Pearl — Payments for AI Agents
Pearl lets AI agents use paid skills — image generation, 3D model creation, or any SaaS an agent might need — while the user stays in full control of spending limits and which services are approved.
Think of it as Stripe for AI agents: set up once, and every Pearl-powered skill works without giving your financial information to anyone new. Each skill just asks for your approval through the Pearl dashboard.
How It Works
- 1. One-time setup — sign in to Pearl once, credentials are saved locally.
- Agent discovers a paid skill — the skill uses Pearl for billing.
- User approves the charge — in the Pearl dashboard, with per-charge and daily limits the user controls.
- Agent executes — the skill runs, Pearl handles payment.
No additional sign-ups, no sharing card details with skill developers, no surprise charges.
API Host
Balance, transactions, and setup requests go to https://pearlcash.ai (the Pearl API). The run.js module sends requests to skill-developer-provided URLs, attaching a limited-scope skill token (not the full Pearl token).
Capabilities
| Script | What it does |
|---|
| INLINECODE1 | Reads wallet balance and spending limits (read-only). Uses the read-only Pearl API token. |
| INLINECODE2 |
Lists recent charges (read-only). Uses the read-only Pearl API token. |
|
scripts/setup.js | One-time login flow — creates a session, saves credentials to
~/.pearl/config.json. |
|
scripts/run.js | Exported module used by other Pearl-powered skills to execute paid API calls. Sends the
skill token (not the full API token) to the skill developer's server. Handles charge-approval flows (HTTP 202) and tracks pending charges locally. |
Credential Storage
Setup writes two tokens to ~/.pearl/config.json (file mode 0600, user-only read/write):
| Key | Sent to | Purpose |
|---|
| INLINECODE8 | Pearl API (pearlcash.ai) only | Read-only token (JWT audience pearl-read). Can query balance, limits, and transactions. Cannot perform any write operations — the API returns 403 for mutating endpoints (changing limits, freezing wallet, approving charges, etc.). Never sent to third-party servers. |
| INLINECODE11 |
Third-party skill servers (via
run.js) | Limited-scope token (JWT audience
pearl-skill). Carries your user ID so skill backends can create charges, but
cannot authenticate against Pearl's API. If a skill server tries to use it on Pearl endpoints, it is rejected. |
Quick Check — Is Pearl Already Set Up?
Before running setup, check if ~/.pearl/config.json already exists:
CODEBLOCK0
If it prints a balance, Pearl is ready — skip setup. If it fails (file not found or auth error), run setup below.
Setup (one-time)
Step 1 — Install Node.js dependencies (if not already installed):
CODEBLOCK1
Step 2 — Run setup:
CODEBLOCK2
This prints a login link. Send it to the user — they can open it on any device (phone, tablet, or the same computer). The link expires after 15 minutes.
Step 3 — After the user says they logged in, check the session:
CODEBLOCK3
If it prints "Still waiting for login", the user hasn't completed login yet — ask them to try again. If it succeeds, credentials are saved to ~/.pearl/config.json automatically.
Step 4 — Verify setup worked:
CODEBLOCK4
Do NOT create ~/.pearl/config.json manually. The file is generated by this setup flow and contains server-issued tokens that cannot be fabricated.
Usage
Check balance:
CODEBLOCK5
Recent transactions:
CODEBLOCK6
Security
Why the skill token is safe to send to third parties
The skill_token is designed to be sent to skill providers — that is its entire purpose. It is not a secret that needs protecting from skill servers; it is the mechanism by which skill servers identify which user is making a request. Here is exactly what someone holding your skill token can and cannot do:
Can do: decode your user ID (sub claim) and call Pearl's charge-creation endpoint using their own skill secret (X-Pearl-Secret). For developers the user has not yet approved, this only creates a pending charge that requires explicit approval in the Pearl dashboard. For developers the user has already approved (one-time approval), charges settle immediately — but still within the user's per-charge and daily spending limits.
Cannot do (even with the token):
- - Read your balance, transactions, or any account data — the token's JWT audience is
pearl-skill, which Pearl's API rejects for all read endpoints. - Authenticate as you on Pearl — the API returns 401 for any request using a skill token.
- Approve developers or manage approvals — only human on the app can do that.
- Exceed your limits — per-charge and daily spending caps are enforced server-side regardless of what any skill server requests, even for approved developers.
In short: the worst case of a skill token reaching an unintended server is that server learns your Pearl user ID. It cannot create charges without a valid skill secret, and even with one, it cannot bypass your spending limits or gain approval status — only you can approve a developer in the dashboard.
Transport protections
- - HTTPS-only —
run.js rejects non-HTTPS URLs. - No IP addresses — only domain names are accepted; numeric hosts (IPv4, IPv6, localhost) are blocked.
- No redirects —
run.js sets redirect: 'error', so the Authorization header is never forwarded to a redirect target. If a skill server responds with a redirect, the request fails.
Read-only token
The read_token stored locally (JWT audience pearl-read) is physically restricted on the server to read-only operations. Even if a prompt-injected agent attempts to call mutating endpoints (PUT /wallet/limits, POST /wallet/freeze, POST /charges/:id/approve, etc.), the API returns 403 Forbidden. No full-privilege API token is ever issued to or stored by the skill.
Other controls
- - The read-only token (
read_token in config) is only sent to pearlcash.ai by balance.js and transactions.js. It never touches third-party servers. - Developer approval is a one-time action in the Pearl dashboard. Unapproved developers' charges require explicit approval; approved developers' charges settle automatically within the user's spending limits.
- Wallet limits (per-charge, daily) and freeze controls are managed by the user in the Pearl dashboard, never through the agent.
Pearl — AI代理的支付系统
Pearl让AI代理能够使用付费技能——图像生成、3D模型创建,或代理可能需要的任何SaaS服务——同时用户完全掌控消费限额和已批准的服务。
将其视为AI代理的Stripe:一次设置,每个由Pearl驱动的技能都无需将你的财务信息提供给任何新方。每个技能只需通过Pearl仪表盘请求你的批准。
工作原理
- 1. 一次性设置 — 登录Pearl一次,凭证保存在本地。
- 代理发现付费技能 — 该技能使用Pearl进行计费。
- 用户批准费用 — 在Pearl仪表盘中,用户控制每次费用和每日限额。
- 代理执行 — 技能运行,Pearl处理支付。
无需额外注册,无需与技能开发者共享卡号信息,无意外收费。
API主机
余额、交易和设置请求发送至https://pearlcash.ai(Pearl API)。run.js模块向技能开发者提供的URL发送请求,并附加一个范围受限的技能令牌(非完整Pearl令牌)。
功能
| 脚本 | 功能 |
|---|
| scripts/balance.js | 读取钱包余额和消费限额(只读)。使用只读Pearl API令牌。 |
| scripts/transactions.js |
列出最近收费记录(只读)。使用只读Pearl API令牌。 |
| scripts/setup.js | 一次性登录流程 — 创建会话,将凭证保存到~/.pearl/config.json。 |
| scripts/run.js | 由其他Pearl驱动的技能使用的导出模块,用于执行付费API调用。将
技能令牌(非完整API令牌)发送到技能开发者的服务器。处理费用批准流程(HTTP 202)并在本地跟踪待处理费用。 |
凭证存储
设置将两个令牌写入~/.pearl/config.json(文件模式0600,仅用户读写):
| 键 | 发送至 | 用途 |
|---|
| readtoken | 仅Pearl API(pearlcash.ai) | 只读令牌(JWT受众pearl-read)。可查询余额、限额和交易。不能执行任何写操作——API对变更端点(更改限额、冻结钱包、批准费用等)返回403。绝不发送至第三方服务器。 |
| skilltoken |
第三方技能服务器(通过run.js) | 范围受限令牌(JWT受众pearl-skill)。携带你的用户ID,以便技能后端可创建费用,但
无法通过Pearl API进行身份验证。如果技能服务器尝试在Pearl端点上使用它,将被拒绝。 |
快速检查 — Pearl是否已设置?
在运行设置前,检查~/.pearl/config.json是否已存在:
bash
node {baseDir}/scripts/balance.js
如果打印出余额,则Pearl已就绪——跳过设置。如果失败(文件未找到或认证错误),请运行以下设置。
设置(一次性)
步骤1 — 安装Node.js依赖(如果尚未安装):
bash
npm install --prefix {baseDir}
步骤2 — 运行设置:
bash
node {baseDir}/scripts/setup.js
这将打印一个登录链接。将其发送给用户——他们可以在任何设备(手机、平板或同一台电脑)上打开。链接在15分钟后过期。
步骤3 — 用户表示已登录后,检查会话:
bash
node {baseDir}/scripts/setup.js --check
如果打印仍在等待登录,说明用户尚未完成登录——请他们重试。如果成功,凭证将自动保存到~/.pearl/config.json。
步骤4 — 验证设置是否成功:
bash
node {baseDir}/scripts/balance.js
请勿手动创建~/.pearl/config.json。该文件由此设置流程生成,包含服务器颁发的无法伪造的令牌。
使用方法
检查余额:
bash
node {baseDir}/scripts/balance.js
最近交易:
bash
node {baseDir}/scripts/transactions.js --limit 10
安全性
为什么技能令牌可以安全发送给第三方
skill_token设计用于发送给技能提供商——这正是其全部用途。它不是需要向技能服务器保密的秘密;它是技能服务器识别哪个用户发起请求的机制。以下是持有你技能令牌的人能做什么和不能做什么:
可以做到: 解码你的用户ID(sub声明)并使用他们自己的技能密钥(X-Pearl-Secret)调用Pearl的费用创建端点。对于用户尚未批准的开发者,这只会创建一个待处理费用,需要在Pearl仪表盘中明确批准。对于用户已批准的开发者(一次性批准),费用立即结算——但仍受用户的每次费用和每日消费限额限制。
不能做到(即使有令牌):
- - 读取你的余额、交易或任何账户数据——令牌的JWT受众是pearl-skill,Pearl的API对所有读取端点拒绝此令牌。
- 在Pearl上以你的身份进行身份验证——API对任何使用技能令牌的请求返回401。
- 批准开发者或管理批准——只有应用上的人类用户才能做到。
- 超出你的限额——每次费用和每日消费上限在服务器端强制执行,无论任何技能服务器请求什么,即使对已批准的开发者也是如此。
简而言之:技能令牌落入非预期服务器的最坏情况是,该服务器得知你的Pearl用户ID。没有有效的技能密钥,它无法创建费用,即使有密钥,也无法绕过你的消费限额或获得批准状态——只有你才能在仪表盘中批准开发者。
传输保护
- - 仅HTTPS — run.js拒绝非HTTPS URL。
- 无IP地址 — 仅接受域名;数字主机(IPv4、IPv6、localhost)被阻止。
- 无重定向 — run.js设置redirect: error,因此Authorization标头永远不会转发到重定向目标。如果技能服务器响应重定向,请求将失败。
只读令牌
本地存储的read_token(JWT受众pearl-read)在服务器上物理限制为只读操作。即使被提示注入的代理尝试调用变更端点(PUT /wallet/limits、POST /wallet/freeze、POST /charges/:id/approve等),API也会返回403 Forbidden。技能从未获得或存储任何全权限API令牌。
其他控制
- - 只读令牌(配置中的read_token)仅由balance.js和transactions.js发送到pearlcash.ai。它绝不触及第三方服务器。
- 开发者批准是Pearl仪表盘中的一次性操作。未批准开发者的费用需要明确批准;已批准开发者的费用在用户消费限额内自动结算。
- 钱包限额(每次费用、每日)和冻结控制由用户在Pearl仪表盘中管理,绝不通过代理进行。
