@ottocode/ai-sdk 0.1.8 → 0.2.0

package/README.md

@@ -4,6 +4,8 @@ A drop-in SDK for accessing AI models (OpenAI, Anthropic, Google, Moonshot, Mini
 
 All you need is a Solana wallet — the SDK handles authentication, payment negotiation, and provider routing automatically.
 
+Normal API requests use bearer auth. The SDK signs a wallet nonce once to exchange for a short-lived Setu token, reuses that token across requests, and refreshes it automatically when needed.
+
 ## Install
 
 ```bash
@@ -32,6 +34,8 @@ console.log(text);
 
 The SDK auto-resolves which provider to use based on the model name. It returns ai-sdk compatible model instances that work directly with `generateText()`, `streamText()`, etc.
 
+Under the hood, the first protected request exchanges wallet auth headers for a bearer token via `POST /v1/auth/wallet-token`. Subsequent requests reuse `Authorization: Bearer <token>` until refresh is needed.
+
 ## Provider Auto-Resolution
 
 Models are resolved to providers by prefix:
@@ -103,6 +107,8 @@ const setu = createSetu({
 
 Monitor and control the payment lifecycle:
 
+Request authentication and payment signing are separate: bearer auth is used for normal Setu HTTP requests, while your wallet still signs the x402 payment transaction during topups.
+
 ```ts
 const setu = createSetu({
   auth: { privateKey: '...' },
@@ -287,6 +293,8 @@ setu.registry.mapModel('some-model', 'openai');
 
 Use the x402-aware fetch wrapper directly:
 
+`setu.fetch()` uses bearer auth for normal requests and automatically refreshes the Setu access token on `401` once before retrying.
+
 ```ts
 const customFetch = setu.fetch();
 
@@ -306,6 +314,7 @@ import {
   getPublicKeyFromPrivate,
   addAnthropicCacheControl,
   createSetuFetch,
+  createWalletContext,
 } from '@ottocode/ai-sdk';
 
 // Get wallet address from private key
@@ -324,16 +333,21 @@ const setuFetch = createSetuFetch({
 });
 ```
 
+`createWalletContext()` remains available for advanced usage. Its wallet headers are now intended for token exchange only; regular API traffic should go through `createSetu()`, `setu.fetch()`, `createSetuFetch()`, or `fetchBalance()` so bearer auth refresh is handled automatically.
+
 ## How It Works
 
 1. You call `setu.model('claude-sonnet-4-20250514')` — the SDK resolves this to Anthropic
 2. It creates an ai-sdk provider (`@ai-sdk/anthropic`) pointed at the Setu proxy
 3. A custom fetch wrapper intercepts all requests to:
-   - Inject wallet auth headers (address, nonce, signature)
+   - Exchange signed wallet headers for a short-lived bearer token when needed
+   - Inject `Authorization: Bearer <token>` into normal API requests
    - Inject Anthropic cache control (if enabled)
+   - Handle `401` by refreshing the bearer token once and retrying
    - Handle 402 responses by signing USDC payments via x402
    - Sniff balance/cost info from SSE stream comments
-4. The Setu proxy verifies the wallet, checks balance, forwards to the real provider, tracks usage
+4. During topups, the wallet still signs the x402 transaction, but the `/v1/topup` HTTP request itself uses bearer auth
+5. The Setu proxy verifies the wallet/token, checks balance, forwards to the real provider, and tracks usage
 
 ## Requirements
 

package/package.json

@@ -1,29 +1,29 @@
 {
-  "name": "@ottocode/ai-sdk",
-  "version": "0.1.8",
-  "type": "module",
-  "exports": {
-    ".": "./src/index.ts",
-    "./providers": "./src/providers/index.ts",
-    "./types": "./src/types.ts"
-  },
-  "files": [
-    "src"
-  ],
-  "dependencies": {
-    "@ai-sdk/anthropic": "^3.0.0",
-    "@ai-sdk/google": "^3.0.0",
-    "@ai-sdk/openai": "^3.0.0",
-    "@ai-sdk/openai-compatible": "^2.0.0",
-    "@solana/web3.js": "^1.98.0",
-    "bs58": "^6.0.0",
-    "tweetnacl": "^1.0.3",
-    "x402": "^1.1.0"
-  },
-  "peerDependencies": {
-    "ai": ">=6.0.0"
-  },
-  "devDependencies": {
-    "typescript": "~5.9.3"
-  }
+	"name": "@ottocode/ai-sdk",
+	"version": "0.2.0",
+	"type": "module",
+	"exports": {
+		".": "./src/index.ts",
+		"./providers": "./src/providers/index.ts",
+		"./types": "./src/types.ts"
+	},
+	"files": [
+		"src"
+	],
+	"dependencies": {
+		"@ai-sdk/anthropic": "^3.0.0",
+		"@ai-sdk/google": "^3.0.0",
+		"@ai-sdk/openai": "^3.0.0",
+		"@ai-sdk/openai-compatible": "^2.0.0",
+		"@solana/web3.js": "^1.98.0",
+		"bs58": "^6.0.0",
+		"tweetnacl": "^1.0.3",
+		"x402": "^1.1.0"
+	},
+	"peerDependencies": {
+		"ai": ">=6.0.0"
+	},
+	"devDependencies": {
+		"typescript": "~5.9.3"
+	}
 }

package/src/auth.ts

@@ -5,7 +5,13 @@ import type { SetuAuth } from './types.ts';
 
 export interface WalletContext {
 	walletAddress: string;
-	buildHeaders: () => Promise<Record<string, string>> | Record<string, string>;
+	buildWalletAuthHeaders:
+		| (() => Promise<Record<string, string>>)
+		| (() => Record<string, string>);
+	/** @deprecated Use buildWalletAuthHeaders() instead. */
+	buildHeaders:
+		| (() => Promise<Record<string, string>>)
+		| (() => Record<string, string>);
 	keypair?: Keypair;
 	privateKeyBytes?: Uint8Array;
 	signTransaction?: (transaction: Uint8Array) => Promise<Uint8Array>;
@@ -18,18 +24,20 @@ export function createWalletContext(auth: SetuAuth): WalletContext {
 			signNonce: customSignNonce,
 			signTransaction,
 		} = auth.signer;
+		const buildWalletAuthHeaders = async () => {
+			const nonce = Date.now().toString();
+			const signature = await customSignNonce(nonce);
+			return {
+				'x-wallet-address': walletAddress,
+				'x-wallet-nonce': nonce,
+				'x-wallet-signature': signature,
+			};
+		};
 		return {
 			walletAddress,
 			signTransaction,
-			buildHeaders: async () => {
-				const nonce = Date.now().toString();
-				const signature = await customSignNonce(nonce);
-				return {
-					'x-wallet-address': walletAddress,
-					'x-wallet-nonce': nonce,
-					'x-wallet-signature': signature,
-				};
-			},
+			buildWalletAuthHeaders,
+			buildHeaders: buildWalletAuthHeaders,
 		};
 	}
 
@@ -40,11 +48,14 @@ export function createWalletContext(auth: SetuAuth): WalletContext {
 	const privateKeyBytes = bs58.decode(auth.privateKey);
 	const keypair = Keypair.fromSecretKey(privateKeyBytes);
 	const walletAddress = keypair.publicKey.toBase58();
+	const buildWalletAuthHeaders = () =>
+		buildWalletHeaders(walletAddress, privateKeyBytes);
 	return {
 		keypair,
 		walletAddress,
 		privateKeyBytes,
-		buildHeaders: () => buildWalletHeaders(walletAddress, privateKeyBytes),
+		buildWalletAuthHeaders,
+		buildHeaders: buildWalletAuthHeaders,
 	};
 }
 
@@ -67,6 +78,8 @@ export function buildWalletHeaders(
 	};
 }
 
+export const buildWalletAuthHeaders = buildWalletHeaders;
+
 export function getPublicKeyFromPrivate(privateKey?: string): string | null {
 	if (!privateKey) return null;
 	try {

package/src/balance.ts

@@ -3,6 +3,7 @@ import { Keypair } from '@solana/web3.js';
 import type { SetuAuth, BalanceResponse, WalletUsdcBalance } from './types.ts';
 import type { WalletContext } from './auth.ts';
 import { createWalletContext } from './auth.ts';
+import { createAccessTokenManager } from './token.ts';
 
 const DEFAULT_BASE_URL = 'https://api.setu.ottocode.io';
 const DEFAULT_RPC_URL = 'https://api.mainnet-beta.solana.com';
@@ -17,8 +18,10 @@ function isWalletContext(input: unknown): input is WalletContext {
 	return (
 		typeof input === 'object' &&
 		input !== null &&
-		'buildHeaders' in input &&
-		typeof (input as WalletContext).buildHeaders === 'function'
+		(('buildWalletAuthHeaders' in input &&
+			typeof (input as WalletContext).buildWalletAuthHeaders === 'function') ||
+			('buildHeaders' in input &&
+				typeof (input as WalletContext).buildHeaders === 'function'))
 	);
 }
 
@@ -31,9 +34,19 @@ export async function fetchBalance(
 			? walletOrAuth
 			: createWalletContext(walletOrAuth);
 		const url = trimTrailingSlash(baseURL ?? DEFAULT_BASE_URL);
-		const headers = await wallet.buildHeaders();
+		const tokenManager = createAccessTokenManager({ wallet, baseURL: url });
+		const requestBalance = async (forceRefresh = false) => {
+			const accessToken = await tokenManager.getToken(forceRefresh);
+			return fetch(`${url}/v1/balance`, {
+				headers: { authorization: `Bearer ${accessToken}` },
+			});
+		};
 
-		const response = await fetch(`${url}/v1/balance`, { headers });
+		let response = await requestBalance();
+		if (response.status === 401) {
+			tokenManager.invalidate();
+			response = await requestBalance(true);
+		}
 
 		if (!response.ok) return null;
 

package/src/catalog.ts

@@ -1176,6 +1176,53 @@ export const setuCatalog: SetuCatalog = {
 				cache_read: 0.17587499999999998,
 			},
 		},
+		{
+			id: 'gpt-5.4',
+			name: 'GPT-5.4',
+			owned_by: 'openai',
+			context_length: 1050000,
+			max_output: 128000,
+			reasoning: true,
+			tool_call: true,
+			attachment: true,
+			temperature: false,
+			knowledge: '2025-08-31',
+			release_date: '2026-03-05',
+			last_updated: '2026-03-05',
+			open_weights: false,
+			modalities: {
+				input: ['text', 'image'],
+				output: ['text'],
+			},
+			pricing: {
+				input: 2.5124999999999997,
+				output: 15.075,
+				cache_read: 0.25125,
+			},
+		},
+		{
+			id: 'gpt-5.4-pro',
+			name: 'GPT-5.4 Pro',
+			owned_by: 'openai',
+			context_length: 1050000,
+			max_output: 128000,
+			reasoning: true,
+			tool_call: true,
+			attachment: true,
+			temperature: false,
+			knowledge: '2025-08-31',
+			release_date: '2026-03-05',
+			last_updated: '2026-03-05',
+			open_weights: false,
+			modalities: {
+				input: ['text', 'image'],
+				output: ['text'],
+			},
+			pricing: {
+				input: 30.15,
+				output: 180.89999999999998,
+			},
+		},
 		{
 			id: 'glm-4.7',
 			name: 'GLM-4.7',
@@ -1248,5 +1295,5 @@ export const setuCatalog: SetuCatalog = {
 		},
 	],
 	providers: ['anthropic', 'google', 'minimax', 'moonshot', 'openai', 'zai'],
-	lastUpdated: '2026-02-19',
+	lastUpdated: '2026-03-06',
 } as const satisfies SetuCatalog;

package/src/fetch.ts

@@ -8,6 +8,7 @@ import type {
 } from './types.ts';
 import { pickPaymentRequirement, handlePayment } from './payment.ts';
 import { addAnthropicCacheControl } from './cache.ts';
+import { createAccessTokenManager } from './token.ts';
 
 const DEFAULT_RPC_URL = 'https://api.mainnet-beta.solana.com';
 const DEFAULT_MAX_ATTEMPTS = 3;
@@ -186,6 +187,11 @@ export function createSetuFetch(options: CreateSetuFetchOptions) {
 	const topupApprovalMode = payment?.topupApprovalMode ?? 'auto';
 	const autoPayThresholdUsd = payment?.autoPayThresholdUsd ?? 0;
 	const baseFetch = customFetch ?? globalThis.fetch.bind(globalThis);
+	const tokenManager = createAccessTokenManager({
+		wallet,
+		baseURL,
+		fetch: baseFetch,
+	});
 
 	return async (
 		input: Parameters<typeof fetch>[0],
@@ -195,6 +201,13 @@ export function createSetuFetch(options: CreateSetuFetchOptions) {
 
 		while (attempt < maxAttempts) {
 			attempt++;
+			const performAuthenticatedRequest = async (forceRefresh = false) => {
+				const headers = new Headers(init?.headers);
+				const accessToken = await tokenManager.getToken(forceRefresh);
+				headers.set('authorization', `Bearer ${accessToken}`);
+				return baseFetch(input, { ...init, body, headers });
+			};
+
 			let body = init?.body;
 			if (body && typeof body === 'string') {
 				try {
@@ -213,13 +226,11 @@ export function createSetuFetch(options: CreateSetuFetchOptions) {
 				} catch {}
 			}
 
-			const headers = new Headers(init?.headers);
-			const walletHeaders = await wallet.buildHeaders();
-			headers.set('x-wallet-address', walletHeaders['x-wallet-address']);
-			headers.set('x-wallet-nonce', walletHeaders['x-wallet-nonce']);
-			headers.set('x-wallet-signature', walletHeaders['x-wallet-signature']);
-
-			const response = await baseFetch(input, { ...init, body, headers });
+			let response = await performAuthenticatedRequest();
+			if (response.status === 401) {
+				tokenManager.invalidate();
+				response = await performAuthenticatedRequest(true);
+			}
 
 			if (response.status !== 402) {
 				return wrapResponseWithBalanceSniffing(response, callbacks);
@@ -292,6 +303,7 @@ export function createSetuFetch(options: CreateSetuFetchOptions) {
 						rpcURL,
 						baseURL,
 						baseFetch,
+						tokenManager,
 						maxAttempts: remainingPayments,
 						callbacks,
 					});

package/src/payment.ts

@@ -9,6 +9,7 @@ import type {
 	PaymentCallbacks,
 	FetchFunction,
 } from './types.ts';
+import type { AccessTokenManager } from './token.ts';
 import {
 	address,
 	getTransactionEncoder,
@@ -138,6 +139,7 @@ export async function processSinglePayment(args: {
 	rpcURL: string;
 	baseURL: string;
 	baseFetch: FetchFunction;
+	tokenManager: AccessTokenManager;
 	callbacks: PaymentCallbacks;
 }): Promise<{ attempts: number; balance?: number | string }> {
 	args.callbacks.onPaymentSigning?.();
@@ -156,15 +158,26 @@ export async function processSinglePayment(args: {
 		throw new Error(`Setu: ${userMsg}`);
 	}
 
-	const walletHeaders = await args.wallet.buildHeaders();
-	const response = await args.baseFetch(`${args.baseURL}/v1/topup`, {
-		method: 'POST',
-		headers: { 'Content-Type': 'application/json', ...walletHeaders },
-		body: JSON.stringify({
-			paymentPayload,
-			paymentRequirement: args.requirement,
-		}),
-	});
+	const sendTopupRequest = async (forceRefresh = false) => {
+		const accessToken = await args.tokenManager.getToken(forceRefresh);
+		return args.baseFetch(`${args.baseURL}/v1/topup`, {
+			method: 'POST',
+			headers: {
+				'Content-Type': 'application/json',
+				authorization: `Bearer ${accessToken}`,
+			},
+			body: JSON.stringify({
+				paymentPayload,
+				paymentRequirement: args.requirement,
+			}),
+		});
+	};
+
+	let response = await sendTopupRequest();
+	if (response.status === 401) {
+		args.tokenManager.invalidate();
+		response = await sendTopupRequest(true);
+	}
 
 	const rawBody = await response.text().catch(() => '');
 	if (!response.ok) {
@@ -210,6 +223,7 @@ export async function handlePayment(args: {
 	rpcURL: string;
 	baseURL: string;
 	baseFetch: FetchFunction;
+	tokenManager: AccessTokenManager;
 	maxAttempts: number;
 	callbacks: PaymentCallbacks;
 }): Promise<{ attemptsUsed: number }> {

package/src/token.ts

@@ -0,0 +1,155 @@
+import type { WalletContext } from './auth.ts';
+import type { FetchFunction } from './types.ts';
+
+const DEFAULT_TOKEN_REFRESH_SKEW_MS = 60_000;
+const DEFAULT_TOKEN_TTL_MS = 5 * 60_000;
+
+interface AccessTokenState {
+	token: string;
+	expiresAt: number;
+}
+
+export interface AccessTokenManager {
+	getToken(forceRefresh?: boolean): Promise<string>;
+	invalidate(): void;
+}
+
+interface CreateAccessTokenManagerOptions {
+	wallet: WalletContext;
+	baseURL: string;
+	fetch?: FetchFunction;
+	tokenRefreshSkewMs?: number;
+}
+
+interface WalletTokenResponse {
+	accessToken?: string;
+	access_token?: string;
+	token?: string;
+	expiresAt?: number | string;
+	expires_at?: number | string;
+	expiresIn?: number | string;
+	expires_in?: number | string;
+}
+
+function trimTrailingSlash(url: string) {
+	return url.endsWith('/') ? url.slice(0, -1) : url;
+}
+
+function parseNumber(value: unknown): number | null {
+	if (typeof value === 'number' && Number.isFinite(value)) return value;
+	if (typeof value === 'string' && value.trim()) {
+		const parsed = Number(value);
+		if (Number.isFinite(parsed)) return parsed;
+	}
+	return null;
+}
+
+function parseJwtExpiry(token: string): number | null {
+	const parts = token.split('.');
+	if (parts.length < 2) return null;
+	try {
+		const base64 = parts[1]?.replace(/-/g, '+').replace(/_/g, '/');
+		if (!base64) return null;
+		const padded = base64.padEnd(Math.ceil(base64.length / 4) * 4, '=');
+		const json = JSON.parse(atob(padded)) as {
+			exp?: unknown;
+		};
+		const exp = parseNumber(json.exp);
+		return exp != null ? exp * 1000 : null;
+	} catch {
+		return null;
+	}
+}
+
+function resolveExpiresAt(payload: WalletTokenResponse, token: string): number {
+	const expiresAt = parseNumber(payload.expiresAt ?? payload.expires_at);
+	if (expiresAt != null) {
+		return expiresAt > 1_000_000_000_000 ? expiresAt : expiresAt * 1000;
+	}
+
+	const expiresIn = parseNumber(payload.expiresIn ?? payload.expires_in);
+	if (expiresIn != null) {
+		return Date.now() + expiresIn * 1000;
+	}
+
+	return parseJwtExpiry(token) ?? Date.now() + DEFAULT_TOKEN_TTL_MS;
+}
+
+async function exchangeWalletToken(
+	wallet: WalletContext,
+	baseURL: string,
+	baseFetch: FetchFunction,
+): Promise<AccessTokenState> {
+	const walletHeaders = await (
+		wallet.buildWalletAuthHeaders ?? wallet.buildHeaders
+	)();
+	const response = await baseFetch(
+		`${trimTrailingSlash(baseURL)}/v1/auth/wallet-token`,
+		{
+			method: 'POST',
+			headers: walletHeaders,
+		},
+	);
+
+	if (!response.ok) {
+		const body = await response.text().catch(() => '');
+		throw new Error(
+			`Setu: wallet token exchange failed (${response.status})${body ? `: ${body}` : ''}`,
+		);
+	}
+
+	const payload = (await response.json()) as WalletTokenResponse;
+	const token = payload.accessToken ?? payload.access_token ?? payload.token;
+	if (!token) {
+		throw new Error(
+			'Setu: wallet token exchange response missing access token.',
+		);
+	}
+
+	return {
+		token,
+		expiresAt: resolveExpiresAt(payload, token),
+	};
+}
+
+export function createAccessTokenManager(
+	options: CreateAccessTokenManagerOptions,
+): AccessTokenManager {
+	const {
+		wallet,
+		baseURL,
+		fetch: customFetch,
+		tokenRefreshSkewMs = DEFAULT_TOKEN_REFRESH_SKEW_MS,
+	} = options;
+	const baseFetch = customFetch ?? globalThis.fetch.bind(globalThis);
+	let state: AccessTokenState | null = null;
+	let inFlight: Promise<string> | null = null;
+
+	const hasValidToken = () =>
+		state != null && Date.now() + tokenRefreshSkewMs < state.expiresAt;
+
+	const refresh = async () => {
+		const next = await exchangeWalletToken(wallet, baseURL, baseFetch);
+		state = next;
+		return next.token;
+	};
+
+	return {
+		async getToken(forceRefresh = false) {
+			if (!forceRefresh && hasValidToken() && state) {
+				return state.token;
+			}
+
+			if (!inFlight) {
+				inFlight = refresh().finally(() => {
+					inFlight = null;
+				});
+			}
+
+			return inFlight;
+		},
+		invalidate() {
+			state = null;
+		},
+	};
+}