npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

ghostypay

v0.1.2

Published

> **Private machine-to-machine payments for AI agents.** > Zero on-chain trace · No KYC · No credit cards · Instant USDC settlement

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

rishavmehrarishavmehra

Keywords

Readme

Ghostypay

Private machine-to-machine payments for AI agents. Zero on-chain trace · No KYC · No credit cards · Instant USDC settlement

The Problem We Solved

The AI agent economy has a payment problem — actually three of them.

1. AI agents have no way to pay for APIs

Today, if an AI agent needs to call a paid API — a hotel search service, a news feed, a flight database — it either:

  • Relies on the developer's hardcoded credit card (one card, shared by all agents, all users)
  • Gets a pre-issued API key (which can be stolen, shared, or rate-limited)
  • Simply cannot access the data at all

There is no native way for an AI agent to autonomously pay per call, from its own wallet, without a human in the loop.

2. Payments on Solana are public

Even if you build a workaround using Solana USDC transfers, the entire world can see:

  • Who paid (the agent's wallet address)
  • Who received (the merchant's wallet address)
  • How much was paid
  • When — giving observers a full timeline of every API call the agent made

For a competitor, regulator, or adversary, this is a complete map of what your agent is doing and who it's paying.

3. Monetising APIs for AI traffic is painful

Merchants who want to charge AI agents per call have to build authentication infrastructure, rate limiting, billing systems, and fraud detection — all before writing a single line of business logic.

What Ghostypay Does

Ghostypay is a private payment layer that lets AI agents pay APIs per call, with zero on-chain trace.

On-chain observer sees:    a program invocation
                           (nothing else)

What actually happened:    Agent paid Hotel API $0.002 USDC
                           to look up hotels in Tokyo

The amount, sender, and recipient are sealed inside Intel TDX Trusted Execution Environment — hardware-level encryption that even MagicBlock cannot read.

How It Works

The x402 Protocol Flow

We use the HTTP 402 Payment Required standard as the payment handshake:

Agent                    Merchant                  MagicBlock TEE
  │                          │                           │
  ├──── GET /hotels ─────────►│                          │
  │                          │                           │
  │◄─── 402 + { payTo, amt } ┤                           │
  │                          │                           │
  ├──── buildPrivateTransfer ──────────────────────────-►│
  │                          │      [ENCRYPTED IN TEE]   │
  │◄──── unsigned tx ──────────────────────────────--────┤
  │                          │                           │
  ├── sign + send via ephemeral RPC ────────────────────►|
  │                          │                           │
  ├──── GET /hotels ─────────►│                          │
  │     + X-Payment: <proof>  │                          │
  │                          ├── verify proof ──────────►│
  │                          │◄── ✓ ──────────────────-──┤
  │◄─── 200 + data ───────────┤                          │

What the Solana chain records: a call to the MagicBlock PER program. What it does NOT record: amount, sender identity, recipient, or purpose.

The Tech Stack

| Layer | Technology | What it does | |---|---|---| | Payment standard | x402 (HTTP 402) | Defines the request/response handshake | | Private transfer | MagicBlock PER | Ephemeral rollup that batches and obscures transfers | | Privacy engine | Intel TDX TEE | Hardware enclave — amount, sender, recipient encrypted | | Settlement | Solana USDC | Fast, low-fee, stable settlement | | Agent SDK | ghostypay npm package | Drop-in fetch() replacement for agents | | Merchant SDK | ghostypay/merchant | 3-line Express middleware for API publishers |

The ghostypay npm Package

npm i ghostypay

For AI Agents

import { GhostAgent } from "ghostypay";
import { Keypair } from "@solana/web3.js";

const agent = new GhostAgent({
  keypair:   Keypair.fromSecretKey(/* your key */),
  authToken: process.env.MAGICBLOCK_AUTH_TOKEN!,
  budget: {
    maxSpendUSDC:     0.05,   // session spending cap
    perCallLimitUSDC: 0.01,   // per-call cap
  },
});

// Drop-in replacement for fetch() — handles HTTP 402 automatically, privately
const { data } = await agent.fetch(
  "https://hotel.ghostypay.xyz/hotels?city=tokyo",
  "Hotel Search API",
  "/hotels?city=tokyo"
);

// Full session receipt — aggregate view of everything spent
console.log(agent.receipt());
// {
//   agent:      "7xKXtg...",
//   calls:      4,
//   totalSpent: 0.008,
//   budget:     { maxSpendUSDC: 0.05, perCallLimitUSDC: 0.01 },
//   transactions: [{ tx: "5J3mV...", merchant: "Hotel Search API", amount: 0.002 }, ...],
//   generatedAt: "2026-05-12T..."
// }

The agent never touches a credit card, API key, or account. It holds USDC in its MagicBlock private balance and pays per call.

For Merchants (API Publishers)

import express from "express";
import { require402 } from "ghostypay/merchant";

const app = express();

app.get(
  "/hotels",
  require402({
    payTo:      "YourWalletAddress",
    amountUSDC: 0.002,
    mint:       "4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU", // devnet USDC
  }),
  (req, res) => {
    res.json({ results: [{ name: "Hotel Tokyo", price: 120 }] });
  }
);

Three lines of middleware. Any existing Express API becomes instantly payable by any AI agent using the x402 standard.

The Platform

The Ghostypay web app demonstrates the full system end-to-end with real payments on Solana devnet.

Pages

| Page | Path | What it shows | |---|---|---| | Landing | / | The privacy problem, how x402 works, live install chip, registry teaser | | Live Demo | /dashboard | Watch an AI agent make real paid API calls in real-time | | Fund Agent | /fund | Deposit devnet USDC into the agent's MagicBlock private balance | | Registry | /registry | Directory of x402-compatible APIs the agent can pay for | | Merchant | /merchant | Integration guide for API publishers | | Receipt | /receipt | Session receipt after a demo run — calls made, amounts, tx signatures |

Live Demo Flow

The dashboard page runs a real agent session streaming over Server-Sent Events:

  1. Agent wallet loaded from AGENT_PRIVATE_KEY environment variable
  2. Queries its private USDC balance from the TEE
  3. Makes 4 paid API calls: hotel search (Tokyo), crypto news, hotel search (London), DeFi news
  4. Each payment streams live — merchant name, amount paid, tx signature
  5. Shows what a blockchain observer actually sees vs. what really happened
  6. Final receipt with total spent, calls made, and remaining budget

Privacy Proof

Here is what a Solana explorer shows for a Ghostypay payment:

Program:   SPLxh1LVZzEkX99H6rqYizhytLWPZVV296zyYDPagv2
Accounts:  [vault PDA]  [transfer queue PDA]  [shuttle PDA]
Amount:    [ENCRYPTED IN TEE]
Sender:    [ENCRYPTED IN TEE]
Recipient: [ENCRYPTED IN TEE]

Compare that to a standard SPL token transfer, which exposes everything:

From:     7xKXtgMcQCZe7K4MrHLqAqbqTGr8ns6VLJF...
To:       HN7cABqLq46Es1jh92dQQisAq662SmxELLLsRVe...
Amount:   0.002 USDC
Memo:     hotel-search-tokyo-agent-session-42

Ghostypay eliminates the information leak entirely at the hardware level.

Running Locally

Prerequisites

  • Node.js 18+ or Bun
  • A MagicBlock auth token (from magicblock.xyz)
  • A Solana devnet keypair funded with devnet USDC

Setup

git clone https://github.com/rishavmehra/ghostypay
cd ghostypay
bun install

Create .env.local:

# Solana
NEXT_PUBLIC_SOLANA_RPC=https://api.devnet.solana.com
NEXT_PUBLIC_SOLANA_NETWORK=devnet

# Agent wallet
AGENT_PRIVATE_KEY=[your keypair as JSON array, e.g. [1,2,3,...]]
NEXT_PUBLIC_AGENT_PUBLIC_KEY=your_agent_pubkey_base58

# MagicBlock
AGENT_AUTH_TOKEN=your_magicblock_auth_token
MAGICBLOCK_API_URL=https://payments.magicblock.app
MAGICBLOCK_VALIDATOR_URL=https://devnet-tee.magicblock.app

# Merchant APIs
HOTEL_API_URL=http://localhost:4000
NEWS_API_URL=http://localhost:4001

Start everything

# Next.js frontend
bun run dev

# Hotel Search API (demo merchant on port 4000)
# News Feed API (demo merchant on port 4001)

Open http://localhost:3000.

Project Structure

private-mpp/
├── app/
│   ├── page.tsx              # Landing page
│   ├── dashboard/page.tsx    # Live demo dashboard
│   ├── fund/page.tsx         # Fund agent wallet
│   ├── registry/page.tsx     # x402 API registry
│   ├── merchant/page.tsx     # Merchant integration guide
│   ├── receipt/page.tsx      # Session receipt viewer
│   └── api/
│       ├── agent/run/        # SSE endpoint powering the live demo
│       └── magicblock/       # Balance, deposit, withdraw API routes
├── lib/
│   ├── magicblock.ts         # MagicBlock PER API client (low-level)
│   └── x402.ts              # x402 fetch implementation
├── packages/
│   └── ghostypay/            # Published npm package (npm i ghostypay)
│       └── src/
│           ├── agent.ts      # GhostAgent class
│           ├── x402.ts       # x402Fetch + proof encoding/decoding
│           ├── merchant.ts   # require402 Express middleware
│           └── magicblock.ts # MagicBlock API client
└── agent/
    └── index.ts              # Standalone CLI agent (run without the UI)

What Makes This Different

vs. API keys

API keys are static, shared, and revocable. They give the holder a persistent identity that can be tracked, blocked, or leaked. Ghostypay payments have no persistent identity — each call is a private transfer with no linkage to prior calls and no account to compromise.

vs. Standard Solana payments

A standard SPL transfer is fully public. Anyone watching the chain can see sender, recipient, amount, and timestamp. For competitive or sensitive AI workloads, this is a complete audit trail of your agent's behavior. Ghostypay shows nothing.

vs. Credit cards and Stripe

Credit cards require human accounts, KYC, and manual approval flows. They are fundamentally incompatible with autonomous agents making hundreds of sub-cent payments per minute. Ghostypay is designed for machines — instant, frictionless, no human required.