/** * Authentication handler for MCP paywall using X402 tokens */ import type { Payments } from '../../payments.js'; import { AuthResult } from '../types/paywall.types.js'; /** * Handles authentication and authorization for MCP requests */ export declare class PaywallAuthenticator { private payments; constructor(payments: Payments); /** * Extract authorization header from extra context or AsyncLocalStorage. * Tries SDK's extra context first, then falls back to HTTP request context. * * @param extra - MCP extra context from SDK * @returns Authorization header value or undefined */ private extractAuthHeaderFromContext; /** * Build HTTP endpoint URL from request context. * * @returns HTTP endpoint URL or undefined if context is not available */ private buildHttpUrlFromContext; /** * Core verification logic shared by authenticate and authenticateMeta. * Tries logical URL first, falls back to HTTP URL if available. */ private verifyWithFallback; /** * Build a spec-shaped {@link PaymentRequiredError} from the agent's plans. * * Fetches the agent's plans (best-effort) to populate the `accepts` array of * the `PaymentRequired` object and a human-readable list of plan names in the * error message. Falls back to an empty plan id when no plans can be resolved * so the structured shape is still valid. * * @param agentId - Agent identifier used to look up purchasable plans. * @param endpoint - Logical resource URL placed in `PaymentRequired.resource`. * @param message - Leading human-readable message (e.g. "Authorization required."). * @returns A `PaymentRequiredError` carrying the `PaymentRequired` object. */ private buildPaymentRequiredError; /** * Verify permissions against a single endpoint URL. * Resolves planId from the token or from the agent's plans as fallback. */ private verifyWithEndpoint; /** * Authenticate an MCP request */ authenticate(extra: any, options: { planId?: string; maxAmount?: bigint; } | undefined, agentId: string | undefined, serverName: string, name: string, kind: 'tool' | 'resource' | 'prompt', argsOrVars: any): Promise; /** * Authenticate generic MCP meta operations (e.g., initialize, tools/list, resources/list, prompts/list). * Returns an AuthResult compatible with paywall flows (without redeem step). */ authenticateMeta(extra: any, options: { planId?: string; maxAmount?: bigint; } | undefined, agentId: string | undefined, serverName: string, method: string): Promise; } //# sourceMappingURL=auth.d.ts.map