feat: add delegation flow for x402 token generation#274
Merged
Conversation
Replace plan-specific session-key permissions with delegation-based flow. Both erc4337 and card-delegation schemes now use delegations for token generation, supporting explicit create+reuse and auto-create patterns. Breaking changes: - getX402AccessToken() signature simplified to (planId, agentId?, tokenOptions?) - Removed redemptionLimit, orderLimit, expiration params (sessionKeyConfig) - erc4337 scheme now requires delegationConfig in tokenOptions New APIs: - DelegationAPI.createDelegation() for POST /api/v1/delegation/create - DelegationConfig type (replaces CardDelegationConfig, alias kept) - CreateDelegationPayload / CreateDelegationResponse types Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Update openclaw plugin (tools.ts, index.ts), CLI command, and openclaw tests to use the simplified 3-param signature instead of the old 6-param one with undefined placeholders. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add guidance about markdown docs workflow (generate-docs.sh validates structure but doesn't auto-update code examples), and note that openclaw/cli are in-tree consumers that must be updated with signature changes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
No backward compatibility needed per plan — remove the type alias and keep only DelegationConfig. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove agent creation (agentId is optional for token generation) - Filter payment methods by type='card' instead of using first item - Add auto-delegation test (Pattern A: inline creation during token gen) - Add settle test with balance verification - Pass agentId as undefined to demonstrate it's optional Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Test that token generation works when delegation is auto-created inline via spendingLimitCents + durationSecs (without an explicit delegationId). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CLI: - Remove dead --redemption-limit, --order-limit, --expiration flags - Add crypto delegation support (--spending-limit-cents, --delegation-duration-secs) - Update description from session-key to delegation language OpenClaw: - Filter payment methods by type='card' instead of using first item Both: - Update CLAUDE.md with in-tree consumer documentation and checklist Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The openclaw workflow was missing the symlink step that the CLI workflow already had. Without it, openclaw installs @nevermined-io/payments from npm (old published version) instead of using the local build, causing type errors when SDK signatures change. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The testing.yml workflow has a second openclaw job (openclaw_check) that was also missing the local SDK symlink. Both openclaw CI jobs now match the CLI pattern. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- prepare-release.yml now updates @nevermined-io/payments dependency version in cli/package.json and openclaw/package.json alongside the root version bump, so published packages reference the exact SDK version they were built with - release.yml build job: add missing local SDK symlink for openclaw - release.yml publish-openclaw job: add local SDK symlink to avoid npm propagation delay issues - Update CLAUDE.md with complete release flow documentation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The variable was typed as { id: string }[] which lacks the 'type'
field needed to filter by payment method type.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The mock was missing type: 'card', causing the new card-type filter to find no matches and throw. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The error message was changed from "No enrolled payment methods" to "No enrolled card found" when we added type-based filtering. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The backend now requires delegationConfig for erc4337 token generation. Update all remaining E2E tests that called getX402AccessToken without delegation config: - test_payments_e2e: create delegation before token generation - test_a2a_e2e: create delegation, pass delegationId to token calls - test_mcp_oauth_e2e: create delegation before MCP token generation - test_a2a_client_e2e: pass delegationConfig through getClient() Also thread delegationConfig through ClientRegistryOptions and ClientRegistry.getClient() to PaymentsClient.create(). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
aaitor
approved these changes
Mar 19, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Implements the SDK-side “delegation flow” for X402 token generation, aligning token issuance with the new delegation-based backend model and updating in-tree consumers/tests accordingly.
Changes:
- Simplifies
x402.getX402AccessToken()to accept(planId, agentId?, tokenOptions?)and shifts configuration totokenOptions.delegationConfig. - Adds
DelegationAPI.createDelegation()plus new delegation-related types (DelegationConfig,CreateDelegationPayload/Response). - Updates E2E tests, OpenClaw, CLI, and CI workflows to exercise and validate the new delegation flows.
Reviewed changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/e2e/test_x402_e2e.test.ts | Updates X402 E2E to create/reuse delegations and generate tokens via delegationId or auto-create config. |
| tests/e2e/test_x402_card_delegation_e2e.test.ts | Adds new (env-gated) Stripe card-delegation E2E coverage for explicit + auto delegation patterns. |
| tests/e2e/test_payments_e2e.test.ts | Updates token generation to include delegation creation + delegationId usage. |
| tests/e2e/test_mcp_oauth_e2e.test.ts | Updates MCP OAuth E2E to create delegation before token generation. |
| tests/e2e/test_express_middleware_e2e.test.ts | Updates Express middleware E2E to generate token using delegation flow. |
| tests/e2e/test_a2a_e2e.test.ts | Updates A2A E2E to create/reuse delegation for token generation. |
| tests/e2e/test_a2a_client_e2e.test.ts | Updates A2A client E2E to pass delegationConfig into client creation. |
| src/x402/token.ts | Simplifies token API signature and sends delegationConfig for delegation-based token generation. |
| src/x402/index.ts | Updates exports to include new delegation types and API surface. |
| src/x402/delegation-api.ts | Extends Delegation API with createDelegation() and updates module framing to include crypto + card delegations. |
| src/common/types.ts | Introduces DelegationConfig + create delegation payload/response types; updates X402TokenOptions. |
| src/a2a/types.ts | Extends A2A client options to accept delegationConfig. |
| src/a2a/paymentsClient.ts | Updates A2A PaymentsClient to pass delegation options through the simplified token API. |
| openclaw/tests/plugin.test.ts | Updates OpenClaw mocks/assertions for new signature and payment-method typing. |
| openclaw/src/tools.ts | Updates OpenClaw tool token generation calls to new signature; improves card selection by type. |
| openclaw/src/index.ts | Updates OpenClaw autopay flow to select a card method by type === 'card' and use new signature. |
| cli/src/commands/x402token/get-x402-access-token.ts | Updates CLI command flags/logic for delegation-based token generation and new signature. |
| CLAUDE.md | Adds explicit guidance about updating docs and in-tree consumers (OpenClaw/CLI) when SDK interfaces change. |
| .github/workflows/testing.yml | Ensures OpenClaw builds/tests against the locally-built SDK via symlink. |
| .github/workflows/release.yml | Ensures OpenClaw release builds use the local SDK via symlink. |
| .github/workflows/prepare-release.yml | Updates release preparation to bump CLI/OpenClaw dependency versions alongside SDK. |
| .github/workflows/openclaw-sync-and-test.yml | Ensures OpenClaw sync workflow links local SDK before build/test. |
Comments suppressed due to low confidence (1)
src/common/types.ts:528
- PR description mentions keeping a backward-compatible
CardDelegationConfigalias, but this file now only exportsDelegationConfig. This will break existing imports ofCardDelegationConfig(including in repo docs). Consider re-addingexport type CardDelegationConfig = DelegationConfig(or equivalent) to preserve compatibility.
export interface DelegationConfig {
/** PaymentMethod entity UUID — preferred way to reference an enrolled card */
cardId?: string
/** Existing delegation UUID to reuse instead of creating a new one */
delegationId?: string
/** Stripe payment method ID (e.g., 'pm_...'). Required only for new delegations. */
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| */ | ||
| export interface CreateDelegationPayload { | ||
| /** Delegation provider: 'stripe' for card, 'erc4337' for crypto */ | ||
| provider?: 'stripe' | 'erc4337' |
Comment on lines
+36
to
+38
| * For erc4337 scheme, you must pass `tokenOptions.delegationConfig` with either: | ||
| * - `delegationId` to reuse an existing delegation, or | ||
| * - `spendingLimitCents` + `durationSecs` to auto-create a new one. |
Comment on lines
81
to
+92
| const scheme = await resolveScheme(this.payments, this.planId) | ||
| if (scheme === 'nvm:card-delegation' && !this.delegationConfig) { | ||
| throw PaymentsError.internal( | ||
| 'Card delegation scheme requires delegationConfig. Pass it to PaymentsClient.create().', | ||
| ) | ||
| } | ||
| const tokenOptions: X402TokenOptions | undefined = | ||
| scheme !== 'nvm:erc4337' | ||
| ? { scheme, delegationConfig: this.delegationConfig } | ||
| : undefined | ||
| let tokenOptions: X402TokenOptions | undefined | ||
| if (scheme !== 'nvm:erc4337') { | ||
| tokenOptions = { scheme, delegationConfig: this.delegationConfig } | ||
| } else if (this.delegationConfig) { | ||
| tokenOptions = { delegationConfig: this.delegationConfig } | ||
| } |
Comment on lines
+33
to
+39
| export type { | ||
| X402SchemeType, | ||
| DelegationConfig, | ||
| CreateDelegationPayload, | ||
| CreateDelegationResponse, | ||
| X402TokenOptions, | ||
| } from '../common/types.js' |
aaitor
reviewed
Mar 19, 2026
Member
aaitor
left a comment
aaitor
left a comment
There was a problem hiding this comment.
PR Review: feat: add delegation flow for x402 token generation (TS SDK)
Clean, well-structured migration from session keys to delegation model — consistent with the parallel Python SDK PR (#167). The in-tree consumer updates (openclaw + CLI) are solid. A few issues, some already merged:
🔴 CRITICAL — Missing backward-compat alias for CardDelegationConfig
Same issue as the Python PR: the description says "backward-compat CardDelegationConfig alias kept", but no alias exists. The interface was renamed to DelegationConfig and all exports updated — any downstream code importing CardDelegationConfig from @nevermined-io/payments will break.
Fix (follow-up needed since merged):
// src/common/types.ts — add after DelegationConfig interface
/** @deprecated Use DelegationConfig instead */
export type CardDelegationConfig = DelegationConfigAnd re-export from src/x402/index.ts.
🔴 CRITICAL — markdown/x402.md and markdown/querying-an-agent.md still reference CardDelegationConfig
The source code was updated but the markdown docs were not touched in this PR:
markdown/x402.md:77— "passX402TokenOptionswith aCardDelegationConfig"markdown/x402.md:80—import { X402TokenOptions, CardDelegationConfig } from '@nevermined-io/payments'markdown/x402.md:175—### CardDelegationConfig Referencemarkdown/querying-an-agent.md:56— same stale reference
These code examples will fail at runtime since CardDelegationConfig is no longer exported. The CLAUDE.md correctly notes "generate-docs.sh only validates structure — it does NOT auto-update code examples" — so this needs a manual fix.
🟡 MEDIUM — PaymentsClient._getAccessToken() same logic gap as Python PR
if (scheme !== 'nvm:erc4337') {
tokenOptions = { scheme, delegationConfig: this.delegationConfig }
} else if (this.delegationConfig) {
tokenOptions = { delegationConfig: this.delegationConfig }
}When scheme !== 'nvm:erc4337' (any non-crypto scheme), delegationConfig is always included even when undefined. This is functionally OK today but fragile if the backend starts validating the presence of delegationConfig.
🟡 MEDIUM — CreateDelegationPayload.provider is optional
provider?: 'stripe' | 'erc4337'The backend needs to know which provider to use. Making this optional means users can omit it and get a cryptic server error instead of a clear type error. Should be required.
🟢 LOW — CLI buildCryptoTokenOptions always sends delegation config
The new buildCryptoTokenOptions() in the CLI always builds a delegationConfig with spendingLimitCents and durationSecs defaults (1000 cents / 3600 secs). This means every CLI crypto token request creates a new delegation, even if the user just wants a simple token. Consider only including delegationConfig when the user explicitly passes --spending-limit-cents or --delegation-duration-secs.
✅ Looks Good
- Breaking change on
getX402AccessToken()— clean removal ofredemptionLimit,orderLimit,expirationparams DelegationAPI.createDelegation()— clean, usesfetchJSONhelper (much simpler than the Python version's manual error handling)- In-tree consumer updates — openclaw + CLI both updated correctly with the new 3-param signature
- Payment method filtering —
methods.find((m) => m.type === 'card')is a nice improvement overmethods[0]— prevents accidentally selecting a non-card payment method - CI workflow improvements — symlink approach for local SDK in openclaw/CLI, version sync in
prepare-release.yml - E2E coverage — comprehensive tests for both Pattern A and B, card delegation gated behind
CARD_DELEGATION_E2E - OpenClaw mock updates — properly added
type: 'card'to mock payment methods - CLAUDE.md documentation — excellent additions about in-tree consumers, release flow, and CI jobs
📝 Follow-up Items (since PR is merged)
- Add
CardDelegationConfigtype alias for backward compat - Update
markdown/x402.mdandmarkdown/querying-an-agent.mdto useDelegationConfig - Consider making
CreateDelegationPayload.providerrequired
3 tasks
r-marques
added a commit
to nevermined-io/docs
that referenced
this pull request
Mar 19, 2026
Update all documentation to reflect the delegation-based token generation flow that replaces the old session-key permissions model. Key changes across all files: - getX402AccessToken / get_x402_access_token now requires delegationConfig - CardDelegationConfig renamed to DelegationConfig - sessionKeyConfig, redemptionLimit, orderLimit, expiration removed - New createDelegation API documented for both stripe and erc4337 - Both crypto and card schemes now use the unified delegation model Docs updated (5 files): - specs/x402-card-delegation.mdx → renamed to "Delegation Extension" - integrate/patterns/stablecoin-payments.mdx → delegation replaces session keys - integrate/patterns/fiat-payments.mdx → DelegationConfig shared model - development-guide/nevermined-x402.mdx → updated token gen examples - products/x402-facilitator/how-it-works.mdx → updated step 2 flow Skills updated (5 files): - SKILL.md → all getX402AccessToken calls include delegationConfig - references/client-integration.md → 6 calls updated - references/a2a-integration.md → 1 call updated - references/mcp-paywall.md → 1 call updated - references/strands-integration.md → 1 call updated Related PRs: - nevermined-io/nvm-monorepo#1102 (backend) - nevermined-io/payments#274 (TypeScript SDK) - nevermined-io/payments-py#167 (Python SDK) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2 tasks
r-marques
added a commit
to nevermined-io/docs
that referenced
this pull request
Mar 20, 2026
Update all documentation to reflect the delegation-based token generation flow that replaces the old session-key permissions model. Key changes across all files: - getX402AccessToken / get_x402_access_token now requires delegationConfig - CardDelegationConfig renamed to DelegationConfig - sessionKeyConfig, redemptionLimit, orderLimit, expiration removed - New createDelegation API documented for both stripe and erc4337 - Both crypto and card schemes now use the unified delegation model Docs updated (5 files): - specs/x402-card-delegation.mdx → renamed to "Delegation Extension" - integrate/patterns/stablecoin-payments.mdx → delegation replaces session keys - integrate/patterns/fiat-payments.mdx → DelegationConfig shared model - development-guide/nevermined-x402.mdx → updated token gen examples - products/x402-facilitator/how-it-works.mdx → updated step 2 flow Skills updated (5 files): - SKILL.md → all getX402AccessToken calls include delegationConfig - references/client-integration.md → 6 calls updated - references/a2a-integration.md → 1 call updated - references/mcp-paywall.md → 1 call updated - references/strands-integration.md → 1 call updated Related PRs: - nevermined-io/nvm-monorepo#1102 (backend) - nevermined-io/payments#274 (TypeScript SDK) - nevermined-io/payments-py#167 (Python SDK) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements the SDK side of the delegation flow for Issue #1118 (PR #1102 backend changes).
getX402AccessToken()simplified from 6 params to 3 — removedredemptionLimit,orderLimit,expiration(sessionKeyConfig is gone)DelegationAPI.createDelegation()method forPOST /api/v1/delegation/createDelegationConfigtype (backward-compatCardDelegationConfigalias kept)CreateDelegationPayload/CreateDelegationResponsetypesnvm:erc4337andnvm:card-delegationschemes now usedelegationConfigin token generationTwo Usage Patterns
Pattern A — Auto-create:
Pattern B — Explicit create + reuse:
Test plan
CARD_DELEGATION_E2Eenv var set)🤖 Generated with Claude Code