Improve x402 Express example with security hardening and formatting fixes

docs/ai-agents/payments/accepting-payments.mdx

@@ -16,7 +16,7 @@ You can build agent services that charge other agents for access using x402. Whe
 
 With the CDP Agentic Wallet skills installed, expose a paid endpoint with a single prompt:
 
-```bash Terminal
+```bash
 npx skills add coinbase/agentic-wallet-skills
 ```
 
@@ -34,7 +34,7 @@ The `monetize-service` skill configures the x402 gating and deploys the endpoint
 
 Create a reusable x402 payment link that other agents pay before accessing your service:
 
-```bash Terminal
+```bash
 curl -X POST "https://api.wallet.paysponge.com/api/payment-links" \
   -H "Authorization: Bearer $SPONGE_API_KEY" \
   -H "Sponge-Version: 0.2.1" \
@@ -47,7 +47,7 @@ curl -X POST "https://api.wallet.paysponge.com/api/payment-links" \
 
 Share the returned payment link URL with clients. Check payment status:
 
-```bash Terminal
+```bash
 curl "https://api.wallet.paysponge.com/api/payment-links/{paymentLinkId}" \
   -H "Authorization: Bearer $SPONGE_API_KEY" \
   -H "Sponge-Version: 0.2.1"
@@ -59,33 +59,65 @@ curl "https://api.wallet.paysponge.com/api/payment-links/{paymentLinkId}" \
 
 Use the `x402-express` package to add payment gating to any Express endpoint:
 
-```bash Terminal
-npm install x402-express express
+```bash
+npm install x402-express express express-rate-limit helmet
 ```
 
-```typescript TypeScript
+```ts
 import express from "express";
+import rateLimit from "express-rate-limit";
+import helmet from "helmet";
 import { paymentMiddleware } from "x402-express";
 
 const app = express();
 
-app.use(
-  paymentMiddleware(
-    "0xYourAgentWalletAddress",
-    {
-      "/api/data": {
-        price: "$0.01",
-        network: "base-sepolia",
-      },
+app.use(express.json());
+app.use(helmet());
+
+// Normalize path to prevent bypass
+app.use((req, res, next) => {
+  try {
+    req.url = decodeURIComponent(req.url);
+
+    if (req.path.endsWith("/") && req.path.length > 1) {
+      req.url = req.url.slice(0, -1);
     }
-  )
+
+    next();
+  } catch {
+    return res.status(400).json({ error: "Invalid URL encoding" });
+  }
+});
+
+// Rate limit to prevent abuse
+app.use(
+  rateLimit({
+    windowMs: 60 * 1000,
+    max: 60,
+  })
+);
+
+// x402 payment middleware
+app.use(
+  paymentMiddleware("0xYourAgentWalletAddress", {
+    "/api/data": {
+      price: "$0.01",
+      network: "base-sepolia",
+    },
+  })
 );
 
 app.get("/api/data", (req, res) => {
-  res.json({ data: "premium content" });
+  res.json({
+    data: "premium content",
+    paid: true,
+    timestamp: Date.now(),
+  });
 });
 
-app.listen(3000);
+app.listen(3000, () => {
+  console.log("Server running on port 3000");
+});
 ```
 
 The middleware returns `402` to unpaid callers. The CDP facilitator handles verification and onchain settlement.
@@ -101,7 +133,7 @@ A facilitator is the off-chain service that verifies payment payloads and settle
 | **CDP facilitator** (default) | Production — requires CDP API key, supports Base and Solana |
 | **Public testnet facilitator** | Development — no API key, Base Sepolia only |
 
-The public testnet facilitator endpoint is `https://www.x402.org/facilitator`. Switch to the CDP facilitator for mainnet. See the [x402 client-server model](https://docs.cdp.coinbase.com/x402/docs/client-server-model) for full endpoint details.
+The public testnet facilitator endpoint is `https://www.x402.org/facilitator`. Switch to the CDP facilitator for mainnet. See the x402 client-server model docs for full endpoint details.
 
 ## Pricing and payment terms
 
@@ -112,9 +144,9 @@ The public testnet facilitator endpoint is `https://www.x402.org/facilitator`. S
 
 ## Make your endpoint discoverable
 
-Host a `SKILL.md` file at `/.well-known/SKILL.md` describing your endpoint's inputs, outputs, pricing, and authentication requirements. Agents discover your service by checking this path.
+Host a `SKILL.md` file at `/.well-known/SKILL.md` describing your endpoint's inputs, outputs, pricing, and authentication requirements.
 
-```markdown SKILL.md template
+```md
 # Your Agent Service
 
 ## Description
@@ -123,24 +155,17 @@ What your service does, in plain language.
 ## Endpoints
 
 ### GET /api/data
-- **Description:** Returns premium market data
-- **Payment:** $0.01 per request via x402 (Base, USDC)
-- **Output:** JSON with current prices and volume
+- Description: Returns premium market data
+- Payment: $0.01 per request via x402 (Base, USDC)
+- Output: JSON with current prices and volume
 
 ## Authentication
 x402 payment required. No API key needed.
 ```
 
-Register your service in the ERC-8004 registry so agents can discover it by category — see [agent registration](/ai-agents/setup/agent-registration).
+Register your service in the ERC-8004 registry so agents can discover it by category.
 
 ## Related
 
-<CardGroup cols={2}>
-  <Card title="x402 protocol" icon="bolt" href="/ai-agents/payments/pay-for-services-with-x402">
-    How x402 works from the client side.
-  </Card>
-
-  <Card title="x402 client-server model" icon="file-contract" href="https://docs.cdp.coinbase.com/x402/docs/client-server-model">
-    Facilitator endpoints and protocol addresses.
-  </Card>
-</CardGroup>
+- x402 protocol — how it works from the client side  
+- x402 client-server model — facilitator endpoints and protocol addresses