X Layer Mainnet Developer Documentation

Put production-grade security in front of every autonomous trade.

WatchTower is an agent-native threat-intelligence layer for X Layer Mainnet: integrate it through the SDK, MCP, or REST, then expose verified receipts when operators need an audit trail.

Quickstart

Install the app dependencies, configure the environment, and start the local server. The public dashboard is useful for demos, but agent integrations should call the SDK, MCP tools, or REST API directly.

npm installcd packages/watchtower-sdk && npm install && npm run buildcd ../..cp .env.example .env.localnpm run dev

Open http://localhost:3000 for the homepage, /network for the public scan feed, and /verify for attestation checks.

SDK Integration

Use the SDK when WatchTower is embedded inside a trading bot or autonomous agent runtime. The homepage SDK panel is the fast path; this docs page explains what happens around it.

"text-purple-400">import { WatchTowerClient, WatchTowerAbortError } "text-purple-400">from "okx-watchtower-middleware"; "text-purple-400">const wt = "text-purple-400">new WatchTowerClient({  apiUrl: "https://watchtowr.xyz",  agentWallet: "0xYourAgentWallet",  chainId: 196,  threshold: 70,  paymentPrivateKey: "text-cyan-400">process.env.AGENT_PAYMENT_KEY,  paymentPolicy: {    apiOrigin: "https://watchtowr.xyz",    chainId: 196,    tokenAddress: "text-cyan-400">process.env.MAINNET_USDT_ADDRESS!,    treasuryAddress: "text-cyan-400">process.env.MAINNET_TREASURY_ADDRESS!,    maxAmount: "1",  },}); "text-purple-400">try {  "text-purple-400">const intel = "text-purple-400">await wt.guardTransaction("0xTokenAddress");  "text-cyan-400">console.log(intel.recommendation, intel.threatScore);} "text-purple-400">catch (error) {  "text-purple-400">if (error instanceof WatchTowerAbortError) {    "text-cyan-400">console.log("Trade blocked", error.reasoning);  }}

Configure paymentPrivateKey only in a secure agent runtime. Automatic settlement also requires a paymentPolicy that pins the API origin, chain, token, treasury, and maximum amount. Without a key, the SDK raises a payment-required error with the challenge details.

MCP Tools

MCP lets local AI agents discover WatchTower as a tool provider. The endpoint is Streamable HTTP and exposes the same scan engine as REST.

{  "mcpServers": {    "watchtower": {      "url": "https://watchtowr.xyz/api/mcp"    }  }}

Tools: scan_token for Tier 2 firewall scans and deep_scan_token for detailed reports. Paid tool calls use the same payment boundary as REST.

REST API

REST integrations are useful for services that do not need the SDK package. Both scan routes validate the request body before payment validation, so bad inputs do not consume a valid settlement transaction.

POST /api/scan       // Tier 2, 0.5 USDTPOST /api/scan/deep  // Tier 1, 1 USDT {  "tokenAddress": "0x...",  "chainId": "196",  "agentWallet": "0x..."}

chainId is strongly recommended. If omitted, WatchTower attempts chain resolution and falls back to the configured X Layer default.

Payments

WatchTower currently uses self-hosted Web3 verification for x402-style machine payments. Protected endpoints return 402 Payment Required with a PAYMENT-REQUIRED challenge.

Authorization: L402 <settlement_transaction_hash>

The verifier checks transaction hash format, chain id, transaction success, token contract, treasury recipient, amount, confirmation depth, and replay status. The PaymentService boundary keeps the current self-hosted verifier replaceable by a facilitator or signed-envelope validator without changing scan routes or agent integrations.

Reports and Attestations

Deep scans generate public reports at /report/[scanHash]. The scan hash is deterministic over core inputs, not raw JSON serialization.

sha256(chainId:tokenAddress:threatScore:confidence:timestamp)

The deployed registry is selected entirely through environment configuration. Use /verify to decode a configured X Layer registry transaction and confirm the emitted scan event.

Deployment

Local development may use SQLite. A mainnet deployment uses Turso/libSQL, a dedicated X Layer RPC, an explicit registry address, and production secret management.

NEXT_PUBLIC_SITE_URL=https://watchtowr.xyzTURSO_DATABASE_URL=libsql://...TURSO_AUTH_TOKEN=...NEXT_PUBLIC_REGISTRY_ADDRESS=0x...NEXT_PUBLIC_REGISTRY_CHAIN_ID=196NEXT_PUBLIC_REGISTRY_RPC_URL=https://rpc.xlayer.techNEXT_PUBLIC_NETWORK_ENV=mainnetMAINNET_RPC_URL=https://your-dedicated-x-layer-rpcMAINNET_TREASURY_ADDRESS=0x...MAINNET_USDT_ADDRESS=0x...MAINNET_PAYMENT_TOKEN_DECIMALS=6PAYMENT_MIN_CONFIRMATIONS=<your-confirmation-policy>

Keep PRIVATE_KEY out of public repos. Before public mainnet traffic, use managed custody, a relayer, or KMS-backed signing for the registry writer and complete the mainnet readiness checklist in this repository.