API gateway, metering, and billing backend for the AgentPay protocol (machine-to-machine payments on Stellar).
- Stack: Node.js, Express, TypeScript
- Endpoints: Health check, version, and placeholders for usage/billing APIs
- Node.js 18.18+
- npm
-
Clone the repo (or add remote and pull):
git clone <repo-url> && cd agentpay-backend
-
Install dependencies:
npm install
-
Verify setup:
npm run build npm test -
Run locally:
npm run dev
Server runs at
http://localhost:3001. TryGET /healthandGET /api/v1/version.
agentpay-backend/
├── src/
│ ├── index.ts # Thin Express composition root that exports app
│ ├── events.ts # Bounded in-memory audit event log helpers
│ ├── middleware/ # CORS, security headers, request id, pause, rate limit
│ ├── routes/ # Feature routers for admin, usage, services, keys, webhooks
│ ├── store/ # In-memory stores and shared state helpers
│ ├── health.test.ts # App-level regression tests
│ └── services.test.ts # Service registry tests
├── package.json
├── tsconfig.json
└── .github/workflows/
└── ci.yml # CI: build, test
| Command | Description |
|---|---|
npm run build |
Compile TypeScript to dist/ |
npm run lint |
Run ESLint over TypeScript source and tests |
npm run format |
Check formatting with Prettier |
npm test |
Build and run tests |
npm run dev |
Run with ts-node |
npm start |
Run production build |
- Billing units and settlement semantics explains
stroops,
priceStroops,billedStroops,/api/v1/billing/*, and whyPOST /api/v1/settledrains backend counters without moving funds.
Start a local backend on http://localhost:3001 with the checked-in
dependencies:
npm run build
npm startThe API is currently open for local development and demos. You do not need an
API key for the metering flow until API-key enforcement lands. Add your own
X-Request-Id header when you want to correlate client logs with backend
responses. The backend echoes the value on success and structured errors.
Set a shell variable for the local base URL:
BASE_URL=http://localhost:3001-
Register a billable service.
curl -sS -X POST "$BASE_URL/api/v1/services" \ -H "Content-Type: application/json" \ -H "X-Request-Id: quickstart-register" \ -d '{"serviceId":"embedding-v1","priceStroops":25}'
Expected status:
201 Created{ "serviceId": "embedding-v1", "priceStroops": 25 }Bulk registration is available at
POST /api/v1/services/bulkwith anitemsarray of 1-50 services. The endpoint keeps its partial-success response contract: valid unique items are applied, invalid items reportinvalid_item, and later occurrences of a duplicateserviceIdin the same batch reportduplicate_in_batchwithout overwriting the first item. -
Record usage for an agent.
curl -sS -X POST "$BASE_URL/api/v1/usage" \ -H "Content-Type: application/json" \ -H "X-Request-Id: quickstart-usage-1" \ -d '{"agent":"agent-alpha","serviceId":"embedding-v1","requests":3}'
Expected status:
201 Created{ "agent": "agent-alpha", "serviceId": "embedding-v1", "total": 3 } -
Record more usage for the same agent and service.
curl -sS -X POST "$BASE_URL/api/v1/usage" \ -H "Content-Type: application/json" \ -H "X-Request-Id: quickstart-usage-2" \ -d '{"agent":"agent-alpha","serviceId":"embedding-v1","requests":7}'
Expected status:
201 Created{ "agent": "agent-alpha", "serviceId": "embedding-v1", "total": 10 } -
Read the current accumulator.
curl -sS "$BASE_URL/api/v1/usage/agent-alpha/embedding-v1" \ -H "X-Request-Id: quickstart-read"
Expected status:
200 OK{ "agent": "agent-alpha", "serviceId": "embedding-v1", "total": 10 } -
Quote the current bill.
curl -sS "$BASE_URL/api/v1/billing/agent-alpha/embedding-v1" \ -H "X-Request-Id: quickstart-quote"
Expected status:
200 OK{ "agent": "agent-alpha", "serviceId": "embedding-v1", "requests": 10, "priceStroops": 25, "billedStroops": 250 } -
Settle the bill and drain the accumulator.
curl -sS -X POST "$BASE_URL/api/v1/settle" \ -H "Content-Type: application/json" \ -H "X-Request-Id: quickstart-settle" \ -d '{"agent":"agent-alpha","serviceId":"embedding-v1"}'
Expected status:
200 OK{ "agent": "agent-alpha", "serviceId": "embedding-v1", "requests": 10, "priceStroops": 25, "billedStroops": 250 } -
Confirm the accumulator is now zero.
curl -sS "$BASE_URL/api/v1/usage/agent-alpha/embedding-v1" \ -H "X-Request-Id: quickstart-drained"
Expected status:
200 OK{ "agent": "agent-alpha", "serviceId": "embedding-v1", "total": 0 }
On push/PR to main, GitHub Actions runs:
| Step | Command | Notes |
|---|---|---|
| Install | npm ci |
Clean, reproducible install |
| Audit | npm audit --audit-level=high |
Fails on high or critical advisories |
| Lint | npm run lint |
ESLint over TS source and tests |
| Build | npm run build |
TypeScript compile |
| Test | npm test |
Node built-in test runner |
Node.js is pinned to 20.x LTS in CI, which satisfies the engines >= 18.18 requirement declared in package.json.
Every CI run executes npm audit --audit-level=high. A high or critical advisory blocks the build and must be resolved before merging.
Triage process for unfixable advisories:
- Confirm no patched version exists (
npm auditoutput or the advisory page). - Assess actual exploitability in context (e.g. is the vulnerable code path reachable?).
- If the risk is accepted temporarily, document the advisory ID, rationale, and target resolution date in
.github/audit-allowlist.mdand lower the threshold to--audit-level=criticalinci.ymlas a short-term exception. - Re-evaluate on every Dependabot PR or at most every 30 days.
Low/moderate advisories are surfaced in the output but do not block the build. They should be reviewed periodically and resolved when a fix is available.
Dependabot is configured in .github/dependabot.yml and runs every Monday at 06:00 UTC for both ecosystems:
| Ecosystem | Grouping | Separate PRs for |
|---|---|---|
npm |
Minor + patch bundled into one PR | Major version bumps |
github-actions |
All action updates in one PR | — |
- PRs are labelled
dependencies+security(npm) orci(actions). - Major version bumps get individual PRs so breaking changes receive explicit review.
- The open-PR cap is 10 (npm) and 5 (actions) to keep the queue manageable.
- Fork the repo and create a branch.
- Make changes; ensure
npm run lint,npm run build, andnpm testpass. - Run
npm auditlocally and resolve any high/critical findings before opening a PR. - Open a pull request. CI (including the audit step) must pass before merge.
MIT