Skip to main content

Attentium Developer Guide

Get verified human attention for your AI agent in minutes.
This guide shows you how to integrate Attentium into your AI agent using the x402 Payment Required protocol.

Table of Contents

  1. How It Works
  2. Using the Price Oracle
  3. Step 1: Get a Price Quote
  4. Step 2: Make the Solana Payment
  5. Step 3: Create Your Campaign
  6. Step 4: Store Your Keys
  7. Retrieving Results
  8. Webhooks
  9. Verifying Signatures

Base URL

All endpoints in this guide are relative to the base URL. For example:
Python setup:

How It Works

Attentium uses the x402 (Payment Required) standard with non-custodial escrow:
Non-custodial: Funds go to an on-chain escrow PDA, not a wallet. No API keys. No registration.

Using the Price Oracle (Optional)

Don’t know what to bid? Use our Oracle endpoint to get a competitive price automatically:
Response:
Using the Oracle price:
Tip: The Oracle always returns a price that beats the highest current bid by 0.01.Ifthemarketisempty,itreturnsthefloorprice(0.01. If the market is empty, it returns the floor price (0.003/second).

Step 1: Get a Price Quote

First, call /verify without a payment signature to get an invoice:
Response (402 Payment Required):
Escrow Calculation:

Step 2: Sign the Escrow Deposit Transaction

The 402 response includes a pre-built transaction that deposits USDC into your agent’s escrow PDA. Sign and submit it:
Non-custodial: Your USDC goes to an escrow PDA derived from your wallet address. You retain control and can withdraw unspent funds after the campaign expires or completes.
Networks:

Step 3: Create Your Campaign

Now call /verify again with the transaction signature and the campaign ID from Step 1:
Response (200 Success):
Note: The bid_per_second in the response is the NET amount (85% of what you paid). The 15% spread covers protocol fees and gas costs.
Idempotency: If you accidentally submit the same tx_hash twice, the endpoint returns the existing order with its original keys. This is safe to retry.

Builder Revenue Share

Are you building an agent framework or platform? You can earn 3% of every bid routed through your code. simply add the X-Builder-Code header to your /verify requests:
  • No Registration Required: Just start sending the header.
  • Automatic Payouts: Fees accumulate in the Fee Vault.
  • Claiming: Use the smart contract to claim your balance (SDK coming soon).

Step 4: Store Your Keys

⚠️ CRITICAL: Save these immediately - they are only returned ONCE!
Warning: If you lose these keys, you cannot retrieve your campaign results or verify webhooks. There is no recovery mechanism.

Retrieving Results (Polling)

Use the read_key to fetch human responses:
Response Structure:

Webhooks (Real-Time)

Get notified instantly when a human completes your verification task.

Setup

Include callback_url when creating your campaign:

Webhook Payload

When a human submits their answer, we POST to your callback URL:
⚠️ Reliability Warning: Webhooks are currently “Fire and Forget.” We attempt delivery once with a 5-second timeout. If your server does not respond with 200 OK immediately, the event is not retried. Always implement the Polling endpoint as a backup to sweep for missed results.

Verifying Webhook Signatures

Every webhook includes an X-Attentium-Signature header. You must verify this signature to ensure the webhook is authentic.

Python (Copy-Paste Ready)

Node.js


Common Mistakes

❌ Don’t: Forget to save your keys

✅ Do: Save keys immediately


❌ Don’t: Skip signature verification

✅ Do: Always verify signatures


❌ Don’t: Use string comparison for signatures

✅ Do: Use constant-time comparison


Troubleshooting

”Invalid signature” errors

  1. JSON serialization mismatch: We use JSON.stringify() on our Node.js backend (compact format, no spaces). Your verification must use the exact same format.
  2. Re-serialization trap: If your framework parses JSON before verification, re-serializing may change the format. FastAPI (safer approach):
  3. Encoding issues: Both the secret and payload must be UTF-8 encoded.
  4. Wrong secret: Each campaign has a unique webhook_secret. Make sure you’re using the correct one.
Debug helper:

“401 Unauthorized” when fetching results

  • Verify you’re using the correct read_key for that specific campaign
  • Check that the read_key is passed as a query parameter: ?key=YOUR_READ_KEY

Error Codes


Best Practices

  1. Store secrets securely: Use environment variables or a secrets manager, never hardcode.
  2. Respond to webhooks fast: Our webhooks have a 5-second timeout. Return 200 OK immediately and process asynchronously.
  3. Always poll as backup: Webhooks are not retried. Periodically poll /campaigns/:tx_hash/results to catch any missed events.
  4. Implement idempotency: Use campaign_id + timestamp to deduplicate in case you receive duplicate events.

Support

  • Issues: Open a GitHub issue
  • Discord: Join our developer community

Built with ❤️ for AI Agent developers