\n * Parse a session.granted webhook payload.\n */\nexport function parseSessionGrant(payload: {\n  event: string;\n  session_id: string;\n  user_wallet: string;\n  merchant_wallet: string;\n  limits: {\n    max_total_usd?: number;\n    max_per_tx_usd?: number;\n    expires_at: string;\n  };\n  granted_at: string;\n}): SessionGrant {\n  if (payload.event !== 'session.granted') {\n    throw new Error(`Unexpected event type: ${payload.event}`);\n  }\n\n  return {\n    sessionId: payload.session_id,\n    userWallet: payload.user_wallet,\n    merchantWallet: payload.merchant_wallet,\n    limits: {\n      maxTotalUsd: payload.limits.max_total_usd,\n      maxPerTxUsd: payload.limits.max_per_tx_usd,\n      expiresAt: payload.limits.expires_at,\n    },\n    grantedAt: payload.granted_at,\n  };\n}\n\n"],"mappings":";AAiBA,YAAY,UAAU;AAOtB,IAAM,mBAAmB,QAAQ,IAAI,oBAAoB;AACzD,IAAM,oBAAoB,KAAK,KAAK;AAWpC,IAAM,YAAY,oBAAI,IAAwB;AAK9C,eAAe,QAAQ,SAA8C;AACnE,QAAM,SAAS,UAAU,IAAI,OAAO;AACpC,QAAM,MAAM,KAAK,IAAI;AAGrB,MAAI,UAAW,MAAM,OAAO,YAAa,mBAAmB;AAC1D,WAAO,OAAO;AAAA,EAChB;AAGA,QAAM,WAAW,MAAM,MAAM,OAAO;AAEpC,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,MAAM,6BAA6B,OAAO,KAAK,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACnG;AAEA,QAAM,OAAO,MAAM,SAAS,KAAK;AAGjC,MAAI,CAAC,KAAK,QAAQ,CAAC,MAAM,QAAQ,KAAK,IAAI,KAAK,KAAK,KAAK,WAAW,GAAG;AACrE,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAGA,YAAU,IAAI,SAAS,EAAE,MAAM,WAAW,IAAI,CAAC;AAE/C,SAAO;AACT;AAKA,eAAe,aAAa,SAAgD;AAC1E,QAAM,OAAO,MAAM,QAAQ,OAAO;AAClC,SAAY,uBAAkB,IAAI;AACpC;AA+BA,eAAsB,qBACpB,SACA,SACyB;AACzB,QAAM,UAAU,SAAS,WAAW;AAEpC,MAAI;AAEF,UAAM,SAAS,MAAM,aAAa,OAAO;AAGzC,UAAM,gBAAuC;AAAA,MAC3C,YAAY,CAAC,OAAO;AAAA,IACtB;AAGA,QAAI,SAAS,QAAQ;AACnB,oBAAc,SAAS,QAAQ;AAAA,IACjC;AAGA,UAAM,EAAE,QAAQ,IAAI,MAAW,eAAU,SAAS,QAAQ,aAAa;AAGvE,UAAM,iBAAiB,CAAC,aAAa,UAAU,aAAa,SAAS,aAAa,WAAW,UAAU,WAAW;AAClH,eAAW,SAAS,gBAAgB;AAClC,UAAI,EAAE,SAAS,UAAU;AACvB,cAAM,IAAI,MAAM,sCAAsC,KAAK,EAAE;AAAA,MAC/D;AAAA,IACF;AAGA,WAAO;AAAA,MACL,WAAW,QAAQ;AAAA,MACnB,QAAQ,QAAQ;AAAA,MAChB,WAAW,QAAQ;AAAA,MACnB,OAAO,QAAQ;AAAA,MACf,WAAW,QAAQ;AAAA,MACnB,SAAS,QAAQ;AAAA,MACjB,QAAQ,QAAQ;AAAA,MAChB,WAAW,QAAQ;AAAA,MACnB,UAAU,IAAI,KAAM,QAAQ,MAAiB,GAAI;AAAA,MACjD,WAAW,IAAI,KAAM,QAAQ,MAAiB,GAAI;AAAA,IACpD;AAAA,EACF,SAAS,OAAO;AACd,QAAI,iBAAsB,YAAO,YAAY;AAC3C,YAAM,IAAI,MAAM,6BAA6B;AAAA,IAC/C;AACA,QAAI,iBAAsB,YAAO,0BAA0B;AACzD,YAAM,IAAI,MAAM,8BAA8B,MAAM,OAAO,EAAE;AAAA,IAC/D;AACA,QAAI,iBAAsB,YAAO,gCAAgC;AAC/D,YAAM,IAAI,MAAM,2BAA2B;AAAA,IAC7C;AACA,UAAM;AAAA,EACR;AACF;;;ACgHA,OAAO,YAAY;AAgBZ,SAAS,qBACd,SACA,WACA,QACS;AACT,QAAM,oBAAoB,OACvB,WAAW,UAAU,MAAM,EAC3B,OAAO,OAAO,EACd,OAAO,KAAK;AAEf,SAAO,OAAO;AAAA,IACZ,OAAO,KAAK,SAAS;AAAA,IACrB,OAAO,KAAK,iBAAiB;AAAA,EAC/B;AACF;","names":[]}
+{"version":3,"sources":["../src/receipt.ts","../src/charges.ts"],"sourcesContent":["/**\n * MixrPay Merchant SDK - Payment Receipt Verification\n * \n * Verify JWT payment receipts issued by MixrPay after successful x402 payments.\n * \n * @example\n * ```typescript\n * import { verifyPaymentReceipt } from '@mixrpay/merchant-sdk';\n * \n * const receipt = req.headers['x-payment-receipt'];\n * const payment = await verifyPaymentReceipt(receipt);\n * \n * console.log(`Payment received: $${payment.amountUsd} from ${payment.payer}`);\n * console.log(`Transaction: ${payment.txHash}`);\n * ```\n */\n\nimport * as jose from 'jose';\nimport type { PaymentReceipt, VerifyReceiptOptions } from './types';\n\n// =============================================================================\n// Constants\n// =============================================================================\n\nconst DEFAULT_JWKS_URL = process.env.MIXRPAY_JWKS_URL || 'https://www.mixrpay.com/.well-known/jwks';\nconst JWKS_CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour\n\n// =============================================================================\n// JWKS Cache\n// =============================================================================\n\ninterface CachedJWKS {\n  jwks: jose.JSONWebKeySet;\n  fetchedAt: number;\n}\n\nconst jwksCache = new Map<string, CachedJWKS>();\n\n/**\n * Fetch and cache JWKS from the specified URL.\n */\nasync function getJWKS(jwksUrl: string): Promise<jose.JSONWebKeySet> {\n  const cached = jwksCache.get(jwksUrl);\n  const now = Date.now();\n\n  // Return cached JWKS if still valid\n  if (cached && (now - cached.fetchedAt) < JWKS_CACHE_TTL_MS) {\n    return cached.jwks;\n  }\n\n  // Fetch fresh JWKS\n  const response = await fetch(jwksUrl);\n  \n  if (!response.ok) {\n    throw new Error(`Failed to fetch JWKS from ${jwksUrl}: ${response.status} ${response.statusText}`);\n  }\n\n  const jwks = await response.json() as jose.JSONWebKeySet;\n\n  // Validate JWKS structure\n  if (!jwks.keys || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {\n    throw new Error('Invalid JWKS: missing or empty keys array');\n  }\n\n  // Cache the JWKS\n  jwksCache.set(jwksUrl, { jwks, fetchedAt: now });\n\n  return jwks;\n}\n\n/**\n * Create a JWKS key set from a fetched JWKS.\n */\nasync function createKeySet(jwksUrl: string): Promise<jose.JWTVerifyGetKey> {\n  const jwks = await getJWKS(jwksUrl);\n  return jose.createLocalJWKSet(jwks);\n}\n\n// =============================================================================\n// Receipt Verification\n// =============================================================================\n\n/**\n * Verify a JWT payment receipt from MixrPay.\n * \n * This function:\n * 1. Fetches the JWKS from MixrPay (cached for 1 hour)\n * 2. Verifies the JWT signature using RS256\n * 3. Validates standard JWT claims (exp, iat)\n * 4. Returns the typed payment receipt\n * \n * @param receipt - The JWT receipt string from X-Payment-Receipt header\n * @param options - Optional configuration (custom JWKS URL, issuer validation)\n * @returns Verified payment receipt\n * @throws Error if verification fails\n * \n * @example\n * ```typescript\n * // Basic usage\n * const payment = await verifyPaymentReceipt(receipt);\n * \n * // With custom JWKS URL (for testing or self-hosted)\n * const payment = await verifyPaymentReceipt(receipt, {\n *   jwksUrl: 'https://your-mixrpay.com/.well-known/jwks'\n * });\n * ```\n */\nexport async function verifyPaymentReceipt(\n  receipt: string,\n  options?: VerifyReceiptOptions\n): Promise<PaymentReceipt> {\n  const jwksUrl = options?.jwksUrl || DEFAULT_JWKS_URL;\n\n  try {\n    // Get the key set\n    const keySet = await createKeySet(jwksUrl);\n\n    // Build verification options\n    const verifyOptions: jose.JWTVerifyOptions = {\n      algorithms: ['RS256'],\n    };\n\n    // Add issuer validation if specified\n    if (options?.issuer) {\n      verifyOptions.issuer = options.issuer;\n    }\n\n    // Verify the JWT\n    const { payload } = await jose.jwtVerify(receipt, keySet, verifyOptions);\n\n    // Validate required payment fields\n    const requiredFields = ['paymentId', 'amount', 'amountUsd', 'payer', 'recipient', 'chainId', 'txHash', 'settledAt'];\n    for (const field of requiredFields) {\n      if (!(field in payload)) {\n        throw new Error(`Missing required field in receipt: ${field}`);\n      }\n    }\n\n    // Return typed receipt\n    return {\n      paymentId: payload.paymentId as string,\n      amount: payload.amount as string,\n      amountUsd: payload.amountUsd as number,\n      payer: payload.payer as string,\n      recipient: payload.recipient as string,\n      chainId: payload.chainId as number,\n      txHash: payload.txHash as string,\n      settledAt: payload.settledAt as string,\n      issuedAt: new Date((payload.iat as number) * 1000),\n      expiresAt: new Date((payload.exp as number) * 1000),\n    };\n  } catch (error) {\n    if (error instanceof jose.errors.JWTExpired) {\n      throw new Error('Payment receipt has expired');\n    }\n    if (error instanceof jose.errors.JWTClaimValidationFailed) {\n      throw new Error(`Receipt validation failed: ${error.message}`);\n    }\n    if (error instanceof jose.errors.JWSSignatureVerificationFailed) {\n      throw new Error('Invalid receipt signature');\n    }\n    throw error;\n  }\n}\n\n/**\n * Parse a JWT payment receipt without verification.\n * \n * WARNING: This does NOT verify the signature. Use only for debugging\n * or when you've already verified the receipt elsewhere.\n * \n * @param receipt - The JWT receipt string\n * @returns Decoded payload (unverified)\n */\nexport function parsePaymentReceipt(receipt: string): PaymentReceipt {\n  const decoded = jose.decodeJwt(receipt);\n\n  return {\n    paymentId: decoded.paymentId as string,\n    amount: decoded.amount as string,\n    amountUsd: decoded.amountUsd as number,\n    payer: decoded.payer as string,\n    recipient: decoded.recipient as string,\n    chainId: decoded.chainId as number,\n    txHash: decoded.txHash as string,\n    settledAt: decoded.settledAt as string,\n    issuedAt: decoded.iat ? new Date(decoded.iat * 1000) : undefined,\n    expiresAt: decoded.exp ? new Date(decoded.exp * 1000) : undefined,\n  };\n}\n\n/**\n * Check if a receipt is expired.\n * \n * @param receipt - The JWT receipt string or parsed PaymentReceipt\n * @returns true if expired, false otherwise\n */\nexport function isReceiptExpired(receipt: string | PaymentReceipt): boolean {\n  const parsed = typeof receipt === 'string' ? parsePaymentReceipt(receipt) : receipt;\n  \n  if (!parsed.expiresAt) {\n    return false; // No expiration = never expires\n  }\n\n  return parsed.expiresAt.getTime() < Date.now();\n}\n\n/**\n * Clear the JWKS cache.\n * Useful for testing or when keys have rotated.\n */\nexport function clearJWKSCache(): void {\n  jwksCache.clear();\n}\n\n/**\n * Get the default JWKS URL.\n */\nexport function getDefaultJWKSUrl(): string {\n  return DEFAULT_JWKS_URL;\n}\n\n","/**\n * MixrPay Charges Module\n * \n * Create and manage charges using session signers.\n * Session signers allow you to charge user wallets without\n * requiring approval for each transaction.\n */\n\n// =============================================================================\n// Types\n// =============================================================================\n\nexport interface CreateChargeParams {\n  /** Session key ID granted by the user */\n  sessionId: string;\n  /** Amount to charge in USD (e.g., 0.05 for 5 cents) */\n  amountUsd: number;\n  /** Unique reference for idempotency (e.g., \"order_123\") */\n  reference: string;\n  /** Optional metadata */\n  metadata?: Record<string, unknown>;\n}\n\nexport interface Charge {\n  /** Unique charge ID */\n  id: string;\n  /** Current status */\n  status: 'pending' | 'submitted' | 'confirmed' | 'failed';\n  /** Amount in USD */\n  amountUsd: number;\n  /** Formatted USDC amount */\n  amountUsdc: string;\n  /** Transaction hash (if submitted) */\n  txHash?: string;\n  /** Block explorer URL */\n  explorerUrl?: string;\n  /** From wallet address */\n  fromAddress: string;\n  /** To wallet address */\n  toAddress: string;\n  /** Your reference */\n  reference: string;\n  /** When the charge was created */\n  createdAt: string;\n  /** When the charge was confirmed */\n  confirmedAt?: string;\n  /** Session name */\n  sessionName?: string;\n  /** User wallet address */\n  userWallet?: string;\n  /** Error message if failed */\n  error?: string;\n}\n\nexport interface CreateChargeResult {\n  success: boolean;\n  charge?: Charge;\n  /** True if this is a replay of an existing charge */\n  idempotentReplay?: boolean;\n  error?: string;\n  details?: string;\n}\n\nexport interface SessionGrant {\n  /** Session key ID */\n  sessionId: string;\n  /** User's wallet address */\n  userWallet: string;\n  /** Your merchant wallet address */\n  merchantWallet: string;\n  /** Spending limits */\n  limits: {\n    maxTotalUsd?: number;\n    maxPerTxUsd?: number;\n    expiresAt: string;\n  };\n  /** When the session was granted */\n  grantedAt: string;\n}\n\n// Internal types for API responses\ninterface CreateChargeApiResponse {\n  success: boolean;\n  charge_id?: string;\n  status?: string;\n  amount_usd?: number;\n  amount_usdc?: string;\n  tx_hash?: string;\n  explorer_url?: string;\n  idempotent_replay?: boolean;\n  error?: string;\n  details?: string;\n}\n\ninterface ChargeApiResponse {\n  id: string;\n  status: string;\n  amount_usd: number;\n  amount_usdc: string;\n  tx_hash?: string;\n  explorer_url?: string;\n  from_address: string;\n  to_address: string;\n  reference: string;\n  created_at: string;\n  confirmed_at?: string;\n  session_name?: string;\n  user_wallet?: string;\n}\n\nexport interface ChargesClientOptions {\n  /** Your API key */\n  apiKey: string;\n  /** MixrPay API base URL */\n  baseUrl?: string;\n}\n\n// =============================================================================\n// Client\n// =============================================================================\n\nexport class ChargesClient {\n  private apiKey: string;\n  private baseUrl: string;\n\n  constructor(options: ChargesClientOptions) {\n    this.apiKey = options.apiKey;\n    this.baseUrl = options.baseUrl || process.env.MIXRPAY_BASE_URL || 'https://www.mixrpay.com';\n  }\n\n  /**\n   * Create a new charge.\n   * \n   * @example\n   * ```typescript\n   * const result = await charges.create({\n   *   sessionId: 'sk_xxx',\n   *   amountUsd: 0.05,\n   *   reference: 'image_gen_123',\n   *   metadata: { feature: 'image_generation' }\n   * });\n   * \n   * if (result.success) {\n   *   console.log(`Charged ${result.charge.amountUsdc}`);\n   *   console.log(`TX: ${result.charge.explorerUrl}`);\n   * }\n   * ```\n   */\n  async create(params: CreateChargeParams): Promise<CreateChargeResult> {\n    const response = await fetch(`${this.baseUrl}/api/v1/charges`, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/json',\n        'Authorization': `Bearer ${this.apiKey}`,\n      },\n      body: JSON.stringify({\n        session_id: params.sessionId,\n        amount_usd: params.amountUsd,\n        reference: params.reference,\n        metadata: params.metadata,\n      }),\n    });\n\n    const data = await response.json() as CreateChargeApiResponse;\n\n    if (!response.ok) {\n      return {\n        success: false,\n        error: data.error,\n        details: data.details,\n      };\n    }\n\n    return {\n      success: data.success,\n      charge: data.charge_id ? {\n        id: data.charge_id,\n        status: data.status as Charge['status'],\n        amountUsd: data.amount_usd ?? 0,\n        amountUsdc: data.amount_usdc ?? '0',\n        txHash: data.tx_hash,\n        explorerUrl: data.explorer_url,\n        fromAddress: '',\n        toAddress: '',\n        reference: params.reference,\n        createdAt: new Date().toISOString(),\n      } : undefined,\n      idempotentReplay: data.idempotent_replay,\n      error: data.error,\n    };\n  }\n\n  /**\n   * Get a charge by ID.\n   * \n   * @example\n   * ```typescript\n   * const charge = await charges.get('chg_xxx');\n   * console.log(charge.status); // 'confirmed'\n   * ```\n   */\n  async get(chargeId: string): Promise<Charge | null> {\n    const response = await fetch(`${this.baseUrl}/api/v1/charges?id=${chargeId}`, {\n      headers: {\n        'Authorization': `Bearer ${this.apiKey}`,\n      },\n    });\n\n    if (!response.ok) {\n      if (response.status === 404) {\n        return null;\n      }\n      throw new Error(`Failed to get charge: ${response.statusText}`);\n    }\n\n    const data = await response.json() as ChargeApiResponse;\n\n    return {\n      id: data.id,\n      status: data.status as Charge['status'],\n      amountUsd: data.amount_usd,\n      amountUsdc: data.amount_usdc,\n      txHash: data.tx_hash,\n      explorerUrl: data.explorer_url,\n      fromAddress: data.from_address,\n      toAddress: data.to_address,\n      reference: data.reference,\n      createdAt: data.created_at,\n      confirmedAt: data.confirmed_at,\n      sessionName: data.session_name,\n      userWallet: data.user_wallet,\n    };\n  }\n\n  /**\n   * Get a charge by transaction hash.\n   */\n  async getByTxHash(txHash: string): Promise<Charge | null> {\n    const response = await fetch(`${this.baseUrl}/api/v1/charges?tx_hash=${txHash}`, {\n      headers: {\n        'Authorization': `Bearer ${this.apiKey}`,\n      },\n    });\n\n    if (!response.ok) {\n      if (response.status === 404) {\n        return null;\n      }\n      throw new Error(`Failed to get charge: ${response.statusText}`);\n    }\n\n    const data = await response.json() as ChargeApiResponse;\n\n    return {\n      id: data.id,\n      status: data.status as Charge['status'],\n      amountUsd: data.amount_usd,\n      amountUsdc: data.amount_usdc,\n      txHash: data.tx_hash,\n      explorerUrl: data.explorer_url,\n      fromAddress: data.from_address,\n      toAddress: data.to_address,\n      reference: data.reference,\n      createdAt: data.created_at,\n      confirmedAt: data.confirmed_at,\n      sessionName: data.session_name,\n      userWallet: data.user_wallet,\n    };\n  }\n}\n\n// =============================================================================\n// Webhook Verification\n// =============================================================================\n\nimport crypto from 'crypto';\n\n/**\n * Verify a session.granted webhook signature.\n * \n * @example\n * ```typescript\n * const payload = req.body;\n * const signature = req.headers['x-mixrpay-signature'];\n * \n * if (verifySessionWebhook(JSON.stringify(payload), signature, webhookSecret)) {\n *   const grant = parseSessionGrant(payload);\n *   console.log(`User ${grant.userWallet} granted access`);\n * }\n * ```\n */\nexport function verifySessionWebhook(\n  payload: string,\n  signature: string,\n  secret: string\n): boolean {\n  const expectedSignature = crypto\n    .createHmac('sha256', secret)\n    .update(payload)\n    .digest('hex');\n  \n  return crypto.timingSafeEqual(\n    Buffer.from(signature),\n    Buffer.from(expectedSignature)\n  );\n}\n\n/**\n * Parse a session.granted webhook payload.\n */\nexport function parseSessionGrant(payload: {\n  event: string;\n  session_id: string;\n  user_wallet: string;\n  merchant_wallet: string;\n  limits: {\n    max_total_usd?: number;\n    max_per_tx_usd?: number;\n    expires_at: string;\n  };\n  granted_at: string;\n}): SessionGrant {\n  if (payload.event !== 'session.granted') {\n    throw new Error(`Unexpected event type: ${payload.event}`);\n  }\n\n  return {\n    sessionId: payload.session_id,\n    userWallet: payload.user_wallet,\n    merchantWallet: payload.merchant_wallet,\n    limits: {\n      maxTotalUsd: payload.limits.max_total_usd,\n      maxPerTxUsd: payload.limits.max_per_tx_usd,\n      expiresAt: payload.limits.expires_at,\n    },\n    grantedAt: payload.granted_at,\n  };\n}\n\n"],"mappings":";AAiBA,YAAY,UAAU;AAOtB,IAAM,mBAAmB,QAAQ,IAAI,oBAAoB;AACzD,IAAM,oBAAoB,KAAK,KAAK;AAWpC,IAAM,YAAY,oBAAI,IAAwB;AAK9C,eAAe,QAAQ,SAA8C;AACnE,QAAM,SAAS,UAAU,IAAI,OAAO;AACpC,QAAM,MAAM,KAAK,IAAI;AAGrB,MAAI,UAAW,MAAM,OAAO,YAAa,mBAAmB;AAC1D,WAAO,OAAO;AAAA,EAChB;AAGA,QAAM,WAAW,MAAM,MAAM,OAAO;AAEpC,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,MAAM,6BAA6B,OAAO,KAAK,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACnG;AAEA,QAAM,OAAO,MAAM,SAAS,KAAK;AAGjC,MAAI,CAAC,KAAK,QAAQ,CAAC,MAAM,QAAQ,KAAK,IAAI,KAAK,KAAK,KAAK,WAAW,GAAG;AACrE,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAGA,YAAU,IAAI,SAAS,EAAE,MAAM,WAAW,IAAI,CAAC;AAE/C,SAAO;AACT;AAKA,eAAe,aAAa,SAAgD;AAC1E,QAAM,OAAO,MAAM,QAAQ,OAAO;AAClC,SAAY,uBAAkB,IAAI;AACpC;AA+BA,eAAsB,qBACpB,SACA,SACyB;AACzB,QAAM,UAAU,SAAS,WAAW;AAEpC,MAAI;AAEF,UAAM,SAAS,MAAM,aAAa,OAAO;AAGzC,UAAM,gBAAuC;AAAA,MAC3C,YAAY,CAAC,OAAO;AAAA,IACtB;AAGA,QAAI,SAAS,QAAQ;AACnB,oBAAc,SAAS,QAAQ;AAAA,IACjC;AAGA,UAAM,EAAE,QAAQ,IAAI,MAAW,eAAU,SAAS,QAAQ,aAAa;AAGvE,UAAM,iBAAiB,CAAC,aAAa,UAAU,aAAa,SAAS,aAAa,WAAW,UAAU,WAAW;AAClH,eAAW,SAAS,gBAAgB;AAClC,UAAI,EAAE,SAAS,UAAU;AACvB,cAAM,IAAI,MAAM,sCAAsC,KAAK,EAAE;AAAA,MAC/D;AAAA,IACF;AAGA,WAAO;AAAA,MACL,WAAW,QAAQ;AAAA,MACnB,QAAQ,QAAQ;AAAA,MAChB,WAAW,QAAQ;AAAA,MACnB,OAAO,QAAQ;AAAA,MACf,WAAW,QAAQ;AAAA,MACnB,SAAS,QAAQ;AAAA,MACjB,QAAQ,QAAQ;AAAA,MAChB,WAAW,QAAQ;AAAA,MACnB,UAAU,IAAI,KAAM,QAAQ,MAAiB,GAAI;AAAA,MACjD,WAAW,IAAI,KAAM,QAAQ,MAAiB,GAAI;AAAA,IACpD;AAAA,EACF,SAAS,OAAO;AACd,QAAI,iBAAsB,YAAO,YAAY;AAC3C,YAAM,IAAI,MAAM,6BAA6B;AAAA,IAC/C;AACA,QAAI,iBAAsB,YAAO,0BAA0B;AACzD,YAAM,IAAI,MAAM,8BAA8B,MAAM,OAAO,EAAE;AAAA,IAC/D;AACA,QAAI,iBAAsB,YAAO,gCAAgC;AAC/D,YAAM,IAAI,MAAM,2BAA2B;AAAA,IAC7C;AACA,UAAM;AAAA,EACR;AACF;;;ACgHA,OAAO,YAAY;AAgBZ,SAAS,qBACd,SACA,WACA,QACS;AACT,QAAM,oBAAoB,OACvB,WAAW,UAAU,MAAM,EAC3B,OAAO,OAAO,EACd,OAAO,KAAK;AAEf,SAAO,OAAO;AAAA,IACZ,OAAO,KAAK,SAAS;AAAA,IACrB,OAAO,KAAK,iBAAiB;AAAA,EAC/B;AACF;","names":[]}

package/dist/middleware/express.d.mts

@@ -1,5 +1,5 @@
 import { Request, Response, NextFunction } from 'express';
-import { X as X402PaymentResult, a as MixrPayPaymentResult, d as X402Options, M as MixrPayOptions } from '../types-jelXkTp9.mjs';
+import { X as X402PaymentResult, a as MixrPayPaymentResult, d as X402Options, M as MixrPayOptions } from '../types-BwiuIaOu.mjs';
 
 /**
  * MixrPay Merchant SDK - Express Middleware

package/dist/middleware/express.d.ts

@@ -1,5 +1,5 @@
 import { Request, Response, NextFunction } from 'express';
-import { X as X402PaymentResult, a as MixrPayPaymentResult, d as X402Options, M as MixrPayOptions } from '../types-jelXkTp9.js';
+import { X as X402PaymentResult, a as MixrPayPaymentResult, d as X402Options, M as MixrPayOptions } from '../types-BwiuIaOu.js';
 
 /**
  * MixrPay Merchant SDK - Express Middleware

package/dist/middleware/express.js

@@ -192,7 +192,7 @@ async function verifyX402Payment(paymentHeader, options) {
 }
 
 // src/receipt-fetcher.ts
-var DEFAULT_MIXRPAY_API_URL = process.env.MIXRPAY_BASE_URL || "https://mixrpay.com";
+var DEFAULT_MIXRPAY_API_URL = process.env.MIXRPAY_BASE_URL || "https://www.mixrpay.com";
 async function fetchPaymentReceipt(params) {
   const apiUrl = params.apiUrl || DEFAULT_MIXRPAY_API_URL;
   const endpoint = `${apiUrl}/api/v1/receipts`;
@@ -359,7 +359,7 @@ async function getFeaturePriceExpress(feature, baseUrl) {
 function mixrpay(options) {
   return async (req, res, next) => {
     try {
-      const baseUrl = options.mixrpayApiUrl || process.env.MIXRPAY_API_URL || "https://mixrpay.com";
+      const baseUrl = options.mixrpayApiUrl || process.env.MIXRPAY_API_URL || "https://www.mixrpay.com";
       const context = {
         path: req.path,
         method: req.method,
@@ -436,7 +436,7 @@ function mixrpay(options) {
   };
 }
 async function verifySessionPayment(sessionId, priceUsd, options, req) {
-  const baseUrl = options.mixrpayApiUrl || process.env.MIXRPAY_API_URL || "https://mixrpay.com";
+  const baseUrl = options.mixrpayApiUrl || process.env.MIXRPAY_API_URL || "https://www.mixrpay.com";
   const secretKey = process.env.MIXRPAY_SECRET_KEY;
   if (!secretKey) {
     return {
@@ -445,52 +445,108 @@ async function verifySessionPayment(sessionId, priceUsd, options, req) {
       error: "MIXRPAY_SECRET_KEY not configured"
     };
   }
+  const preChargedHeader = req.headers["x-mixr-charged"];
+  const isPreCharged = preChargedHeader && preChargedHeader !== "0" && preChargedHeader.toLowerCase() !== "false";
   try {
-    const response = await fetch(`${baseUrl}/api/v2/charge`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Authorization": `Bearer ${secretKey}`
-      },
-      body: JSON.stringify({
-        sessionId,
-        amountUsd: priceUsd,
-        feature: options.feature || req.headers["x-mixr-feature"],
-        idempotencyKey: req.headers["x-idempotency-key"]
-      })
-    });
-    if (!response.ok) {
-      const errorData = await response.json().catch(() => ({}));
-      return {
-        valid: false,
-        method: "session",
-        error: errorData.message || errorData.error || `Charge failed: ${response.status}`,
-        sessionId
-      };
+    if (isPreCharged) {
+      return await validatePreChargedSession(sessionId, priceUsd, preChargedHeader, baseUrl, secretKey, options);
+    } else {
+      return await chargeSession(sessionId, priceUsd, baseUrl, secretKey, options, req);
     }
-    const data = await response.json();
+  } catch (error) {
     return {
-      valid: true,
+      valid: false,
       method: "session",
-      payer: data.payer || data.walletAddress,
-      amountUsd: data.amountUsd || priceUsd,
-      txHash: data.txHash,
-      chargeId: data.chargeId,
-      sessionId,
-      feature: options.feature,
-      settledAt: data.settledAt ? new Date(data.settledAt) : /* @__PURE__ */ new Date()
+      error: `Session verification failed: ${error.message}`,
+      sessionId
     };
-  } catch (error) {
+  }
+}
+async function validatePreChargedSession(sessionId, expectedPriceUsd, chargedAmount, baseUrl, secretKey, options) {
+  const chargedUsd = parseFloat(chargedAmount);
+  if (isNaN(chargedUsd) || chargedUsd < expectedPriceUsd) {
     return {
       valid: false,
       method: "session",
-      error: `Session verification failed: ${error.message}`,
+      error: `Insufficient payment: charged $${chargedUsd}, required $${expectedPriceUsd}`,
+      sessionId
+    };
+  }
+  const response = await fetch(`${baseUrl}/api/v2/session/validate`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${secretKey}`
+    },
+    body: JSON.stringify({ session_id: sessionId })
+  });
+  if (!response.ok) {
+    const errorData = await response.json().catch(() => ({}));
+    return {
+      valid: false,
+      method: "session",
+      error: errorData.error || `Validation failed: ${response.status}`,
+      sessionId
+    };
+  }
+  const data = await response.json();
+  if (!data.valid) {
+    return {
+      valid: false,
+      method: "session",
+      error: data.error || data.code || "Session invalid",
       sessionId
     };
   }
+  return {
+    valid: true,
+    method: "session",
+    payer: data.wallet_address,
+    amountUsd: chargedUsd,
+    sessionId,
+    feature: options.feature,
+    settledAt: /* @__PURE__ */ new Date(),
+    preCharged: true
+  };
+}
+async function chargeSession(sessionId, priceUsd, baseUrl, secretKey, options, req) {
+  const response = await fetch(`${baseUrl}/api/v2/charge`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${secretKey}`
+    },
+    body: JSON.stringify({
+      session_id: sessionId,
+      price_usd: priceUsd,
+      feature: options.feature || req.headers["x-mixr-feature"],
+      idempotency_key: req.headers["x-idempotency-key"]
+    })
+  });
+  if (!response.ok) {
+    const errorData = await response.json().catch(() => ({}));
+    return {
+      valid: false,
+      method: "session",
+      error: errorData.message || errorData.error || `Charge failed: ${response.status}`,
+      sessionId
+    };
+  }
+  const data = await response.json();
+  return {
+    valid: true,
+    method: "session",
+    payer: data.payer || data.walletAddress,
+    amountUsd: data.charged_usd || priceUsd,
+    txHash: data.tx_hash,
+    chargeId: data.idempotency_key,
+    sessionId,
+    feature: options.feature,
+    settledAt: data.settledAt ? new Date(data.settledAt) : /* @__PURE__ */ new Date()
+  };
 }
 async function verifyWidgetPayment(paymentJwt, priceUsd, options, req) {
-  const baseUrl = options.mixrpayApiUrl || process.env.MIXRPAY_API_URL || "https://mixrpay.com";
+  const baseUrl = options.mixrpayApiUrl || process.env.MIXRPAY_API_URL || "https://www.mixrpay.com";
   const secretKey = process.env.MIXRPAY_SECRET_KEY;
   if (!secretKey) {
     return {