This document outlines security best practices for using x402-agent-sdk.
The x402-agent-sdk implements multiple security layers:
- Input Validation: Sanitize all user inputs
- Address Validation: Verify wallet addresses are valid
- Rate Limiting: Prevent abuse and DoS attacks
- Signature Verification: Ensure payment authenticity
- Token Expiration: Prevent replay attacks
Always validate payment addresses before use:
use x402_agent_sdk::InputValidator;
// Validate Ethereum address
InputValidator::validate_address(
"0x742d35Cc6634C0532925a3b844Bc9e7595f0fB1E",
"ethereum"
)?;
// Validate Solana address
InputValidator::validate_address(
"Gk7sh8NBJ2sVEzYWqGDhJqY7J2Z3F4g5h6i7j8k9l0",
"solana"
)?;use x402_agent_sdk::InputValidator;
// Validate payment amount
InputValidator::validate_amount("100")?; // ✅
InputValidator::validate_amount("0")?; // ❌ Error - zero amount
InputValidator::validate_amount("-10")?; // ❌ Error - negative
InputValidator::validate_amount("abc")?; // ❌ Error - not a numberInputValidator::validate_network("eip155:1")?; // ✅ Ethereum
InputValidator::validate_network("eip155:8453")?; // ✅ Base
InputValidator::validate_network("solana:101")?; // ✅ Solana
InputValidator::validate_network("invalid")?; // ❌ ErrorProtect your API from abuse with built-in rate limiting:
use x402_agent_sdk::{RateLimiter, RateLimitConfig};
let limiter = RateLimiter::new(RateLimitConfig {
max_requests: 100, // Max requests per window
window_seconds: 60, // Time window in seconds
});
// Check rate limit before processing
limiter.check(&client_address).await?;use x402_agent_sdk::{RateLimiter, RateLimitConfig};
let limiter = RateLimiter::new(RateLimitConfig {
max_requests: 10,
window_seconds: 60,
});
// Different limits for different users
limiter.check(&premium_user).await?; // Higher priority
limiter.check(&free_user).await?; // Lower priorityAlways verify payments server-side:
use x402_agent_sdk::PaymentToken;
async fn verify_payment(token: &str) -> Result<PaymentToken, X402Error> {
let payment = PaymentToken::decode(token)?;
// Verify on-chain
verify_on_chain(&payment).await?;
// Check expiration
if payment.is_expired() {
return Err(X402Error::TokenExpired(...));
}
Ok(payment)
}use x402_agent_sdk::EvmPayment;
let payment = EvmPayment::new(...);
// Verify signature
payment.verify_signature(&signature, &message)?;Always use HTTPS in production:
// ❌ Wrong - HTTP
app.listen(3000);
// ✅ Correct - HTTPS
import https from 'https';
import fs from 'fs';
const options = {
key: fs.readFileSync('key.pem'),
cert: fs.readFileSync('cert.pem'),
};
https.createServer(options, app).listen(3000);Never commit secrets:
# ✅ Correct - Environment variables
export X402_RECIPIENT="0x742d..."
export STRIPE_SECRET="sk_live_..."
# ❌ Wrong - Hardcoded secrets
const recipient = "0x742d..."; // Don't do this!// ✅ Recommended - Known networks
EvmNetwork::Ethereum,
EvmNetwork::Base,
SolanaNetwork::Mainnet,
// ⚠️ Caution - Verify custom network
EvmNetwork::from_chain_id(12345),let pr = PaymentRequired::new(...)
.with_expiry(chrono::Utc::now() + chrono::Duration::minutes(5));use tracing::{info, warn, error};
if let Err(e) = limiter.check(&address).await {
warn!("Rate limit exceeded for {}", address);
// Alert security team
}// Temporarily disable payments if fraud detected
if fraud_detected {
disable_payments();
// Alert and investigate
}- Don't store payment tokens unnecessarily
- Clear sensitive data after verification
- Comply with GDPR, CCPA requirements
- Implement KYC for high-value transactions
- Monitor for suspicious patterns
- Report large transactions as required
Before production:
- HTTPS enabled
- Rate limiting configured
- Input validation on all endpoints
- Payment verification implemented
- Secrets in environment variables
- Logging and monitoring active
- SSL/TLS certificates valid
- Dependencies updated
- Security audit completed
If you find a security vulnerability:
- Don't open a public issue
- Email security@example.com
- Include detailed reproduction steps
- Wait for acknowledgment before disclosure
We appreciate responsible disclosure!