authCapture TS sdk

[A1igator]

authCapture EVM Scheme — TypeScript SDK

At x402r.org, we've been working on refundable payments for x402. This PR is the TypeScript implementation of the authCapture scheme whose spec was merged in #1425. It builds on the audited base/commerce-payments contract stack, so no new contracts ship with this PR.

Scheme implementation: key design decisions

authCapture is single-shot and stateless. Each paid request signs one authorization (ERC-3009 or Permit2) carrying universal canonical collector + escrow addresses. The facilitator then submits a single tx that invokes AuthCaptureEscrow.authorize() or AuthCaptureEscrow.charge() (per extra.autoCapture), either calling escrow directly or routing through a passthrough captureAuthorizer contract.

Notable choices:

• captureAuthorizer is merchant-set, never facilitator-injected — the facilitator's getExtra() returns undefined for this scheme. Per spec, captureAuthorizer is the only address allowed to call authorize / capture / void / refund / charge against the escrow, gated on-chain by onlySender(paymentInfo.operator). That address can be the facilitator's submitter EOA, or a smart contract that ultimately calls escrow as msg.sender (e.g., a refund arbiter). The facilitator advertises its submitter address via getSigners() so merchants can decide.
• EOA vs. contract captureAuthorizer auto-detection — the facilitator probes getCode(captureAuthorizer). Empty bytecode → EOA path, direct call to escrow with msg.sender == captureAuthorizer. Non-empty → contract path, call routed through the contract.
• assetTransferMethod is per-request — defaults to "eip3009"; set to "permit2" for tokens that lack ERC-3009 (e.g., BSC's Binance-Peg USDC, some L2 USD stablecoins). The server does not auto-pick based on chain; the merchant declares the method explicitly.

Spec observations from implementation

Small clarifications a follow-up doc pass could pick up:

1. Verify step 13 / Settlement step 5. captureAuthorizer can be the facilitator EOA (call goes to escrow directly) or a passthrough contract (call goes to the contract, which forwards to escrow). The spec's "call AUTH_CAPTURE_ESCROW.authorize/charge" wording is technically correct for both since the contract path reaches escrow underneath, but a revert in the contract case can originate in the passthrough before reaching escrow.

   Relatedly, invalid_capture_authorizer (escrow's InvalidSender) only fires when onlySender(operator) fails — i.e., when the address that called escrow (the facilitator EOA or passthrough contract) doesn't match operator (= extra.captureAuthorizer from PaymentInfo).

   Spelling these out in the verification/settlement logic steps would make the contract path easier to reason about.

2. Scheme names are inconsistent. Existing schemes are lowercase or kebab-case (exact, upto, batch-settlement); authCapture is camelCase. This breaks tooling that assumes one case.

   The e2e CLI --schemes filter, for instance, lowercases user input and silently dropped all authCapture matches — the case-insensitive compare added in this PR (e2e/src/cli/filters.ts) works around it.

   Picking one convention and applying it backwards (e.g., renaming authCapture to auth-capture if kebab-case wins) would make scheme identifiers uniform.

3. Reference links are dead. scheme_authCapture.md lines 84-85 link to issues on the legacy github.com/coinbase/x402 repo that no longer resolve; canonical repo is github.com/x402-foundation/x402.

   The org segment should be swapped to x402-foundation to fix them.

What's included

• @x402/evm/authCapture/{client,server,facilitator} — new subdirectory under the existing @x402/evm package, alongside exact/, upto/, and batch-settlement/. Three new subpath exports added to tsup.config.ts and package.json.
• Unit tests — 5 files under test/unit/authCapture/, covering client payload construction, server parsePrice / enhancePaymentRequirements, facilitator verify + settle paths for both EIP-3009 and Permit2, nonce / salt derivation, type guards, and the EOA vs. contract captureAuthorizer routing. All 735 package tests pass.
• Integration test — test/integrations/authCapture-evm.test.ts, Base Sepolia live-testnet style matching the batch-settlement-evm.test.ts pattern. Skips with describe.skip unless CLIENT_PRIVATE_KEY and FACILITATOR_PRIVATE_KEY are set. Covers ERC-3009 + Permit2 × autoCapture: false / true.
• Examples under examples/typescript/{clients,servers,facilitator}/authCapture/ — three standalone apps mirroring the batch-settlement example layout.
• E2E harness wiring — scheme registered on the proxy, express, fastify, hono servers and on the TypeScript facilitator. Route files added under e2e/servers/next/app/api/authCapture/evm/{eip3009,permit2}/withx402/. Endpoint entries added to test configs. PaymentScheme type extended in e2e/src/types.ts and PaymentSchemeKind in e2e/src/cli/filters.ts. EVM_AUTHCAPTURE_CAPTURE_AUTHORIZER declared in optional env vars, with conditional registration: when unset, authCapture routes are skipped (matching the EVM_RECEIVER_AUTHORIZER_PRIVATE_KEY pattern used by batch-settlement). AuthCaptureEvmScheme also registered on the fetch and axios e2e clients alongside the existing schemes.
• NOTICE — paragraph added crediting the x402r team (proposal issue [Proposal] Escrow Scheme for x402 using Base Commerce Payments Protocol #1011, spec PR Add authCapture scheme specification #1425) and propagating the MIT attribution for the Agentokratia "x402-escrow" proposal (issue [Proposal] escrow scheme using Base Commerce Payments Protocol #834) whose code the implementation incorporates.
• Changeset fragment — @x402/evm: minor, "Implemented authCapture mechanism".

Disclosure

This PR was written with AI assistance (Claude Code). Output was reviewed before submission per the AI guidance in CONTRIBUTING.md.

Links

Spec: #1425
Original proposals: #1011, #834

Tests

• Unit tests (735/735 passing)
• Integration tests (4/4 passing on Base Sepolia, ERC-3009 + Permit2 × autoCapture: false / true)
• Examples flow exercised end-to-end on Base Sepolia (facilitator + server + client; real settle tx confirmed)
• E2E harness (4 server frameworks × 2 transfer methods = 8 scenarios, 8/8 passing on Base Sepolia for express / fastify / hono with fetch and axios clients; next server skipped due to a pre-existing Next 16 + Aptos SDK transitive build issue affecting all schemes, not specific to this PR — not surfaced by CI since .github/workflows/ only runs unit tests, no e2e workflow exists upstream)

Checklist

• I have formatted and linted my code
• All new and existing tests pass
• My commits are signed (required for merge)
• I added a changelog fragment for user-facing changes

[vercel]

@A1igator is attempting to deploy a commit to the Coinbase Team on Vercel.

A member of the Team first needs to authorize it.

[phdargen]

this should be done in enhancePaymentRequirements, so its fresh for each request

[A1igator]

Added *Seconds variants of them that are filled by enhancePaymentRequirements. Let me know if that was not the intention.

[phdargen]

For the permit2 branch we should add support for the ERC-20 approval gas sponsoring extension

[phdargen]

Is there a base commerce deposit collector that supports EIP-2612?

[A1igator]

I don't believe so. I can build one and include here/contribute to base commerce-payments repo but not sure how audits and stuff work for that.

[phdargen]

Thanks a lot for the contribution @A1igator, made a first pass and looks good! Please have a look at my comments above