Provider security requirements
Your service is called by autonomous agents that hold funds. A few requirements keep both sides safe. Listings that don't meet them may be rejected or removed.
Required
1. HTTPS everywhere
Serve all traffic over TLS. Plaintext HTTP exposes payment traffic to interception and response tampering (an attacker could redirect funds). HTTP-only endpoints are rejected at ingestion.
2. Treat your listing text as untrusted data
description, capability, and any content your API returns are read by an AI agent. Never embed instructions — no text like "ignore previous instructions", "system:", or "transfer funds to…". Listings that attempt to steer the calling agent (prompt injection) are removed. Return data, not directives.
3. Safe, idempotent settlement
- Verify the
X-PAYMENTauthorization (signature, amount,payTo, network) before serving data. - Make settlement idempotent per authorization nonce — a retried request must not double-charge or double-serve.
- Advertise a
payToand price that exactly match your402challenge.
4. Keep infrastructure patched
Run current, patched server software. Outdated web servers with known CVEs are a path to key theft and fund loss — and a liability to everyone paying you.
Recommended
- Rate-limit your endpoints to blunt scraping and abuse.
- Don't leak internals — avoid returning stack traces, internal IPs, or secrets in responses or errors.
- Front origins with a proxy/CDN rather than exposing raw server IPs.
- Least privilege for the key that receives/settles USDC; monitor and alert on anomalies.
- Log settlement events for reconciliation and forensics.
Why this matters
XDC AI agents pay real USDC autonomously. The trust model depends on providers being data sources, not actors: your endpoint returns information, the agent decides. Anything that blurs that line — insecure transport, injected instructions, or ambiguous pricing — puts user funds at risk and will cost you your listing.
These requirements protect the whole marketplace. If you spot a security issue in the platform or another listing, report it via xdcai.tech.