Secure blockchain transaction signing service with mandatory commission enforcement
Production-ready deployment for autonomous AI agent payments. Enables agents to make payments without exposing private keys in client code.
The TX Signing Service is an external transaction signing server that handles blockchain payments on behalf of AI agents. Instead of embedding wallet private keys in client applications, agents make API calls to this service, which signs and submits transactions securely.
Key Features:
- 🔐 Owner Protection - Only your API key can access the service
- 💰 Automatic Commission - Server-enforced 0.5% commission (cannot be bypassed)
- 🌐 Multi-Chain - Ethereum, Base, Polygon, Arbitrum
- 🪙 Multi-Token - USDC, USDT, DAI
- 🚀 Easy Deploy - One-click Render, Docker, or Railway
- ⚡ Fast - Signs and submits transactions in seconds
When AI agents sign transactions directly, you must:
- ❌ Store private keys in client code (security risk)
- ❌ Expose keys in environment variables (can leak)
- ❌ Trust client applications to enforce commission (can be bypassed)
- ❌ Handle wallet management in every agent (complexity)
With the TX Signing Service:
- ✅ Private keys stay on secure server (never in client code)
- ✅ Commission automatically enforced by server (cannot bypass)
- ✅ Simple API call replaces complex wallet management
- ✅ Single deployment serves multiple agents
Choose your deployment method:
Fastest way to get started - 3 minutes from zero to production.
Setup:
- Click the button above
- Enter your `AGENTGATEPAY_API_KEY` (get one here)
- Enter your `WALLET_PRIVATE_KEY`
- Wait 2-3 minutes for deployment
- ✅ Done! Service running at `https://your-service.onrender.com`
See: tx-signing-service/README.md for complete Render deployment guide.
Best for self-hosting - Full control over infrastructure.
```bash
# Pull from Docker Hub
docker pull agentgatepay/tx-signing-service:latest
# Run with docker-compose
docker-compose up -d
# Check health
curl http://localhost:3000/health
```
See: docker/README.md for Docker deployment guide with Kubernetes and ECS examples.
Alternative one-click option - Similar to Render.
See: tx-signing-service/README.md for Railway-specific instructions.
1. AI Agent → Requests payment signing from TX Service
↓
2. TX Service → Verifies API key (owner protection)
↓
3. TX Service → Fetches commission config from AgentGatePay
↓
4. TX Service → Calculates split: 0.5% commission + 99.5% merchant
↓
5. TX Service → Signs TWO transactions:
• Commission → AgentGatePay wallet
• Payment → Merchant wallet
↓
6. TX Service → Returns both transaction hashes to agent
↓
7. AI Agent → Submits tx_hash to AgentGatePay for verification
Why This is Secure:
- Owner Protection
  - Only YOUR AgentGatePay API key can access the service
  - Unauthorized API keys get 403 Forbidden
  - Verified against AgentGatePay API on every request
- Server-Controlled Commission
  - Commission address fetched from AgentGatePay (not client env vars)
  - Commission rate fetched from AgentGatePay (cannot be modified)
  - Client CANNOT bypass or reduce commission
  - Enforced at server level (atomic two-transaction split)
- Private Key Isolation
  - Wallet private key stored on server only
  - Never sent to client
  - Optional: Move to encrypted Secret Files for maximum security
- Hardcoded API URL
  - AgentGatePay API URL is hardcoded in service code
  - Client cannot point to fake API
  - All config comes from official AgentGatePay infrastructure
Health check endpoint (no authentication required).
Response:
```json
{
  "status": "healthy",
  "version": "4.0.0",
  "mode": "secure_server_fetched_config",
  "owner_protection": "enabled",
  "supported_chains": ["base", "ethereum", "polygon", "arbitrum"],
  "supported_tokens": ["USDC", "USDT", "DAI"]
}
```
Sign payment with automatic two-transaction commission enforcement.
Headers:
```text
x-api-key: pk_live_your_api_key_here
Content-Type: application/json
```
Request:
```json
{
  "merchant_address": "0x742d35Cc6634C0532925a3b844Bc454e4438f44e",
  "total_amount": "15000000",
  "token": "USDC",
  "chain": "base"
}
```
Response:
```json
{
  "success": true,
  "tx_hash": "0xabc...merchant",
  "tx_hash_commission": "0xdef...commission",
  "merchant_amount": "14925000",
  "commission_amount": "75000",
  "commission_rate": 0.005,
  "commission_controlled_by": "agentgatepay",
  "explorerUrl": "https://basescan.org/tx/0xabc...",
  "explorerUrlCommission": "https://basescan.org/tx/0xdef..."
}
```
What Happens:
- Service verifies your API key
- Service fetches commission config from AgentGatePay
- Service calculates split: commission (0.5%) + merchant (99.5%)
- Service signs TWO transactions atomically
- Service returns BOTH transaction hashes
| Variable | Description | Example |
|---|---|---|
| `WALLET_PRIVATE_KEY` | Your wallet private key | `0xabcd1234...` |
| `AGENTGATEPAY_API_KEY` | Your AgentGatePay API key | `pk_live_abc123...` |
| Variable | Description | Default |
|---|---|---|
| `BASE_RPC` | Base RPC endpoint | `https://mainnet.base.org` |
| `ETHEREUM_RPC` | Ethereum RPC endpoint | `https://cloudflare-eth.com` |
| `POLYGON_RPC` | Polygon RPC endpoint | `https://polygon-rpc.com` |
| `ARBITRUM_RPC` | Arbitrum RPC endpoint | `https://arb1.arbitrum.io/rpc` |
| `PORT` | Service port | `3000` |
Note: Default RPC endpoints work great for most users. Only change if you have premium RPC providers (Alchemy/Infura).
| Chain | Chain ID | USDC | USDT | DAI | Settlement Speed |
|---|---|---|---|---|---|
| Base | 8453 | ✅ | ❌ | ✅ | 2-5 seconds |
| Polygon | 137 | ✅ | ✅ | ✅ | 3-8 seconds |
| Arbitrum | 42161 | ✅ | ✅ | ✅ | 3-8 seconds |
| Ethereum | 1 | ✅ | ✅ | ✅ | 15-60 seconds |
```bash
curl https://your-service.onrender.com/health
```
Expected: `{"status": "healthy", ...}`
```bash
# Test with WRONG API key (should fail)
curl -X POST https://your-service.onrender.com/sign-payment \
  -H "x-api-key: pk_live_WRONG_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "merchant_address": "0x742d35Cc6634C0532925a3b844Bc454e4438f44e",
    "total_amount": "15000000",
    "token": "USDC",
    "chain": "base"
  }'
```
Expected: 403 Forbidden
```bash
# Test with CORRECT API key (should succeed with 2 TX)
curl -X POST https://your-service.onrender.com/sign-payment \
  -H "x-api-key: YOUR_CORRECT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "merchant_address": "0x742d35Cc6634C0532925a3b844Bc454e4438f44e",
    "total_amount": "15000000",
    "token": "USDC",
    "chain": "base"
  }'
```
Expected: Two transaction hashes (commission + merchant)
Visit block explorer to verify transactions:
Commission Transaction: `https://basescan.org/tx/TX_HASH_COMMISSION`
Verify:
- Amount = 0.5% of total
- Recipient = AgentGatePay commission wallet
Merchant Transaction: `https://basescan.org/tx/TX_HASH`
Verify:
- Amount = 99.5% of total
- Recipient = Merchant wallet address
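
The same amount checks can be run by the calling agent on every `/sign-payment` response before it trusts the result. The following is an added example, not code from the AgentGatePay project: the function names are hypothetical, the commission is assumed to round down, and the transaction hashes in the sample are constructed placeholders.

```javascript
// Added example (not AgentGatePay code): check a /sign-payment response client-side.
// Field names come from the page; function names are hypothetical.
const COMMISSION_BPS = 50n;       // 0.5% in basis points
const BPS_DENOMINATOR = 10000n;
const TX_HASH = /^0x[0-9a-fA-F]{64}$/;

// Parse a base-unit amount string; null when it is not a plain decimal integer.
const toUnits = (v) => (typeof v === "string" && /^\d+$/.test(v) ? BigInt(v) : null);

// Expected split in token base units (15000000 = 15 USDC at 6 decimals).
// Assumption: the commission is rounded down and the merchant gets the rest.
function expectedSplit(totalAmount) {
  const total = toUnits(totalAmount);
  if (total === null || total === 0n) throw new RangeError("total_amount must be a positive integer string");
  const commission = (total * COMMISSION_BPS) / BPS_DENOMINATOR;
  return { commission, merchant: total - commission };
}

// Returns the list of inconsistencies; an empty list means request and response agree.
function checkSignPaymentResponse(request, response) {
  const problems = [];
  const want = expectedSplit(request.total_amount);
  const merchant = toUnits(response.merchant_amount);
  const commission = toUnits(response.commission_amount);
  const hashOk = TX_HASH.test(response.tx_hash);

  if (response.success !== true) problems.push("success flag is not true");
  if (!hashOk) problems.push("tx_hash missing or malformed");
  if (!TX_HASH.test(response.tx_hash_commission)) problems.push("tx_hash_commission missing or malformed");
  // Two hashes mean two separate transactions: each must be confirmed on its own.
  if (hashOk && response.tx_hash === response.tx_hash_commission) problems.push("both hashes are identical");
  if (merchant === null || commission === null) {
    problems.push("amounts are not integer strings");
  } else {
    if (merchant + commission !== want.merchant + want.commission) problems.push("amounts do not add up to total_amount");
    if (commission !== want.commission) problems.push("commission_amount is not 0.5% of total_amount");
    if (merchant !== want.merchant) problems.push("merchant_amount is not 99.5% of total_amount");
  }
  return problems;
}

// Constructed sample: request and amounts as on the page, hashes are placeholders.
const sampleRequest = { merchant_address: "0x742d35Cc6634C0532925a3b844Bc454e4438f44e",
  total_amount: "15000000", token: "USDC", chain: "base" };
const sampleResponse = { success: true, merchant_amount: "14925000", commission_amount: "75000",
  tx_hash: "0x" + "ab".repeat(32), tx_hash_commission: "0x" + "cd".repeat(32) };
console.log(checkSignPaymentResponse(sampleRequest, sampleResponse));
```

Amounts are compared as `BigInt` values in token base units, so the check does not depend on floating-point rounding of `commission_rate`.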
Cause: Environment variable not set.
Fix:
- Go to Render dashboard → Your service → Environment tab
- Add environment variable:
  - Key: `WALLET_PRIVATE_KEY`
  - Value: Your wallet private key (`0x...`)
- Save and wait for automatic redeploy
Cause: Wrong API key or API key not configured.
Fix:
- Verify `AGENTGATEPAY_API_KEY` is set correctly in environment
- Test API key: `curl -H "x-api-key: YOUR_KEY" https://api.agentgatepay.com/v1/users/me`
- Make sure you're using the same key in request header
Cause: API key invalid or AgentGatePay API unreachable.
Fix:
- Test API key validity: `curl -H "x-api-key: YOUR_KEY" https://api.agentgatepay.com/v1/users/me`
- Check if AgentGatePay API is accessible
- Verify `AGENTGATEPAY_API_KEY` env var is set
Cause: Wallet doesn't have enough USDC/USDT/DAI or native token for gas.
Fix:
- Fund wallet with USDC (for transfers)
- Fund wallet with native token for gas:
- Base: ETH
- Polygon: MATIC
- Arbitrum: ETH
- Ethereum: ETH
- Check balance: `https://basescan.org/address/YOUR_WALLET`
For maximum security, move environment variables to Secret Files:
See: tx-signing-service/README.md#optional-use-secret-files-for-extra-security
Benefits:
- ✅ Secrets not visible in environment listings
- ✅ Not exposed in logs
- ✅ Encrypted at rest
Firewall Rules:
- Only allow HTTPS traffic on port 443
- Block direct HTTP access
- Use Render/Railway's built-in DDoS protection
Set up alerts:
- Low balance warning (< $100 worth of tokens)
- Unexpected large transactions
- Gas price spikes
Recommended: Rotate AgentGatePay API keys every 90 days
How:
- Generate new API key via `/v1/api-keys/create`
- Update `AGENTGATEPAY_API_KEY` environment variable
- Revoke old API key via `/v1/api-keys/revoke`
- Runtime: Node.js 18+ (Alpine Linux in Docker)
- Blockchain: ethers.js v6
- API: Express.js
- Deployment: Render / Docker / Railway
- Security: API key verification, server-fetched config
- Docker Image: ~50MB (compressed)
- Memory: ~128MB (light usage)
- CPU: Minimal (only during signing)
- Disk: <100MB
| Platform | Free Tier | Paid Tier | Best For |
|---|---|---|---|
| Render | 750 hours/month | $7/month | Quick start |
| Railway | $5 credit/month | $5-20/month | Developer-friendly |
| Docker (AWS ECS) | Free tier available | $10-30/month | Full control |
| Docker (self-host) | Free | Server costs only | Maximum control |
Blockchain Gas Costs (separate):
- Base: ~$0.001 per transaction
- Polygon: ~$0.01 per transaction
- Arbitrum: ~$0.05 per transaction
- Ethereum: ~$1-5 per transaction
- Render Deployment Guide - One-click deploy with Secret Files
- Docker Deployment Guide - Self-hosting with Kubernetes & ECS examples
- AgentGatePay Main Docs - Complete platform documentation
- SDK Documentation - Python & JavaScript SDKs
- Examples Repository - 20+ integration examples
Scenario: LangChain agent needs to make autonomous payments
Without TX Service:
- Store wallet private key in environment variables (security risk)
- Expose keys to all client code
- Risk key leakage via logs or errors
With TX Service:
- Agent calls TX service API (no keys in client)
- Private keys isolated on secure server
- Simple API call replaces complex wallet management
Scenario: 10 different agents need to make payments
Without TX Service:
- Each agent manages own wallet (complexity)
- 10 different wallets to fund and monitor
- Commission logic duplicated 10 times
With TX Service:
- Single TX service serves all 10 agents
- One wallet to fund and monitor
- Commission enforcement centralized
Scenario: External developers integrate with AgentGatePay
Without TX Service:
- Developers must handle wallet management
- Commission enforcement relies on client honesty
- Complex blockchain integration required
With TX Service:
- Simple REST API call
- Commission automatically enforced
- No blockchain expertise needed
- ✅ Commission config fetched from AgentGatePay
- ✅ Owner API key verification
- ✅ Automatic Secret Files detection (Render)
- ✅ Two-transaction atomic split
- ✅ Multi-chain support (4 chains, 3 tokens)
- ❌ Deprecated - Commission could be modified by client
- Documentation: You're reading it!
- Email Support: support@agentgatepay.com
- GitHub Issues: Report bugs or request features
- Main Docs: AgentGatePay Documentation
Copyright (c) 2025 AgentGatePay. All Rights Reserved.
See LICENSE for full terms.
AgentGatePay TX Signing Service - Secure blockchain transaction signing for autonomous AI agents.
- Current Version: v4.0.0
- Security Model: Server-controlled commission enforcement
- Bypass Protection: Impossible ✅