exactly · nfmelendez · Apr 17, 2026
@@ -0,0 +1,5 @@
+---
+"@exactly/server": patch
+---
+
+✨ add panda signature
@@ -47,14 +47,23 @@ import {
 } from "@exactly/common/generated/chain";
 import MIN_BORROW_INTERVAL from "@exactly/common/MIN_BORROW_INTERVAL";
 import revertReason from "@exactly/common/revertReason";
-import { Address, type Hash, type Hex } from "@exactly/common/validation";
+import { Address, Hex, type Hash } from "@exactly/common/validation";
 import { MATURITY_INTERVAL, splitInstallments } from "@exactly/lib";
 
 import database, { cards, credentials, transactions } from "../database/index";
 import t, { f } from "../i18n";
 import keeper from "../utils/keeper";
 import { sendPushNotification } from "../utils/onesignal";
-import { collectors, createMutex, getMutex, getUser, headerValidator, signIssuerOp, updateUser } from "../utils/panda";
+import {
+  collectors,
+  createMutex,
+  getMutex,
+  getUser,
+  headerValidator,
+  signIssuerOp,
+  updateUser,
+  verifyPandaSignature,
+} from "../utils/panda";
 import publicClient from "../utils/publicClient";
 import revertFingerprint from "../utils/revertFingerprint";
 import risk, { feedback } from "../utils/sardine";
@@ -87,6 +96,8 @@ const BaseTransaction = v.object({
     authorizedAmount: v.nullish(v.number()),
     authorizationMethod: v.optional(v.string()),
     userId: v.string(),
+    signature: v.optional(Hex),
+    timestamp: v.optional(v.number()),
   }),
 });
 
@@ -510,6 +521,32 @@ export default new Hono().post(
             Math.floor(new Date(payload.body.spend.authorizedAt).getTime() / 1000) -
             Number(BigInt(`0x${payload.id.replaceAll(/[^0-9a-f]/g, "")}`) % 3600n);
           const signature = await signIssuerOp({ account, amount: -refundAmount, timestamp }); // TODO replace with payload signature
+          if (payload.body.spend.signature) {
+            await startSpan(
+              {
+                name: "panda.signature",
+                op: "panda.signature",
+                attributes: {
+                  "signature.account": account,
+                  "signature.amount": String(-refundAmount),
+                  "signature.timestamp": String(payload.body.spend.timestamp ?? 0),
+                },
+              },
+              (span) => {
+                if (!payload.body.spend.signature) throw new Error("signature not found");
+                if (!payload.body.spend.timestamp) throw new Error("timestamp not found");
+                return verifyPandaSignature({
+                  account,
+                  amount: -refundAmount,
+                  timestamp: payload.body.spend.timestamp,
+                  signature: payload.body.spend.signature,
+                }).then((valid) => {
+                  span.setAttribute("signature.valid", valid);
+                  if (!valid) captureException(new Error("invalid panda signature"), { level: "error" });
+                });
+              },
+            ).catch((error: unknown) => captureException(error, { level: "error" }));
+          }
           try {
             await keeper.exaSend(
               { name: "exa.refund", op: "exa.refund", attributes: { account } },
@@ -1097,6 +1134,33 @@ async function prepareCollection(
       (payload.body.spend.authorizedAt ? new Date(payload.body.spend.authorizedAt) : new Date()).getTime() / 1000, // TODO remove fallback
     );
     const signature = await signIssuerOp({ account, amount, timestamp }); // TODO replace with payload signature
+    if (payload.body.spend.signature) {
+      await startSpan(
+        {
+          name: "panda.signature",
+          op: "panda.signature",
+          attributes: {
+            "signature.account": account,
+            "signature.amount": String(amount),
+            "signature.timestamp": String(payload.body.spend.timestamp ?? 0),
+          },
+        },
+        (span) => {
+          if (!payload.body.spend.signature) throw new Error("signature not found");
+          if (!payload.body.spend.timestamp) throw new Error("timestamp not found");
+          return verifyPandaSignature({
+            account,
+            amount,
+            timestamp: payload.body.spend.timestamp,
+            signature: payload.body.spend.signature,
+          }).then((valid) => {
+            span.setAttribute("signature.valid", valid);
+            if (!valid) captureException(new Error("invalid panda signature"), { level: "error" });
+          });
+        },
+      ).catch((error: unknown) => captureException(error, { level: "error" }));
+    }
+
     if (card.mode === 0) {
       return { functionName: "collectDebit", args: [amount, BigInt(timestamp), signature] } as const;
     }