DAILY NEWS

Stay Ahead, Stay Informed – Every Day

Advertisement
The AI Agent Payment Wars Have Begun — Here’s What Actually Matters



Visa announced this week that AI agents can now use credit cards. Mastercard launched a protocol for AI-to-AI payments and micropayments. Catena Labs raised $30M and filed for a national trust bank charter to build an “AI-native bank.”

The agent payment wars are officially live.

But if you look past the headlines, the real story isn’t about competition between payment networks. It’s about a structural mismatch between legacy financial infrastructure and autonomous systems — and what it actually takes to solve it.

The Identity Gap No One’s Talking About

Here’s the problem: AI agents can’t open bank accounts.

They can’t pass KYC. They don’t have Social Security numbers. They can’t verify their identity using a driver’s license or utility bill. Every compliance layer in traditional finance is built around human identity.

Credit cards require all of this. When Visa says agents can “use credit cards,” what they’re really offering is a workaround — not a solution. Someone (a human) still owns the card. The agent is operating under delegation, not autonomy.

This isn’t a technical limitation. It’s an architectural one. Cards were designed 50 years ago for human consumers. Retrofitting them for agents is like adding a fax machine to a self-driving car.

Settlement Speed vs. Agent Speed

An agent booking a $47 flight needs three things:

Authorization in under 150ms
Policy enforcement (spend caps, recipient allowlists) in real-time
Immediate settlement

Cards can’t deliver this. Authorization might be fast, but settlement takes 3 days. Fraud models are built around human behavior patterns — purchase location, time of day, merchant category. None of this applies to agents operating autonomously across APIs.

Mastercard’s AI-to-AI protocol is a step in the right direction, but it still sits on top of card rails. The latency is baked into the foundation.

Meanwhile, stablecoin payments settle in seconds. USDC already dominates AI agent payments, according to CoinDesk. Not because developers are crypto ideologues — because it’s the only architecture that actually works for non-human actors.

Why Catena’s Bank Charter Matters More Than Visa’s Announcement

The most important signal this week wasn’t Visa or Mastercard. It was Catena Labs filing for a national trust bank charter.

Founded by Circle co-founder Sean Neville, Catena raised $30M to build financial infrastructure specifically for AI agents. But more importantly, they’re seeking regulatory approval to do it properly.

This proves two things:

The industry knows agents need financial access
Existing banks can’t provide it without regulatory reinvention

Catena is building at the banking layer — custody, compliance, identity. That’s a different layer than payment gateways like AgentWallex, but it validates the same thesis: legacy rails weren’t designed for this, and you can’t just patch them.

The MPC Advantage: Security Without Human Friction

Multi-party computation (MPC) wallets solve the core problem: agents need to authorize payments autonomously, but they can’t hold private keys.

With MPC, no single party ever holds the full key. A 2-of-3 threshold signing model means an agent can authorize a transaction without exposing secrets — and without requiring a human to approve every payment.

This isn’t just faster. It’s architecturally correct. Agents operate on policy, not instinct. You set spend caps, recipient allowlists, rate limits, and time-based rules once. Then the agent executes within those constraints — no manual approvals, no bottlenecks.

Compare that to card authorization: every purchase is either pre-approved (no control) or requires human intervention (not autonomous). There’s no middle ground.

What the Payment Wars Actually Mean for Builders

If you’re building AI agents today, here’s what matters:

Don’t wait for Visa and Mastercard to “solve” this. They’re offering retrofitted solutions to a structural problem. Cards will always carry human identity requirements and settlement delays.
Stablecoins aren’t a crypto preference — they’re a technical necessity. Agents need wallets that don’t require SSNs, KYC checks, or 3-day settlement windows.
MPC infrastructure is the security model that scales. Agents can’t hold keys. Humans shouldn’t approve every transaction. Policy-driven authorization with threshold signing is the only model that delivers both autonomy and control.
Watch the regulatory layer. Catena’s bank charter filing matters because it signals that compliance frameworks for agents are coming. Building on top of compliant infrastructure now will save you pain later.

We’ve Been Building for This Moment

At AgentWallex, we’ve been building the payment gateway for AI agents since before this became a headline war.

MPC-secured wallets. Sub-150ms authorization. Native support for x402 micropayments (pay-per-API-call billing). A policy engine that enforces rules without manual approvals. Stablecoin-first, starting with USDC on Base.

We’re not competing with Visa or Mastercard. We’re building the infrastructure layer they can’t — because we started with agents, not humans.

The payment wars have begun. But the real question isn’t who wins between card networks and crypto rails. It’s whether you’re building on architecture designed for the future, or retrofitted from the past.

Sandbox live now at app.agentwallex.com. 3,600+ teams already on the waitlist.

Follow & Try AgentWallex



Source link

My Side Project Security Audit Results — I’m Embarrassed to Share



I recently did a security audit of all the side projects I’m running. FastAPI backend, Telegram bot, PWA, Streamlit app and many more. I thought, “I made it with some care, so it’ll be okay.” Wrong. We honestly share each problem we found, why we made it that way, and how we fixed it. This is not a theoretical checklist, but rather bugs that I have actually deployed to production. 1. Authentication bypass due to empty secret (Critical) My code _API_SECRET = os.environ.get(“https://dev.to/justjinoit/API_SECRET_KEY”https://dev.to/justjinoit/, ‘”https://dev.to/justjinoit/) def verify_api_key(x_api_key: str = Header(default=”https://dev.to/justjinoit/)): if _API_SECRET and x_api_key != _API_SECRET: # ← Bug here raise HTTPException(status_code=401) Enter fullscreen mode Exit fullscreen mode if _API_SECRET and … Let’s look at the conditions. If there is no API_SECRET_KEY environment variable on the server, _API_SECRET becomes an empty string — falsy — and the entire condition is skipped. All requests pass as if authenticated. Why was it designed like this? I tried to “handle it gracefully” so that the server would not crash even if environment variables were not set during local development. The problem is that the “elegant processing” made it to production, and the moment you didn’t set API_SECRET_KEY on the server, the entire API was opened. How to modify _API_SECRET = os.environ.get(“https://dev.to/justjinoit/API_SECRET_KEY”https://dev.to/justjinoit/, ‘”https://dev.to/justjinoit/) def verify_api_key(x_api_key: str = Header(default=””https://dev.to/justjinoit/)): if not _API_SECRET: raise HTTPException(status_code=500, detail=”https://dev.to/justjinoit/API_SECRET_KEY not configured”https://dev.to/justjinoit/) if not secrets.compare_digest(x_api_key, _API_SECRET): raise HTTPException(status_code=401, detail=”https://dev.to/justjinoit/Unauthorized”https://dev.to/justjinoit/) Enter fullscreen mode Exit fullscreen mode No secret = 500 error, not open access. Secrets.compare_digest() is also applied to prevent timing attacks. Lesson: Don’t make authentication conditional on whether a secret is set or not. Missing settings should be a hard failure, not an open. 2. Secret committed in the Git history (Critical) Although it is not in the current code, the API key that I committed for a “quick test” a few months ago was still in the Git history. # How to check git log –all -p | grep -E “sk-ant-api03-(A-Za-z0-9_-){20,}” git log –all -p | grep -E “AIzaSy(A-Za-z0-9){20,}” Enter fullscreen mode Exit fullscreen mode Why does this happen? To test quickly in the beginning, hardcode the key and commit. I think I “fixed it” by later moving it to .env. But git remembers every commit forever. When a repo is released or a team member joins, anyone can retrieve keys from past commits. How to fix # Remove a specific file from the entire history pip install git-filter-repo git-filter-repo –path .env –invert-paths –force git push –force-with-lease origin main Enter fullscreen mode Exit fullscreen mode And the exposed key is immediately discarded + reissued. Cleaning up the git history does not cancel exposure that has already occurred. Lesson learned: Keys that have been committed to git even once are assumed to have already been stolen and reissued. 3. Debug endpoint production deployment (High) This endpoint was deployed on the production server: @app.get(“https://dev.to/justjinoit//debug/config”https://dev.to/justjinoit/) async def debug_config(): return { “https://dev.to/justjinoit/supabase_url”https://dev.to/justjinoit/: settings.supabase_url, “https://dev.to/justjinoit/environment”https://dev.to/justjinoit/: settings.env, “https://dev.to/justjinoit/connected_services”https://dev.to/justjinoit/: (…) } Enter fullscreen mode Exit fullscreen mode Why does this happen? Debug endpoints are really convenient during development. After solving the blockage, I forget to erase it. Since there is no error, no one tells you. How to edit: Delete. If runtime debugging is necessary, place it after authentication or write logs. # Pre-deployment check grep -rn ‘@app.get.*debug\|@app.post.*debug’ app/ Enter fullscreen mode Exit fullscreen mode Lesson: Add “Check removal of debug endpoints” to the deployment checklist. Otherwise, it’s better not to make it in the first place. 4. Internal information exposed as an error message (High) # My code except Exception as e: return JSONResponse({“https://dev.to/justjinoit/error”https://dev.to/justjinoit/: str(e)}, status_code=500) Enter fullscreen mode Exit fullscreen mode If you do this, this message will be sent to the client: FATAL: password authentication failed for user “postgres” (Errno 2) No such file or directory: ‘/home/ubuntu/app/config.json’ Module ‘xyz’ version 1.2.3 has no attribute ‘connect’ An attacker can use this information to determine the infrastructure structure, libraries in use, and known vulnerabilities by version. Why was it designed like this? This is also for development convenience. It is convenient when testing because you can immediately see the cause of the error with just str(e). The problem was that there was no layer between the internal error and the HTTP response. How to fix import logging logger = logging.getLogger(__name__) except Exception as e: logger.error(f”https://dev.to/justjinoit/Error: {e}”https://dev.to/justjinoit/, exc_info=True) # Only in server log return JSONResponse({“https://dev.to/justjinoit/error”https://dev.to/justjinoit/: “https://dev.to/justjinoit/internal server error”https://dev.to/justjinoit/}, status_code=500) Enter fullscreen mode Exit fullscreen mode Gives everything to the log and nothing to the HTTP response. Lesson: Server logs are for me, HTTP error responses are for the client. These two must be completely separated. 5. XSS (High) front-end code with innerHTML without escaping: articles.forEach(article => { container.innerHTML += ` ${article.title} ${article.summary} ${article.url}”>More `; }); Enter fullscreen mode Exit fullscreen mode When the same title is entered into the DB, it is executed in all users’ browsers. Why does this happen? It is because template literals feel like string formatting. When you use ${article.title}, it doesn’t feel like you’re rendering HTML. However, the browser parses the HTML there and executes it. “https://dev.to/justjinoit/<"https://dev.to/justjinoit/) .replace(/>/g, “https://dev.to/justjinoit/>”https://dev.to/justjinoit/) .replace(/”/g, “https://dev.to/justjinoit/””https://dev.to/justjinoit/); const safeUrl = u => /^https?:\/\//.test(u || ‘”https://dev.to/justjinoit/) ? u: “https://dev.to/justjinoit/#”https://dev.to/justjinoit/; container.innerHTML += ` ${esc(article.title)} ${esc(article.summary)} ${safeUrl(article.url)}” rel=”noopener noreferrer”>More `; Enter fullscreen mode Exit fullscreen mode Lesson learned: Every time you use innerHTML, you mentally read “I’m executing arbitrary code.” Then it’s difficult to miss the escape. 6. Rate limit on AI endpoints None (High) @app.post(“https://dev.to/justjinoit//analyze”https://dev.to/justjinoit/) async def analyze(item: Item, _: None = Depends(verify_api_key)): result = await ai_client.messages.create(…) # Cost per call return result Enter fullscreen mode Exit fullscreen mode Rate limit None. If you make infinite calls, you will be charged a lot of money in an instant. @limiter.limit(“https://dev.to/justjinoit/10/minute”https://dev.to/justjinoit/) async def analyze(request: Request, item: Item, _: None = Depends(verify_api_key)): … Enter fullscreen mode Exit fullscreen mode Lesson: Authentication prevents unauthorized access. Rate limits prevent authorized but abusive access. 7. CORS is needed in production. Wildcard (Medium) app.add_middleware( CORSMiddleware, allow_origins=(“https://dev.to/justjinoit/*”https://dev.to/justjinoit/), # Allow all sources… ) Enter fullscreen mode Exit fullscreen mode Why is it dangerous even if there is an API key? CORS is a browser-level firewall. If the API key is in the front-end JavaScript, an API call using that key can be made in the user’s browser through an XSS vulnerability on another site. Possible modification: import os ALLOWED_ORIGINS = os.environ.get(“https://dev.to/justjinoit/ALLOWED_ORIGINS”https://dev.to/justjinoit/, “https://dev.to/justjinoit/*”https://dev.to/justjinoit/).split(“https://dev.to/justjinoit/,”https://dev.to/justjinoit/) app.add_middleware( CORSMiddleware, allow_origins=ALLOWED_ORIGINS, allow_methods=(“https://dev.to/justjinoit/GET”https://dev.to/justjinoit/, “https://dev.to/justjinoit/POST”https://dev.to/justjinoit/), allow_headers=(“https://dev.to/justjinoit/X-API-Key”https://dev.to/justjinoit/, “https://dev.to/justjinoit/Content-Type”https://dev.to/justjinoit/), ) Enter fullscreen mode Exit fullscreen mode # production .env ALLOWED_ORIGINS=https://myapp.vercel.app Enter fullscreen mode Exit fullscreen mode Lesson: allow_origins=(“*”) is for local development only. Never distribute. 8. Do not delete temporary files (Medium) with tempfile.NamedTemporaryFile(suffix=”https://dev.to/justjinoit/.xlsx”https://dev.to/justjinoit/, delete=False) as tmp: tmp.write(uploaded_file.read()) tmp_path = tmp.name process_file(tmp_path) # If an exception occurs here, the temporary file will remain forever Enter fullscreen mode Exit fullscreen mode An exception occurs in process_file() When exploded, temporary files are not deleted from the long-term operating server, and if the file contains user-sensitive data, it remains on the disk. How to fix tmp_path = None with tempfile.NamedTemporaryFile(suffix=”https://dev.to/justjinoit/.xlsx”https://dev.to/justjinoit/, delete=False) as tmp: tmp.write(uploaded_file.read()) tmp_path = tmp.name try: process_file(tmp_path) finally: if tmp_path and os.path.exists(tmp_path): os.unlink(tmp_path) Enter fullscreen mode Exit fullscreen mode Lesson: The code path that creates the file is also responsible for deletion. Finally is always executed even if there is an exception. After this audit, I created a checklist that is enforced on all projects: Before writing code: ( ) Create .gitignore (.env, *.key, sessions/, credentials.json) ( ) Create .env.example (template without actual values) All endpoints: ( ) Add authentication (500 error, not bypass if no secret) ( ) Error response is generic message only (str(e) prohibited) ( ) Rate limit on AI/cost-generating endpoints Frontend: ( ) Escape for all uses of innerHTML ( ) Verify that URL starts with https:// ( ) For external links rel=”noopener noreferrer” Before commit: git diff –cached | This is because it was always treated as a separate step after feature development. Add a TODO comment: “Let’s clean it up later.” Deploying “temporary” code as is. The only solution I’ve found is to insert security checks into natural timings: before commit, before deployment, and the cost of fixing the bugs themselves is tedious. If you are running a backend, we recommend checking the above pattern yourself if _SECRET and key != _SECRET Authentication bypass is much more common than you think.



Source link

How I Built a Cinematic Portfolio with React and Framer Motion



Hi, I’m Akshay Bhawar, a Full Stack Developer from Maharashtra, India.

Recently, I decided to completely redesign my portfolio. Instead of going with a traditional, minimalist layout, I wanted something bold, immersive, and interactive—something that feels like a high-tech Sci-Fi Heads-Up Display (HUD).

You can see the live result here: https://akshaybhawar03.github.io/portfolio/

In this article, I’ll explain how I used framer-motion and React to bring this cinematic experience to life, the challenges I faced, and the key tech stack behind it.

🛠️ The Tech StackTo build a smooth, high-performance UI without compromising on developer experience, I used:

React.js: For building a component-driven, scalable architecture.

Framer Motion: The powerhouse behind all the futuristic animations, staggered text reveals, and UI transitions.

Tailwind CSS / CSS Modules: For styling the glowing neon effects, grids, and cyber-punk aesthetics.

🚀 Key Features & How They Were Built

The Futuristic HUD Boot-up Sequence
First impressions matter. When a user lands on the site, they are greeted with a dynamic “system loading” animation.
Using Framer Motion’s animate and variants, I staggered the entry of various UI panels to mimic a computer system powering up.

JavaScriptconst bootVariants = {hidden: { opacity: 0, scale: 0.95 },visible: { opacity: 1, scale: 1,transition: { duration: 0.8, ease: “easeOut” }}};

Glowing Neon & Cyberpunk AestheticsA true HUD needs to look alive. I heavy relied on CSS box-shadow and drop-shadow filters combined with subtle infinite floating animations. By using Framer Motion’s animate={{ y: (0, -5, 0) }} with a loop transition, elements appear to float seamlessly in space.
Interactive Data PanelsEvery section (About, Projects, Experience) behaves like an interactive module. When you switch tabs, the data doesn’t just instantly appear; it clips, slides, and reveals itself like data stream lines on a real monitor.

🧠 Challenges I FacedPerformance Optimization: Rendering multiple heavy glowing elements and continuous animations can easily drop frame rates. I optimized this by using layoutId for smooth layout transitions and ensuring hardware acceleration was active for transforms.

Responsive Design: HUDs are notoriously difficult to make mobile-friendly because they rely on fixed panels. I had to create a completely adapted layout for smaller screens that retains the “cyber” feel without cluttering the viewport.

🎯 Conclusion & Key TakeawaysBuilding this portfolio taught me a lot about the fine line between “cool animations” and “good user experience.” Framer Motion made it incredibly easy to orchestrate complex UI timelines that would have taken hundreds of lines of pure CSS.

What do you think of this high-tech approach? Would you use a HUD-style layout for your own portfolio, or do you prefer classic minimalism?

Check out the live site here: Akshay Bhawar Portfolio

Let me know your thoughts or drop your questions in the comments below! 👇



Source link