npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

cronos-merchant-payment-middleware

v1.1.3

Published

Express middleware to enforce x402 payments for APIs on Cronos

Downloads

523

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

varada_bogeswara_raovarada_bogeswara_rao

Keywords

Readme

Cronos Merchant Payment Middleware (x402)

Turn any Express API into a paid, on-chain–verified endpoint using the x402 payment protocol on Cronos.

This middleware enforces 402 Payment Required semantics, verifies on-chain payments via a trusted Facilitator, and attaches a verified payment receipt to the request — all with one line of code.

✨ What This Does

  • 💰 Converts normal APIs into paid APIs
  • 🔐 Enforces on-chain payment verification
  • 🔁 Prevents replay attacks using nonce binding
  • 🤖 Works seamlessly with AI agents
  • 🧱 Abstracts blockchain complexity away from merchants
  • Lightweight, framework-native Express middleware

How It Works (High Level)

  1. Client calls your API
  2. Middleware checks the price via the Gateway
  3. If unpaid → returns 402 Payment Required with payment instructions
  4. Client submits on-chain payment (USDC / CRO)
  5. Client retries request with txHash + nonce
  6. Middleware verifies payment via Facilitator
  7. Request proceeds with req.payment attached

📦 Installation

npm install cronos-merchant-payment-middleware

🚀 Quick Start

import express from "express";
import { paymentMiddleware } from "cronos-merchant-payment-middleware";

const app = express();

app.use(
  paymentMiddleware({
    merchantId: "merchant_123",
    gatewayUrl: "https://cronos-x-402.onrender.com",
    facilitatorUrl: "https://cronos-x-402.onrender.com",
    network: "cronos-testnet"
  })
);

app.get("/premium-data", (req, res) => {
  res.json({
    message: "Paid access granted",
    payment: req.payment
  });
});

app.listen(3000);

🔐 Payment Receipt

After successful verification, the middleware injects a trusted payment receipt into the request.

interface PaymentReceipt {
  txHash: string;
  payer: string;     // Derived from chain (never trusted from headers)
  amount: number;
  currency: string;
}

Usage:

const receipt = req.payment;
console.log(receipt.txHash);

⚠️ 402 Payment Required Response

When payment is missing or invalid, the middleware responds with:

HTTP Status 402 Payment Required

Headers (discoverable by agents & browsers)

X-Payment-Required: true
X-Payment-Amount: 1.5
X-Payment-Currency: USDC
X-Payment-Network: cronos-testnet
X-Payment-PayTo: 0xMerchantWallet
X-Merchant-ID: merchant_123
X-Facilitator-URL: https://cronos-x-402.onrender.com
X-Nonce: abc123...
X-Chain-ID: 338
X-Route: GET /premium-data

JSON Body

{
  "error": "PAYMENT_REQUIRED",
  "message": "Payment required. Sign and broadcast transaction with provided nonce.",
  "paymentRequest": {
    "chainId": 338,
    "merchantId": "merchant_123",
    "amount": 1.5,
    "currency": "USDC",
    "payTo": "0xMerchantWallet",
    "nonce": "abc123",
    "route": "GET /premium-data"
  }
}

🔁 Replay Protection (Critical)

This middleware enforces strict replay protection:

  1. Every payment request includes a nonce
  2. The Facilitator binds: merchantId + method + path + nonce
  3. Reusing a transaction or nonce results in: 402 REPLAY_DETECTED

⚠️ Nonce must match the transaction — the middleware never mutates it after payment starts.

🧠 Fail Mode (Merchant Safety)

You can choose how your API behaves if the Gateway or Facilitator is unreachable.

failMode?: "open" | "closed";

| Mode | Behavior | Use Case | |------|----------|----------| | Default (closed) | API is blocked if payment cannot be verified | Safest option (recommended) | | Optional (open) | API continues if the payment infrastructure is temporarily unavailable | Protects merchant uptime during outages |

Configuration:

interface PaymentMiddlewareConfig {
  merchantId: string;
  gatewayUrl: string;
  facilitatorUrl: string;
  network: "cronos-mainnet" | "cronos-testnet";

  // Optional
  cacheTTLms?: number;       // Default: 30s
  failMode?: "open" | "closed"; // Default: closed
}

🌐 Browser & CORS Support

All required payment headers are exposed automatically:

Access-Control-Expose-Headers:
x-nonce,
x-payment-required,
x-payment-amount,
x-payment-currency,
x-payment-payto,
x-merchant-id,
x-facilitator-url,
x-chain-id,
x-route

Works seamlessly with:

  • Browsers
  • Agent SDKs
  • Server-to-server calls

⚡ Performance Notes

  • Price checks are cached in memory (default: 30s)
  • Retry logic handles transient network failures
  • Designed for low overhead, high throughput

⚠️ For clustered deployments (PM2 / Kubernetes), consider a shared cache strategy.

🧪 Supported Payments

| Asset | Network | |-------|---------| | USDC | Cronos | | CRO / TCRO | Cronos |

🔒 Security Guarantees

  • No trust in client-supplied payer
  • On-chain verification only
  • Replay-safe
  • Route-bound payments
  • Merchant-bound payments
  • Fail-closed by default

🧩 Who Is This For?

  • API Providers who want instant monetization
  • AI Agents that pay for data/tools autonomously
  • Web2 Developers who don’t want to touch blockchain logic
  • Hackathon teams building agent economies

🧠 Philosophy

  1. Merchants shouldn’t learn crypto to get paid.
  2. Agents shouldn’t care how APIs are billed.
  3. Protocols should be invisible when they work.

This middleware exists to make that true.

📄 License

MIT