Facilitator Authentication

pip install cryptography

# payai_auth.py
import base64
import json
import time
import uuid

from cryptography.hazmat.primitives.serialization import load_der_private_key


def base64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def normalize_secret(secret: str) -> str:
    s = secret.strip()
    return s.removeprefix("payai_sk_")


def generate_payai_jwt(api_key_id: str, api_key_secret: str) -> str:
    now = int(time.time())

    header = json.dumps(
        {"alg": "EdDSA", "typ": "JWT", "kid": api_key_id},
        separators=(",", ":"),
    )
    payload = json.dumps(
        {
            "sub": api_key_id,
            "iss": "payai-merchant",
            "iat": now,
            "exp": now + 120,
            "jti": str(uuid.uuid4()),
        },
        separators=(",", ":"),
    )

    header_b64 = base64url_encode(header.encode())
    payload_b64 = base64url_encode(payload.encode())
    message = f"{header_b64}.{payload_b64}"

    key_bytes = base64.b64decode(normalize_secret(api_key_secret))
    private_key = load_der_private_key(key_bytes, password=None)
    signature = private_key.sign(message.encode())

    return f"{message}.{base64url_encode(signature)}"


# --- Usage ---

if __name__ == "__main__":
    import requests

    jwt = generate_payai_jwt(
        "your-api-key-id",
        "payai_sk_your-api-key-secret",
    )

    response = requests.post(
        "https://facilitator.payai.network/verify",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {jwt}",
        },
        json={
            "x402Version": 2,
            "paymentPayload": {},   # ...
            "paymentRequirements": {},  # ...
        },
    )
    print(response.json())

package payaiauth

import (
	"crypto/ed25519"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"

	"github.com/google/uuid"
)

func base64URLEncode(data []byte) string {
	return strings.TrimRight(
		base64.URLEncoding.EncodeToString(data), "=",
	)
}

func normalizeSecret(secret string) string {
	s := strings.TrimSpace(secret)
	return strings.TrimPrefix(s, "payai_sk_")
}

func GeneratePayAIJwt(apiKeyID, apiKeySecret string) (string, error) {
	now := time.Now().Unix()

	header, _ := json.Marshal(map[string]string{
		"alg": "EdDSA",
		"typ": "JWT",
		"kid": apiKeyID,
	})
	payload, _ := json.Marshal(map[string]interface{}{
		"sub": apiKeyID,
		"iss": "payai-merchant",
		"iat": now,
		"exp": now + 120,
		"jti": uuid.New().String(),
	})

	headerB64 := base64URLEncode(header)
	payloadB64 := base64URLEncode(payload)
	message := headerB64 + "." + payloadB64

	keyBytes, err := base64.StdEncoding.DecodeString(
		normalizeSecret(apiKeySecret),
	)
	if err != nil {
		keyBytes, err = base64.URLEncoding.DecodeString(
			normalizeSecret(apiKeySecret),
		)
		if err != nil {
			return "", fmt.Errorf("decode API key secret: %w", err)
		}
	}

	parsed, err := x509.ParsePKCS8PrivateKey(keyBytes)
	if err != nil {
		return "", fmt.Errorf("parse PKCS#8 key: %w", err)
	}

	privateKey, ok := parsed.(ed25519.PrivateKey)
	if !ok {
		return "", fmt.Errorf("key is not Ed25519")
	}

	signature := ed25519.Sign(privateKey, []byte(message))
	return message + "." + base64URLEncode(signature), nil
}

package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"

	payaiauth "your-module/payaiauth"
)

func main() {
	jwt, err := payaiauth.GeneratePayAIJwt(
		"your-api-key-id",
		"payai_sk_your-api-key-secret",
	)
	if err != nil {
		panic(err)
	}

	body, _ := json.Marshal(map[string]interface{}{
		"x402Version":         2,
		"paymentPayload":      map[string]interface{}{},
		"paymentRequirements": map[string]interface{}{},
	})

	req, _ := http.NewRequest(
		"POST",
		"https://facilitator.payai.network/verify",
		bytes.NewReader(body),
	)
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+jwt)

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	fmt.Println("Status:", resp.Status)
}

[dependencies]
ed25519-dalek = { version = "2", features = ["pkcs8"] }
base64 = "0.22"
serde_json = "1"
uuid = { version = "1", features = ["v4"] }

use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD};
use base64::Engine;
use ed25519_dalek::pkcs8::DecodePrivateKey;
use ed25519_dalek::{Signer, SigningKey};
use serde_json::json;
use std::time::{SystemTime, UNIX_EPOCH};
use uuid::Uuid;

fn normalize_secret(secret: &str) -> &str {
    let s = secret.trim();
    s.strip_prefix("payai_sk_").unwrap_or(s)
}

pub fn generate_payai_jwt(
    api_key_id: &str,
    api_key_secret: &str,
) -> Result<String, Box<dyn std::error::Error>> {
    let now = SystemTime::now()
        .duration_since(UNIX_EPOCH)?
        .as_secs();

    let header = json!({
        "alg": "EdDSA",
        "typ": "JWT",
        "kid": api_key_id,
    });
    let payload = json!({
        "sub": api_key_id,
        "iss": "payai-merchant",
        "iat": now,
        "exp": now + 120,
        "jti": Uuid::new_v4().to_string(),
    });

    let header_b64 = URL_SAFE_NO_PAD.encode(
        header.to_string().as_bytes(),
    );
    let payload_b64 = URL_SAFE_NO_PAD.encode(
        payload.to_string().as_bytes(),
    );
    let message = format!("{header_b64}.{payload_b64}");

    let key_bytes = STANDARD.decode(
        normalize_secret(api_key_secret),
    )?;
    let signing_key = SigningKey::from_pkcs8_der(&key_bytes)?;
    let signature = signing_key.sign(message.as_bytes());

    Ok(format!(
        "{message}.{}",
        URL_SAFE_NO_PAD.encode(signature.to_bytes()),
    ))
}

// Usage:
// let jwt = generate_payai_jwt("your-api-key-id", "payai_sk_...")?;
// Set header: Authorization: Bearer {jwt}