Publisher Guide

Publisher Implementation (The "How")

Goal: Secure your content integrity and monetize AI agents automatically. Install once, handle millions of agents.

Prerequisites

  • Node.js 18+
  • A Next.js or Express application

What you need:

  • @imagxp/protocol: The Logic Engine.
  • jose: Why? It handles the sophisticated "JSON Web Signatures" (JWS) needed for the court-proof logging.
  • uuid: Why? Creates unique Trace IDs for every single request so you can debug "that one time it failed".

Step 1: Install

npm install @imagxp/protocol jose uuid

Step 1.5: Environment Variables (.env)

Create a .env file in your root directory. This ensures your Publisher Identity is persistent.

# .env
# 1. Your Publisher Identity (Generate via `npx imagxp generate-identity`)
IMAGXP_PRIVATE_KEY="MIGHAgEAMBMGByq..."
IMAGXP_PUBLIC_KEY="MFKwEwYHKoZIzj0..."

# 2. Configuration
# "HUMAN" or "AI_GENERATED"
IMAGXP_CONTENT_ORIGIN="HUMAN"

# Strategy: 'HYBRID' (Humans+Agents) or 'STRICT' (Agents Only)
IMAGXP_STRATEGY="HYBRID"

# True = Verify Agent's Public Key matches their Domain (Security)
IMAGXP_REQUIRE_IDENTITY_BINDING=true

# True = Agents must pay (or whitelist) to access
IMAGXP_PAYMENT_REQUIRED=true

# True = Allow access if Agent proves it displayed an Ad
IMAGXP_ALLOW_ADS=true

# True = Allow access for RAG (Search/Retrieval)
IMAGXP_ALLOW_RAG=true

# True = Allow access for Training (Scraping)
IMAGXP_ALLOW_TRAINING=false

# True = Agents must attribute content source
IMAGXP_ATTRIBUTION_REQUIRED=true

# Wallet for payments (Interledger/Lightning/etc)
IMAGXP_PAYMENT_POINTER="$wallet.example.com"

Step 2: The Gatekeeper (src/middleware.ts)

This code acts as a "Bouncer". It intercepts requests and runs the flow described above (Steps A-C).

// src/middleware.ts
import { NextResponse } from 'next/server';
import { IMAGXPNext } from '@imagxp/protocol';

// Initialize the Protocol Engine
const imagxp = IMAGXPNext.init({
    meta: { 
        origin: 'HUMAN',             // Claim: "My content is human-written" 
        paymentPointer: '$wallet'    // Your direct payment address
    },
    policy: {
        // [SECURITY] STRICT IDENTIFICATION
        // Stops "Fake DNS" spoofing. We verify the Agent's Public Key matches their Domain.
        requireIdentityBinding: process.env.IMAGXP_REQUIRE_IDENTITY_BINDING !== 'false', // Default: true 

        // [ECONOMICS]
        requiresPayment: process.env.IMAGXP_PAYMENT_REQUIRED === 'true', 
        
        // [PERMISSIONS]
        allowTraining: process.env.IMAGXP_ALLOW_TRAINING === 'true',  
        allowRAG: process.env.IMAGXP_ALLOW_RAG === 'true'             
    },
    strategy: process.env.IMAGXP_STRATEGY || 'HYBRID'
});

// Protect specific routes (e.g. /posts, /articles)
export async function middleware(req) {
    if (req.nextUrl.pathname.startsWith('/posts')) {
        return imagxp.withProtection(async (req) => NextResponse.next())(req);
    }
    return NextResponse.next();
}

Step 3: The Dashboard (Admin Only)

Warning: This dashboard contains Sensitive Logs. You MUST protect it.

  • Safety: Use Basic Auth or your existing Login system.
  • Legal Proof: The logs shown here prove exactly who accessed your data, signed with their private key.

FAQ: Publishers

  • Q: Will this block Google?
    • A: No. strategy: 'HYBRID' allows standard browsers and crawlers like Googlebot to pass through (using heuristics), while strictly enforcing protocols for known AI Agents.
  • Q: Does this add latency?
    • A: Minimal (<10ms). The crypto verification is extremely fast. DNS lookups are cached.
  • Q: Data Retention?
    • A: Small publishers: Ephemeral logs (Vercel/Netlify, 7 days). Enterprise: Ship logs to S3/Postgres for 7-year audit trails.