Join the decentralized AI economy in minutes. Our unified SDK handles security, protocol handshakes, and body unwrapping for you.

1. Implement a POST endpoint on your server to receive signed requests from the PayNode Market Proxy.
2. List your API on the Market to obtain a unique Shared Secret (HMAC Key) for your gateway.
3. Use the Shared Secret to perform HMAC-SHA256 validation on incoming headers to ensure trust.

The @paynodelabs/sdk-js provides a dead-simple way to secure your APIs. It handles strict signature verification and body unwrapping so you can focus on building your service.

```javascript
import { PayNodeMerchant } from '@paynodelabs/sdk-js';
import express from 'express';

const merchant = new PayNodeMerchant({
  sharedSecret: process.env.PAYNODE_SECRET // 1. Single secret from Market
});

const app = express();
app.use(express.json());

// 2. Add the all-in-one middleware
app.post('/api/action', merchant.middleware({
  manifest: { slug: 'my-api', price_per_call: '0.01' }
}), (req, res) => {
  // 3. Transparent Access: SDK unwraps Market Proxy data into req.body
  const { query } = req.body;
  res.json({ result: "Success: verified by PayNode Market" });
});
```

PayNode acts as a security barrier between AI Agents and your backend. The proxy ensures transaction validity via HMAC-SHA256 signed handshakes, preventing unauthorized access.

1. The Proxy intercepts the request and returns 402 Payment Required. This is transparent to you.
2. Once paid, the Proxy forwards the original request with signature headers to your Gateway.
3. You verify the HMAC signature. If it is valid, return your business JSON normally.

| Header Key | Description |
|---|---|
| X-PayNode-Signature | The HMAC-SHA256 signature generated by Proxy. |
| X-PayNode-Request-Id | Unique Order ID. Recommended for idempotency. |
| X-PayNode-Timestamp | Unix timestamp in milliseconds. |
| X-PayNode-Discovery | Set to true by the Market to request the API Manifest (Schema Sync). |
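
```typescript
import { createHmac, timingSafeEqual } from 'crypto';

// Fetch-style request handler; the wrapper name is illustrative.
async function handleRequest(req: Request) {
  // Load the unique Shared Secret from your env
  const secret = process.env.PLATFORM_HMAC_SECRET as string;

  // Reconstruct the signed message
  const orderId = req.headers.get('X-PayNode-Request-Id');
  const timestamp = req.headers.get('X-PayNode-Timestamp');
  const signature = req.headers.get('X-PayNode-Signature') ?? '';
  const message = `${orderId}${timestamp}`;

  const expectedSig = createHmac('sha256', secret)
    .update(message)
    .digest('hex');

  // Compare in constant time; timingSafeEqual needs equal-length inputs
  const given = Buffer.from(signature);
  const expected = Buffer.from(expectedSig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return Response.json({ error: "Unauthorized" }, { status: 401 });
  }
  // Signature valid: return your business JSON here
}
```

Say goodbye to manually editing JSON schemas. Our platform features Self-Healing Discovery: when an API is accessed, the Market automatically performs a background sync to capture new fields like Sample Responses and Headers.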

```json
{
  "status": "DISCOVERED",
  "version": "2.5.0",
  "manifest": {
    "slug": "image-gen-v1",
    "name": "Neural Image Render",
    "price_per_call": "0.05",
    "sample_response": { "status": "success", "image_url": "https://..." },
    "headers_template": { "Content-Type": "application/json" },
    "input_schema": {
      "type": "object",
      "properties": {
        "prompt": { "type": "string", "description": "Visual description" }
      },
      "required": ["prompt"]
    }
  }
}
```

Once your SDK is configured with a manifest, click "Refresh / Sync Manifest" in your Merchant Dashboard. The Market will instantly update the public documentation and parameters.
Discovery requests carry the same HMAC signatures as paid requests. Your sensitive metadata is only exposed to the official PayNode Platform.
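
An added example, not PayNode's SDK or the page's own code: a framework-independent verifier for the headers in the table above, usable for paid and discovery requests alike since both carry the same signature. It keeps the request-id-plus-timestamp message format from the page's snippet, compares in constant time, and adds a freshness window and a request-id duplicate check; `MAX_SKEW_MS`, the lowercased header object, the in-memory `Map` and all sample values are assumptions.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const MAX_SKEW_MS = 5 * 60 * 1000; // assumption: the page states no freshness window

// Message format taken from the page's snippet: request id followed by timestamp.
function expectedSignature(requestId, timestamp, secret) {
  return createHmac('sha256', secret).update(`${requestId}${timestamp}`).digest('hex');
}

// headers: plain object with lowercased names (as in Node's req.headers).
// seen: Map of request id -> expiry time, used to spot a repeated signed request.
function verifyPayNodeRequest(headers, secret, now = Date.now(), seen = new Map()) {
  const requestId = headers['x-paynode-request-id'];
  const timestamp = headers['x-paynode-timestamp'];
  const signature = headers['x-paynode-signature'];
  if (!requestId || !timestamp || !signature) return { ok: false, reason: 'missing-header' };

  // Check the MAC first so unauthenticated input never reaches the duplicate cache.
  const given = Buffer.from(String(signature), 'utf8');
  const expected = Buffer.from(expectedSignature(requestId, timestamp, secret), 'utf8');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }

  // X-PayNode-Timestamp is Unix time in milliseconds; reject stale or future-dated requests.
  if (!/^\d+$/.test(timestamp) || Math.abs(now - Number(timestamp)) > MAX_SKEW_MS) {
    return { ok: false, reason: 'stale-timestamp' };
  }

  // Drop expired ids, then treat a repeated id as a duplicate order (idempotency).
  for (const [id, expiry] of seen) if (expiry < now) seen.delete(id);
  if (seen.has(requestId)) return { ok: false, reason: 'duplicate-request' };
  seen.set(requestId, Number(timestamp) + MAX_SKEW_MS);
  return { ok: true, reason: 'verified' };
}

// Constructed sample values, not real PayNode data.
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_NOW = 1700000000000;
function sampleHeaders(requestId, timestamp, secret = SAMPLE_SECRET) {
  return {
    'x-paynode-request-id': requestId,
    'x-paynode-timestamp': String(timestamp),
    'x-paynode-signature': expectedSignature(requestId, String(timestamp), secret),
  };
}
```

In the page's manual snippet the signed message is the request id plus the timestamp, so this check authenticates those two headers and not the request body. In a multi-instance deployment the `Map` would need to be a shared store with the same expiry rule.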
Deploy your gateway and list your first API. We recommend Sandbox testing before using Mainnet resources.