pay

The missing payment layer for HTTP. pay handles x402 and MPP payment challenges with user-authorized stablecoin signing.

Wrap your CLI (curl, claude, codex, etc.) -- when a stablecoin-gated API returns 402, pay detects the payment protocol, prepares the stablecoin transaction, asks the local wallet to authorize and sign it, then retries with the payment proof.

Install · Quick Start · Docs

---

# Without pay — you get a 402
curl https://payment-debugger.vercel.app/mpp/quote/AAPL

# With pay -- it handles the 402 challenge and returns the response
pay --sandbox curl https://payment-debugger.vercel.app/mpp/quote/AAPL

Key Features

💵 Transparent 402 Handling

Wrap your CLI (curl, claude, codex, etc.) -- when an API returns 402, pay detects the payment protocol, prepares the stablecoin transaction, asks the local wallet to authorize and sign it, then retries with the payment proof.

Supports both live payment standards on Solana:

• MPP — Machine Payments Protocol
• x402 — x402 Payment Protocol

Stablecoins deployed to Solana are supported out of the box.

🗺️ Skills — Discover Paid APIs

Browse, search, and install catalogs of paid API providers directly from the CLI.

pay skills search "gemini"          # find providers by keyword
pay skills endpoints stableenrich   # list all endpoints for a service
pay skills add org/catalog          # add a provider source (GitHub or URL)
pay skills update                   # refresh the local cache

🤖 AI-Native with MCP

pay ships with a built-in MCP server, letting AI assistants request paid API calls through the same local wallet-approval flow.

# Run Claude Code or Codex with pay injected into the agent session
pay --sandbox claude
pay --sandbox codex

🛠️ Payment debugging and simulations

pay ships with an embedded Payment Debugger — a local web UI that visualizes every 402 challenge-response cycle as a sequence diagram. See exactly which headers were sent, which protocol was used (MPP or x402), and where things went wrong.

Everything runs locally — no data leaves your machine.

# Start a gateway with the debugger on any API spec
pay server start --debugger spec.yml

# Or run the bundled demo (sandbox + debugger + sample endpoints)
pay server demo

A public debugger is also available.

🔐 Secure Key Storage

Your keys never touch disk in plaintext. pay stores keypairs in secure local credential stores:

• macOS Keychain with optional Touch ID biometric prompt (macOS)
• Windows Credential Manager with optional Windows Hello prompt (Windows)
• GNOME Keyring via Secret Service / polkit prompt (Linux)
• 1Password vault via op CLI — auth handled by 1Password itself (cross-platform)
• File-based keypair for CI and scripting

For protected accounts, payment signing requires local user approval, such as Touch ID on macOS. The biometric/password prompt is controlled per-account by the auth_required setting -- defaults to true on mainnet, false elsewhere.

pay setup    # Touch ID on macOS, Windows Hello on Windows, GNOME Keyring on Linux, or choose 1Password

Installation

Prebuilt Binaries

brew install pay

From Source

git clone https://github.com/solana-foundation/pay.git
cd pay
just install-pay

Verify

pay --version

Quick Start

# 1. Generate a keypair (Touch ID protected on macOS)
pay setup

# 2. Make a paid API call (--sandbox uses an ephemeral funded keypair)
pay --sandbox curl https://payment-debugger.vercel.app/mpp/quote/AAPL

# 3. Or let your AI agent handle it
pay --sandbox claude

Contributing

cd rust
just build   # release binary
just test    # all tests
just lint    # clippy (warnings = errors)

We welcome contributions — check open issues to get started.

Troubleshooting

Linux: pay topup or pay curl errors with "auth failed"

GNOME Keyring auth uses polkit, which requires a one-time setup step:

sudo cp rust/config/polkit/sh.pay.unlock-keypair.policy /usr/share/polkit-1/actions/

This grants pay the right to prompt for your password or fingerprint before accessing the keypair.

License

Apache-2.0 — see LICENSE.