@primitivedotdev/sdk 1.3.0 → 1.5.0

package/dist/x402/index.d.ts

@@ -0,0 +1,263 @@
+import { Address, Hex } from "viem";
+
+//#region src/x402/sign.d.ts
+interface NonceBinding {
+  /** The interaction id, including its `@domain`. Lowercased before hashing. */
+  interactionId: string;
+  /** The challenge step id (a UUID). Lowercased before hashing. */
+  challengeStepId: string;
+  /** The challenger's per-challenge random nonce: 64 lowercase hex chars. */
+  challengeNonce: string;
+}
+/**
+ * Derive the EIP-3009 nonce bound to a specific interaction step:
+ *
+ *   keccak256( utf8(lower(interaction_id)) || 0x00
+ *            || utf8(lower(challenge_step_id)) || 0x00
+ *            || hexdecode(challenge_nonce) )
+ *
+ * The `0x00` separators pin the field boundaries (undelimited concatenation of
+ * variable-length strings is collision-ambiguous), and the challenge nonce is
+ * decoded to its 32 raw bytes before hashing. The platform recomputes this and
+ * rejects a mismatch.
+ */
+declare function deriveEip3009Nonce(input: NonceBinding): Hex;
+/**
+ * The EIP-3009 `TransferWithAuthorization` EIP-712 type. The field order and
+ * types are part of the on-chain contract and MUST NOT change.
+ */
+declare const TRANSFER_WITH_AUTHORIZATION_TYPES: {
+  readonly TransferWithAuthorization: readonly [{
+    readonly name: "from";
+    readonly type: "address";
+  }, {
+    readonly name: "to";
+    readonly type: "address";
+  }, {
+    readonly name: "value";
+    readonly type: "uint256";
+  }, {
+    readonly name: "validAfter";
+    readonly type: "uint256";
+  }, {
+    readonly name: "validBefore";
+    readonly type: "uint256";
+  }, {
+    readonly name: "nonce";
+    readonly type: "bytes32";
+  }];
+};
+/**
+ * The token's EIP-712 domain. `name`/`version` MUST be the actual token's domain
+ * params (Base mainnet USDC reports `name: "USD Coin"`, Base Sepolia `"USDC"`;
+ * both `version: "2"`); they come from the challenge's payment requirements
+ * `extra`. A wrong name/version produces a signature the verifier rejects.
+ */
+interface TokenDomain {
+  name: string;
+  version: string;
+  chainId: number;
+  verifyingContract: Address;
+}
+interface TransferAuthorization {
+  from: Address;
+  to: Address;
+  /** Token base units (USDC has 6 decimals), as a bigint. */
+  value: bigint;
+  validAfter: bigint;
+  validBefore: bigint;
+  nonce: Hex;
+}
+interface TransferWithAuthorizationTypedData {
+  domain: {
+    name: string;
+    version: string;
+    chainId: number;
+    verifyingContract: Address;
+  };
+  types: typeof TRANSFER_WITH_AUTHORIZATION_TYPES;
+  primaryType: "TransferWithAuthorization";
+  message: TransferAuthorization;
+}
+declare function transferWithAuthorizationTypedData(domain: TokenDomain, auth: TransferAuthorization): TransferWithAuthorizationTypedData;
+/**
+ * A customer-held signer. A viem `LocalAccount` satisfies this directly; any
+ * key source (hardware wallet, injected provider) can be adapted. The key never
+ * leaves the caller.
+ */
+interface X402Signer {
+  address: Address;
+  signTypedData(typedData: TransferWithAuthorizationTypedData): Promise<Hex>;
+  /**
+   * `personal_sign` over a UTF-8 string. Only needed for
+   * `registerPayoutAddress()` (the ownership proof); a viem `LocalAccount`
+   * provides it directly.
+   */
+  signMessage?(args: {
+    message: string;
+  }): Promise<Hex>;
+}
+interface PayoutRegistrationMessageInput {
+  /** The org id the address is being authorized for. Bound into the signature. */
+  org: string;
+  /** The payout address (the signer's own address). Lowercased in the message. */
+  address: string;
+  network: string;
+  /** ISO-8601 timestamp; the server enforces a freshness window against replay. */
+  issuedAt: string;
+}
+/**
+ * Build the payout-address ownership message. This MUST be byte-identical to the
+ * platform's `buildPayoutRegistrationMessage`, or registration fails the
+ * ownership proof. The org id is in the signed bytes, so a captured signature
+ * can never register the address under a different org.
+ */
+declare function buildPayoutRegistrationMessage(input: PayoutRegistrationMessageInput): string;
+/** The x402 wire payload (validated server-side against the x402 schema). */
+interface X402PaymentPayload {
+  x402Version: 1;
+  scheme: "exact";
+  network: string;
+  payload: {
+    signature: Hex;
+    authorization: {
+      from: Address;
+      to: Address;
+      value: string;
+      validAfter: string;
+      validBefore: string;
+      nonce: Hex;
+    };
+  };
+}
+/** Assemble the wire payload from a signed authorization. */
+declare function toPaymentPayload(network: string, auth: TransferAuthorization, signature: Hex): X402PaymentPayload;
+//#endregion
+//#region src/x402/client.d.ts
+interface X402PaymentRequirements {
+  scheme: string;
+  network: string;
+  maxAmountRequired: string;
+  payTo: string;
+  asset: string;
+  extra: {
+    name: string;
+    version: string;
+  };
+}
+/** A request for payment, as returned by `charge()` / the platform. */
+interface X402Challenge {
+  id: string;
+  network: string;
+  amount: string;
+  pay_to: string;
+  nonce_binding: {
+    interaction_id: string;
+    challenge_step_id: string;
+    challenge_nonce: string;
+  };
+  payment_requirements: X402PaymentRequirements;
+  expires_at: string;
+}
+interface X402Receipt {
+  id: string;
+  status: string;
+  settle_tx: string | null;
+}
+/** A registered payout address (read shape; mirrors the platform response). */
+interface X402PayoutAddress {
+  id: string;
+  address: string;
+  network: string;
+  label: string | null;
+  is_default: boolean;
+  verified_at: string | null;
+}
+/** The org's spend policy (read shape; also accepted by `setSpendPolicy`). */
+interface X402SpendPolicy {
+  /** Kill-switch: when true, all outbound payments are refused. */
+  paused: boolean;
+  /** Per-payment cap in token base units, or null for no cap. */
+  max_per_payment: string | null;
+  /** Daily cap in token base units, or null for no cap. */
+  max_per_day: string | null;
+  /** Allowed payee org ids; null = any on-net payee, [] = deny all. */
+  allowlist: string[] | null;
+}
+interface X402ChargeInput {
+  /** Amount in token base units (USDC has 6 decimals, so "10000" = 0.01). */
+  amount: string;
+  /** Defaults to "base-sepolia". */
+  network?: string;
+  /** The org id allowed to pay this challenge (on-net binding). */
+  payerOrg?: string;
+  description?: string;
+  /** A URL identifying the thing being paid for. */
+  resource?: string;
+  /** Seconds until the challenge expires (default 1h). */
+  expiresIn?: number;
+}
+declare class X402Error extends Error {
+  /** HTTP status, or 0 for a client-side / transport error that never reached the server. */
+  readonly status: number;
+  readonly body: unknown;
+  /** The `Retry-After` response header, if the server sent one. */
+  readonly retryAfter: string | null;
+  constructor(message: string, status: number, body?: unknown, options?: {
+    cause?: unknown;
+    retryAfter?: string | null;
+  });
+}
+interface X402ClientOptions {
+  /** API key. Defaults to `process.env.PRIMITIVE_API_KEY`. */
+  apiKey?: string;
+  /** API base URL. Defaults to the production host. */
+  baseUrl?: string;
+  /** Override the fetch implementation (e.g. for testing). */
+  fetch?: typeof fetch;
+  /** Per-request timeout in milliseconds. Defaults to 30000. */
+  timeoutMs?: number;
+}
+declare class X402Client {
+  #private;
+  constructor(options?: X402ClientOptions);
+  /** Request a payment (payee side). Returns the challenge to hand to the payer. */
+  charge(input: X402ChargeInput): Promise<X402Challenge>;
+  /**
+   * Pay a challenge (payer side). Derives the interaction-bound authorization,
+   * signs it locally with the caller's key, and submits it for settlement.
+   */
+  pay(challenge: X402Challenge, options: {
+    signer: X402Signer;
+  }): Promise<X402Receipt>;
+  /** Fetch a challenge by id (scoped to the challenger org that created it). */
+  getChallenge(id: string): Promise<X402Challenge>;
+  /**
+   * Register a payout address for your org (payee side). The signer proves
+   * control of its own address with an org-bound `personal_sign`; the proven
+   * address becomes (or updates to) the default payout destination for the
+   * network. `charge()` resolves its `pay_to` from this directory, so a payee
+   * must register before requesting payments.
+   */
+  registerPayoutAddress(input: {
+    org: string;
+    network?: string;
+    issuedAt?: string;
+  }, options: {
+    signer: X402Signer;
+  }): Promise<X402PayoutAddress>;
+  /** List your org's registered payout addresses. */
+  listPayoutAddresses(): Promise<X402PayoutAddress[]>;
+  /** Read your org's spend policy (kill-switch + caps + allowlist). */
+  getSpendPolicy(): Promise<X402SpendPolicy>;
+  /**
+   * Update your org's spend policy. The endpoint is a PUT, but the server
+   * applies it as a merge: only the fields you include are changed and omitted
+   * fields keep their current value, so a partial update can't silently reset
+   * the kill-switch. Pass `null` to clear a cap.
+   */
+  setSpendPolicy(update: Partial<X402SpendPolicy>): Promise<X402SpendPolicy>;
+}
+declare function createX402Client(options?: X402ClientOptions): X402Client;
+//#endregion
+export { NonceBinding, PayoutRegistrationMessageInput, TRANSFER_WITH_AUTHORIZATION_TYPES, TokenDomain, TransferAuthorization, TransferWithAuthorizationTypedData, X402Challenge, X402ChargeInput, X402Client, X402ClientOptions, X402Error, X402PaymentPayload, X402PaymentRequirements, X402PayoutAddress, X402Receipt, X402Signer, X402SpendPolicy, buildPayoutRegistrationMessage, createX402Client, deriveEip3009Nonce, toPaymentPayload, transferWithAuthorizationTypedData };

package/dist/x402/index.js

@@ -0,0 +1,320 @@
+import { concat, hexToBytes, keccak256, stringToBytes } from "viem";
+//#region src/x402/sign.ts
+/**
+* x402 client-side signing.
+*
+* The payer signs an EIP-3009 `transferWithAuthorization` over the customer's
+* own key; the key never leaves them. This module derives the interaction-bound
+* nonce and assembles the EIP-712 typed data and the wire payload. The byte
+* layout here MUST match the platform verifier exactly; a normative test vector
+* (see sign.test.ts) locks the nonce derivation to the same value the server
+* recomputes.
+*/
+/** A challenge nonce is 32 bytes rendered as 64 lowercase hex chars, no 0x. */
+const CHALLENGE_NONCE_RE = /^[0-9a-f]{64}$/;
+/** Single-byte domain separator between the variable-length string fields. */
+const FIELD_SEPARATOR = new Uint8Array([0]);
+/**
+* Derive the EIP-3009 nonce bound to a specific interaction step:
+*
+*   keccak256( utf8(lower(interaction_id)) || 0x00
+*            || utf8(lower(challenge_step_id)) || 0x00
+*            || hexdecode(challenge_nonce) )
+*
+* The `0x00` separators pin the field boundaries (undelimited concatenation of
+* variable-length strings is collision-ambiguous), and the challenge nonce is
+* decoded to its 32 raw bytes before hashing. The platform recomputes this and
+* rejects a mismatch.
+*/
+function deriveEip3009Nonce(input) {
+	if (!CHALLENGE_NONCE_RE.test(input.challengeNonce)) throw new Error("challengeNonce must be exactly 64 lowercase hex chars (32 bytes), no 0x prefix");
+	return keccak256(concat([
+		stringToBytes(input.interactionId.toLowerCase()),
+		FIELD_SEPARATOR,
+		stringToBytes(input.challengeStepId.toLowerCase()),
+		FIELD_SEPARATOR,
+		hexToBytes(`0x${input.challengeNonce}`)
+	]));
+}
+/**
+* The EIP-3009 `TransferWithAuthorization` EIP-712 type. The field order and
+* types are part of the on-chain contract and MUST NOT change.
+*/
+const TRANSFER_WITH_AUTHORIZATION_TYPES = { TransferWithAuthorization: [
+	{
+		name: "from",
+		type: "address"
+	},
+	{
+		name: "to",
+		type: "address"
+	},
+	{
+		name: "value",
+		type: "uint256"
+	},
+	{
+		name: "validAfter",
+		type: "uint256"
+	},
+	{
+		name: "validBefore",
+		type: "uint256"
+	},
+	{
+		name: "nonce",
+		type: "bytes32"
+	}
+] };
+function transferWithAuthorizationTypedData(domain, auth) {
+	return {
+		domain: {
+			name: domain.name,
+			version: domain.version,
+			chainId: domain.chainId,
+			verifyingContract: domain.verifyingContract
+		},
+		types: TRANSFER_WITH_AUTHORIZATION_TYPES,
+		primaryType: "TransferWithAuthorization",
+		message: auth
+	};
+}
+/**
+* Build the payout-address ownership message. This MUST be byte-identical to the
+* platform's `buildPayoutRegistrationMessage`, or registration fails the
+* ownership proof. The org id is in the signed bytes, so a captured signature
+* can never register the address under a different org.
+*/
+function buildPayoutRegistrationMessage(input) {
+	return [
+		"Primitive x402 payout address authorization",
+		"",
+		"I authorize this address as a payout destination for my Primitive organization.",
+		"",
+		`org: ${input.org}`,
+		`address: ${input.address.toLowerCase()}`,
+		`network: ${input.network}`,
+		`issued: ${input.issuedAt}`
+	].join("\n");
+}
+/** Assemble the wire payload from a signed authorization. */
+function toPaymentPayload(network, auth, signature) {
+	return {
+		x402Version: 1,
+		scheme: "exact",
+		network,
+		payload: {
+			signature,
+			authorization: {
+				from: auth.from,
+				to: auth.to,
+				value: auth.value.toString(),
+				validAfter: auth.validAfter.toString(),
+				validBefore: auth.validBefore.toString(),
+				nonce: auth.nonce
+			}
+		}
+	};
+}
+//#endregion
+//#region src/x402/client.ts
+const CHAIN_IDS = {
+	"base-sepolia": 84532,
+	base: 8453
+};
+const CLOCK_SKEW_SEC = 300;
+const SETTLEMENT_MARGIN_SEC = 300;
+const DEFAULT_BASE_URL = "https://api.primitive.dev";
+const CHARGE_INPUT_KEYS = {
+	amount: true,
+	network: true,
+	payerOrg: true,
+	description: true,
+	resource: true,
+	expiresIn: true
+};
+var X402Error = class extends Error {
+	/** HTTP status, or 0 for a client-side / transport error that never reached the server. */
+	status;
+	body;
+	/** The `Retry-After` response header, if the server sent one. */
+	retryAfter;
+	constructor(message, status, body, options) {
+		super(message, options?.cause !== void 0 ? { cause: options.cause } : void 0);
+		this.name = "X402Error";
+		this.status = status;
+		this.body = body;
+		this.retryAfter = options?.retryAfter ?? null;
+	}
+};
+/**
+* Assert a challenge is fully hydrated before signing, so a missing field fails
+* with a named X402Error instead of an opaque viem/BigInt error mid-sign.
+*/
+function validateChallenge(c) {
+	const bad = (field) => {
+		throw new X402Error(`challenge is missing or malformed: ${field}`, 0);
+	};
+	if (!c || typeof c !== "object") bad("challenge");
+	if (!c.id) bad("id");
+	if (!c.network) bad("network");
+	if (!c.expires_at) bad("expires_at");
+	const nb = c.nonce_binding;
+	if (!nb?.interaction_id || !nb.challenge_step_id || !nb.challenge_nonce) bad("nonce_binding");
+	const pr = c.payment_requirements;
+	if (!pr) bad("payment_requirements");
+	if (!pr.maxAmountRequired) bad("payment_requirements.maxAmountRequired");
+	if (!/^0x[0-9a-fA-F]{40}$/.test(pr.payTo ?? "")) bad("payment_requirements.payTo (expected a 0x address)");
+	if (!/^0x[0-9a-fA-F]{40}$/.test(pr.asset ?? "")) bad("payment_requirements.asset (expected a 0x address)");
+	if (!pr.extra?.name || !pr.extra.version) bad("payment_requirements.extra (name/version)");
+}
+var X402Client = class {
+	#apiKey;
+	#baseUrl;
+	#fetch;
+	#timeoutMs;
+	constructor(options = {}) {
+		this.#apiKey = options.apiKey ?? process.env.PRIMITIVE_API_KEY ?? "";
+		this.#baseUrl = (options.baseUrl ?? DEFAULT_BASE_URL).replace(/\/+$/, "");
+		this.#fetch = options.fetch ?? fetch;
+		this.#timeoutMs = options.timeoutMs ?? 3e4;
+	}
+	async #request(method, path, body, init) {
+		if (!this.#apiKey) throw new X402Error("no API key configured; set PRIMITIVE_API_KEY or pass { apiKey } to the client", 0);
+		const timeout = AbortSignal.timeout(this.#timeoutMs);
+		const signal = init?.signal ? AbortSignal.any([timeout, init.signal]) : timeout;
+		let res;
+		try {
+			res = await this.#fetch(`${this.#baseUrl}${path}`, {
+				method,
+				headers: {
+					authorization: `Bearer ${this.#apiKey}`,
+					"content-type": "application/json"
+				},
+				body: body === void 0 ? void 0 : JSON.stringify(body),
+				signal
+			});
+		} catch (cause) {
+			throw new X402Error(cause instanceof Error && cause.name === "TimeoutError" ? `request to ${path} timed out after ${this.#timeoutMs}ms` : `request to ${path} failed: ${cause instanceof Error ? cause.message : String(cause)}`, 0, void 0, { cause });
+		}
+		const retryAfter = res.headers.get("retry-after");
+		const text = await res.text().catch(() => "");
+		let json;
+		if (text) try {
+			json = JSON.parse(text);
+		} catch {
+			throw new X402Error(`non-JSON response (${res.status}) from ${path}: ${text.slice(0, 200)}`, res.status, text.slice(0, 500), { retryAfter });
+		}
+		if (!res.ok || json?.success === false) throw new X402Error(json?.error?.message ?? `request failed with ${res.status}`, res.status, json ?? text.slice(0, 500), { retryAfter });
+		if (!json || json.success !== true || json.data === void 0) throw new X402Error(`unexpected response shape (${res.status}) from ${path}: missing success/data envelope`, res.status, json ?? text.slice(0, 500), { retryAfter });
+		return json.data;
+	}
+	/** Request a payment (payee side). Returns the challenge to hand to the payer. */
+	async charge(input) {
+		for (const key of Object.keys(input)) if (!(key in CHARGE_INPUT_KEYS)) throw new X402Error(`unknown charge() option "${key}"; expected one of: ${Object.keys(CHARGE_INPUT_KEYS).join(", ")}`, 0);
+		if (!input.amount || !/^[1-9][0-9]{0,38}$/.test(input.amount)) throw new X402Error("charge() requires `amount` as a positive integer string in token base units, e.g. \"10000\"", 0);
+		const body = {
+			amount: input.amount,
+			network: input.network ?? "base-sepolia"
+		};
+		if (input.payerOrg) body.payer_org = input.payerOrg;
+		if (input.description) body.description = input.description;
+		if (input.resource) body.resource = input.resource;
+		if (input.expiresIn !== void 0) body.expires_in = input.expiresIn;
+		return this.#request("POST", "/v1/x402/challenges", body);
+	}
+	/**
+	* Pay a challenge (payer side). Derives the interaction-bound authorization,
+	* signs it locally with the caller's key, and submits it for settlement.
+	*/
+	async pay(challenge, options) {
+		if (!options?.signer?.address || typeof options.signer.signTypedData !== "function") throw new X402Error("pay() requires options.signer with { address, signTypedData } (e.g. a viem LocalAccount)", 0);
+		validateChallenge(challenge);
+		const chainId = CHAIN_IDS[challenge.network];
+		if (chainId === void 0) throw new X402Error(`unsupported network: ${challenge.network}`, 0);
+		const pr = challenge.payment_requirements;
+		if (pr.network !== challenge.network) throw new X402Error(`challenge network mismatch: ${challenge.network} vs payment_requirements ${pr.network}`, 0);
+		if (pr.scheme !== "exact") throw new X402Error(`unsupported payment scheme: ${pr.scheme}`, 0);
+		const nonce = deriveEip3009Nonce({
+			interactionId: challenge.nonce_binding.interaction_id,
+			challengeStepId: challenge.nonce_binding.challenge_step_id,
+			challengeNonce: challenge.nonce_binding.challenge_nonce
+		});
+		const nowSec = Math.floor(Date.now() / 1e3);
+		const expiresAtMs = Date.parse(challenge.expires_at);
+		if (Number.isNaN(expiresAtMs)) throw new X402Error(`challenge has an invalid expires_at: ${challenge.expires_at}`, 0);
+		const expiresAtSec = Math.floor(expiresAtMs / 1e3);
+		if (expiresAtSec <= nowSec) throw new X402Error(`challenge has already expired (expires_at ${challenge.expires_at}); not signing`, 0);
+		const validAfter = BigInt(nowSec - CLOCK_SKEW_SEC);
+		const validBefore = BigInt(expiresAtSec + SETTLEMENT_MARGIN_SEC);
+		const auth = {
+			from: options.signer.address,
+			to: pr.payTo,
+			value: BigInt(pr.maxAmountRequired),
+			validAfter,
+			validBefore,
+			nonce
+		};
+		const signature = await options.signer.signTypedData(transferWithAuthorizationTypedData({
+			name: pr.extra.name,
+			version: pr.extra.version,
+			chainId,
+			verifyingContract: pr.asset
+		}, auth));
+		return this.#request("POST", `/v1/x402/challenges/${challenge.id}/pay`, { payment: toPaymentPayload(challenge.network, auth, signature) });
+	}
+	/** Fetch a challenge by id (scoped to the challenger org that created it). */
+	async getChallenge(id) {
+		if (!id) throw new X402Error("getChallenge() requires a challenge id", 0);
+		return this.#request("GET", `/v1/x402/challenges/${encodeURIComponent(id)}`);
+	}
+	/**
+	* Register a payout address for your org (payee side). The signer proves
+	* control of its own address with an org-bound `personal_sign`; the proven
+	* address becomes (or updates to) the default payout destination for the
+	* network. `charge()` resolves its `pay_to` from this directory, so a payee
+	* must register before requesting payments.
+	*/
+	async registerPayoutAddress(input, options) {
+		if (!input?.org) throw new X402Error("registerPayoutAddress() requires an org id", 0);
+		if (typeof options?.signer?.signMessage !== "function") throw new X402Error("registerPayoutAddress() requires a signer with signMessage (e.g. a viem LocalAccount)", 0);
+		const network = input.network ?? "base-sepolia";
+		const issuedAt = input.issuedAt ?? (/* @__PURE__ */ new Date()).toISOString();
+		const address = options.signer.address;
+		const message = buildPayoutRegistrationMessage({
+			org: input.org,
+			address,
+			network,
+			issuedAt
+		});
+		const signature = await options.signer.signMessage({ message });
+		return this.#request("POST", "/v1/x402/payout-addresses", {
+			address,
+			network,
+			signature,
+			issued_at: issuedAt
+		});
+	}
+	/** List your org's registered payout addresses. */
+	async listPayoutAddresses() {
+		return this.#request("GET", "/v1/x402/payout-addresses");
+	}
+	/** Read your org's spend policy (kill-switch + caps + allowlist). */
+	async getSpendPolicy() {
+		return this.#request("GET", "/v1/x402/spend-policy");
+	}
+	/**
+	* Update your org's spend policy. The endpoint is a PUT, but the server
+	* applies it as a merge: only the fields you include are changed and omitted
+	* fields keep their current value, so a partial update can't silently reset
+	* the kill-switch. Pass `null` to clear a cap.
+	*/
+	async setSpendPolicy(update) {
+		return this.#request("PUT", "/v1/x402/spend-policy", update);
+	}
+};
+function createX402Client(options = {}) {
+	return new X402Client(options);
+}
+//#endregion
+export { TRANSFER_WITH_AUTHORIZATION_TYPES, X402Client, X402Error, buildPayoutRegistrationMessage, createX402Client, deriveEip3009Nonce, toPaymentPayload, transferWithAuthorizationTypedData };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/sdk",
-  "version": "1.3.0",
+  "version": "1.5.0",
   "description": "Official Primitive Node.js SDK: webhook, api, openapi, contract, and parser runtime modules.",
   "type": "module",
   "module": "./dist/index.js",
@@ -40,6 +40,11 @@
       "types": "./dist/parser/address.d.ts",
       "import": "./dist/parser/address.js",
       "default": "./dist/parser/address.js"
+    },
+    "./x402": {
+      "types": "./dist/x402/index.d.ts",
+      "import": "./dist/x402/index.js",
+      "default": "./dist/x402/index.js"
     }
   },
   "sideEffects": false,