npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@pqsafe/mastra

v0.1.1

Published

Mastra integration for PQSafe AgentPay — post-quantum safe payments for AI workflows

Downloads

218

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

rayc0rayc0

Keywords

mastrapqsafepaymentsai-agentspost-quantumml-dsa

Readme

@pqsafe/mastra

npm License: Apache-2.0

Post-quantum signed payments for Mastra workflows — drop one step into your workflow and every payment is FIPS 204 enforced.

Part of the PQSafe AgentPay ecosystem. Built on @pqsafe/agent-pay.

What it does

@pqsafe/mastra wraps PQSafe AgentPay as a Mastra-native integration. A Mastra workflow step calls pqsafe.pay() with a signed SpendEnvelope — a post-quantum (ML-DSA-65) token issued by the human wallet owner — and PQSafe enforces the policy constraints before routing the payment across the configured rail.

Your Mastra workflows get cryptographically-scoped, time-bounded, quantum-resistant payment authorization with no long-lived API keys or plaintext credentials in the workflow definition. The envelope travels with the workflow trigger and is self-verifying.

Install

npm install @pqsafe/mastra
# or
pnpm add @pqsafe/mastra

Quickstart

import { createPQSafeIntegration } from '@pqsafe/mastra'

const pqsafe = createPQSafeIntegration()

// Inside any Mastra step or action:
const result = await pqsafe.pay(signedEnvelope, {
  recipient: 'supplier.example.com/billing',
  amount: 150,
  memo: 'Invoice #42',
})

console.log(result.txId)    // e.g. "airwallex-tx-abc123"
console.log(result.status)  // "success"
console.log(result.rail)    // "airwallex"

Mastra workflow example

import { Workflow, Step } from '@mastra/core'
import { createPQSafeIntegration } from '@pqsafe/mastra'

const pqsafe = createPQSafeIntegration()

const paySupplierWorkflow = new Workflow({ name: 'pay-supplier' })
  .step(
    new Step({
      id: 'execute-payment',
      execute: async ({ context }) => {
        // signedEnvelope comes from the workflow trigger — issued by the wallet owner
        const result = await pqsafe.pay(context.triggerData.signedEnvelope, {
          recipient: context.triggerData.recipient,
          amount: context.triggerData.amount,
          memo: context.triggerData.memo,
        })
        return {
          txId: result.txId,
          status: result.status,
          rail: result.rail,
        }
      },
    }),
  )
  .commit()

// Trigger the workflow
const run = paySupplierWorkflow.createRun()
await run.start({
  triggerData: {
    signedEnvelope: {
      envelopeJson: '{"version":1,"issuer":"pq1...","agent":"supplier-bot-v1",...}',
      signature: 'deadbeef...',
      dsaPublicKey: 'cafebabe...',
    },
    recipient: 'supplier.example.com/billing',
    amount: 150,
    memo: 'Invoice #42',
  },
})

How it works

  1. A human wallet owner issues a signed SpendEnvelope using @pqsafe/agent-pay (or the PQSafe wallet extension). The envelope encodes: agent ID, max amount, allowed recipients, currency, and validity window — all bound by an ML-DSA-65 signature.
  2. The envelope is passed as workflow trigger data — it travels with the job, not stored in the workflow definition.
  3. Inside a Mastra step, pqsafe.pay() verifies the post-quantum signature server-side, enforces all policy constraints, and routes the payment to the cheapest available rail (Airwallex, Wise, Stripe, USDC/Base, or x402).
  4. The step receives { txId, status, rail } and can branch on the result or pass it downstream.

What you get

  • Zero config for most workflowscreatePQSafeIntegration() with no arguments connects to https://api.pqsafe.xyz/v1
  • FIPS 204 ML-DSA-65 enforcement — PQSafe rejects any payment that violates the signed envelope policy
  • Multi-rail routing — Airwallex (live sandbox), Wise, Stripe, USDC on Base, x402
  • Mastra-native — returns structured data that Mastra workflows can branch on
  • ESM + CJS builds — works in Node.js, edge runtimes, and bundlers
  • No long-lived credentials in workflow code — only the short-lived signed envelope is needed at runtime

API

createPQSafeIntegration(config?)

| Option | Type | Default | Description | |---|---|---|---| | apiUrl | string | https://api.pqsafe.xyz/v1 | PQSafe REST API base URL | | timeoutMs | number | 30000 | Fetch timeout in milliseconds |

Returns a PQSafeIntegration object.

pqsafe.pay(signedEnvelope, request)

| Parameter | Type | Description | |---|---|---| | signedEnvelope | SignedEnvelope | { envelopeJson, signature, dsaPublicKey } — issued by the wallet owner | | request.recipient | string | Recipient address (IBAN, crypto addr, domain, etc.) | | request.amount | number | Amount in the envelope's currency | | request.memo | string? | Optional human-readable reference |

Returns Promise<{ txId: string, status: string, rail: string }>.

Part of PQSafe AgentPay

Links

License

Apache-2.0 — see LICENSE