Honest writing directly from our engineering team.
We don’t do content marketing. When we publish, it’s because we built something interesting or shipped something worth understanding. Every post cross-posts to the changelog RSS.
~95 commits in two days: treasury-loss races, silent auth bypasses, circuit breaker defeats, and 550 new tests. A walkthrough of the worst bugs, the three recurring patterns behind them, and what the audit did not cover.
Raw API keys aren't insecure — they're insecure when the operator is going to paste them into an LLM chat. Why Cards402 onboards agents with single-use claim codes, the threat model, and the exchange flow that avoids every credential-in-prompt failure we could think of.
Why Cards402 agents pay the receiver contract directly on Stellar, and how the backend watches on-chain events instead of touching customer funds. The trade-offs we accepted and the ones we refused.
Every millisecond of the 33-second path from agent.purchaseCard() to PAN-in-hand. Payment confirmation, Stage 1 scrape, Stage 2 fulfilment, the SSE stream, and the failure modes we found along the way.
Server-Sent Events are almost always the right primitive for long-lived order tracking with autonomous agents. Latency, reconnects, fallbacks, and the operational details that matter when your clients are long-lived processes instead of browsers.
Want to write for us?
Technical guest posts welcome.
If you've built something interesting on top of Cards402 and want to write about it, we'll happily host it on the blog with full byline and a link to your work. Email press@cards402.com with a rough outline or a draft.