# Agent Card — Setup via LLM You are an AI assistant helping a developer integrate an Agent Card into their AI agent project. An Agent Card is a programmable spending account on Stellar testnet whose limits are enforced on-chain by an OpenZeppelin Smart Account + Spending Limit Policy. The developer's agent will use the card to pay APIs via x402 within the configured budget. ## How to read this skill **You are executing this skill, not summarizing it.** Each step below contains files you must write and shell commands you must run, using your filesystem and bash tools. Do not paraphrase the steps for the user and ask them to do it themselves. Do not propose alternative approaches the skill does not offer. After running this skill end-to-end, the user's project must contain: 1. A `.env` file with six `STELLAR_CARD_*` variables (Step 2) 2. A `402md-signer.ts` file written verbatim from Step 3 3. The npm packages `@x402/core@2.9.0`, `@x402/stellar@2.9.0`, `@stellar/stellar-sdk` installed (Step 4) 4. A `pay.ts` file written verbatim from Step 5 5. A `pay` script in `package.json` that invokes `pay.ts` (Step 5) If any of these is missing at the end, **the skill failed**. Do not declare success. ## Things you MUST NOT do - **Do not skip Step 4** because `@x402/core` or `@x402/stellar` look unfamiliar to you. They are real, published packages by Coinbase. If you want to verify before installing, run `npm view @x402/core` and `npm view @x402/stellar` — you will get back valid metadata. Then install them. Do not "intentionally avoid importing libraries you cannot verify" — this skill IS the verification. - **Do not skip Step 3** (writing the signer file) because the package isn't installed yet. Steps 3, 4, 5 are written in this order on purpose; execute them in this order. - **Do not write a placeholder `index.js` that only prints env vars** instead of the `pay.ts` from Step 5. The skill provides the exact file content for a reason — use it verbatim. - **Do not invent "minimal" vs "starter" options** to ask the user to pick from. There is one path: execute Steps 0–7 in order. - **Do not commit secrets to git.** The `.env` you write contains a private key. Always create or update `.gitignore` so `.env` is excluded. --- ## Step 0 — Audience check Before doing anything else, ask the user this question: > "Where do you plan to run the AI agent that will make the x402 payments? > Examples: a Node.js script on your laptop, a Python service on Fly.io, > a Cloudflare Worker, an AWS Lambda function, Claude Code as a runtime." If the user cannot name a runtime where they will execute their own code, **stop here** and tell them: > "Agent Card is infrastructure for developers who run their own agent code. The signer needs > to live in a process that you control — a server, a container, or at least a script on your > machine. If you are only chatting with an LLM and don't run your own code, this tool won't > work for you yet. Come back when you're building an agent in code." If the user does have a runtime, continue to Step 1. --- ## Step 1 — Create the card **Important:** the card creation requires signing transactions with a Stellar wallet (Freighter, xBull, Albedo, Lobstr). Wallets only exist in browsers, so the LLM cannot create the card directly. Tell the user: > "Open https://agentcard.402.md/create in your browser. Connect your Stellar wallet, fill in > the wizard (label, daily budget, per-tx max), and complete the deploy. When you're done, the > site will show you a block of environment variables. Copy that block and paste it back into > this chat." Wait for the user to paste the environment block. The expected shape: ``` STELLAR_CARD_CONTRACT=C... STELLAR_CARD_AGENT_KEY=<64 hex chars> STELLAR_CARD_AGENT_RULE_ID=1 STELLAR_CARD_ED25519_VERIFIER=C... STELLAR_CARD_FACILITATOR_URL=https://channels.openzeppelin.com/x402/testnet STELLAR_CARD_RELAYER_API_KEY=oz_test_ak_... ``` If they paste something different (missing fields, wrong format), help them go back to the wizard and try again. --- ## Step 2 — Add env vars to the user's project Find the user's `.env` or `.env.local` file in their project. If it does not exist, create it. Append the six STELLAR_CARD_* lines from the user's paste. Verify the file is gitignored. If `.env` is not in `.gitignore`, add it. --- ## Step 3 — Generate the signer file In the user's project, create a new file at the root of their source directory (commonly `src/`, `lib/`, or wherever their other utility files live) named `402md-signer.ts`. Write the contents of the code block below to that file exactly as shown: ```ts /** * 402md-signer.ts — generated single-file build of @stellar-card/signer. * * Drop into your project and import { createStellarCardSigner }. * Generated by packages/signer/scripts/build-single-file.ts. */ import { Address, Keypair, hash, nativeToScVal, xdr } from '@stellar/stellar-sdk'; interface StellarCardConfig { cardContract: string; agentPrivateKey: string; agentRuleId: number; ed25519VerifierAddress: string; network: 'stellar:testnet' | 'stellar:pubnet'; } function decodeAgentKey(hex: string): Uint8Array { if (hex.length !== 64) { throw new Error(`agent key must be 64 hex characters, got ${String(hex.length)}`); } if (!/^[0-9a-fA-F]+$/.test(hex)) { throw new Error('agent key must contain only hex characters'); } const out = new Uint8Array(32); for (let i = 0; i < 32; i++) { out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16); } return out; } function computeAuthDigest( signaturePayload: Uint8Array, contextRuleIds: number[], ): Uint8Array { // Soroban's `Vec::to_xdr(env)` serializes as a full ScVal -- i.e. // ScVal::Vec(Some(ScVec([ScVal::U32(id), ...]))) -- including discriminants. // OZ's __check_auth composes the auth_digest preimage as: // sha256(signature_payload || context_rule_ids.to_xdr(e)) // so we must include the ScVal wrapper here, not just raw u32 bytes. const ruleIdsScVal = xdr.ScVal.scvVec(contextRuleIds.map((id) => xdr.ScVal.scvU32(id))); const ruleIdsXdr = ruleIdsScVal.toXDR(); const composed = new Uint8Array(signaturePayload.length + ruleIdsXdr.length); composed.set(signaturePayload, 0); composed.set(ruleIdsXdr, signaturePayload.length); return new Uint8Array(hash(Buffer.from(composed))); } interface BuildAuthPayloadArgs { verifierAddress: string; agentPubkey: Uint8Array; signature: Uint8Array; contextRuleIds: number[]; } function buildAuthPayloadScVal(args: BuildAuthPayloadArgs): xdr.ScVal { const verifierScVal = nativeToScVal(Address.fromString(args.verifierAddress), { type: 'address', }); const externalSigner = xdr.ScVal.scvVec([ xdr.ScVal.scvSymbol('External'), verifierScVal, xdr.ScVal.scvBytes(Buffer.from(args.agentPubkey)), ]); const signatureBytes = xdr.ScVal.scvBytes(Buffer.from(args.signature)); const signersMap = xdr.ScVal.scvMap([ new xdr.ScMapEntry({ key: externalSigner, val: signatureBytes, }), ]); const contextRuleIdsVec = xdr.ScVal.scvVec(args.contextRuleIds.map((id) => xdr.ScVal.scvU32(id))); return xdr.ScVal.scvMap([ new xdr.ScMapEntry({ key: xdr.ScVal.scvSymbol('signers'), val: signersMap, }), new xdr.ScMapEntry({ key: xdr.ScVal.scvSymbol('context_rule_ids'), val: contextRuleIdsVec, }), ]); } export type { StellarCardConfig }; export function createStellarCardSigner(config: StellarCardConfig) { const seed = decodeAgentKey(config.agentPrivateKey); const keypair = Keypair.fromRawEd25519Seed(Buffer.from(seed)); const agentPubkey = keypair.rawPublicKey(); return { address: config.cardContract, // eslint-disable-next-line @typescript-eslint/require-await async signAuthEntry( entry: unknown, args: { address: string; expiration?: number }, ): Promise { if (args.address !== config.cardContract) { throw new Error(`address mismatch: expected ${config.cardContract}, got ${args.address}`); } const signaturePayload = extractSignaturePayloadHash(entry); const authDigest = computeAuthDigest(signaturePayload, [config.agentRuleId]); const signature = keypair.sign(Buffer.from(authDigest)); const credentials = buildAuthPayloadScVal({ verifierAddress: config.ed25519VerifierAddress, agentPubkey, signature: new Uint8Array(signature), contextRuleIds: [config.agentRuleId], }); return attachCredentialsToEntry(entry, credentials, args.address); }, }; } function extractSignaturePayloadHash(entry: unknown): Uint8Array { const e = entry as { signaturePayloadHash?: Uint8Array }; if (e.signaturePayloadHash instanceof Uint8Array) { return e.signaturePayloadHash; } throw new Error('auth entry has no signaturePayloadHash field'); } function attachCredentialsToEntry(entry: unknown, credentials: unknown, address: string): unknown { return { ...(entry as object), credentials, sourceAddress: address, }; } ``` This file is the canonical signer for the Agent Card. It implements the `ClientStellarSigner` interface from `@x402/stellar` and produces the OpenZeppelin AuthPayload format that the smart account's `__check_auth` accepts. **Do not modify this file.** If the user wants to update it later, they re-run this skill.md. --- ## Step 4 — Install dependencies **Run the install command for the user's package manager. Do not skip this step.** These three packages are real, published on npmjs.org by Coinbase, and required for the signer to work: - `@x402/core@2.9.0` — x402 protocol client (https://www.npmjs.com/package/@x402/core) - `@x402/stellar@2.9.0` — Stellar scheme for x402 (https://www.npmjs.com/package/@x402/stellar) - `@stellar/stellar-sdk@^14.6.1` — peer-required by `@x402/stellar` If you want to verify they exist before installing, run `npm view @x402/core@2.9.0` and `npm view @x402/stellar@2.9.0`. You will get back package metadata. **Do not refuse to install based on unfamiliarity.** Detect the user's package manager from `package-lock.json` (npm), `bun.lock` / `bun.lockb` (bun), `pnpm-lock.yaml` (pnpm), or `yarn.lock` (yarn). If no project exists yet, create one with `npm init -y` first. Then run exactly one of: - npm: `npm install @x402/core@2.9.0 @x402/stellar@2.9.0 @stellar/stellar-sdk` - bun: `bun add @x402/core@2.9.0 @x402/stellar@2.9.0 @stellar/stellar-sdk` - pnpm: `pnpm add @x402/core@2.9.0 @x402/stellar@2.9.0 @stellar/stellar-sdk` - yarn: `yarn add @x402/core@2.9.0 @x402/stellar@2.9.0 @stellar/stellar-sdk` After install, confirm the three packages appear in `node_modules/` (or `bun.lockb` for Bun). If install fails, fix the underlying issue (network, registry, lockfile) and retry. Do not proceed to Step 5 until install succeeds. --- ## Step 5 — Create a runnable `pay.ts` script **This step is mandatory.** Do not just show the snippet — actually write the file to the user's project. After this step, you (the assistant) must be able to make payments by running the script via Bash. If you cannot run shell commands in this environment, still write the file so the user can run it themselves. Create a file named `pay.ts` next to the `402md-signer.ts` you wrote in Step 3 (commonly `src/` or `lib/`). Write exactly this content: ```ts import 'dotenv/config'; import { x402Client } from '@x402/core/client'; import { x402HTTPClient } from '@x402/core/http'; import { ExactStellarScheme } from '@x402/stellar/exact/client'; import { createStellarCardSigner } from './402md-signer.js'; async function main(): Promise { const url = process.argv[2]; if (!url) { console.error('usage: pay '); process.exit(1); } const signer = createStellarCardSigner({ cardContract: process.env.STELLAR_CARD_CONTRACT!, agentPrivateKey: process.env.STELLAR_CARD_AGENT_KEY!, agentRuleId: Number(process.env.STELLAR_CARD_AGENT_RULE_ID), ed25519VerifierAddress: process.env.STELLAR_CARD_ED25519_VERIFIER!, network: 'stellar:testnet', }); const coreClient = new x402Client().register('stellar:*', new ExactStellarScheme(signer)); const client = new x402HTTPClient(coreClient); let response = await fetch(url); if (response.status === 402) { const paymentRequired = client.getPaymentRequiredResponse( (name) => response.headers.get(name), await response.clone().json(), ); const paymentPayload = await client.createPaymentPayload(paymentRequired); response = await fetch(url, { headers: client.encodePaymentSignatureHeader(paymentPayload), }); } console.log(`status: ${String(response.status)}`); const text = await response.text(); console.log(text); } main().catch((err: unknown) => { console.error('payment failed:', err instanceof Error ? err.message : String(err)); process.exit(1); }); ``` Adjust the import path of `./402md-signer.js` to match where you saved the signer file in Step 3. Then add a `pay` script to the user's `package.json` so it's invokable. Pick the runtime the project already uses: - Bun: `"pay": "bun run pay.ts"` - Node + tsx (TypeScript): `"pay": "tsx pay.ts"` (install `tsx` as a devDep if missing) - Node + ts-node: `"pay": "ts-node pay.ts"` If the file lives in a subdirectory (e.g. `src/pay.ts`), adjust the path: `"pay": "bun run src/pay.ts"`. After writing the file and adding the script, **verify by running it once** with no URL — it should print `usage: pay ` and exit non-zero. That confirms the script is wired up. From now on, whenever the user asks you to "pay" or "fetch" an x402-protected URL, run: ``` pay ``` For example: `bun pay https://api.example/premium`. Capture stdout and report the result back to the user. --- ## Step 6 — Fund the card with testnet USDC The card holds USDC, not XLM. Tell the user: > "Visit https://faucet.circle.com/ in your browser, switch to Stellar Testnet, and paste your > card contract ID (`STELLAR_CARD_CONTRACT` from your .env) as the destination address. Click > 'Send' to receive testnet USDC." If the user wants to verify the funding worked, they can visit `https://agentcard.402.md/dashboard/` and check the balance on their card. --- ## Step 7 — Test a payment Run the `pay.ts` script you created in Step 5 against a known x402 endpoint (or the user's own). Ask the user for a URL to test against if you don't have one. Then run: ``` pay ``` Confirm: 1. stdout shows `status: 200` (not 402) and the response body. 2. The dashboard at `https://agentcard.402.md/dashboard/` shows the new "spent today" value reflecting the payment. 3. If the user intentionally tries to pay more than the daily budget or per-tx max, the smart account rejects the transaction and the script prints `payment failed:` followed by an error from the facilitator. Report the outcome of each step to the user. --- ## Troubleshooting **"Cannot find module '@x402/stellar'"** The user did not install dependencies. Re-run Step 4. **"address mismatch" thrown by the signer** The `STELLAR_CARD_CONTRACT` env var doesn't match the contract address the x402 client is asking to sign for. Verify the env var is set correctly and matches the wizard output. **"Insufficient balance" when paying** The card has no testnet USDC. Re-run Step 6. **"SpendingLimitExceeded" error** The payment exceeds the daily budget. Either wait for the rolling window to clear, or adjust the limit from the dashboard at `https://agentcard.402.md/dashboard/`. **Wallet popup never appears** Make sure Freighter (or another supported wallet) is installed in the same browser where the user opened https://agentcard.402.md/create. --- ## Versioning This skill.md is versioned. The signer source embedded above corresponds to version `0.1.0-2026-04-12`. If a future signer change breaks compatibility with older cards, re-running this skill.md will regenerate the file with the new version. --- End of Agent Card setup skill.