# StablecoinX Business — Full reference

> Extended reference for LLM retrieval. See [llms.txt](https://business.harness.stablecoinx.com/llms.txt) for the short summary. This dashboard's machine interface is the StablecoinX MCP server (below); the merchant API has no public OpenAPI spec.

## Product

StablecoinX Business is the merchant control plane. A merchant logs in with thirdweb email-OTP, then manages the full lifecycle of accepting stablecoin payments:

- **Onboarding** (`/onboarding`) — create the merchant profile after first login.
- **Payment sessions** (`/sessions`, `/sessions/new`, `/sessions/:id`) — create a session (amount, chain, metadata), share the hosted checkout link (served by `harness.stablecoinx.com/session/:id`), and track its status.
- **API keys** (`/settings/api-keys`) — mint `sk_*` keys for server-to-server session creation; revoke when rotated.
- **Webhooks** (`/settings/webhooks`) — register endpoints, rotate signing secrets, and inspect deliveries (HMAC-SHA256 signed).
- **Paymaster clients** (`/paymaster/clients`) — issue publishable `pmc_live_*` / `pmc_test_*` client IDs for the managed paymaster RPC.
- **Paymaster allowlist** (`/paymaster/allowlist`) — per-client origin and chain allowlists.
- **Paymaster activity** (`/paymaster/activity`) — sponsored-gas usage per client.

## Merchant API

- Base: `https://api.harness.stablecoinx.com`
- Auth: thirdweb email-OTP → 24h JWT (dashboard), or `sk_*` API keys (server-to-server).
- No public OpenAPI document is published for the merchant API. The supported, versioned machine interface is the MCP server below, whose tools map 1:1 to the dashboard operations above.

## Managed paymaster RPC

- Endpoint: `https://api.harness.stablecoinx.com/v1/paymaster/rpc`
- Required header: `X-Client-Id: pmc_live_…` / `pmc_test_…` (issued from `/paymaster/clients`).
- Enforces per-client origin allowlist and chain allowlist before forwarding to the underlying paymaster. Contrast with the direct paymaster RPC at `https://paymaster.harness.stablecoinx.com` (no clientId, per-sender policy) — see [paymaster-ui llms-full.txt](https://paymaster-ui.harness.stablecoinx.com/llms-full.txt).

## StablecoinX MCP server

Programmatic, agent-friendly control of a StablecoinX merchant account — the headless equivalent of this dashboard. Published to npm as [`@stablecoinx/mcp`](https://www.npmjs.com/package/@stablecoinx/mcp); source at https://github.com/e2xlabs/stablecoinx-mcp; registered in the MCP registry as `io.github.e2xlabs/stablecoinx-mcp`.

- **Install (Claude Code and clients with an `mcp add` CLI):** `npx @stablecoinx/mcp setup` — installs the bundled `stablecoinx` skill into `~/.claude/skills` and registers the MCP (user scope) with a freshly generated state passphrase. Restart your MCP client afterwards.
- **Manual registration:**
  ```
  claude mcp add stablecoinx-mcp -s user \
    -e SCX_STATE_PASSPHRASE="$(openssl rand -hex 16)" \
    -- npx -y @stablecoinx/mcp
  ```
  Requires Node.js 20+. `SCX_STATE_PASSPHRASE` (any string) is the only required input — the harness API, thirdweb client, origin and login chain are baked into the package.
- **Transport:** local stdio server launched via `npx`; all credentials stay on the local machine, encrypted at rest. There is no hosted/remote MCP endpoint.
- **Networks:** the harness resolves chain selection (sandbox testnet vs live mainnet) server-side per the merchant account; nothing chain-related to configure on the client.
- **Auth:** thirdweb email-OTP → 24h JWT cached in the encrypted local state file. Run `auth_send_otp` then `auth_verify_otp`; mint an `sk_*` with `api_key_create` for server-to-server session creation.
- **Tools (27):** auth & onboarding (`auth_status`, `auth_send_otp`, `auth_verify_otp`, `auth_logout`, `api_key_create`, `session_key_create`); merchant profile (`merchant_get`, `merchant_update`); API keys (`api_keys_list`, `api_keys_revoke`); sessions (`sessions_list`, `sessions_get`, `sessions_create_dashboard`, `sessions_create_s2s`); paymaster clients (`paymaster_clients_list` / `_create` / `_update` / `_revoke`); paymaster allowlist (`paymaster_allowlist_list` / `_add` / `_remove`); paymaster usage (`paymaster_usage_get`); webhooks (`webhooks_create` / `_list` / `_delete` / `_rotate_secret` / `_deliveries`).

## Security

- Vulnerability disclosure: `tech@e2xlabs.com` (see [/.well-known/security.txt](https://business.harness.stablecoinx.com/.well-known/security.txt), RFC 9116).
- Merchant data is access-controlled (thirdweb auth / API keys). Webhook payloads are HMAC-SHA256 signed; verify the signature before trusting a delivery.
- Non-custodial — settlement happens on-chain via the user's smart account. Sandbox mode settles on testnets; live mode settles on mainnet.