v1.1

BMAXI Network Documentation

Everything you need to integrate trust audits, on-chain ERC-8004 certificates, and machine-to-machine payments into your AI agents, dApps, and backends.

What is BMAXI Network?

BMAXI Network is the first autonomous trust and payment rail designed for the machine economy. It provides a single API that lets any AI agent, DAO, or DeFi protocol audit any Ethereum address, contract, or API endpoint, then issue an on-chain trust certificate following the ERC-8004 standard on Base L2.

Think of it as a credit bureau for AI agents: your bot calls our API, gets a trust score between 0 and 100, and optionally pays ($0.99) to anchor that score on-chain — verifiable by anyone, forever.

Payments are fully machine-native via the x402 protocol: Lightning Network (instant, ~$0.001 fees) or USDC on Base L2 (on-chain settlement). No accounts, no dashboards, no humans in the loop.

Why Choose BMAXI?

Feature	BMAXI	Traditional Approach
Trust Assessment	On-chain score (0-100) with breakdown	Manual audit / static checklists
Certificate Storage	ERC-8004 on Base L2 — verifiable by anyone	PDF reports, no on-chain proof
Payment	x402 (Lightning + USDC) — fully automated	Invoices, bank transfers, weeks of delay
Integration	3 HTTP calls, no SDK required	Custom integrations per vendor
Compliance	IEEE CertifAIEd + ISO 42001 + EU AI Act + GDPR	Fragmented, manual tracking
Transparency	SHA-256 hash-chained immutable log	Opaque databases
Speed	< 2s audit, < 10s on-chain certificate	Days to weeks

Key Features

🔍

Trust Audits

Real-time on-chain analysis: balance, tx count, contract size, security headers. Score 0-100 with breakdown.

📜

ERC-8004 Certificates

On-chain trust certificates on Base L2. 1-day validity, renewable, revocable. Verifiable by any smart contract.

⚡

Lightning Payments

Sub-second payments via Lightning Network. LNbits integration. Machine-to-machine settlement.

💎

USDC on Base

Stablecoin payments on Base L2. On-chain verification of USDC transfers to the oracle address.

🛡️

Compliance Oracle

7-check compliance engine: IEEE CertifAIEd, ISO 42001, EU AI Act, GDPR Art. 15, PII detection.

📊

Batch Audits

Audit up to 10 addresses in parallel. Discounted pricing for bulk operations.

🔗

Transparency Log

SHA-256 hash-chained append-only log. Every audit, certificate, and action is recorded immutably.

🤖

Agent Discovery

Schema.org-compatible manifest at /v1/discover. MCP tools for OpenAI, Anthropic, Google agents.

Architecture

BMAXI is a modular Node.js gateway that loads independent engines at startup. If a module is missing, the gateway still runs with stub fallbacks — zero downtime, progressive enhancement.

architecture.txt

┌──────────────────────────────────────────────────┐
│  EXTERNAL AGENT (OpenAI, Anthropic, DAO, DeFi…)  │
└─────────────────────┬────────────────────────────┘
                      │ HTTPS
                      ▼
┌──────────────────────────────────────────────────┐
│  API GATEWAY (api.bmaxi.network)                 │
│                                                  │
│  /v1/audit      — Free off-chain trust audit     │
│  /v1/certify    — Paid on-chain ERC-8004 (x402)  │
│  /v1/verify/:a  — Read certificate (free)        │
│  /v1/batch      — Batch audit (up to 10)         │
│  /v1/pay/*      — Lightning / USDC rails         │
│  /health        — Health + dependency status      │
│  /metrics       — Prometheus metrics             │
│  /docs          — OpenAPI spec                   │
│                                                  │
│  Middleware: CORS → RateLimit → Auth → x402      │
│  Resilience: Circuit Breaker → Retry → Cache     │
└──────────┬───────────────────┬───────────────────┘
           │                   │
   ┌───────▼──────┐    ┌──────▼────────┐
   │ Base L2 RPC  │    │ LNbits / USDC │
   │ (eth_*)      │    │ (Lightning)   │
   └──────────────┘    └───────────────┘

Getting Started

BMAXI works with any language that can make HTTP calls. No SDK, no library, no dependencies. Here's a quick start in 60 seconds:

1. Run a free audit

curl

curl -X POST https://api.bmaxi.network/v1/audit \
  -H "Content-Type: application/json" \
  -d '{"target": "0xcBD912Aa1a6F198E2fF002360A7A33be8A429BaE"}'

Returns a trust score (0-100), risk level, flags, and a detailed breakdown — all from live on-chain data. No API key needed.

2. Get an on-chain certificate (x402)

step-1-request-invoice.sh

# Step 1: Call certify WITHOUT payment → get 402 + invoice
curl -X POST https://api.bmaxi.network/v1/certify \
  -H "Content-Type: application/json" \
  -H "X-API-Key: your_api_key" \
  -d '{"target": "0xYourAddress"}'
# → 402 Payment Required
# → X-Payment-Invoice: lnbc25000n1p...
# → Body contains Lightning invoice + USDC address

step-2-pay-and-certify.sh

# Step 2: Pay the Lightning invoice or send USDC, then:
curl -X POST https://api.bmaxi.network/v1/certify \
  -H "Content-Type: application/json" \
  -H "X-API-Key: your_api_key" \
  -H "X-Payment-Proof: <payment_hash_or_tx_hash>" \
  -d '{"target": "0xYourAddress"}'
# → 200 OK + audit result + on-chain certificate

3. Verify a certificate

curl

curl https://api.bmaxi.network/v1/verify/0xYourAddress

Authentication

BMAXI uses API key authentication. Pass your key via the X-API-Key header or as a Bearer token in the Authorization header.

Tier	Rate Limit	Access
Anonymous (no key)	5 req/min per IP	Audit, verify, batch, discover
Free	10 req/min	All public endpoints
Paid	100 req/min	All endpoints including certify
Admin	100 req/min	All endpoints + stats, monitoring, GDPR

Free audits (/v1/audit, /v1/verify, /v1/batch) work without any API key. Only /v1/certify requires authentication + payment.

API Reference

Base URL: https://api.bmaxi.network. All endpoints accept and return JSON. The full OpenAPI 3.1 spec is available at /docs or /openapi.yaml.

Test the API: Import the spec in Postman or Insomnia — OpenAPI spec (openapi.yaml). You can also try the Verify demo on the homepage or the dedicated verify page (/verify?address=0x...) so interlocutors see cert status in one click.

POST/v1/auditOff-chain trust auditFREE

POST/v1/certifyOn-chain ERC-8004 certificate (x402)$0.99

GET/v1/verify/:addressCheck existing certificateFREE

POST/v1/batchBatch audit up to 10 targetsFREE

POST/v1/pay/invoiceGet Lightning invoiceFREE

POST/v1/pay/stablecoinGet USDC payment infoFREE

GET/v1/discoverAgent discovery manifestFREE

GET/healthHealth check with dependenciesFREE

GET/metricsPrometheus metricsFREE

GET /v1/verify/:address

Returns whether the given address has a valid BMAXI ERC-8004 certificate. Response: has_certificate: true|false, certificate (when present), blockchain (chain info). When certified, the API also sends headers so clients can show the proof without parsing JSON: X-BMAXI-Certified: true, X-BMAXI-Verify-URL (human-facing page), Link: <url>; rel="certificate". Share the verify URL with interlocutors: bmaxi.network/verify?address=0x....

POST /v1/audit

Performs a real-time trust audit of an Ethereum address, smart contract, or API endpoint. Uses live on-chain data from Base L2 RPC.

request.json

{
  "target": "0xcBD912Aa1a6F198E2fF002360A7A33be8A429BaE",
  "type": "auto"    // "auto" | "address" | "api" | "contract"
}

response.json

{
  "target": "0xcbd912aa1a6f198e2ff002360a7a33be8a429bae",
  "type": "eoa",
  "trust_score": 73,
  "risk_level": "low",
  "flags": ["generally_safe", "active_eoa", "base_l2_native"],
  "breakdown": {
    "activity": 15,
    "balance": 15,
    "contract": 10,
    "longevity": 8,
    "network": 15
  },
  "details": {
    "mode": "live",
    "chain": "Base L2",
    "chain_id": 8453,
    "balance_eth": 0.042,
    "tx_count": 28,
    "is_contract": false
  },
  "timestamp": "2026-03-05T12:00:00.000Z",
  "audit_id": "aud_a1b2c3d4e5f6g7h8"
}

POST /v1/certify

Issues an on-chain ERC-8004 trust certificate. Requires API key and payment (x402 protocol). See the x402 Payment Flow section for details.

Response Headers

Header	Description
X-Request-Id	Unique request ID for tracing and support
X-API-Version	API version (currently "1")
X-BMAXI-Certified	On GET /v1/verify: "true" or "false" — no need to parse JSON to know cert status
X-BMAXI-Verify-URL	On GET /v1/verify: human-facing proof URL (bmaxi.network/verify?address=...)
Link	On GET /v1/verify when certified: rel="certificate" link to the verify page
X-Cache	HIT or MISS — audit cache status
X-Rate-Limit-Remaining	Requests remaining in current window
X-Rate-Limit-Limit	Total requests allowed per window

Trust Scoring

The trust score is a composite metric (0-100) computed from live on-chain data. Higher is better. The score is broken down into 5 components:

Component	Max Points	What It Measures
Activity	25	Transaction count: 100+ tx = 25pts, 50+ = 20pts, 10+ = 15pts
Balance	20	ETH balance: 1+ ETH = 20pts, 0.1+ = 15pts, 0.01+ = 10pts
Contract	25	Code size analysis: 5KB+ = 25pts, or EOA bonus (10pts)
Longevity	15	Account age proxy: 500+ tx = 15pts, 100+ = 12pts
Network	15	Base L2 native activity bonus

For API endpoints, the scoring uses different criteria: SSL (20pts), response status (20pts), latency (15pts), security headers (15pts), and a base score (30pts).

Risk Level	Score Range	Meaning
Low	70-100	Generally safe, established activity
Medium	40-69	Needs review, limited history
High	0-39	High risk, new or suspicious patterns
Critical	0	Unreachable, blocked, or failed

x402 Payment Flow

BMAXI uses the x402 protocol for machine-native payments. The flow is simple and fully automated:

Request without payment

POST /v1/certify with your target but no X-Payment-Proof header.

→ 402 Payment Required + invoice in headers and body

Pay the invoice

Pay the Lightning invoice (bolt11) OR send USDC to the provided Base L2 address.

→ You get a payment_hash (Lightning) or tx_hash (USDC)

Submit proof

POST /v1/certify again with X-Payment-Proof: <hash>.

→ 200 OK + full audit + on-chain ERC-8004 certificate

Pricing: 25,000 sats (Lightning) or $0.99 USDC (Base L2) per certificate. Use X-Idempotency-Key to prevent double charges — same key within 24h returns the cached result.

ERC-8004 Certificates

ERC-8004 is the trust certificate standard used by BMAXI. Each certificate is stored on-chain on Base L2 and contains:

Field	Type	Description
score	uint256	Trust score (0-100)
issuedAt	uint256	Block timestamp of issuance
expiresAt	uint256	Expiry timestamp (issued + 1 day)
metadata	string	Audit details (JSON-encoded)
valid	bool	Current validity status

Certificates are issued by the oracle address (authorized signer), valid for 1 day, and can be renewed or revoked. Any smart contract can call checkCertificate(address) to verify trust on-chain.

Contract address on Base: 0x4E8129Cb67Fb4765Ba5fDf5138de7C6D3684E7Ee

Compliance & Standards

BMAXI's compliance engine runs 7 automated checks aligned with major AI governance frameworks:

Framework	Coverage	Description
IEEE CertifAIEd	Trust, transparency, bias	AI certification standard for trustworthy systems
ISO/IEC 42001:2023	AI management system	International standard for AI governance
EU AI Act	Risk classification	European regulation for AI systems
GDPR Art. 15	Data access rights	Right to access personal data — on-demand reports
PII Detection	Data protection	Automatic detection of personally identifiable information
SHA-256 Log	Transparency	Hash-chained append-only audit trail
AI Disclosure	Transparency	Mandatory disclosure that communications are AI-generated

Every action (audit, certificate, payment) is logged in an immutable SHA-256 hash-chained transparency log. GDPR Art. 15 reports are available on demand via GET /api/gdpr/:identifier.

Audit Scope & Limitations

The automated audit is a technical compliance filter. It checks headers, opt-out, robots.txt, wallet reputation, content patterns, and configuration. It is effective at detecting obvious spam, misconfigured agents, and non-compliant behavior (e.g. emails without unsubscribe, aggressive scraping).

It does not judge intent or semantic truth. The following are out of scope for the current auto audit:

An agent that lies in its content or makes fraudulent promises
A trading bot that manipulates a market
An agent that changes behavior after certification
Ambiguous cases (e.g. scraping for research vs. attack, bulk email as newsletter vs. spam)

For those cases, a human or community arbitration layer is required. BMAXI is building toward that (Layer 3 — planned). Today we deliver Layer 1 (automated audit + short-lived certificate) and Layer 2 (reputation via wallet + revocation).

Self-Hosting

BMAXI is open-source and fully self-hostable. Two options:

Option A — Local development

terminal

git clone https://github.com/Bmaxioracle/Bmaxi.git
cd Bmaxi
npm install
npm run gateway    # Terminal 1 → API on http://localhost:8402
npm run dev        # Terminal 2 → Frontend on http://localhost:3000

Option B — Docker (production)

terminal

cp .env.example .env
# Edit .env with your keys (BASE_RPC_URL, BAYMAX_API_KEYS, etc.)
docker compose up -d
# Gateway: http://localhost:8402
# Frontend: http://localhost:3000
# Redis: localhost:6379

Environment Variables

Variable	Required	Description
BAYMAX_API_KEYS	Yes	API keys in format key:tier,key:tier
BASE_RPC_URL	No	Base L2 RPC (default: mainnet.base.org)
BAYMAX_CONTRACT	No	ERC-8004 contract address on Base
LNBITS_URL	No	LNbits instance URL for Lightning
LNBITS_API_KEY	No	LNbits API key
PAYMENT_ADDRESS	No	USDC receiving address on Base
REDIS_URL	No	Redis URL for shared rate limiting
ADMIN_TOKEN	No	Admin access token
STORE_BACKEND	No	json (default) or sqlite

SDKs & Integrations

BMAXI is a REST API — any language with HTTP support works. Here are integration examples:

JavaScript / Node.js

audit.js

const res = await fetch("https://api.bmaxi.network/v1/audit", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ target: "0xYourAddress" }),
});
const { trust_score, risk_level, flags } = await res.json();

Python

audit.py

import requests

r = requests.post("https://api.bmaxi.network/v1/audit", json={
    "target": "0xYourAddress"
})
data = r.json()
print(f"Score: {data['trust_score']}, Risk: {data['risk_level']}")

cURL

terminal

curl -s https://api.bmaxi.network/v1/audit \
  -H "Content-Type: application/json" \
  -d '{"target":"0xYourAddress"}' | jq .trust_score

MCP / Agent Integration

BMAXI exposes a Schema.org-compatible discovery manifest at /v1/discover and /.well-known/agent.json. MCP tools are declared for direct agent integration:

Tool	Description
baymax_audit	Audit any Ethereum address, contract, or API
baymax_certify	Issue on-chain ERC-8004 trust certificate
baymax_verify	Check if address has valid certificate

FAQ

Do I need an API key for free audits?

No. GET /v1/verify, POST /v1/audit, and POST /v1/batch work without any API key. You get 5 requests/min per IP.

How long is a certificate valid?

24 hours (1 day) from issuance. This is intentional: it keeps trust scores current and limits exposure if an agent’s behavior or risk profile changes. You can renew before expiry by calling /v1/certify again with a new payment.

Can I verify a certificate from my own smart contract?

Yes. Call checkCertificate(address) on the BMAXI contract (0x4E81...E7Ee) from your Solidity code. Returns (score, issuedAt, expiresAt, metadata, valid).

What chains are supported?

Base L2 (chain ID 8453) for production. Ethereum Sepolia for testing. More chains planned.

Is there a testnet?

Yes. Set CHAIN_ID=11155111 and BASE_RPC_URL to a Sepolia RPC to run in testnet mode.

Can I self-host the entire stack?

Yes. Clone the repo, configure .env, and run with Node.js or Docker. The gateway works standalone even without Redis or LNbits.

What happens if the RPC is down?

The circuit breaker activates after 5 failures and returns immediate errors for 30 seconds, then retries. Audits degrade gracefully.

Need help? Contact agent@bmaxi.network

Home GitHub BaseScan