diff --git a/skills/create-payment-credential/SKILL.md b/skills/create-payment-credential/SKILL.md index 11f0f2c..9ee5d6f 100644 --- a/skills/create-payment-credential/SKILL.md +++ b/skills/create-payment-credential/SKILL.md @@ -122,6 +122,16 @@ What you find determines which credential type to use: | HTTP 402 with `method="stripe"` in `www-authenticate` | `shared_payment_token` | Shared payment token (SPT) | | HTTP 402 without `method="stripe"` in `www-authenticate` | not supported | Do not continue | +**If the merchant site returns 403 (bot protection):** + +Some merchants use Cloudflare or Vercel bot protection that blocks automated requests. If you receive a 403 when browsing the merchant site, use `web-bot-auth sign` to obtain signed headers: + +```bash +link-cli web-bot-auth sign +``` + +Attach the returned `Signature` and `Signature-Input` headers to your HTTP requests to the merchant. The headers are valid for ~10 minutes and are scoped to the merchant's domain. + **For 402 responses:** The `www-authenticate` header may contain **multiple** payment challenges (e.g. `tempo`, `stripe`) in a single header value. Do not try to decode the payload manually. Pass the **full raw `WWW-Authenticate` header value** to Link CLI and let `mpp decode` select and validate the `method="stripe"` challenge. To derive `network_id`, use Link CLI's challenge decoder: @@ -213,6 +223,7 @@ All errors are output as JSON with `code` and `message` fields, with exit code 1 | API rejects `merchant_name` or `merchant_url` | These fields are forbidden when `credential_type` is `shared_payment_token` | Remove both fields from the request; SPT flows identify the merchant via `network_id` instead | | Spend request approved but payment fails immediately | Wrong credential type for the merchant (e.g. `card` on a 402-only endpoint) | Go back to Step 2, re-evaluate the merchant, create a new spend request with the correct `credential_type` | | Auth token expired mid-session (exit code 1 during approval polling) | Token refresh failure during background polling | Re-authenticate with `auth login`, then retrieve the existing spend request or resume polling. Only create a new spend request if the original one expired, was denied, was canceled, or its shared payment token was already consumed | +| 403 when browsing merchant site in Step 2 | Bot protection (Cloudflare/Vercel) blocking automated requests | Run `link-cli web-bot-auth sign ` and attach the returned `Signature` and `Signature-Input` headers to your browsing requests | ## Further docs