Installation

npm install @cred-protocol/nextjs @cred-protocol/sdk

Quick Start

Create middleware.ts in your project root:
// middleware.ts
import { credGates } from '@cred-protocol/nextjs'

export const middleware = credGates({
  apiKey: process.env.CRED_API_KEY!,
  policy: 'standard',
  matcher: ['/api/:path*'],
})

export const config = {
  matcher: ['/api/:path*'],
}
Every request to /api/* is evaluated before reaching your route handler. Wallets that fail the trust check receive a 402 or 403 response at the edge — your API handlers only see trusted traffic.

Configuration

credGates({
  // Required
  apiKey: process.env.CRED_API_KEY!,

  // Policy (pick one)
  policy: 'standard',
  // gates: ['human', 'verified'],
  // operator: 'AND',

  // Route matching
  matcher: ['/api/:path*'],        // Only gate these routes

  // Dynamic pricing
  pricing: {
    enabled: true,
    curve: 'step',
    basePriceUsdc: 0.01,
  },

  // Failure handling
  on402: 'challenge',              // 'challenge' (402), 'deny' (403), 'pass'

  // Custom wallet extraction
  extractWallet: (req) => req.headers.get('x-agent-wallet'),
})

Wallet Address Extraction

By default the middleware checks:
  1. X-Wallet-Address request header
  2. ?wallet= query parameter
Override with extractWallet:
credGates({
  apiKey: process.env.CRED_API_KEY!,
  policy: 'standard',
  matcher: ['/api/:path*'],
  extractWallet: (req) => {
    return req.headers.get('x-agent-wallet')
      || req.nextUrl.searchParams.get('address')
  },
})
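
The override above falls back from the header to the query parameter without checking either value, and both are supplied by the caller. As an added example (not Cred Protocol code), this stricter extractWallet accepts only one well-formed address and returns null when the two sources are malformed or disagree. It assumes EVM-style addresses and that the middleware treats a null return as "no wallet address found"; `WalletRequest` and `sampleRequest` are hypothetical helpers.

```typescript
// Added example, not Cred Protocol code.
// Assumption: wallets are EVM-style addresses (0x followed by 40 hex characters).

// Structural subset of NextRequest, so the function also runs outside Next.js.
type WalletRequest = {
  headers: { get(name: string): string | null }
  nextUrl: { searchParams: { get(name: string): string | null } }
}

const EVM_ADDRESS = /^0x[0-9a-fA-F]{40}$/

// Returns a lowercased address, or null for anything that is not exactly one address.
// A duplicated header arrives as "a, b" (Headers.get joins values), so it fails here too.
function normalizeWallet(raw: string | null): string | null {
  if (raw === null) return null
  const value = raw.trim()
  return EVM_ADDRESS.test(value) ? value.toLowerCase() : null
}

function extractWallet(req: WalletRequest): string | null {
  const rawHeader = req.headers.get('x-agent-wallet')
  const rawQuery = req.nextUrl.searchParams.get('address')
  const fromHeader = normalizeWallet(rawHeader)
  const fromQuery = normalizeWallet(rawQuery)

  // A source that is present but malformed is rejected, never skipped in favour of the other.
  if (rawHeader !== null && fromHeader === null) return null
  if (rawQuery !== null && fromQuery === null) return null

  // Two well-formed but different addresses: refuse to guess which one to score.
  if (fromHeader !== null && fromQuery !== null && fromHeader !== fromQuery) return null

  return fromHeader ?? fromQuery
}

// Constructed request stub for trying the function without Next.js.
function sampleRequest(header: string | null, query: string | null): WalletRequest {
  return {
    headers: { get: (name) => (name.toLowerCase() === 'x-agent-wallet' ? header : null) },
    nextUrl: { searchParams: { get: (name) => (name === 'address' ? query : null) } },
  }
}
```

Pass the function as `extractWallet` in the `credGates` options. Format validation only rejects malformed or ambiguous input; it does not show that the caller controls the wallet it names.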

Response Headers

Requests that pass trust checks get these headers set on the response:

| Header | Example | Description |
| --- | --- | --- |
| X-Cred-Trust-Score | 75 | 0–100 composite score |
| X-Cred-Trust-Tier | verified | Trust tier classification |
| X-Cred-Request-Id | a1b2c3d4-... | Request ID for debugging |
| X-Cred-Price-Multiplier | 0.25 | Price multiplier (if pricing enabled) |

Read these in your API route handlers:
// app/api/resource/route.ts
import { NextRequest, NextResponse } from 'next/server'

export async function GET(req: NextRequest) {
  const trustScore = req.headers.get('x-cred-trust-score')
  const trustTier = req.headers.get('x-cred-trust-tier')

  return NextResponse.json({
    data: '...',
    trustScore,
    trustTier,
  })
}

Route Matching

The matcher option controls which routes are trust-gated. Routes that don’t match pass through without evaluation.
credGates({
  apiKey: process.env.CRED_API_KEY!,
  policy: 'standard',
  matcher: [
    '/api/:path*',          // All API routes
    '/protected/:path*',    // Protected pages
  ],
})
Also set config.matcher in your middleware.ts export so Next.js only runs the middleware on matching routes. This avoids unnecessary edge function invocations.

Failure Responses

| Response | When |
| --- | --- |
| 400 | No wallet address found on the request |
| 402 | Gates failed, on402: 'challenge' — includes challenge body |
| 403 | Gates failed with on402: 'deny', or wallet is blocked |
| 429 | Cred API rate limit exceeded |
| 502 | Upstream gate provider error |