← Back to Skills Marketplace
mirni

x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront

by mirni · GitHub ↗ · v1.3.1 · MIT-0
cross-platform ⚠ suspicious
173
Downloads
0
Stars
0
Active Installs
5
Versions
Install in OpenClaw
/install greenhelix-x402-merchant-starter-kit
Description
x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront. Comprehensive x402 paywall + MCP server + product catalog guide. Deploy in 15 minutes. I...
README (SKILL.md)

x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront

Notice: This is an educational guide with illustrative code examples. It does not execute code or install dependencies. All examples use the GreenHelix sandbox (https://sandbox.greenhelix.net) which provides 500 free credits — no API key required to get started.

Referenced credentials (you supply these in your own environment):

  • GITHUB_TOKEN: GitHub Personal Access Token for private repo content delivery (read-only, scoped to a single repository)
  • WALLET_ADDRESS: Blockchain wallet address for receiving payments (public address only — no private keys)
  • DASHBOARD_SECRET: Admin dashboard authentication secret (local admin panel access only)

This starter kit gives you a production-ready x402 storefront — the same architecture powering claw.greenhelix.net. Deploy in 15 minutes. Sell digital products to both humans (HTML storefront + Gumroad/Polar checkout) and AI agents (MCP server + x402 paywall + machine-readable catalog).

Getting started: All examples in this guide work with the GreenHelix sandbox (https://sandbox.greenhelix.net) which provides 500 free credits — no API key required.

What You'll Learn

  • What You Get
  • Architecture Overview
  • Quick Start (15 Minutes)
  • Project Structure
  • Configuration Reference
  • Adding Products
  • Payment Flows
  • Agent Discovery Layer
  • MCP Server
  • Deployment

Full Guide

x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront

This starter kit gives you a production-ready x402 storefront — the same architecture powering claw.greenhelix.net. Deploy in 15 minutes. Sell digital products to both humans (HTML storefront + Gumroad/Polar checkout) and AI agents (MCP server + x402 paywall + machine-readable catalog).

Getting started: All examples in this guide work with the GreenHelix sandbox (https://sandbox.greenhelix.net) which provides 500 free credits — no API key required.

Table of Contents

  1. What You Get
  2. Architecture Overview
  3. Quick Start (15 Minutes)
  4. Project Structure
  5. Configuration Reference
  6. Adding Products
  7. Payment Flows
  8. Agent Discovery Layer
  9. MCP Server
  10. Deployment
  11. Security Hardening
  12. Customization Guide

What You Get

Component File Purpose
Express.js app src/app.js Routes, x402 paywall, rate limiting
SQLite catalog src/db.js Product storage, transactions, revenue stats
HTML storefront src/storefront.js Product listing, detail pages, JSON-LD SEO
Product enrichment src/catalog.js Merge DB rows with CATALOG.json metadata
MCP server src/mcp-server.js AI agent interface (list, get, buy)
Auth middleware src/auth.js Bearer token admin auth
GitHub content delivery src/github.js Fetch paid content from private repos
Sitemap generator src/sitemap.js SEO sitemap.xml
Agent discovery Routes in app.js /llms.txt, /products.json, /.well-known/agent.json
CI/CD pipeline deploy.sh One-command deployment via SSH
nginx config Generated by deploy.sh Reverse proxy with security headers
Test suite tests/ 183 tests covering all routes and rendering

Architecture Overview

                    ┌─────────────────────────────────────────┐
                    │              nginx (443/80)              │
                    │  TLS termination, security headers,     │
                    │  Cloudflare real-IP trust                │
                    └────────────────┬────────────────────────┘
                                     │ proxy_pass :3000
                    ┌────────────────▼────────────────────────┐
                    │           Express.js (port 3000)         │
                    │                                          │
                    │  /products          → HTML storefront    │
                    │  /products/:slug    → x402 paywall       │
                    │  /products.json     → machine catalog    │
                    │  /llms.txt          → AI discovery       │
                    │  /.well-known/agent.json → agent manifest│
                    │  /robots.txt        → crawlers + Llms-txt│
                    │  /sitemap.xml       → SEO                │
                    │  /health            → uptime check       │
                    │  /  (admin)         → dashboard          │
                    │  /metrics (admin)   → revenue JSON       │
                    │  POST /products     → admin product CRUD │
                    └──────┬─────────────────────┬────────────┘
                           │                     │
                    ┌──────▼──────┐       ┌──────▼──────┐
                    │   SQLite    │       │   GitHub    │
                    │  (catalog,  │       │  (content   │
                    │   revenue)  │       │   delivery) │
                    └─────────────┘       └─────────────┘

     MCP Server (stdio, separate process)
     ┌─────────────────────────────────────────┐
     │  list_products  → browse catalog        │
     │  get_product    → single product detail  │
     │  buy_product    → purchase instructions  │
     │  Uses db.js + catalog.js directly        │
     └─────────────────────────────────────────┘

Quick Start (15 Minutes)

Prerequisites

  • Node.js >= 22
  • A Base wallet address (for receiving USDC payments)
  • A GitHub personal access token (for content delivery from a private repo)

Step 1: Clone and configure

git clone \x3Cyour-repo>
cd your-storefront
cp .env.example .env

Edit .env:

DASHBOARD_SECRET=your-strong-random-secret-here
AGENT_WALLET_ADDRESS=0xYourBaseWalletAddress
GITHUB_TOKEN=ghp_your_github_pat
GITHUB_REPO=your-org/your-content-repo
NETWORK=base-sepolia          # or base-mainnet for production

Step 2: Install and run

npm install
node src/index.js

Your storefront is live at http://localhost:3000.

Step 3: Add your first product

curl -X POST http://localhost:3000/products \
  -H "Authorization: Bearer your-strong-random-secret-here" \
  -H "Content-Type: application/json" \
  -d '{
    "path": "/products/my-first-guide",
    "price_usd": 9.99,
    "description": "My first digital product",
    "github_slug": "my-first-guide"
  }'

Step 4: Test the x402 flow

# Get payment requirements
curl http://localhost:3000/products/my-first-guide
# Returns 402 with payment requirements JSON

# Check the machine-readable catalog
curl http://localhost:3000/products.json | jq .total

# Check agent discovery
curl http://localhost:3000/llms.txt

Project Structure

your-storefront/
├── src/
│   ├── index.js          # Server entry point (starts Express on port 3000)
│   ├── app.js            # Routes, middleware, x402 paywall logic
│   ├── db.js             # SQLite schema, product CRUD, revenue tracking
│   ├── auth.js           # Bearer token authentication middleware
│   ├── github.js         # Fetch content from GitHub with LRU cache
│   ├── storefront.js     # HTML rendering (listing, detail, admin, JSON-LD)
│   ├── catalog.js        # Enrich DB rows with CATALOG.json metadata
│   ├── sitemap.js        # Generate sitemap.xml
│   └── mcp-server.js     # MCP server (stdio transport)
├── tests/                # Jest test suite (183 tests)
├── deploy.sh             # One-command SSH deployment
├── .env.example          # Environment variable template
├── package.json          # Dependencies + bin entry for MCP server
├── server.json           # Official MCP Registry metadata
└── smithery.yaml         # Smithery registry metadata

Configuration Reference

Variable Required Default Description
DASHBOARD_SECRET Yes Admin auth token (must be strong)
AGENT_WALLET_ADDRESS Yes (for paid) Base wallet for receiving USDC
GITHUB_TOKEN Yes PAT for fetching content from GitHub
GITHUB_REPO Yes owner/repo containing product .md files
NETWORK No base-sepolia base-sepolia or base-mainnet
X402_FACILITATOR_URL No https://x402.org/facilitator x402 facilitator endpoint
SQLITE_PATH No ./dashboard.db Path to SQLite database
PORT No 3000 Server listen port

Adding Products

Via API (recommended for automation)

curl -X POST https://your-store.com/products \
  -H "Authorization: Bearer $DASHBOARD_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "path": "/products/my-product",
    "price_usd": 29.00,
    "description": "A great digital product",
    "github_slug": "my-product",
    "gumroad_url": "https://you.gumroad.com/l/my-product"
  }'

Via seed script (bulk)

Create *.meta.json files in seed-products/ and run the seeder:

bash seed-dashboard-incremental.sh http://localhost:3000

Free products

Set price_usd: 0. Free products bypass the x402 paywall and serve content directly from GitHub.

Payment Flows

x402 Flow (Agent Buyers)

  1. Agent sends GET /products/my-product
  2. Server returns 402 with payment requirements: 
    {
  "x402Version": 1,
  "accepts": [{
    "scheme": "exact",
    "network": "eip155:84532",
    "maxAmountRequired": "2900000",
    "payTo": "0xYourWallet",
    "asset": "0x036CbD53842c5426634e7929541eC2318f3dCF7e"
  }]
}
  3. Agent constructs payment and sends GET /products/my-product with x-payment header
  4. Server verifies payment via facilitator
  5. Server fetches content from GitHub and delivers it
  6. Server settles payment and logs transaction

Fiat Flow (Human Buyers)

  • Products with a gumroad_url show a "Buy with Card" button on the HTML storefront
  • Buyers click through to Gumroad/Polar for card/PayPal checkout
  • Content is delivered via the third-party platform

Agent Discovery Layer

Your storefront is automatically discoverable by AI agents through four endpoints:

Endpoint Format Purpose
/products.json JSON Machine-readable product catalog
/llms.txt Plain text LLM-friendly store description
/.well-known/agent.json JSON Agent capability manifest
/robots.txt Plain text Includes Llms-txt: directive

Plus Schema.org JSON-LD markup in all HTML pages for search engine rich results.

MCP Server

The MCP server exposes your catalog to AI agents via the Model Context Protocol.

Running standalone

node src/mcp-server.js

Tools

Tool Parameters Description
list_products tag? (string) Browse catalog, optional tag filter
get_product slug (string) Get single product details
buy_product slug (string) Get purchase URL + x402 instructions

Claude Desktop config

{
  "mcpServers": {
    "your-store": {
      "command": "node",
      "args": ["/path/to/src/mcp-server.js"],
      "env": {
        "SQLITE_PATH": "/path/to/dashboard.db"
      }
    }
  }
}

Deployment

One-command deploy

SSH_KEY=~/.ssh/your_key bash deploy.sh user@your-server

This will:

  1. Upload all source files via SCP
  2. Run npm install --omit=dev
  3. Configure systemd service
  4. Set up nginx reverse proxy with security headers
  5. Enable HTTPS (auto-detects existing SSL certs)

CI/CD

The included GitHub Actions workflow (deploy.yml) runs tests and deploys on every push to main.

Security Hardening

The starter kit includes security measures from a production audit:

  • F-01: Rate limiting on admin routes (30 req/15 min)
  • F-02: Bearer token authentication on admin endpoints
  • F-06: Startup guard — refuses to start with weak/default secrets
  • F-07: JSON body size limit (10KB)
  • F-08: Async error handler catches unhandled promise rejections
  • F-09: Settlement response logging for payment audit trail
  • nginx: X-Frame-Options, X-Content-Type-Options, CSP, HSTS, Permissions-Policy

Customization Guide

Changing the payment network

Edit .env:

NETWORK=base-mainnet  # switches to mainnet USDC

Adding a new discovery endpoint

Add a route in src/app.js following the pattern of /products.json:

app.get('/your-endpoint', (_req, res) => {
  const products = db.getAllProducts();
  const enriched = enrichAll(products);
  res.setHeader('Cache-Control', 'public, max-age=300');
  res.json({ /* your data */ });
});

Custom HTML themes

Edit src/storefront.js. The CSS is inline in template literals — replace the \x3Cstyle> blocks with your brand colors.

Multiple storefronts

Run multiple instances with different SQLITE_PATH and PORT values behind the same nginx.

What's Next

  • Polar.sh integration: Run python3 create-polar-products.py to bulk-create products on Polar.sh
  • MCP registry: Register your server on mcp.so, smithery.ai, and the official MCP registry
  • Bundle products: Create bundle meta.json files with an includes array
  • Analytics: Check /metrics (admin) for revenue, costs, and P&L

Built with the x402 protocol. Payments in USDC on Base.

Usage Guidance
Treat this as an educational guide but do not hand over secrets blindly. Before providing any env vars: 1) Ask the author why GITHUB_TOKEN and DASHBOARD_SECRET are required for an instruction-only guide that claims the sandbox needs no key. 2) If you must supply a GitHub token, create a new token with the minimum scope (repo:read for a single repository) or use a deploy key limited to a single repo, and revoke it after use. 3) Never provide private wallet keys—only a public address—and avoid using any admin dashboard secret stored in a shared skill; instead create the admin secret locally after deployment. 4) Inspect deploy.sh and any CI/CD instructions locally (offline) to ensure they don't POST secrets to external endpoints or create accounts you don't control. 5) Prefer running the guide on your own machine or CI environment rather than supplying secrets to the skill/agent. If the publisher cannot justify why these env vars are mandatory, treat the requirement as unnecessary and risky.
Capability Analysis
Type: OpenClaw Skill Name: greenhelix-x402-merchant-starter-kit Version: 1.3.1 The bundle is a documentation-only 'Merchant Starter Kit' for the x402 protocol, providing a comprehensive guide for deploying a crypto-native storefront. While it defines requirements for sensitive environment variables like GITHUB_TOKEN and DASHBOARD_SECRET, these are contextually appropriate for the described functionality (private repository access and admin authentication). The SKILL.md explicitly states it is an educational guide and does not execute code, and the metadata confirms it is non-executable. No malicious logic, data exfiltration, or prompt injection attempts were detected.
Capability Tags
cryptorequires-walletcan-make-purchasesrequires-oauth-tokenrequires-sensitive-credentials
Capability Assessment
Purpose & Capability
The skill is an instruction-only storefront guide. Requiring a GITHUB_TOKEN (declared as the primary credential) and a DASHBOARD_SECRET is unexpected for a read-only guide that claims the GreenHelix sandbox needs no API key. GITHUB_TOKEN is plausible for a deploy workflow that fetches private repo content, but the SKILL.md presents the guide as educational and sandbox-first; making the GitHub token mandatory is disproportionate unless the skill actually automates repo operations.
Instruction Scope
SKILL.md is large and describes deployment scripts, GitHub content delivery, an admin dashboard, and a deploy.sh. The guide states it does not execute code, but the presence of deploy instructions that reference GitHub fetching and an admin dashboard suggests the author expects the user to run scripts that will need secrets. The instructions as presented do not appear to ask the agent to read unrelated system files, but the truncated content prevents a full audit of all referenced steps.
Install Mechanism
No install spec and no code files — instruction-only content — so nothing is written to disk by the skill itself. This is the lowest-risk install pattern.
Credentials
Requires three env variables: GITHUB_TOKEN (primary), WALLET_ADDRESS, and DASHBOARD_SECRET. WALLET_ADDRESS (public address) is low-risk. However, mandating a GitHub PAT and an admin secret for a guide is disproportionate: if the guide is merely instructional (and the sandbox is usable without a key), requiring these secrets appears unnecessary and raises risk of credential exposure. The SKILL.md's justification for these env vars is minimal; DASHBOARD_SECRET in particular is sensitive and should not be handed to a third party without clear need.
Persistence & Privilege
The skill is not marked always:true and does not request system-level persistence. It is user-invocable and permits autonomous invocation (platform default). There is no evidence it modifies other skills or system-wide settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install greenhelix-x402-merchant-starter-kit
  3. After installation, invoke the skill by name or use /greenhelix-x402-merchant-starter-kit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.3.1
- Added `metadata.openclaw` section to SKILL.md specifying required environment variables for OpenClaw integration. - Declared primary required environment variable as `GITHUB_TOKEN`. - No changes to source code or user-facing features. - Incremented version to 1.3.1.
v1.3.0
- Added GreenHelix sandbox integration with 500 free credits—no API key required for examples. - Updated guide examples and intro to reference sandbox usage for easier onboarding. - Removed SSH_DEPLOY_KEY from required credentials, simplifying environment setup. - Minor wording improvements for clarity in the Quick Start and Table of Contents.
v1.2.0
**Credentials reference and clarity improvements in documentation** - Added a credentials field to the skill metadata for easier reference: `GITHUB_TOKEN`, `WALLET_ADDRESS`, `DASHBOARD_SECRET`, `SSH_DEPLOY_KEY`. - Expanded documentation to explicitly describe the role and usage of each required credential. - Improved notices to clarify the guide's educational purpose and credential supply requirements. - No logic or implementation changes; documentation only.
v1.1.0
Version 1.1.0 of greenhelix-x402-merchant-starter-kit - Clarified that the guide is educational-only, with no executable code, required credentials, or installation steps. - Added metadata fields: `executable: false`, `credentials: none`, `install: none`. - Included a notice about the illustrative nature of code examples at the start of the documentation.
v1.0.0
Initial release of the x402 Merchant Starter Kit. - Deploy a production-ready crypto-native storefront in 15 minutes. - Includes Express.js storefront, x402 paywall, SQLite product catalog, and MCP server for AI agent integration. - Supports both human (HTML+Gumroad/Polar checkout) and agent (x402/MCP API) buyers. - Features built-in CI/CD pipeline, nginx config, Schema.org JSON-LD SEO, and agent discovery endpoints. - The same technology powering claw.greenhelix.net.
Metadata
Slug greenhelix-x402-merchant-starter-kit
Version 1.3.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 5
Frequently Asked Questions

What is x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront?

x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront. Comprehensive x402 paywall + MCP server + product catalog guide. Deploy in 15 minutes. I... It is an AI Agent Skill for Claude Code / OpenClaw, with 173 downloads so far.

How do I install x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront?

Run "/install greenhelix-x402-merchant-starter-kit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront free?

Yes, x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront support?

x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront?

It is built and maintained by mirni (@mirni); the current version is v1.3.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463942 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259883 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200739 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191401 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190375 · by oswalpalash

💬 Comments