Skip to main content

Install

npm install @foldset/express

Setup

1

Get your API key

Copy your API key from the Foldset dashboard.
2

Set the environment variable

The SDK reads your API key from the FOLDSET_API_KEY environment variable.Local development: add it to a .env file and load it with dotenv (or your preferred env loader). Make sure .env is in your .gitignore:
FOLDSET_API_KEY=sk_live_...
Production: set it in your hosting provider’s environment variable settings (e.g. Railway, Render, AWS). Never commit API keys to your repository.
3

Add the middleware

import express from "express";
import { foldset } from "@foldset/express";

const app = express();

// Add Foldset middleware before your routes
app.use(foldset({
  apiKey: process.env.FOLDSET_API_KEY!,
}));

// Your routes
app.get("/api/data", (req, res) => {
  res.json({ message: "This content is protected" });
});

app.listen(3000);
The middleware must be added before your route handlers. It will intercept requests that match your configured rules.
4

Configure routes

Head to the rules page to choose which paths to protect and set prices.

How it works

The Foldset middleware runs on every incoming request:
  1. Checks the request path against your configured rules
  2. If no payment is required, calls next() and your route handler runs normally
  3. If payment is required and no valid x402 payment header is present, returns a 402 Payment Required response with payment instructions
  4. If a valid payment is attached, calls next() and settles the payment after your route handler responds

MCP server protection

If your Express app hosts an MCP server (Streamable HTTP), Foldset can gate individual tool calls and resource reads. Configure MCP rules in the dashboard by specifying the endpoint path, method, and tool or resource name. Discovery methods like tools/list pass through for free with payment metadata attached.

Update your robots.txt

Once Foldset is active, you want AI agents visiting your site so they can pay for access. If your robots.txt blocks AI crawlers, remove those rules. Foldset handles gating at the payment layer. 
# Remove rules like these:
User-agent: GPTBot
Disallow: /

User-agent: ClaudeBot
Disallow: /