Skip to main content

Install

pip install foldset-flask

Setup

1

Get your API key

Copy your API key from the Foldset dashboard.
2

Set the environment variable

The SDK reads your API key from the FOLDSET_API_KEY environment variable.Local development: add it to a .env file and load it with python-dotenv or your preferred env loader. Make sure .env is in your .gitignore:
FOLDSET_API_KEY=sk_live_...
Production: set it in your hosting provider’s environment variable settings (e.g. Railway, Render, AWS). Never commit API keys to your repository.
3

Add the middleware

import os
from flask import Flask
from foldset_flask import foldset, FoldsetOptions

app = Flask(__name__)

# Add Foldset middleware
foldset(FoldsetOptions(api_key=os.environ.get("FOLDSET_API_KEY", ""))).init_app(app)

# Your routes
@app.route("/api/data")
def get_data():
    return {"message": "This content is protected"}
The middleware must be initialized before your first request is served. It will intercept requests that match your configured rules.
4

Configure routes

Head to the rules page to choose which paths to protect and set prices.

How it works

The Foldset middleware runs on every incoming request:
  1. Checks the request path against your configured rules
  2. If no payment is required, your route handler runs normally
  3. If payment is required and no valid x402 payment header is present, returns a 402 Payment Required response with payment instructions
  4. If a valid payment is attached, your route handler runs and settlement completes after the response is sent

MCP server protection

If your Flask app hosts an MCP server (Streamable HTTP), Foldset can gate individual tool calls and resource reads. Configure MCP rules in the dashboard by specifying the endpoint path, method, and tool or resource name. Discovery methods like tools/list pass through for free with payment metadata attached.

Update your robots.txt

Once Foldset is active, you want AI agents visiting your site so they can pay for access. If your robots.txt blocks AI crawlers, remove those rules. Foldset handles gating at the payment layer. 
# Remove rules like these:
User-agent: GPTBot
Disallow: /

User-agent: ClaudeBot
Disallow: /