Merchant registration, login, OTP verification, token refresh, and session management for the x402 payment protocol.
Use this skill when the user needs to register as an x402 merchant, log in, manage merchant sessions, or complete OTP verification for merchant registration.
The default API base URL is https://payment-api-dev.aiotnetwork.io. All endpoints are relative to this URL.
To override (e.g. for local development):
export AIOT_API_BASE_URL="http://localhost:8080"
If AIOT_API_BASE_URL is not set, use https://payment-api-dev.aiotnetwork.io as the base for all requests.
merchant_send_otp — Send a one-time password to a merchant email address | POST /api/v1/x402/auth/otp/send
merchant_verify_otp — Verify an OTP code and receive a verification token (expires in 15 minutes) | POST /api/v1/x402/auth/otp/verify
merchant_register — Register a new merchant account with first product and API key | POST /api/v1/x402/auth/register
merchant_login — Login with email and password, receive JWT access and refresh tokens | POST /api/v1/x402/auth/login
merchant_refresh_token — Refresh an expired access token using a refresh token | POST /api/v1/x402/auth/refresh
merchant_logout — Invalidate all sessions for the merchant account | POST /api/v1/x402/auth/logout | Requires auth
merchant_get_me — Get the current merchant's profile | GET /api/v1/x402/merchants/me | Requires auth
Important: The API key in the registration response is shown only once — save it immediately. The pay_to_address must be a valid Ethereum address (0x followed by 40 hex characters). Password must be 8-128 characters.
Follow these instructions when executing this skill:
Always follow the documented flow order. Do not skip steps.
If a tool requires authentication, verify the session has a valid bearer token before calling it.
If a tool requires a transaction PIN, ask the user for it fresh each time. Never cache or log PINs.
Never expose, log, or persist secrets (passwords, tokens, full card numbers, CVVs).
If the user requests an operation outside this skill's scope, decline and suggest the appropriate skill.
If a step fails, check the error and follow the recovery guidance below before retrying.
To register a new merchant: first call merchant_send_otp, then merchant_verify_otp, then merchant_register with the verification token. Never skip OTP verification.
Registration requires: name, email, password (8-128 chars), product_name, pay_to_address (0x + 40 hex), verification_token.
The API key in the registration response (first_product.api_key) is shown only once. Instruct the user to save it immediately. This key is needed for the x402-merchant-payments skill (X-API-Key header).
The proxy_base_url in the registration response is the base URL for x402 proxy endpoints.
When the access token expires, call merchant_refresh_token with the refresh_token. Do not ask the user to log in again.
Logout invalidates all active sessions. The user must log in again after logout.
OTP send errors: COOLDOWN_ACTIVE (wait before resending), RATE_LIMIT_EXCEEDED (too many requests), EMAIL_SUPPRESSED (email cannot receive messages — use a different address).
If a request returns HTTP 429, wait before retrying.
merchant_get_me returns the merchant's profile {id, name, email, status}. Use it to confirm the logged-in merchant's identity.
Never log, store, or repeat the user's password or API key back to them.
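An added example, not part of the original skill or the API's own code: a pre-flight check for the merchant_register payload (required fields, password length, pay_to_address format) and a redaction helper for any request or response body that gets logged. The function names and the access_token key are assumptions; the other field names, the endpoint path and the base URL handling come from the text above.

```python
import os
import re

DEFAULT_BASE_URL = "https://payment-api-dev.aiotnetwork.io"
REGISTER_PATH = "/api/v1/x402/auth/register"
REQUIRED = ("name", "email", "password", "product_name",
            "pay_to_address", "verification_token")
# Keys masked before logging; "access_token" is an assumed field name.
SECRET_KEYS = {"password", "verification_token", "api_key",
               "access_token", "refresh_token"}
ETH_ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")


def register_url(env=os.environ):
    """Resolve the register endpoint, honouring AIOT_API_BASE_URL if set."""
    base = env.get("AIOT_API_BASE_URL") or DEFAULT_BASE_URL
    return base.rstrip("/") + REGISTER_PATH


def validate_registration(payload):
    """Return a list of problems; an empty list means the payload may be sent."""
    errors = [f"missing field: {k}" for k in REQUIRED if not payload.get(k)]
    password = payload.get("password") or ""
    if password and not 8 <= len(password) <= 128:
        errors.append("password must be 8-128 characters")
    address = payload.get("pay_to_address") or ""
    if address and not ETH_ADDRESS.fullmatch(address):
        errors.append("pay_to_address must be 0x followed by 40 hex characters")
    return errors


def redact(obj):
    """Copy a request or response body with secret values masked, for logging."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k in SECRET_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


if __name__ == "__main__":
    # Constructed sample payload; every value here is made up.
    sample = {"name": "Acme", "email": "ops@example.com",
              "password": "short", "product_name": "Widget API",
              "pay_to_address": "0x1234", "verification_token": "vt-constructed"}
    print(register_url(), validate_registration(sample), redact(sample))
```

Because redact recurses into nested objects, first_product.api_key in the registration response is masked as well.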