WPRC 2026#037

x402

WPRC-037· KL· 2025. 09. 13· INFRASTRUCTURE

x402

x402 is an open HTTP 402-based payment protocol that enables AI agents and web services to autonomously pay for API access, data, and digital services.

Contributors

Wei Hup·Jun Heng·Junaid

Summary

The WhitePaper Reading Club [05]	[13-September-2025]
x402	[Wei Hup, Jun Heng, Junaid]
https://www.x402.org/x402-whitepaper.pdf

Summary

x402 is an open HTTP 402-based payment protocol that enables AI agents and web services to autonomously pay for API access, data, and digital services.

Why This Is Important

Legacy payment systems are primarily designed for human interactions, not machine-to-machine. x402 makes it economically and operationally possible for AI agents and modern apps to pay for data, API, and compute access on demand.

x402 enables:

Removing the need for subscriptions and paying an up-front lump sum
Instant low-fee micropayments at request-level granularity
Eliminating chargebacks and fraud risks
Allowing machines to transact autonomously

Key Innovation

x402 reimagines the unused HTTP 402 status code by embedding payment instructions directly into normal web traffic, creating a standardized and unified Internet payment layer where servers request payment and clients respond seamlessly. It enables true pay-per-use micropayments — charging exactly per API call, data access, or AI inference without the need for accounts, subscriptions, or prepaid credits — using stablecoins like USDC for instant, sub-second, and low-cost settlement on Base L2. By supporting any ERC-20 token that implements EIP-3009, it provides gas abstraction, one-step payments, and universal facilitator support. x402 makes integration developer-friendly with a single line of middleware code: paymentMiddleware("0xYourAddress", {"/your-endpoint": "$0.01"});. All payments are signed with EIP-712, ensuring wallet transparency where users see the domain, amount, token, and resources purchased in their standard crypto wallet UI.

Team

Erik Reppel – Head of Engineering @ coinbasedev
Ronnie Caspers – Product @ Coinbase
Kevin Leffew – GTM Lead @ coinbasedev
Danny Organ – Product Marketing @ Coinbase
Dan Kim – VP @ Coinbase
Nemil Dalal – Ex-Senior Director of Product @ Coinbase

Opinion from WPRC KL

Aligns well with the trend of microservices and autonomous agents.
Low latency and low fees which are impossible to find on credit cards or other expensive chains.
Simplified API monetization.
However, it assumes clients hold crypto/stablecoins, which limits the breadth of adoption.

Questions

How will refund or dispute scenarios be handled when payments are irreversible on-chain?
Does removing chargebacks expose users to risk?
Will mainstream API providers (OpenAI, Google Cloud) support x402, or prefer existing payment systems? What incentives would get them onboard?

Components

x402 pay-per-use flow — an AI agent signs and pays across client, API server, and blockchain

Payment Flow	1. Clients send requests to access premium resources. 2. The server checks whether the payment is done and valid. If yes, the server returns the requested data/content. If not, the server returns HTTP 402 Payment Required and the client makes payment. The payment is settled on-chain (Base or other chains). After payment is done, clients can access the premium resources.
Client	i) Send an HTTP request to the server. ii) Read the 402 Payment Required response and extract payment details. iii) Use the provided payment requirements to construct a valid payment payload. iv) Retry the request with the valid payment payload.
Server	i) Respond to unauthenticated requests with an HTTP 402 and payment requirements. ii) Validate incoming payment payloads. iii) Upon successful verification, submit the payment for settlement on-chain. iv) Return the requested resource to the client.
Facilitator	i) Confirm that the payment payload meets the payment requirement. ii) Submit validated payments to the blockchain. iii) Return verification and settlement results to the server.

HTTP 402 Payment Signaling

Problem	Payments for APIs/content are bolted on (API keys, subscriptions), not standardized at the HTTP layer; machines can't seamlessly discover/pay per request.
Solution	Use the reserved HTTP 402 "Payment Required" status to signal price/payment details in a structured JSON response.
How it works	Server middleware intercepts unpaid requests and returns a 402 Payment Required error code with fields like maxAmountRequired, asset, payTo, network, nonce, expiresAt; clients read it, pay/sign, then retry the request.

Payment requirements fields returned in the 402 response

EIP-712 Signature

Problem	Need a secure, user/agent-readable way to authorize payments per request and prevent replay across endpoints.
Solution	Use EIP-712 typed-data signatures over the payment request + actual amount + timestamp.
How it works	User signs the structured data; server verifies signature, fields, amount ≤ maxAmountRequired, nonce/expiry validity, then proceeds to settle and serve the resource.

Transaction Settlement

Problem	Micropayments require low fees and fast finality; different volumes/latency targets need different settlement choices.
Solution	Offers multiple settlement methods: 1. On-chain settlement (L1/L2, Layer 2 for lower fees); 2. Payment channels for high-frequency micropayments between trusted parties; 3. Batched settlements combining multiple micropayments into a single transaction.
How it works	User signs the structured data; server verifies signature, fields, amount ≤ maxAmountRequired, nonce/expiry validity, then proceeds to settle and serve the resource.

Server Middleware & Client-side Implementation

Problem	Providers need a simple way to add per-request payments without rebuilding their stack. Implementing the 402-pay-retry loop is boilerplate and error-prone for agents/apps.
Solution	Drop-in middleware (e.g., @x402/express-middleware) that emits 402s, verifies payments, and gates handlers. A client SDK handles fetch → 402 parse → wallet sign → settle → retry automatically.
How it works	Express server middleware and client-side implementation (below).

Express server middleware implementation

Client-side implementation with the x402 client SDK

Potential Use Cases

Agents accessing APIs for on-demand requests
Pay-per-use AI model inference monetization
Agents paying for cloud compute & storage
Context retrieval for agents
Micropayments for human access to content

References

[1] https://www.x402.org/x402-whitepaper.pdf

[2] https://x402.gitbook.io/x402

[3] https://eips.ethereum.org/EIPS/eip-712

Cheat Sheet — x402

Overview: x402 is an open payment protocol created by Coinbase that brings real-time, pay-per-use payments to the web by using the long-reserved HTTP 402 "Payment Required" status code. Instead of relying on accounts, credit cards, API keys, or subscriptions, it allows AI agents and applications to pay autonomously whenever they request a service, API call, or digital content. When a request is made without payment, the server responds with a 402 message containing structured payment details such as price, pay-to address, token type, and expiry. The agent then signs a transaction (typically using stablecoins like USDC and the EIP-712 standard), broadcasts or authorizes the payment, and retries the request with proof of payment attached. The server verifies settlement and validity before granting access. Because x402 is chain- and token-agnostic, it provides a flexible foundation for machine-native payments.

HTTP 402: The HTTP 402 Payment Required response status code is a non-standard code indicating the client must pay to access the requested resource. It was originally reserved for digital cash/micropayment systems but never widely adopted. The HTTP/1.1 specification reserved it for future use with micropayments; in reality, payments were handled by higher-level application layers (PayPal, Stripe, etc.) rather than HTTP itself. Some modern APIs (Google Cloud, Stripe) unofficially use 402 to signal billing issues or insufficient funds. Think of HTTP 402 like a toll road: you're driving (making a request), the toll booth (server) checks if you've paid, and if not it says "Payment Required."

EIP-3009: Transfer with Authorization: The Ethereum standard for "Transfer with Authorization." It introduces an ERC-20 function transferWithAuthorization that lets users pre-sign a token transfer off-chain (sender, recipient, amount, validity period, signature); another party (recipient or relayer) submits it on-chain. The contract verifies the signature, that the authorization hasn't expired, and that it hasn't been used before, then transfers tokens and marks the authorization used (preventing replay). It solves ERC-20's requirement that the sender pay gas in ETH, enabling natively supported gasless transfers. Pioneered by USDC (Circle/Coinbase) and in production since ~2020. Like writing a signed check: Alice cashes it without you going to the bank.

EIP-712: Typed Structured Data Hashing and Signing: Allows wallets and applications to create signatures over structured data (JSON fields with types) instead of raw bytes or strings. A developer defines a typed schema; the schema and values are encoded and hashed per EIP-712 rules and signed with eth_signTypedData. Wallets (like MetaMask) display the structured fields clearly so users (or AI agents) see exactly what they're signing. Before EIP-712, signing used EIP-191 where users signed meaningless hex blobs, making phishing easy. EIP-712 makes signatures explicit and typed, prevents ambiguity, and enables off-chain authorizations (like x402 payment approvals) later enforced on-chain. Like a clear, itemized receipt versus a random string of numbers.

Discussion Dump

Opinions from WPRC NYC

Protocol merit: Clever use of a dormant HTTP status code to create a universal paywall primitive. Could meaningfully shift web monetization from ads/subscriptions to direct micropayments.
Middleware centralization risk: Although the spec is open, Coinbase's reference middleware defaults to their facilitator. Most early devs may adopt this without customization, giving Coinbase soft control over everything that flows through the protocol.
Facilitator incentive gap: Unlike routing nodes in Lightning or validators in PoS chains, x402 facilitators have no built-in, protocol-level economic rewards. Unless resource servers voluntarily pay them, there's little incentive for independent facilitators to spin up, making it likely most traffic defaults to Coinbase's hosted service by convenience. This undermines the protocol's decentralization potential despite facilitators being "optional" in theory.
Compliance exposure: Making facilitators optional means resource servers can run fully self-hosted verification/settlement without KYT or sanctions screening, opening potential non-compliant payment channels.
Authentication caveat: x402 "authenticates" that the sender controls funds, not that they are legitimate or KYC'd. If those tokens were obtained via hacks or exploits, the system still considers them valid.
Business model implications: Lowers monetization friction for the long tail by allowing small creators/developers to charge without intermediaries and without harvesting data for ad revenue — but also makes it easy for big players to meter every micro-interaction, potentially fueling hyper-capitalist value-extractive models.

Summary

The WhitePaper Reading Club [05]	[13-September-2025]
x402	[Wei Hup, Jun Heng, Junaid]
https://www.x402.org/x402-whitepaper.pdf

Summary

x402 is an open HTTP 402-based payment protocol that enables AI agents and web services to autonomously pay for API access, data, and digital services.

Why This Is Important

x402 enables:

Removing the need for subscriptions and paying an up-front lump sum
Instant low-fee micropayments at request-level granularity
Eliminating chargebacks and fraud risks
Allowing machines to transact autonomously

Key Innovation

Team

Erik Reppel – Head of Engineering @ coinbasedev
Ronnie Caspers – Product @ Coinbase
Kevin Leffew – GTM Lead @ coinbasedev
Danny Organ – Product Marketing @ Coinbase
Dan Kim – VP @ Coinbase
Nemil Dalal – Ex-Senior Director of Product @ Coinbase

Opinion from WPRC KL

Aligns well with the trend of microservices and autonomous agents.
Low latency and low fees which are impossible to find on credit cards or other expensive chains.
Simplified API monetization.
However, it assumes clients hold crypto/stablecoins, which limits the breadth of adoption.

Questions

How will refund or dispute scenarios be handled when payments are irreversible on-chain?
Does removing chargebacks expose users to risk?
Will mainstream API providers (OpenAI, Google Cloud) support x402, or prefer existing payment systems? What incentives would get them onboard?

Components

Payment Flow	1. Clients send requests to access premium resources. 2. The server checks whether the payment is done and valid. If yes, the server returns the requested data/content. If not, the server returns HTTP 402 Payment Required and the client makes payment. The payment is settled on-chain (Base or other chains). After payment is done, clients can access the premium resources.
Client	i) Send an HTTP request to the server. ii) Read the 402 Payment Required response and extract payment details. iii) Use the provided payment requirements to construct a valid payment payload. iv) Retry the request with the valid payment payload.
Server	i) Respond to unauthenticated requests with an HTTP 402 and payment requirements. ii) Validate incoming payment payloads. iii) Upon successful verification, submit the payment for settlement on-chain. iv) Return the requested resource to the client.
Facilitator	i) Confirm that the payment payload meets the payment requirement. ii) Submit validated payments to the blockchain. iii) Return verification and settlement results to the server.

HTTP 402 Payment Signaling

Problem	Payments for APIs/content are bolted on (API keys, subscriptions), not standardized at the HTTP layer; machines can't seamlessly discover/pay per request.
Solution	Use the reserved HTTP 402 "Payment Required" status to signal price/payment details in a structured JSON response.
How it works	Server middleware intercepts unpaid requests and returns a 402 Payment Required error code with fields like maxAmountRequired, asset, payTo, network, nonce, expiresAt; clients read it, pay/sign, then retry the request.

EIP-712 Signature

Problem	Need a secure, user/agent-readable way to authorize payments per request and prevent replay across endpoints.
Solution	Use EIP-712 typed-data signatures over the payment request + actual amount + timestamp.
How it works	User signs the structured data; server verifies signature, fields, amount ≤ maxAmountRequired, nonce/expiry validity, then proceeds to settle and serve the resource.

Transaction Settlement

Problem	Micropayments require low fees and fast finality; different volumes/latency targets need different settlement choices.
Solution	Offers multiple settlement methods: 1. On-chain settlement (L1/L2, Layer 2 for lower fees); 2. Payment channels for high-frequency micropayments between trusted parties; 3. Batched settlements combining multiple micropayments into a single transaction.
How it works	User signs the structured data; server verifies signature, fields, amount ≤ maxAmountRequired, nonce/expiry validity, then proceeds to settle and serve the resource.

Server Middleware & Client-side Implementation

Problem	Providers need a simple way to add per-request payments without rebuilding their stack. Implementing the 402-pay-retry loop is boilerplate and error-prone for agents/apps.
Solution	Drop-in middleware (e.g., @x402/express-middleware) that emits 402s, verifies payments, and gates handlers. A client SDK handles fetch → 402 parse → wallet sign → settle → retry automatically.
How it works	Express server middleware and client-side implementation (below).

Potential Use Cases

Agents accessing APIs for on-demand requests
Pay-per-use AI model inference monetization
Agents paying for cloud compute & storage
Context retrieval for agents
Micropayments for human access to content

References

[1] https://www.x402.org/x402-whitepaper.pdf

[2] https://x402.gitbook.io/x402

[3] https://eips.ethereum.org/EIPS/eip-712

Cheat Sheet — x402

Discussion Dump

Opinions from WPRC NYC

Protocol merit: Clever use of a dormant HTTP status code to create a universal paywall primitive. Could meaningfully shift web monetization from ads/subscriptions to direct micropayments.
Middleware centralization risk: Although the spec is open, Coinbase's reference middleware defaults to their facilitator. Most early devs may adopt this without customization, giving Coinbase soft control over everything that flows through the protocol.
Facilitator incentive gap: Unlike routing nodes in Lightning or validators in PoS chains, x402 facilitators have no built-in, protocol-level economic rewards. Unless resource servers voluntarily pay them, there's little incentive for independent facilitators to spin up, making it likely most traffic defaults to Coinbase's hosted service by convenience. This undermines the protocol's decentralization potential despite facilitators being "optional" in theory.
Compliance exposure: Making facilitators optional means resource servers can run fully self-hosted verification/settlement without KYT or sanctions screening, opening potential non-compliant payment channels.
Authentication caveat: x402 "authenticates" that the sender controls funds, not that they are legitimate or KYC'd. If those tokens were obtained via hacks or exploits, the system still considers them valid.
Business model implications: Lowers monetization friction for the long tail by allowing small creators/developers to charge without intermediaries and without harvesting data for ad revenue — but also makes it easy for big players to meter every micro-interaction, potentially fueling hyper-capitalist value-extractive models.