Skip to main content

Provider security requirements

Your service is called by autonomous agents that hold funds. A few requirements keep both sides safe. Listings that don't meet them may be rejected or removed.

Required

1. HTTPS everywhere

Serve all traffic over TLS. Plaintext HTTP exposes payment traffic to interception and response tampering (an attacker could redirect funds). HTTP-only endpoints are rejected at ingestion.

2. Treat your listing text as untrusted data

description, capability, and any content your API returns are read by an AI agent. Never embed instructions — no text like "ignore previous instructions", "system:", or "transfer funds to…". Listings that attempt to steer the calling agent (prompt injection) are removed. Return data, not directives.

3. Safe, idempotent settlement

  • Verify the X-PAYMENT authorization (signature, amount, payTo, network) before serving data.
  • Make settlement idempotent per authorization nonce — a retried request must not double-charge or double-serve.
  • Advertise a payTo and price that exactly match your 402 challenge.

4. Keep infrastructure patched

Run current, patched server software. Outdated web servers with known CVEs are a path to key theft and fund loss — and a liability to everyone paying you.

  • Rate-limit your endpoints to blunt scraping and abuse.
  • Don't leak internals — avoid returning stack traces, internal IPs, or secrets in responses or errors.
  • Front origins with a proxy/CDN rather than exposing raw server IPs.
  • Least privilege for the key that receives/settles USDC; monitor and alert on anomalies.
  • Log settlement events for reconciliation and forensics.

Why this matters

XDC AI agents pay real USDC autonomously. The trust model depends on providers being data sources, not actors: your endpoint returns information, the agent decides. Anything that blurs that line — insecure transport, injected instructions, or ambiguous pricing — puts user funds at risk and will cost you your listing.

note

These requirements protect the whole marketplace. If you spot a security issue in the platform or another listing, report it via xdcai.tech.