Common Questions & Truths

This page aggregates all answers regarding Security, Money, SEO, and the "Real World" mechanics of IMAGXP.


🌍 Core Concepts (Start Here)

Q: What is IMAGXP?

IMAGXP (Identity Monetization Auto Governance Exchange Protocol) is a balanced open standard designed to create a fair economy.

It ensures a sustainable, equal exchange between AI Systems (who need data to learn) and Content Creators (who need revenue to survive).

The Crisis: Users now ask AI instead of visiting websites. Traffic is plummeting. AdSense revenue is dying. Creators are quitting. The web is becoming a ghost town.

The Solution: Three Pillars of Survival.

  • Identity (Security): No more anonymous scraping. We use cryptographic signatures to verify exactly who is accessing your content (e.g., "Verified OpenAI" vs "Unknown Bot").
  • Monetization (All Methods): Replaces lost AdSense revenue with direct agent payments. Supports Micropayments (per request), Subscriptions (flat fee), and Ad-Injection (proof-of-ad).
  • Governance (Quality): You control how your data is used ("RAG Only" vs "Training"). Plus, the protocol filters out spam/low-quality sites, ensuring only high-value content is monetized.

Q: Why do we need it?

The "Banner Ad" model is collapsing.

  • Users are asking ChatGPT instead of visiting websites.
  • Google AdSense relies on human eyeballs. Bots don't click ads.
  • IMAGXP provides Direct Monetization ($0.01 per request) directly from the Agent to the Creator, ensuring the ecosystem survives.

Q: What does it solve?

It replaces "Scraping" with "Negotiation".

  1. Identity: Stops spoofing ("I am OpenAI" vs "I am Steve").
  2. Money: Handles micro-payments efficiently.
  3. Governance: Gives Publishers control (e.g., "Yes to RAG, No to Training").

🛡️ Security & Law

Q: Is IMAGXP a Firewall?

No. IMAGXP is a Protocol, not a Firewall.

  • The Reality: We cannot physically stop a "Trillion Dollar Scraper" from spoofing a residential proxy ("Steve from Ohio"). Cloudflare does that.
  • The Distinction: Cloudflare stops the Packet. IMAGXP stops the Excuse.
  • The Defense: By serving a cryptographically secured "No", we remove "Plausible Deniability". If they bypass it via proxies, it becomes a Computer Fraud and Abuse Act (CFAA) Violation (Criminal Hacking), not just "rude scraping". Public companies do not cross this line.

Q: Can hackers spoof the ID?

Impossible without the Private Key.

  • The Math: We use ECDSA P-256 (same as Bitcoin/TLS).
  • The Only Way: Steal OpenAI's .env file containing their Private Key.
  • Network Attacks: Spoofing IP addresses does nothing because the signature won't match.

Q: What about Replay Attacks?

Blocked by Timestamps.

  • Every signature includes a ts (timestamp).
  • The SDK rejects any request older than 5 minutes.
  • A hacker cannot "record" a valid request and play it back later.
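
The two answers above (signature check and timestamp window) can be seen working together in the following added example. It is not IMAGXP SDK code: the request fields other than ts, the canonical string layout, and the rejection of far-future timestamps are assumptions made for illustration.

```javascript
// Added example, not IMAGXP SDK code. Every field name except `ts` is assumed.
const crypto = require('node:crypto');

const MAX_AGE_MS = 5 * 60 * 1000; // the 5-minute window stated above

// The string that gets signed. `ts` must be inside it; otherwise a captured
// request could simply be re-stamped with a fresh timestamp.
function canonical(req) {
  return [req.agent, req.method, req.path, req.ts].join('\n');
}

function signRequest(req, privateKey) {
  return crypto.sign('sha256', Buffer.from(canonical(req)), privateKey).toString('base64');
}

// Returns { ok, reason }. `now` is a parameter so the clock can be controlled.
function verifyRequest(req, sigB64, publicKey, now = Date.now()) {
  if (!Number.isFinite(req.ts)) return { ok: false, reason: 'missing ts' };
  // Older than the window, or stamped further ahead than the window (assumed rule).
  if (Math.abs(now - req.ts) > MAX_AGE_MS) return { ok: false, reason: 'stale ts' };
  const good = crypto.verify('sha256', Buffer.from(canonical(req)), publicKey,
    Buffer.from(sigB64, 'base64'));
  return good ? { ok: true, reason: 'verified' } : { ok: false, reason: 'bad signature' };
}

// Constructed scenario: one real agent key, one impostor key, a fixed clock.
function demo() {
  const ec = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const agent = ec(), impostor = ec();
  const t0 = 1700000000000, late = t0 + 6 * 60 * 1000;
  const req = { agent: 'agent.example', method: 'GET', path: '/article/1', ts: t0 };
  const sig = signRequest(req, agent.privateKey);
  const check = (r, s, now) => verifyRequest(r, s, agent.publicKey, now).reason;
  return {
    fresh: check(req, sig, t0 + 1000),
    replayedLate: check(req, sig, late),                 // recorded, replayed after 6 min
    restamped: check({ ...req, ts: late }, sig, late),   // ts edited, signature not
    wrongKey: check(req, signRequest(req, impostor.privateKey), t0 + 1000),
    // Inside the window the identical request still verifies; closing that gap
    // needs a nonce or seen-signature cache, which this page does not describe.
    replayedInWindow: check(req, sig, t0 + 60 * 1000),
  };
}
console.log(demo());
```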

💰 Monetization & The Broker

Q: Why not just use Google AdSense?

Google AdSense is for Humans.

  • Bots don't click banners.
  • Bots don't have "Viewability".
  • Until AdTech evolves, Direct Payment (The Broker) is the only way to monetize AI Agents.

Q: Why use a Broker?

  • Efficiency: OpenAI doesn't want to send 1,000 checks for $0.01. You don't want to chase 1,000 invoices.
  • The Bond: The Broker holds a large deposit from the Agent, guaranteeing they can pay.
  • Trust: You delegate trust to the Broker (like accepting a Visa card), enabling 1-line configuration.

Q: How do we monetize immediately?

The "Spotify Model" (Data Pools).

  • Agent pays a flat fee (e.g., $10k/month) to the Broker.
  • Broker distributes it to Publishers based on Usage Share (proved by IMAGXP Logs).
  • This works today.
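
One way a Broker could turn logs into Usage Share payouts, as an added example that is not Broker or SDK code. The log entry shape (publisher, verified) is an assumption; amounts are kept in integer cents so the payouts add up to the pool exactly.

```javascript
// Added example, not Broker code. The log entry shape is an assumption.
function distributePool(poolCents, logEntries) {
  // Count only requests whose signature verified; unsigned hits earn nothing.
  const counts = new Map();
  for (const e of logEntries) {
    if (!e.verified) continue;
    counts.set(e.publisher, (counts.get(e.publisher) || 0) + 1);
  }
  const total = [...counts.values()].reduce((a, b) => a + b, 0);
  if (total === 0) return {}; // nothing provable, nothing to distribute

  // Integer math only: floor each share and keep the remainder for tie-breaking.
  const rows = [...counts].map(([publisher, n]) => ({
    publisher,
    cents: Math.floor((poolCents * n) / total),
    rem: (poolCents * n) % total,
  }));

  // Largest-remainder rule: leftover cents go to the biggest remainders first,
  // with the publisher name as a deterministic tie-break.
  let leftover = poolCents - rows.reduce((a, r) => a + r.cents, 0);
  rows.sort((a, b) => b.rem - a.rem || a.publisher.localeCompare(b.publisher));
  for (const r of rows) { if (leftover-- > 0) r.cents += 1; }
  return Object.fromEntries(rows.map((r) => [r.publisher, r.cents]));
}

// Constructed log: six verified requests and one unverified request.
const sampleLog = [
  { publisher: 'a.example', verified: true }, { publisher: 'a.example', verified: true },
  { publisher: 'a.example', verified: true }, { publisher: 'b.example', verified: true },
  { publisher: 'b.example', verified: true }, { publisher: 'c.example', verified: true },
  { publisher: 'c.example', verified: false },
];
console.log(distributePool(1000000, sampleLog)); // $10k pool expressed in cents
```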

🕷️ SEO & Google

Q: Will this block Googlebot?

No, if configured correctly.

  • Hybrid Mode (strategy: 'HYBRID'): The default. It allows:
    1. Verified Agents: If they pay/sign.
    2. Browsers/Humans: Always pass.
    3. Legacy Bots (Google): Pass (detected as non-IMAGXP traffic).
  • Strict Mode: If you block everything without a signature, you will block Google. Don't do this unless you are an API-only service.

Q: Do I need to maintain a list of "Good Bots"?

No.

  • The protocol is Trustless.
  • We verify the Signature, not the Name.
  • If unknown-bot.com sends a valid signature and pays $0.01, they are allowed. No whitelist needed.

🕵️‍♂️ Auto-Detection (The "Needle in a Haystack")

Q: How does an Agent find IMAGXP sites among billions of websites?

It doesn't look for them; it stumbles upon them.

  • The Workflow:
    1. Crawl Blindly: The Agent crawls the web normally (just like Googlebot). It visits example.com without knowing anything.
    2. The Signal: When it receives the response headers, it looks for x-imagxp-policy.
      • Signal Found: "Aha! This site speaks the Protocol!" -> Switch to Signed Mode.
      • No Signal: "Just a normal site." -> Continue Standard Crawling.
  • The Scale: This check takes 0.1ms. An Agent can crawl 1 Billion sites and instantly establish a contract with the 1% that have IMAGXP, without any pre-configuration or central database.

Q: Does the Agent need a master list of "IMAGXP Sites"?

No. The web is too big for lists. Discovery must be Decentralized and Automatic.

Q: Does the Publisher need a list of "AI Companies"?

No.

  • We fetch their Public Key dynamically from their DNS (/.well-known/imagxp-agent.json).

⚖️ Conflict Protocol & Data Retention

Q: What if they change their key and deny everything? (The "Snapshot Defense")

They lose.

  • Scenario: OpenAI changes their key today and claims they never signed the requests from last month.
  • The Defense: The .well-known/imagxp-agent.json file is public. It is archived by the Internet Archive (Wayback Machine) and Common Crawl.
  • The Proof: You show your log (signed by Key A) and the Archive (showing Key A was live on that date).
  • Verdict: Non-Repudiation. Attempting to change history is impossible on the public web.

Q: How long should I keep logs?

Depends on your size.

  • Small Publishers ($0): "Ephemeral Logs". Vercel/Netlify keep logs for 1-7 days. This is enough to check "Who scraped me yesterday?".
  • Enterprise: "Log Shipping". If you are in a regulated industry, stream logs to S3/Postgres for a 7-year audit trail.

Q: Is the Dashboard Public?

No. It is Admin Only. Use standard auth to protect your log routes.

Q: Does the Publisher see my Private Key?

Never.

  • The Lock: They only see the Public Key (DNS).
  • The Key: Your Secret stays on your server (in .env).
  • The Math: We use Public Key Cryptography. You can prove you own the key without showing it.