📚 API Documentation

NPM Package Security Scanner with x402 Payment

Back to Scanner

💰 Pay-Per-Scan with x402

This scanner uses the x402 payment protocol for pay-per-scan functionality. You only pay for packages that haven't been scanned before - cached results are returned for free.

Dynamic Pricing

  • ✓ Cost based on actual token count of packages
  • ✓ Already-scanned packages are free (cached)
  • ✓ Payment in USDC on Base network
  • ✓ Payment only collected after successful scan

💡 How It Works

  1. Upload your package-lock.json
  2. Server calculates the exact cost based on packages to scan
  3. Sign the payment with your wallet
  4. Scan completes and payment is settled on-chain

🔌 POST /api/paid-scan

⚠️ x402 Payment Required

This is the only endpoint that performs security scans. Payment is required.

Upload your package-lock.json file. The server will return a 402 Payment Required response with the calculated cost. Use x402-compatible client libraries to handle payment automatically.

# First request returns 402 with cost

curl -X POST http:/security.togoder.click/api/paid-scan \
-F "[email protected]"

x402-fetch (Node.js)

npm install x402-fetch

x402-axios (Node.js)

npm install x402-axios

📋 Example Usage 

import { wrapFetchWithPayment402 } from 'x402-fetch';
import { createWalletClient, http } from 'viem';
import { baseSepolia } from 'viem/chains';
import { privateKeyToAccount } from 'viem/accounts';
import * as fs from 'fs';

// Set up wallet
const account = privateKeyToAccount('0xYourPrivateKey');
const walletClient = createWalletClient({
  account,
  chain: baseSepolia,
  transport: http(),
});

// Wrap fetch with x402 payment handler
const fetchWithPayment = wrapFetchWithPayment402(fetch, walletClient);

// Upload and scan
const formData = new FormData();
formData.append('file', fs.createReadStream('package-lock.json'));

const response = await fetchWithPayment('https://security.togoder.click/api/paid-scan', {
  method: 'POST',
  body: formData
});

const results = await response.json();
console.log(results);

🆓 Free Endpoints

These endpoints don't require payment - they only read cached data or estimate costs.

GET /api/package/:name/:version

Query previously-scanned packages. Returns cached scan results.

POST /api/analyze

Analyze package-lock.json to see which packages are cached vs need scanning.

POST /api/upload

Parse package-lock.json and show dependencies (htmx endpoint).

POST /api/estimate-cost

Download packages and calculate token count for cost estimation (htmx endpoint).

🔒 Security Notice

  • Scan Requires Payment: All security scans require x402 payment to prevent abuse
  • Server-Verified Pricing: Cost is calculated from actual token counts - cannot be spoofed by clients
  • Payment Before Service: Payment is verified before any scan is performed
  • Settlement After Success: Payment only settles on-chain after scan completes successfully