CDN Gating with Receipts
FX402 JWT receipts can be used to gate content served through a CDN or edge layer (for example S3-backed assets, Cloudflare Workers, or Next.js middleware).
This lets you deliver large media files or premium assets only to clients that present a receipt with a valid signature that has not yet expired.
⚙️ 1. Concept
Receipts are standard JWT tokens, so they can be verified by CDNs, edge functions, or backend middleware without calling back to the facilitator on every request.
Example HTTP request:

```http
GET /premium/video.mp4
Authorization: Bearer <r402-jwt>
```

- If the JWT carries a valid signature and has not expired, access is granted.
- Otherwise, return a 402 Payment Required response.
🧑💻 2. Example: Cloudflare Worker

```js
import { verifyReceipt } from "@fx402/verify";

export default {
  async fetch(req, env) {
    // No usable receipt at all: ask for payment (402), not authentication (401).
    const auth = req.headers.get("Authorization");
    if (!auth || !auth.startsWith("Bearer "))
      return new Response("Payment Required", { status: 402 });

    const token = auth.slice("Bearer ".length).trim();

    // Check signature and expiry against the facilitator's published JWKS.
    // Any verifier error is treated as a failed check so the gate never fails open.
    let valid = false;
    try {
      valid = await verifyReceipt(token, { jwksUrl: env.JWKS_URL });
    } catch {
      valid = false;
    }
    if (!valid)
      return new Response("Invalid or expired receipt", { status: 403 });

    return fetch(req); // Proxy the request to the origin
  }
};
```

💾 3. Example: Next.js Middleware (fronting S3 or another origin)
```js
import { verifyReceipt } from "@fx402/verify";
import { NextResponse } from "next/server";

export async function middleware(req) {
  // Accept only a Bearer token; anything else counts as "no receipt".
  const auth = req.headers.get("authorization");
  const token = auth?.startsWith("Bearer ") ? auth.slice("Bearer ".length).trim() : null;
  if (!token)
    return new Response("402 Payment Required", { status: 402 });

  // Same JWKS-based check as in the Worker example.
  const isValid = await verifyReceipt(token, { jwksUrl: process.env.JWKS_URL });
  if (!isValid)
    return new Response("403 Forbidden", { status: 403 });

  return NextResponse.next(); // Let the request through to the asset
}

// Only run the check on the paid paths.
export const config = { matcher: ["/premium/:path*"] };
```

🔒 4. Best Practices
- Validate the JWT on every CDN edge request; never grant access because an earlier request from the same client carried a valid receipt.
- Cache the verification result, keyed by a hash of the token rather than by URL, for at most 5 minutes and never beyond the receipt's exp. Do not let a shared cache store the gated response under the URL alone, or one paid request will serve the asset to everyone.
- Fetch signing keys from the facilitator's JWKS URL and keep that URL current; select keys by kid so key rotation works, and accept only the expected signing algorithm rather than whatever the token header names.
- Return 402 Payment Required instead of 401 Unauthorized when no usable receipt is presented, as it's the correct semantic for paid access; the examples above use 403 for a receipt that fails verification.
💡 5. Common Usage Patterns
| Use Case | Description |
|---|---|
| Video Platforms | Gate premium videos by license duration/tier. |
| Download Stores | Allow file downloads for paid tiers only. |
| Dynamic APIs | Protect endpoints that return premium datasets. |
| AI Models | Serve inference output only to valid JWT holders. |