The NordBastion polar-bear mascot supervises a multi-pane orchestration UI where autonomous AI agents provision servers and process crypto payments, inside an aurora-lit Nordic stone console room.
Agent integration · MCP · REST v1 · OAuth · x402

Built for AI agents.
From day one.

A native MCP server, a full REST API, OAuth 2.1 with dynamic client registration, and pay-per-call x402 settlement. No KYC. Crypto-billed. Four Nordic jurisdictions.

Read the OpenAPI Install MCP server
MCP-native
Streamable HTTP server, server-card discovery, scoped tools.
REST v1 · 50+ endpoints
Provision, snapshot, top-up, peer — every panel action in code.
x402 + crypto
Pay-per-call on-chain, or top up once in BTC, XMR, USDC.
Web Bot Auth
Signed bots from Cloudflare, Google, OpenAI, Anthropic, AWS — verified, 5× rate.
快速入门

Onboard your agent in 30 seconds.

Pick the surface that matches your client. Same identity floor across the three: email and password, no humans in the loop.

Paste the server-card URL into Claude Desktop, Claude Code, Cursor or any MCP-aware client. The host discovers the tool list and the OAuth dance starts automatically. 

https://nordbastion.com/.well-known/mcp/server-card.json

Or with Claude Code from the CLI: 

claude mcp add nordbastion https://nordbastion.com/mcp

All three pay the same price. All three honour the same kill-switch. All three are KYC-free.

Machine surfaces

Six discovery endpoints, all under /.well-known/.

Every surface is content-typed, CORS-open, and described by a standard. Plug in once, follow the cross-links, find everything else.

REST API v1

50+ JSON endpoints — auth, billing, servers, snapshots, networking, transparency.

https://nordbastion.com/v1/ Open the API page
OpenAPI 3.1

Machine-readable spec for every endpoint — feed it to your codegen of choice.

/.well-known/openapi.json Fetch the spec
MCP server-card

SEP-1649 discovery document — paste into any MCP host, tools auto-register.

/.well-known/mcp/server-card.json View the card
A2A agent.json

Linux Foundation A2A agent card — capabilities, auth schemes, contact endpoint.

/.well-known/agent.json View the agent card
OAuth 2.1 + DCR

RFC 8414 metadata + RFC 7591 dynamic client registration. Agents self-onboard without paperwork.

/.well-known/oauth-authorization-server OAuth metadata
llms-agents.txt

Extended llms.txt — pointers to every machine surface, written for LLM ingestion.

/.well-known/llms-agents.txt Read the map
Payment for agents

Top up a balance, or pay per call.

Same prices on both rails. Choose the one that matches how your agent thinks about money.

Classic · prepaid balance

One top-up, many calls.

Your agent calls POST /v1/billing/topups once, sends crypto to the returned address, and every subsequent API call settles against the prepaid balance. Best for long-running agents that make many small calls.

Minimum $30 USD per top-up, maximum $10,000 USD — enforced server-side. Lower values return HTTP 422 amount_too_low. 

POST /v1/billing/topups
{
  "amount_usd": 50,
  "coin": "XMR"
}

→ 201 Created
{
  "address":  "8B5x…",
  "qr":       "data:image/png;base64,…",
  "expires_at": "2026-05-16T15:00:00Z"
}
x402 · pay per call

HTTP 402, finally used.

Protected endpoints answer 402 Payment Required with a quote. Your agent pays the on-chain quote and replays the request with the receipt header. Best for transient agents with no long-lived account. 

POST /v1/servers
→ 402 Payment Required
X-Payment-Quote: nb_q_3f9c2a…
{
  "amount_usd":   23.90,
  "accepts":      ["XMR","BTC","USDC"],
  "settle_url":   "https://…",
  "expires_in":   600
}

POST /v1/servers
X-Payment-Receipt: nb_r_8b71…
→ 202 Accepted
Twelve coins, both rails
  • BTC Bitcoin
  • ETH Ethereum
  • USDT Tether
  • USDC USD Coin
  • XMR Monero
  • LTC Litecoin
  • XRP XRP
  • TRX TRON
  • TON Toncoin
  • SOL Solana
  • BCH Bitcoin Cash
  • DOGE Dogecoin

Live list at /v1/billing/coins

Trust & identity

Signed bots get more headroom. Every agent gets a clean audit trail.

Web Bot Auth

Verified bots, 5× the rate

Bots that present a valid HTTP Message Signature from a Cloudflare / Google / AWS / OpenAI / Anthropic crawler-pool key are recognised and granted a 5× rate-limit multiplier. The verification is in front of every endpoint, including unauthenticated catalogue calls.

Signature-Agent: "https://crawl.anthropic.com"
Scoped API keys

Tight blast radius

Issue keys with scopes (read-only, billing, servers, full), optional IP allowlist, optional expiry. Agents get the smallest key they need. Revocation is immediate.

scope: servers · billing-read
速率限制

Published, per-key

Baseline
120 / min · 3000 / h
Verified bot
600 / min · 15 000 / h
429 重试
Retry-After
Audit log

Off by default · opt-in by call

NordBastion stores the minimum needed to run the rate-limiter. Customers who want a full audit trail of agent actions can flip it on at /v1/account/audit-log and download it any time.

GET /v1/account/audit-log?from=2026-05-01
Public agent directory

Agents that run on NordBastion.

Builders who shipped something interesting on top of the API. Publish yours with POST /v1/agents/directory.

Empty for now

Be the first agent in the directory.

No vetting fee, no exclusivity clause — a NordBastion human just confirms the agent does what its description says. Send a POST and we will review within a few days.

POST /v1/agents/directory
FAQ · agents

Questions an agent would ask before buying a server.

Same answers whether the requester is a human, a script, or a foundation-model agent.

Can my agent open an account on its own?

Yes. POST /v1/auth/register accepts an email and a password and returns an account, no human review and no identity check. The same floor applies whether the requester is a human or an agent.

How does my agent pay?

Two paths. The classic flow: top up the account balance once in cryptocurrency, then every API call settles against the prepaid balance. The agent-native flow: per-call x402 — protected endpoints answer 402 Payment Required with a quote, your agent pays the on-chain quote and replays with the receipt header. Both pay the same prices.

What about KYC?

No KYC, even for agents. Email plus password is the entire identity floor. The doctrine page explains why.

Which AI clients support this?

Claude (Desktop, Code), Cursor, OpenClaw, and any custom client speaking MCP, A2A or plain REST. Paste the MCP server-card URL into the host and the tools register automatically.

What are the rate limits?

120 requests per minute and 3000 per hour by default, per API key. Verified bots from Cloudflare, Google, AWS, OpenAI and Anthropic — signed with Web Bot Auth — get five times that.

Is the kill-switch a thing agents need to handle?

Yes, and it is transparent. If payments are paused, write endpoints return 503 with kill_switch_blocked: true and a structured tooltip code, so your agent can defer the action without guessing at the cause.

Can I publish my agent in the public directory?

Yes. POST /v1/agents/directory from an authenticated session. A NordBastion human verifies the entry within a few days before it goes live on this page.

Where is the underlying doctrine?

The /doctrine/ page explains the privacy contract — what is collected, what is not, what is logged and for how long. The same contract binds agent traffic and human traffic.

Start integrating

Read the spec. Wire the agent. Boot a Nordic server.

Email and password is the entire identity floor. Pay in crypto. Ninety seconds to a booted Stockholm, Helsinki, Oslo or Reykjavík machine — same flow for humans and agents.

Read the OpenAPI MCP server-card 准则
MCP base · https://nordbastion.com/mcp · API base · https://nordbastion.com/v1/ · 客服支持 · open a panel ticket