# SDK & CLI `@paybox-sh/sdk` is a typed Node SDK and `paybox` CLI for the Paybox agent API. It mirrors the MCP tool surface — `list_credentials`, `request_payment`, `request_wallet_sign`, `request_secret`, `request_swap`, `get_portfolio`, `get_request` — but talks to the REST API directly, with no MCP host and no signing iframe. Wallet signing is non-custodial and runs in-process: the SDK reuses the wallet-sign signing core and signs the MoonX envelope with your `pbxk1.` key; the MoonX secret never reaches the client. The request/response types are generated from the server's MCP `list_tools` schemas, so the SDK stays in sync with the API rather than being hand-maintained. ## Install ```bash pnpm add @paybox-sh/sdk # library npx @paybox-sh/sdk login # or use the CLI directly ``` ## Library ```ts import { PayboxClient } from "@paybox-sh/sdk"; // Reads ~/.config/paybox + env (PAYBOX_API_KEY / PAYBOX_API_URL), or pass // { apiKey, signingKey } / { token } explicitly. const paybox = PayboxClient.fromConfig(); const credentials = await paybox.listCredentials(); const pay = await paybox.requestPayment({ credentialId: credentials[0].credential.id, merchant: "Acme", merchantUrl: "https://acme.com", amountCents: 1999, }); const signed = await paybox.requestWalletSign({ credentialId: walletId, chain: "eip155:8453", intent: { op: "message", message: "gm" }, }); // signs in-process when a pbxk1. signing key is configured ``` ## CLI ```bash paybox login # OAuth 2.1 + PKCE, then provision a key paybox login --no-provision # OAuth only, skip the key step paybox login --key pbx_live_… # personal API key instead (no OAuth) paybox login --signing-key pbxk1.… # supply the signing key non-interactively paybox credentials # list usable credentials paybox pay --credential --merchant Acme --url https://acme.com --amount 1999 paybox secret --credential --purpose "deploy" paybox sign --credential --intent '{"op":"message","message":"gm"}' paybox swap --credential --src-chain eip155:8453 --src-token native --dst-token 0x… --amount 1000000000000000 paybox portfolio --address 0x… --networks 1,8453 paybox request --wait # poll a pending request paybox version # installed version (+ update check) paybox update # update the global install to latest paybox uninstall # clear stored config (prints npm rm) paybox --json credentials # machine-readable output on any command ``` ### Logging in `paybox login` is a guided two-step: 1. **Authenticate** — opens your browser for the OAuth 2.1 + PKCE flow; you sign in and approve with a passkey. A scoped, audience-bound token (and a refresh token) is saved to `~/.config/paybox/config.json` (mode `0600`). 2. **Provision a signing key** — to sign or swap, the CLI then opens the Paybox app's signing-key page for this agent, where a `pbxk1.` key is minted scoped to the wallets you granted. Paste it back at the prompt and it's stored locally. The key never leaves your machine except to MoonX; Paybox never sees it. Pass `--no-provision` to skip, or `--signing-key ` to supply it directly. `sign` and `swap` require that signing key (`paybox whoami` shows `canSign`). Without it those commands stop at `pending_signature`. When a grant requires approval, any command returns `pending_approval` — approve in the app, then `paybox request --wait`. You can also integrate over the **[API reference](/api-reference)** directly, or connect an agent via the **[MCP connector](/connect/mcp)**.