The latest articles on Forem by mkmkkkkk (@mkmkkkkk). https://forem.com/mkmkkkkk https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3757757%2Ffb634ba0-a53d-42b4-910c-a8e03613b415.png https://forem.com/mkmkkkkk en mkmkkkkk Thu, 26 Feb 2026 14:06:55 +0000 https://forem.com/mkmkkkkk/ai-agents-lost-600k-to-prompt-injection-attack-taxonomy-code-level-defenses-532p https://forem.com/mkmkkkkk/ai-agents-lost-600k-to-prompt-injection-attack-taxonomy-code-level-defenses-532p <h2> The Problem </h2> <p>AI agents are spending real money. When they get prompt-injected, it's not just data leakage — it's direct financial loss.</p> <p>Here are documented incidents:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Attack</th> <th>Loss</th> <th>Vector</th> </tr> </thead> <tbody> <tr> <td>Freysa AI</td> <td>$47K</td> <td>Function redefinition</td> </tr> <tr> <td>AIXBT</td> <td>$106K</td> <td>Control plane compromise</td> </tr> <tr> <td>Lobstar Wilde</td> <td>$441K</td> <td>State amnesia</td> </tr> <tr> <td>EchoLeak</td> <td>CVSS 9.3</td> <td>Zero-click document poisoning</td> </tr> <tr> <td>MCPTox</td> <td>72.8% success</td> <td>MCP tool poisoning</td> </tr> </tbody> </table></div> <h2> The Pattern </h2> <p>Every attack follows the same structure: <strong>the agent cannot distinguish trusted instructions from injected ones.</strong> The attacker doesn't break the code — they break the agent's judgment. And since the agent holds payment credentials, broken judgment means broken wallets.</p> <h2> Why Prompts Can't Fix This </h2> <p>Telling an LLM "don't send money to attackers" is like telling a human "don't get phished." The whole point of injection is that the agent <em>doesn't know</em> it's being attacked.</p> <p>The fix has to be at the <strong>code level</strong> — deterministic policy engines that run <em>outside</em> the LLM context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// This code runs BEFORE any payment executes</span> <span class="c1">// No prompt injection can override TypeScript</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">securityGate</span><span class="p">.</span><span class="nf">validatePayment</span><span class="p">({</span> <span class="na">token</span><span class="p">:</span> <span class="nx">agentToken</span><span class="p">,</span> <span class="c1">// Auth: agent can't modify policies</span> <span class="na">manifestId</span><span class="p">:</span> <span class="nx">manifest</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="c1">// Manifest: pre-approved recipients only</span> <span class="na">recipient</span><span class="p">:</span> <span class="dl">"</span><span class="s2">attacker.com</span><span class="dl">"</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">"</span><span class="s2">USDC</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// result.allowed = false</span> <span class="c1">// Reason: recipient not in manifest allowlist</span> </code></pre> </div> <p>The key insight: <strong>defense doesn't depend on the LLM's judgment.</strong> It's like an ATM — no matter what a scammer tells you, the machine won't dispense without the right PIN.</p> <h2> Defense Layers </h2> <ol> <li> <strong>Session Manifest</strong> — Immutable payment envelope created by user BEFORE agent touches untrusted content. Defines allowed recipients, max amounts, currency, TTL.</li> <li> <strong>Auth Scope Separation</strong> — Agents get <code>payment:execute</code> tokens. Only admins get <code>policy:write</code>. Agent can't modify its own rules.</li> <li> <strong>Rate Limiter + Auto-Freeze</strong> — Frequency anomaly → auto-freeze → requires manual admin unfreeze.</li> <li> <strong>Behavioral Anomaly Detection</strong> — Welford's algorithm for running stats. Any single strong deviation triggers (MAX score, not average).</li> </ol> <p>All 4 layers run on every payment. ALL must pass. Code-level pipeline — unskippable.</p> <h2> Self-Attack Results </h2> <p>We built 18 attack scenarios (39 test cases) mapping to every real-world case above. Results: <strong>39/39 pass.</strong> Every attack blocked.</p> <p>Full writeup with bilingual (EN/中文) analysis: <a href="https://mkyang.ai/blog/agent-payment-security.html" rel="noopener noreferrer">mkyang.ai/blog/agent-payment-security.html</a></p> <p>Open source (MIT): <a href="https://github.com/mkmkkkkk/paysentry" rel="noopener noreferrer">github.com/mkmkkkkk/paysentry</a></p> <p><em>Built with TypeScript. 12 packages, 217 tests, zero dependencies on LLM judgment for security decisions.</em></p> security ai typescript webdev mkmkkkkk Sun, 08 Feb 2026 09:12:14 +0000 https://forem.com/mkmkkkkk/x402-v2-security-deep-dive-new-attack-vectors-in-ai-agent-payments-2cp2 https://forem.com/mkmkkkkk/x402-v2-security-deep-dive-new-attack-vectors-in-ai-agent-payments-2cp2 <p>x402 V2 shipped with three major protocol upgrades: dynamic <code>payTo</code> routing, wallet-based session identity, and a fully modular SDK architecture. Each change unlocks powerful new capabilities for AI agent payments. Each also introduces attack vectors that didn't exist in V1.</p> <p>I spent the last two weeks stress-testing the V2 migration path for <a href="https://github.com/mkmkkkkk/paysentry" rel="noopener noreferrer">PaySentry</a>, our payment control plane for autonomous agents. Here's what you need to know about V2's security model — and how to enforce spending policies at the middleware layer before your agent loses money.</p> <h2> What x402 V2 Actually Changed </h2> <p>Quick context: x402 is the HTTP-native payment protocol built on the <code>402 Payment Required</code> status code. AI agents use it to pay for API calls directly inside HTTP flows — no accounts, no OAuth, no subscription management. Coinbase launched it in 2025, Cloudflare integrated it into Workers, and it's now processing millions of agent payment flows per month.</p> <p>V2 is a ground-up rearchitecture. Three changes matter for security:</p> <h3> 1. Dynamic payTo Routing </h3> <p>The <code>payTo</code> field is no longer static. In V1, your agent paid a fixed wallet address per API endpoint. In V2, the server can specify a different recipient address on every single request.</p> <p><strong>Why this exists:</strong> Multi-tenant marketplaces where the payment recipient changes based on the underlying provider. Think: an AI agent calling a marketplace API where the service provider varies by query.</p> <p><strong>The risk:</strong> Your agent trusts the server to tell it where to send money. If the server is compromised or malicious, it can return an attacker-controlled address. Your agent pays it. The response looks valid (cached data, plausible content). No immediate red flags.</p> <h3> 2. Wallet-Based Session Identity </h3> <p>V2 introduces session mechanisms using CAIP-122 (Sign-In-With-X). After the first payment, your agent gets a session token that grants repeated access without repayment.</p> <p><strong>Why this exists:</strong> Agents making repeated calls to the same endpoint (chat completions, data feeds) shouldn't pay every single time. Sessions reduce transaction overhead.</p> <p><strong>The risk:</strong> Session tokens become high-value targets. If an attacker captures a session token (via logging, middleware, or a compromised facilitator), they get free access to every resource the agent has already paid for. No additional payment required. Indefinite access if there's no expiry.</p> <h3> 3. Modular SDK Architecture </h3> <p>The reference SDK was rewritten as a plugin system. Chains, assets, and payment schemes are now registered through <code>@x402/*</code> npm packages. The core is extractable; everything else is opt-in.</p> <p><strong>Why this exists:</strong> Extensibility. New chains and payment rails can be added without modifying core protocol code.</p> <p><strong>The risk:</strong> Supply chain attacks. A malicious plugin registered as a "payment scheme" operates inside the payment flow with access to transaction data, amounts, and potentially wallet keys. The attack surface isn't just the core SDK anymore — it's every plugin you install.</p> <h2> The Attack Vectors V2 Creates </h2> <p>Let's walk through each risk with concrete attack scenarios.</p> <h3> Attack 1: Recipient Address Manipulation (Dynamic Routing) </h3> <p><strong>Scenario:</strong> Your agent calls a marketplace API that uses dynamic routing. The API is supposed to route payments to different service providers based on the query. On request #127, the server returns a <code>payTo</code> address that doesn't belong to any legitimate provider — it's the attacker's wallet.</p> <p>Your agent:</p> <ol> <li>Receives the payment requirement with the malicious <code>payTo</code> address</li> <li>Signs and submits the transaction (no validation)</li> <li>Gets back a 200 response with seemingly valid data (maybe cached, maybe generated)</li> <li>Continues execution — nothing looks wrong</li> </ol> <p><strong>Impact:</strong> Funds sent to attacker. The agent's application logic sees a successful API call and moves on.</p> <p><strong>Why V1 didn't have this:</strong> Static addresses. You validated the recipient once during integration and never thought about it again.</p> <p><strong>Mitigation:</strong> Recipient allowlists. Before your agent pays, check that the <code>payTo</code> address is on an explicit allowlist for that endpoint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PaySentryX402Adapter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/x402</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PolicyEngine</span><span class="p">,</span> <span class="nx">blockRecipient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/control</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">policyEngine</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PolicyEngine</span><span class="p">();</span> <span class="c1">// Define allowed recipients per endpoint</span> <span class="nx">policyEngine</span><span class="p">.</span><span class="nf">loadPolicy</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">marketplace-recipients</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Marketplace Recipient Allowlist</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">rules</span><span class="p">:</span> <span class="p">[</span> <span class="c1">// Block any recipient NOT on the allowlist</span> <span class="nf">blockRecipient</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">unless</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">eip155:8453/0xABC...</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Provider A treasury</span> <span class="dl">'</span><span class="s1">eip155:8453/0xDEF...</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Provider B treasury</span> <span class="p">]}),</span> <span class="p">],</span> <span class="na">budgets</span><span class="p">:</span> <span class="p">[],</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">adapter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PaySentryX402Adapter</span><span class="p">(</span> <span class="p">{</span> <span class="nx">policyEngine</span> <span class="p">},</span> <span class="p">{</span> <span class="na">abortOnPolicyDeny</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="c1">// Abort the x402 flow if policy denies</span> <span class="p">);</span> </code></pre> </div> <p>When the agent attempts to pay the malicious address, the policy engine blocks it before the transaction is signed.</p> <h3> Attack 2: Session Token Theft (Session Identity) </h3> <p><strong>Scenario:</strong> Your agent pays for access to an API and receives a session token. The token is logged to your observability platform (accidentally included in a trace). An attacker with access to your logs extracts the token and uses it to make API calls on your behalf — for free, indefinitely.</p> <p><strong>Impact:</strong> Unauthorized API access. If there's no session budget cap, the attacker can consume resources until the session expires (if it ever does).</p> <p><strong>Why V1 didn't have this:</strong> No session mechanism. Every request required a fresh payment.</p> <p><strong>Mitigation:</strong> Session-scoped budgets and aggressive TTLs. Even with a valid session token, enforce a maximum spend per session window and expire sessions after 15-30 minutes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PaySentryX402Adapter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/x402</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PolicyEngine</span><span class="p">,</span> <span class="nx">budgetPerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/control</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">policyEngine</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PolicyEngine</span><span class="p">();</span> <span class="nx">policyEngine</span><span class="p">.</span><span class="nf">loadPolicy</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session-budgets</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Session Budget Limits</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">rules</span><span class="p">:</span> <span class="p">[],</span> <span class="na">budgets</span><span class="p">:</span> <span class="p">[</span> <span class="nf">budgetPerSession</span><span class="p">({</span> <span class="na">maxAmount</span><span class="p">:</span> <span class="mf">5.00</span><span class="p">,</span> <span class="c1">// $5 max spend per session</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span><span class="p">,</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 30-minute session window</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">adapter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PaySentryX402Adapter</span><span class="p">({</span> <span class="nx">policyEngine</span> <span class="p">});</span> </code></pre> </div> <p>If an attacker steals a session token, they can only spend up to the session budget before it's blocked. The 30-minute TTL limits exposure window.</p> <h3> Attack 3: Malicious Plugin Injection (Modular SDK) </h3> <p><strong>Scenario:</strong> You install a new chain plugin from npm: <code>@x402/facilitator-arbitrum</code>. Looks legitimate. The package description matches the official pattern. Two weeks later, you discover it was a typosquat (<code>@x4O2/facilitator-arbitrum</code> — note the letter "O" instead of zero). The plugin has been intercepting transaction data and exfiltrating wallet keys.</p> <p><strong>Impact:</strong> Complete wallet compromise. Every transaction made through that facilitator is potentially logged by the attacker.</p> <p><strong>Why V1 didn't have this:</strong> Monolithic SDK. No plugin system.</p> <p><strong>Mitigation:</strong> Pin exact versions, verify package provenance, and audit every <code>@x402/*</code> dependency before installation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verify npm package provenance before installing</span> npm view @x402/facilitator-arbitrum <span class="c"># Check publisher identity</span> npm owner <span class="nb">ls</span> @x402/facilitator-arbitrum <span class="c"># Pin exact version in package.json (no ^ or ~)</span> <span class="o">{</span> <span class="s2">"dependencies"</span>: <span class="o">{</span> <span class="s2">"@x402/core"</span>: <span class="s2">"2.1.0"</span>, <span class="s2">"@x402/facilitator-base"</span>: <span class="s2">"2.1.0"</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Treat payment plugins like you'd treat dependencies that access secrets. Audit before install, monitor for unexpected updates, and run in isolated contexts where possible.</p> <h2> Building a V2 Security Policy </h2> <p>The pattern across all these risks: <strong>V2 gives agents more flexibility, so agents need more constraints.</strong> Recipient allowlists, session budgets, and plugin auditing aren't optional — they're the minimum.</p> <p>Here's a complete policy configuration using PaySentry's declarative policy engine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PaySentryX402Adapter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/x402</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PolicyEngine</span><span class="p">,</span> <span class="nx">blockAbove</span><span class="p">,</span> <span class="nx">blockRecipient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/control</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SpendTracker</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/observe</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Initialize core engines</span> <span class="kd">const</span> <span class="nx">policyEngine</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PolicyEngine</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">spendTracker</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SpendTracker</span><span class="p">();</span> <span class="c1">// Global spending policy</span> <span class="nx">policyEngine</span><span class="p">.</span><span class="nf">loadPolicy</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">global-limits</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Global Transaction Limits</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">rules</span><span class="p">:</span> <span class="p">[</span> <span class="nf">blockAbove</span><span class="p">(</span><span class="mf">1.00</span><span class="p">,</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// Block any transaction &gt;$1</span> <span class="p">],</span> <span class="na">budgets</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">daily-limit</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAmount</span><span class="p">:</span> <span class="mf">50.00</span><span class="p">,</span> <span class="c1">// $50/day max across all APIs</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span><span class="p">,</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">});</span> <span class="c1">// Per-endpoint policies</span> <span class="nx">policyEngine</span><span class="p">.</span><span class="nf">loadPolicy</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">openai-policy</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">OpenAI API Spending</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">rules</span><span class="p">:</span> <span class="p">[</span> <span class="nf">blockAbove</span><span class="p">(</span><span class="mf">0.10</span><span class="p">,</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// $0.10 max per completion</span> <span class="nf">blockRecipient</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">unless</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">eip155:8453/0xOPENAI_OFFICIAL_ADDRESS</span><span class="dl">'</span><span class="p">],</span> <span class="p">}),</span> <span class="p">],</span> <span class="na">budgets</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">openai-hourly</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAmount</span><span class="p">:</span> <span class="mf">5.00</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span><span class="p">,</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// $5/hour for OpenAI</span> <span class="p">},</span> <span class="p">],</span> <span class="na">scope</span><span class="p">:</span> <span class="p">{</span> <span class="na">recipient</span><span class="p">:</span> <span class="dl">'</span><span class="s1">api.openai.com</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Session security</span> <span class="nx">policyEngine</span><span class="p">.</span><span class="nf">loadPolicy</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session-security</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Session Budget Limits</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">rules</span><span class="p">:</span> <span class="p">[],</span> <span class="na">budgets</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session-cap</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAmount</span><span class="p">:</span> <span class="mf">5.00</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span><span class="p">,</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 30-minute session window</span> <span class="na">scope</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">});</span> <span class="c1">// Create the adapter</span> <span class="kd">const</span> <span class="nx">adapter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PaySentryX402Adapter</span><span class="p">(</span> <span class="p">{</span> <span class="nx">policyEngine</span><span class="p">,</span> <span class="nx">spendTracker</span> <span class="p">},</span> <span class="p">{</span> <span class="na">abortOnPolicyDeny</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Reject payments that violate policy</span> <span class="na">circuitBreaker</span><span class="p">:</span> <span class="p">{</span> <span class="na">failureThreshold</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="c1">// Open circuit after 5 failures</span> <span class="na">recoveryTimeoutMs</span><span class="p">:</span> <span class="mi">30000</span><span class="p">,</span> <span class="c1">// 30s recovery window</span> <span class="p">},</span> <span class="p">},</span> <span class="p">);</span> <span class="c1">// Register with your x402 server</span> <span class="nx">adapter</span><span class="p">.</span><span class="nf">withLifecycleHooks</span><span class="p">(</span><span class="nx">x402Server</span><span class="p">);</span> </code></pre> </div> <p>This configuration:</p> <ul> <li>Blocks any transaction over $1 (global cap)</li> <li>Enforces a $50 daily spending limit across all endpoints</li> <li>Restricts OpenAI payments to $0.10 per request and $5/hour total</li> <li>Only allows payments to explicitly allowlisted recipient addresses</li> <li>Caps session spending at $5 per 30-minute window</li> <li>Opens a circuit breaker after 5 consecutive payment failures (protects against cascading failures)</li> </ul> <p>Every policy is evaluated <strong>before</strong> the transaction is signed. If any rule blocks the transaction, the x402 flow aborts and your agent never pays.</p> <h2> The "79 Tests" Problem </h2> <p>Here's something nobody talks about: x402 security isn't just about writing policies. It's about <strong>testing that they actually work</strong> under adversarial conditions.</p> <p>PaySentry has <a href="https://github.com/mkmkkkkk/paysentry" rel="noopener noreferrer">79 test cases</a> covering policy enforcement, circuit breaker state transitions, session budget tracking, and x402 lifecycle hook integration. That sounds like a lot until you realize how many edge cases exist:</p> <ul> <li>What happens when a policy blocks a transaction mid-flight?</li> <li>Does the circuit breaker correctly transition from half-open to closed after a successful probe?</li> <li>Are session budgets enforced across facilitator retries?</li> <li>Do recipient allowlists work for CAIP-standardized addresses with chain prefixes?</li> </ul> <p>If you're building your own policy layer, you need test coverage for:</p> <ol> <li> <strong>Policy evaluation logic</strong> — Does <code>blockAbove(1.00)</code> actually block at $1.01?</li> <li> <strong>State management</strong> — Do rolling window budgets reset correctly?</li> <li> <strong>x402 integration</strong> — Do lifecycle hooks run in the right order?</li> <li> <strong>Failure modes</strong> — What happens when the policy engine crashes during <code>onBeforeVerify</code>?</li> </ol> <p>Testing payment security is not optional. One missed edge case and your agent burns through its budget in seconds.</p> <h2> V2 Migration Checklist </h2> <p>Before you deploy V2 in production:</p> <ul> <li>✅ <strong>Recipient allowlists configured</strong> for every API endpoint your agent calls</li> <li>✅ <strong>Session TTLs defined</strong> — 15-30 minutes for most agent workloads</li> <li>✅ <strong>Session budget caps enforced</strong> — max spend per session, not just per transaction</li> <li>✅ <strong>Global daily spending limit active</strong> — hard cap across all endpoints</li> <li>✅ <strong>Plugin versions pinned</strong> — exact versions, no semver ranges, provenance verified</li> <li>✅ <strong>Circuit breaker configured</strong> — prevent cascading failures to payment facilitators</li> <li>✅ <strong>Monitoring hooked up</strong> — log every policy denial, every failed payment, every new recipient address</li> <li>✅ <strong>Test coverage for adversarial scenarios</strong> — test that policies actually block malicious transactions</li> </ul> <h2> The Bottom Line </h2> <p>x402 V2 is a significant step forward for agent payments. Dynamic routing enables marketplaces. Session identity reduces transaction overhead. Modular SDKs make the protocol extensible.</p> <p>But every new capability is a new attack surface:</p> <ul> <li>Dynamic <code>payTo</code> → recipient manipulation</li> <li>Session tokens → token theft and session hijacking</li> <li>Plugin architecture → supply chain attacks</li> </ul> <p>The fix isn't to avoid V2. It's to match V2's flexibility with equally granular security policies. Recipient allowlists, session budgets, and plugin auditing are table stakes.</p> <p>Your agent is spending real money on every API call. Treat its payment security like you'd treat your own wallet — because in production, it <strong>is</strong> your wallet.</p> <p><em>PaySentry is an open-source payment control plane for AI agents. It enforces spending policies, tracks transactions, and provides circuit breakers for x402, Stripe, and custom payment protocols. <a href="https://github.com/mkmkkkkk/paysentry" rel="noopener noreferrer">GitHub</a> | <a href="https://www.npmjs.com/org/paysentry" rel="noopener noreferrer">npm</a></em></p> <p><em>Follow me for more on AI agent security, payment protocol internals, and production deployment war stories.</em></p> x402 ai security blockchain mkmkkkkk Sat, 07 Feb 2026 22:44:46 +0000 https://forem.com/mkmkkkkk/x402-v2-just-dropped-5-security-changes-every-ai-agent-builder-needs-to-know-5apf https://forem.com/mkmkkkkk/x402-v2-just-dropped-5-security-changes-every-ai-agent-builder-needs-to-know-5apf <h1> x402 V2 Just Dropped: 5 Security Changes Every AI Agent Builder Needs to Know </h1> <p>x402 V2 shipped in December 2025 with five major protocol changes. Dynamic payTo routing. Wallet-based identity. A fully modular SDK. If you're running AI agents that pay for API calls, every one of these changes introduces new attack surface you need to understand.</p> <p>I spent the last few weeks dissecting the V2 spec and stress-testing migration paths. Here's what actually matters for payment security — and how to protect your agents in production.</p> <h2> What Changed in x402 V2 </h2> <p>For context: x402 is the HTTP-native payment protocol built on the 402 status code. It lets AI agents pay for API calls directly inside HTTP request-response flows — no accounts, no redirects, no subscriptions. Coinbase launched it, Cloudflare integrated it, and it's processed over 100 million payment flows in its first months.</p> <p>V2 is a ground-up rearchitecture. Here are the five changes that matter:</p> <h3> 1. Payment Identifier Standardization (CAIP-Based) </h3> <p>V2 standardizes how networks and assets are identified using <a href="https://github.com/ChainAgnostic/CAIPs" rel="noopener noreferrer">CAIP</a> (Chain Agnostic Improvement Proposals). Instead of chain-specific identifiers, there's now a single payment format that works across Base, Solana, emerging L2s, and even legacy payment rails like ACH and SEPA.</p> <p><strong>Before V2:</strong> Each chain had custom asset identification logic. Integrating a new chain meant modifying core protocol code.</p> <p><strong>After V2:</strong> Assets and chains are identified uniformly. <code>eip155:8453/erc20:0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913</code> identifies USDC on Base. Every chain follows the same pattern.</p> <h3> 2. Dynamic payTo Routing </h3> <p>This is the biggest change. V2 supports per-request routing to different addresses, roles, or callback-based payout logic. The <code>payTo</code> field is no longer static — it can change on every request based on input parameters.</p> <p>This enables marketplaces and multi-tenant APIs where the payment recipient varies per transaction. Think: an AI agent calling a marketplace API where the underlying provider changes based on the query.</p> <h3> 3. Wallet-Based Identity and Session Access </h3> <p>V2 introduces wallet-controlled sessions. Once an agent pays for a resource, it can skip the full payment flow on repeated access using a session mechanism based on CAIP-122 (Sign-In-With-X). No more paying twice for the same data.</p> <p>This is critical for agents that make repeated calls to the same API — chat completions, data feeds, search endpoints.</p> <h3> 4. Modular SDK Architecture </h3> <p>The reference SDK was rewritten from scratch for modularity. Chains, assets, and payment schemes are now registered as plugins through the <code>@x402</code> npm organization. The core package <code>@x402/paywall</code> is fully extractable and supports EVM and Solana out of the box.</p> <h3> 5. HTTP Header Modernization </h3> <p>V2 replaces deprecated <code>X-*</code> headers with standards-compliant alternatives: <code>PAYMENT-SIGNATURE</code>, <code>PAYMENT-REQUIRED</code>, <code>PAYMENT-RESPONSE</code>. Payment data moves entirely to HTTP headers rather than response bodies.</p> <h2> The Security Implications Nobody's Talking About </h2> <p>Each of these changes is a net positive for the protocol. But each one also shifts the threat model. Here's where things get interesting.</p> <h3> Dynamic payTo Routing → Recipient Manipulation Attacks </h3> <p>This is the one that keeps me up at night.</p> <p>In V1, the payment recipient was static. Your agent paid a fixed address. Simple. In V2, the <code>payTo</code> address can change per-request — the server tells your agent where to send money, and your agent complies.</p> <p><strong>The attack:</strong> A compromised or malicious API can return a different <code>payTo</code> address on any request. Your agent dutifully sends funds to the attacker's wallet. The response still returns valid data (maybe cached, maybe generated), so your agent's logic sees nothing wrong.</p> <p>This is especially dangerous in marketplace scenarios where dynamic routing is <em>expected behavior</em>. Your agent can't distinguish "legitimate new provider address" from "attacker-injected address" without an explicit allowlist.</p> <p><strong>What to do:</strong></p> <ul> <li>Maintain a <strong>recipient allowlist</strong> per API endpoint. If the <code>payTo</code> address isn't on the list, reject the payment.</li> <li>Log every unique <code>payTo</code> address encountered. Alert on first-seen addresses.</li> <li>For marketplace APIs, require the provider to publish their address set via a signed manifest. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Recipient allowlist enforcement</span> <span class="kd">const</span> <span class="nx">TRUSTED_RECIPIENTS</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">api.example.com</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">eip155:8453/0xABC...</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Primary treasury</span> <span class="dl">'</span><span class="s1">eip155:8453/0xDEF...</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Operations wallet</span> <span class="p">],</span> <span class="p">};</span> <span class="kd">function</span> <span class="nf">validateRecipient</span><span class="p">(</span><span class="nx">host</span><span class="p">,</span> <span class="nx">payTo</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">allowed</span> <span class="o">=</span> <span class="nx">TRUSTED_RECIPIENTS</span><span class="p">[</span><span class="nx">host</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">allowed</span> <span class="o">||</span> <span class="o">!</span><span class="nx">allowed</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">payTo</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">PaymentSecurityError</span><span class="p">(</span> <span class="s2">`Untrusted recipient </span><span class="p">${</span><span class="nx">payTo</span><span class="p">}</span><span class="s2"> for </span><span class="p">${</span><span class="nx">host</span><span class="p">}</span><span class="s2">. `</span> <span class="o">+</span> <span class="s2">`Allowed: </span><span class="p">${</span><span class="nx">allowed</span><span class="p">?.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">, </span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">none configured</span><span class="dl">'</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Wallet-Based Identity → Session Hijacking Risks </h3> <p>Session-based access means your agent gets a token after the first payment that grants repeated access. Convenient. Also a new target.</p> <p><strong>The attack vectors:</strong></p> <ol> <li> <strong>Session token theft:</strong> If an attacker captures the session token (via logging, middleware, or a compromised facilitator), they get free access to every resource the agent has already paid for.</li> <li> <strong>Session fixation:</strong> An attacker sets a session token before the agent authenticates, then uses the same token after the agent pays.</li> <li> <strong>Unbounded sessions:</strong> Without explicit expiry, a leaked session token grants indefinite access — or in reverse, an agent holds sessions that should have been revoked.</li> </ol> <p><strong>What to do:</strong></p> <ul> <li>Bind session tokens to a specific wallet address AND a request fingerprint (user-agent, IP range).</li> <li>Set aggressive session TTLs. For AI agents, 15-30 minutes is usually sufficient.</li> <li>Implement session budget caps — even with a valid session, enforce a maximum spend per session window. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Session-scoped budget enforcement</span> <span class="kd">const</span> <span class="nx">sessionPolicy</span> <span class="o">=</span> <span class="p">{</span> <span class="na">maxSessionDuration</span><span class="p">:</span> <span class="mi">30</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 30 minutes</span> <span class="na">maxTransactionsPerSession</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">maxSpendPerSession</span><span class="p">:</span> <span class="mf">5.00</span><span class="p">,</span> <span class="c1">// $5 USD equivalent</span> <span class="na">requireWalletBinding</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">rotateTokenOnThreshold</span><span class="p">:</span> <span class="mf">0.8</span><span class="p">,</span> <span class="c1">// Rotate at 80% budget</span> <span class="p">};</span> <span class="kd">function</span> <span class="nf">validateSession</span><span class="p">(</span><span class="nx">session</span><span class="p">,</span> <span class="nx">transaction</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">age</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">session</span><span class="p">.</span><span class="nx">createdAt</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">age</span> <span class="o">&gt;</span> <span class="nx">sessionPolicy</span><span class="p">.</span><span class="nx">maxSessionDuration</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">SessionExpiredError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Session TTL exceeded</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">session</span><span class="p">.</span><span class="nx">totalSpend</span> <span class="o">+</span> <span class="nx">transaction</span><span class="p">.</span><span class="nx">amount</span> <span class="o">&gt;</span> <span class="nx">sessionPolicy</span><span class="p">.</span><span class="nx">maxSpendPerSession</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">BudgetExceededError</span><span class="p">(</span> <span class="s2">`Session budget: $</span><span class="p">${</span><span class="nx">sessionPolicy</span><span class="p">.</span><span class="nx">maxSpendPerSession</span><span class="p">}</span><span class="s2">. `</span> <span class="o">+</span> <span class="s2">`Current: $</span><span class="p">${</span><span class="nx">session</span><span class="p">.</span><span class="nx">totalSpend</span><span class="p">}</span><span class="s2">. Requested: $</span><span class="p">${</span><span class="nx">transaction</span><span class="p">.</span><span class="nx">amount</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Modular SDK → Plugin Trust Boundary Questions </h3> <p>V2's plugin architecture lets anyone register new chains, assets, and payment schemes. This is great for extensibility. It's also a supply chain attack waiting to happen.</p> <p><strong>The attack:</strong> A malicious plugin registered as a "payment scheme" could intercept transaction data, modify amounts, redirect funds, or exfiltrate wallet keys. Since plugins operate inside the payment flow, they have access to everything.</p> <p><strong>What to do:</strong></p> <ul> <li>Audit every <code>@x402/*</code> plugin before installation. Check the npm package provenance.</li> <li>Pin exact versions. Never use <code>^</code> or <code>~</code> ranges for payment-critical packages.</li> <li>Run payment plugins in an isolated context with limited permissions where possible.</li> <li>Monitor the plugin registry for typosquatting (<code>@x4O2/paywall</code> vs <code>@x402/paywall</code>).</li> </ul> <h3> CAIP Identifiers → Chain Confusion Attacks </h3> <p>Standardized identifiers are great until an attacker exploits the standardization.</p> <p><strong>The attack:</strong> An API requests payment on <code>eip155:8453</code> (Base) but the agent's wallet defaults to <code>eip155:1</code> (Ethereum mainnet) where gas is 100x higher. Or worse: the identifier specifies a testnet chain where tokens are worthless, but the service delivers production data.</p> <p><strong>What to do:</strong></p> <ul> <li>Maintain an explicit chain allowlist. Only permit chains your agent is configured to operate on.</li> <li>Validate that the requested chain matches the expected chain for each API endpoint.</li> <li>Flag any chain identifier your agent hasn't seen before in that context.</li> </ul> <h3> Header Migration → Detection Blind Spots </h3> <p>Moving from <code>X-PAYMENT</code> headers to <code>PAYMENT-*</code> headers seems minor. But if your logging, monitoring, or WAF rules filter on the old header names, you'll have a detection gap during migration.</p> <p><strong>What to do:</strong></p> <ul> <li>Update all monitoring rules to match both old and new header patterns during the transition period.</li> <li>Test your logging pipeline to confirm <code>PAYMENT-SIGNATURE</code> and <code>PAYMENT-RESPONSE</code> headers are captured.</li> </ul> <h2> Putting It Together: A V2 Security Policy Engine </h2> <p>The pattern across all these risks is the same: <strong>V2 gives agents more flexibility, which means agents need more constraints.</strong> Per-route spending policies, recipient validation, and session scoping aren't optional — they're the minimum.</p> <p>Here's what a comprehensive policy configuration looks like in practice, using a structured policy engine approach:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// x402 V2 Security Policy Configuration</span> <span class="kd">const</span> <span class="nx">v2SecurityPolicy</span> <span class="o">=</span> <span class="p">{</span> <span class="na">global</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxTransactionAmount</span><span class="p">:</span> <span class="mf">1.00</span><span class="p">,</span> <span class="c1">// $1 max per transaction</span> <span class="na">dailySpendLimit</span><span class="p">:</span> <span class="mf">50.00</span><span class="p">,</span> <span class="c1">// $50/day across all APIs</span> <span class="na">allowedChains</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">eip155:8453</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// Base only</span> <span class="na">allowedAssets</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">erc20:USDC</span><span class="dl">'</span><span class="p">],</span> <span class="na">blockTestnetPayments</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">requireRecipientAllowlist</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="na">routes</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">api.example.com/v2/completions</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxPerRequest</span><span class="p">:</span> <span class="mf">0.10</span><span class="p">,</span> <span class="na">dailyLimit</span><span class="p">:</span> <span class="mf">10.00</span><span class="p">,</span> <span class="na">allowedRecipients</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">eip155:8453/0xABC...</span><span class="dl">'</span><span class="p">],</span> <span class="na">sessionPolicy</span><span class="p">:</span> <span class="p">{</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">maxDuration</span><span class="p">:</span> <span class="mi">1800</span><span class="p">,</span> <span class="c1">// 30 min</span> <span class="na">maxSpend</span><span class="p">:</span> <span class="mf">5.00</span><span class="p">,</span> <span class="na">bindToWallet</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">marketplace.example.com/*</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxPerRequest</span><span class="p">:</span> <span class="mf">0.50</span><span class="p">,</span> <span class="na">dailyLimit</span><span class="p">:</span> <span class="mf">25.00</span><span class="p">,</span> <span class="na">allowedRecipients</span><span class="p">:</span> <span class="dl">'</span><span class="s1">MANIFEST_VERIFIED</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Dynamic, but verified</span> <span class="na">requireManifestSignature</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">alertOnNewRecipient</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">{</span> <span class="na">allowedPackages</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">@x402/paywall@2.1.0</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Pinned versions only</span> <span class="dl">'</span><span class="s1">@x402/facilitator-base@2.1.0</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="na">blockUnverifiedPublishers</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">auditLogEnabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="na">monitoring</span><span class="p">:</span> <span class="p">{</span> <span class="na">headerPatterns</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">PAYMENT-SIGNATURE</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// V2 headers</span> <span class="dl">'</span><span class="s1">PAYMENT-REQUIRED</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PAYMENT-RESPONSE</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">X-PAYMENT-*</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// V1 legacy (transition)</span> <span class="p">],</span> <span class="na">alertOn</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">new_recipient_address</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">chain_mismatch</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">session_budget_threshold</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">unknown_plugin_loaded</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <p>Tools like <a href="https://github.com/paysentry" rel="noopener noreferrer">PaySentry</a> can enforce these policies at the SDK layer, wrapping your x402 client with per-route spending limits, recipient validation, and session budget controls — without modifying your agent's core logic.</p> <h2> V2 Migration Security Checklist </h2> <p>Before you flip the switch to V2 in production, run through this:</p> <ul> <li>[ ] <strong>Recipient allowlists configured</strong> for every API endpoint your agent calls</li> <li>[ ] <strong>Chain allowlist set</strong> — only chains your agent's wallet is funded on</li> <li>[ ] <strong>Session TTLs defined</strong> — 15-30 minutes for most agent workloads</li> <li>[ ] <strong>Session budget caps enforced</strong> — max spend per session, not just per transaction</li> <li>[ ] <strong>Plugin versions pinned</strong> — exact versions, no semver ranges, provenance checked</li> <li>[ ] <strong>Monitoring rules updated</strong> — both <code>PAYMENT-*</code> and legacy <code>X-PAYMENT-*</code> header patterns</li> <li>[ ] <strong>CAIP identifier validation</strong> — reject unknown chain/asset combinations</li> <li>[ ] <strong>Daily spend limits active</strong> — global and per-route</li> <li>[ ] <strong>New recipient alerting enabled</strong> — flag first-seen <code>payTo</code> addresses</li> <li>[ ] <strong>Testnet payment blocking</strong> — reject any transaction on testnet chain identifiers</li> </ul> <h2> The Bottom Line </h2> <p>x402 V2 is a significant step forward for the protocol. CAIP standardization, dynamic routing, and modular SDKs make it genuinely viable for production agent payments at scale.</p> <p>But every new capability is a new attack surface. Dynamic <code>payTo</code> means recipient manipulation. Sessions mean session hijacking. Plugins mean supply chain attacks. These aren't theoretical — they're the natural consequences of adding flexibility to a payment protocol.</p> <p>The fix isn't to avoid V2. It's to match V2's flexibility with equally granular security policies. Allowlists, budget caps, session scoping, and plugin auditing are table stakes.</p> <p>Your agent is spending real money. Treat its payment security like you'd treat your own wallet.</p> <p><em>This is part of the "x402 in Production" series. Previous: <a href="https://dev.to/paysentry">x402 Payment Timeouts: Why Your Agent Loses Money and How to Fix It</a>. Follow for the next post on building a payment observability stack for autonomous agents.</em></p> x402 security ai blockchain mkmkkkkk Sat, 07 Feb 2026 21:25:30 +0000 https://forem.com/mkmkkkkk/x402-payment-timeouts-why-your-agent-loses-money-and-how-to-fix-it-fgk https://forem.com/mkmkkkkk/x402-payment-timeouts-why-your-agent-loses-money-and-how-to-fix-it-fgk <p>Your AI agent just paid $50 for an API call and got nothing back. The wallet was debited. The transaction confirmed on-chain. But the server returned a 402 error and refused to deliver the data. The money is gone. The resource is locked. And your agent has no idea what happened.</p> <p>This is not a hypothetical scenario. It is the direct consequence of a timing mismatch buried deep in the x402 payment protocol's settlement layer -- one that affects every agent running on Base network through the Coinbase-hosted facilitator. The issue was first documented as <a href="https://github.com/coinbase/x402/issues/1062" rel="noopener noreferrer">Issue #1062</a> in the x402 repository, and it reveals a fundamental gap between how the protocol assumes blockchain settlement works and how it actually works under load.</p> <p>This article walks through the root cause, quantifies the impact, and provides three concrete solutions -- from a five-minute config fix to a production-grade settlement state machine. If you are running x402 payments in production, you need to read this before your next deployment.</p> <h2> Table of Contents </h2> <ol> <li>How x402 Settlement Works</li> <li>The Timeout Race Condition</li> <li>Root Cause: Block Time vs. Facilitator Deadline</li> <li>What Happens to the Money</li> <li>Related Failure Modes</li> <li>Solution 1: Network-Aware Timeouts</li> <li>Solution 2: Settlement State Machine</li> <li>Solution 3: Payment Guardian Layer</li> <li>Production Checklist</li> <li>Conclusion</li> </ol> <h2> How x402 Settlement Works </h2> <p>Before we dissect the failure, we need to understand the normal flow. The x402 protocol uses HTTP's long-dormant <code>402 Payment Required</code> status code to embed payment negotiation directly into standard HTTP request-response cycles. The settlement path involves eleven discrete steps, but the critical ones for understanding the timeout problem are steps 5 through 10:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Client (Agent) Resource Server Facilitator Base L2 │ │ │ │ │── 1. GET /resource ───────&gt;│ │ │ │&lt;── 2. 402 + PAYMENT-REQ ──│ │ │ │ │ │ │ │ (agent signs ERC-3009 │ │ │ │ TransferWithAuth) │ │ │ │ │ │ │ │── 3. GET /resource ───────&gt;│ │ │ │ + X-PAYMENT header │ │ │ │ │── 4. POST /verify ──────&gt;│ │ │ │&lt;── 5. { valid: true } ───│ │ │ │ │ │ │ │── 6. POST /settle ──────&gt;│ │ │ │ │── 7. Submit tx ────&gt;│ │ │ │ │ │ │ │ ... waiting for │ │ │ │ block confirmation │ │ │ │ (2-28 seconds) │ │ │ │ │ │ │ │&lt;── 8. tx confirmed ──│ │ │&lt;── 9. Settlement OK ─────│ │ │&lt;── 10. 200 + resource ────│ │ │ </code></pre> </div> <p>The key insight: steps 6 through 9 are where the timeout problem lives. The facilitator submits the transaction to Base (step 7), then waits for block confirmation (step 8). The facilitator has an internal deadline for how long it will wait. If that deadline expires before the block confirms, the facilitator returns a settlement failure to the resource server, which then returns a 402 to the client.</p> <p>The transaction, however, is already submitted to the mempool. It does not care about the facilitator's deadline. It will confirm whenever the next block includes it.</p> <h2> The Timeout Race Condition </h2> <p><a href="https://github.com/coinbase/x402/issues/1062" rel="noopener noreferrer">Issue #1062</a> documents this with a specific on-chain transaction as evidence. The reporter provided transaction <code>0x8e01aace...629ae696</code>, which confirmed successfully on Base but generated a facilitator error: <em>"transaction did not confirm in time: context deadline exceeded."</em></p> <p>Here is the timeline of what happened:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>T+0.0s Client sends payment request T+0.3s Facilitator receives /settle call T+0.8s Facilitator submits transaction to Base mempool T+1.0s Facilitator starts confirmation polling ... T+5.0s *** FACILITATOR TIMEOUT TRIGGERS *** Facilitator returns: { success: false, error: "context deadline exceeded" } Resource server returns: 402 Payment Required Client receives error. No data. ... T+14.2s Transaction confirms on-chain. USDC transferred. Nobody is listening anymore. </code></pre> </div> <p>The gap between T+5.0s and T+14.2s is the race condition. The facilitator gave up. The blockchain did not. The money moved. The data did not.</p> <p>This is not an edge case. On Base network, the standard block time is 2 seconds, but under congestion or during periods of high gas prices, confirmation can take significantly longer. The issue reporter observed confirmation times ranging from 10 to 28 seconds -- well beyond the facilitator's 5-10 second internal deadline.</p> <p>The failure rate is effectively 100% whenever Base confirmation time exceeds the facilitator timeout. You cannot predict when this will happen. You cannot prevent it from the client side. And you cannot recover the funds through any mechanism in the current x402 specification.</p> <h2> Root Cause: Block Time vs. Facilitator Deadline </h2> <p>The root cause is a mismatch between two independent systems with different timing guarantees. This is a classic distributed systems problem: component A sets a deadline based on assumptions about component B, but component B operates on its own schedule.</p> <p><strong>The facilitator's perspective:</strong> The Coinbase-hosted facilitator (CDP) uses a <code>context.WithTimeout</code> internally -- likely set to 5-10 seconds for the full settlement round-trip. This timeout was probably calibrated against Solana, where confirmation takes ~400ms and the entire settle round-trip completes in under 2 seconds. It was then applied uniformly across all supported networks, including Base, without accounting for Base's fundamentally different confirmation characteristics under load.</p> <p><strong>Base network's perspective:</strong> Base is an Optimistic Rollup (OP Stack) L2 with a standard 2-second block time. Under normal conditions, a transaction submitted to the mempool will be included in the next block within 2-4 seconds. But "normal conditions" is doing a lot of heavy lifting. During periods of high network activity, mempool congestion, or gas price volatility, inclusion can be delayed. Base processes millions of transactions daily, and spikes are common.</p> <p>The problem is compounded by the ERC-3009 <code>TransferWithAuthorization</code> scheme that x402 uses for USDC payments. Unlike a simple ETH transfer, ERC-3009 involves:</p> <ol> <li>Validating the authorization signature against the USDC contract</li> <li>Checking the nonce has not been used</li> <li>Executing the <code>transferWithAuthorization</code> function</li> <li>Emitting the transfer event</li> </ol> <p>Each of these steps requires gas, and gas estimation itself can fail -- a related problem documented in <a href="https://github.com/coinbase/x402/issues/1065" rel="noopener noreferrer">Issue #1065</a>, which reports a 40% gas estimation failure rate on identical requests.</p> <p><strong>Why client-side fixes are impossible:</strong> The <a href="https://github.com/coinbase/x402/issues/1062" rel="noopener noreferrer">Issue #1062</a> reporter explicitly noted three reasons why agents cannot work around this:</p> <ol> <li>The facilitator controls gas pricing and transaction submission. The client has no influence over when or how the transaction is broadcast.</li> <li>The <code>@x402/fetch</code> library does not expose timeout configuration. There is no <code>maxSettlementTimeout</code> parameter you can pass.</li> <li>No reconciliation mechanism exists. Once the facilitator returns a failure, there is no callback, webhook, or polling endpoint to check whether the transaction eventually confirmed.</li> </ol> <h2> What Happens to the Money </h2> <p>This is the question every developer asks first, and the answer is uncomfortable.</p> <p><strong>Scenario 1: Transaction confirms after facilitator timeout.</strong><br> The USDC transfers from the agent's wallet to the resource server's wallet. The resource server never delivered the resource. The agent has no receipt, no data, and no automated way to request a refund. The money sits in the server operator's wallet, and absent any off-chain dispute mechanism, it stays there.</p> <p><strong>Scenario 2: Transaction fails on-chain after facilitator timeout.</strong><br> The transaction reverts. Gas was consumed but the USDC transfer did not execute. The agent lost gas fees (paid by the facilitator in this case, but still a cost to the system) and received no resource. This is the "better" outcome.</p> <p><strong>Scenario 3: Transaction is stuck in mempool indefinitely.</strong><br> Rare, but possible during extreme congestion. The authorization signature may expire (ERC-3009 supports a <code>validBefore</code> timestamp), at which point the transaction becomes unexecutable. No USDC moves. No resource is delivered. The authorization nonce is burned.</p> <p>In all three scenarios, the agent's workflow is broken. If the agent was performing a multi-step task -- research, then analysis, then report generation -- the entire pipeline halts at the payment step. The agent cannot distinguish between "payment failed, retry" and "payment succeeded but confirmation was slow, do not retry or you will pay twice." This ambiguity is the most dangerous aspect of the timeout problem. A naive retry strategy doubles the cost. A conservative no-retry strategy abandons the task entirely. Neither outcome is acceptable for production agent systems.</p> <h2> Related Failure Modes </h2> <p>The timeout race condition is the most severe issue, but it does not exist in isolation. Two related problems compound the risk:</p> <h3> Gas Estimation Failures (Issue #1065) </h3> <p><a href="https://github.com/coinbase/x402/issues/1065" rel="noopener noreferrer">Issue #1065</a> documents intermittent <code>unable to estimate gas</code> errors on the <code>/settle</code> endpoint when paying with USDC on Base mainnet. The reported failure rate is approximately 60% -- identical API requests succeed 40% of the time and fail the rest.</p> <p>The root cause turned out to be a race condition in Coinbase's internal systems: after a wallet signs an ERC-3009 authorization, there is approximately a 1-second propagation delay before the facilitator's verification system recognizes the signature as valid. Payments submitted within that window fail because gas estimation cannot simulate a transaction with an unrecognized authorization.</p> <p>The fix is deceptively simple -- add a 1-second delay between signing and settlement:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Sign the ERC-3009 authorization</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">wallet</span><span class="p">.</span><span class="nf">signTypedData</span><span class="p">(</span><span class="nx">authorizationData</span><span class="p">);</span> <span class="c1">// Wait for Coinbase's internal state propagation</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">resolve</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="mi">1000</span><span class="p">));</span> <span class="c1">// Now submit to the facilitator</span> <span class="kd">const</span> <span class="nx">settlement</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">facilitator</span><span class="p">.</span><span class="nf">settle</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">paymentDetails</span><span class="p">);</span> </code></pre> </div> <p>This is not documented anywhere in the x402 specification or SDK documentation. You discover it by failing in production and reading GitHub issues.</p> <h3> Verify-OK, Settle-Fail (Issue #961) </h3> <p><a href="https://github.com/coinbase/x402/issues/961" rel="noopener noreferrer">Issue #961</a> describes a scenario where the facilitator's <code>/verify</code> endpoint accepts a payment payload, but the subsequent <code>/settle</code> call fails with <code>invalid_payload</code>. Verification creates false confidence -- the developer believes their payload is correctly formatted because it passed verification, but settlement rejects it for reasons the error message does not explain.</p> <p>The discovered fix involved two undocumented requirements:</p> <ul> <li>The <code>name</code> field in the payment extra data must be <code>"USD Coin"</code>, not <code>"USDC"</code> </li> <li>The transaction amount must exceed a minimum threshold of $0.001</li> </ul> <p>Neither requirement is mentioned in the x402 specification. The error message (<code>invalid_payload</code>) provides no indication of which field is wrong or why.</p> <h2> Solution 1: Network-Aware Timeouts </h2> <p>The simplest fix addresses the timeout mismatch directly. If you are running your own facilitator (using the <a href="https://github.com/coinbase/x402/tree/main/examples/typescript/facilitator" rel="noopener noreferrer">x402 facilitator example</a> as a starting point), you can configure network-specific timeout values.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// network-timeouts.ts</span> <span class="c1">// Map chain IDs to appropriate settlement timeout values</span> <span class="kr">interface</span> <span class="nx">NetworkTimingConfig</span> <span class="p">{</span> <span class="cm">/** Maximum time to wait for block confirmation (ms) */</span> <span class="nl">settlementTimeoutMs</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="cm">/** Expected block time under normal conditions (ms) */</span> <span class="nl">expectedBlockTimeMs</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="cm">/** Buffer multiplier for congestion (e.g., 3x = handle 3x normal block time) */</span> <span class="nl">congestionMultiplier</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="cm">/** Delay between signing and settlement submission (ms) */</span> <span class="nl">postSignDelayMs</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">NETWORK_TIMING</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">number</span><span class="p">,</span> <span class="nx">NetworkTimingConfig</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="c1">// Base Mainnet</span> <span class="mi">8453</span><span class="p">:</span> <span class="p">{</span> <span class="na">settlementTimeoutMs</span><span class="p">:</span> <span class="mi">60</span><span class="nx">_000</span><span class="p">,</span> <span class="c1">// 60s -- generous, but safe</span> <span class="na">expectedBlockTimeMs</span><span class="p">:</span> <span class="mi">2</span><span class="nx">_000</span><span class="p">,</span> <span class="na">congestionMultiplier</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">postSignDelayMs</span><span class="p">:</span> <span class="mi">1</span><span class="nx">_000</span><span class="p">,</span> <span class="c1">// Workaround for Issue #1065</span> <span class="p">},</span> <span class="c1">// Base Sepolia (testnet)</span> <span class="mi">84532</span><span class="p">:</span> <span class="p">{</span> <span class="na">settlementTimeoutMs</span><span class="p">:</span> <span class="mi">90</span><span class="nx">_000</span><span class="p">,</span> <span class="c1">// Testnets are slower</span> <span class="na">expectedBlockTimeMs</span><span class="p">:</span> <span class="mi">2</span><span class="nx">_000</span><span class="p">,</span> <span class="na">congestionMultiplier</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="na">postSignDelayMs</span><span class="p">:</span> <span class="mi">1</span><span class="nx">_500</span><span class="p">,</span> <span class="p">},</span> <span class="c1">// Ethereum Mainnet (if supported in future)</span> <span class="mi">1</span><span class="p">:</span> <span class="p">{</span> <span class="na">settlementTimeoutMs</span><span class="p">:</span> <span class="mi">180</span><span class="nx">_000</span><span class="p">,</span> <span class="c1">// 3 minutes for L1</span> <span class="na">expectedBlockTimeMs</span><span class="p">:</span> <span class="mi">12</span><span class="nx">_000</span><span class="p">,</span> <span class="na">congestionMultiplier</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">postSignDelayMs</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="kd">function</span> <span class="nf">getSettlementTimeout</span><span class="p">(</span><span class="nx">chainId</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="kr">number</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="nx">NETWORK_TIMING</span><span class="p">[</span><span class="nx">chainId</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">config</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Default: 60 seconds for unknown networks</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="s2">`No timing config for chain </span><span class="p">${</span><span class="nx">chainId</span><span class="p">}</span><span class="s2">, using 60s default`</span><span class="p">);</span> <span class="k">return</span> <span class="mi">60</span><span class="nx">_000</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">config</span><span class="p">.</span><span class="nx">settlementTimeoutMs</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">getPostSignDelay</span><span class="p">(</span><span class="nx">chainId</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="kr">number</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NETWORK_TIMING</span><span class="p">[</span><span class="nx">chainId</span><span class="p">]?.</span><span class="nx">postSignDelayMs</span> <span class="o">??</span> <span class="mi">1</span><span class="nx">_000</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="p">{</span> <span class="nx">NETWORK_TIMING</span><span class="p">,</span> <span class="nx">getSettlementTimeout</span><span class="p">,</span> <span class="nx">getPostSignDelay</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NetworkTimingConfig</span> <span class="p">};</span> </code></pre> </div> <p>If you are using the CDP-hosted facilitator, you cannot change its internal timeout. But you can wrap your calls with proper timeout handling:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// x402-client-wrapper.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">x402fetch</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@x402/fetch</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">PaymentResult</span> <span class="p">{</span> <span class="nl">success</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">data</span><span class="p">?:</span> <span class="kr">any</span><span class="p">;</span> <span class="nl">settlementStatus</span><span class="p">:</span> <span class="dl">'</span><span class="s1">confirmed</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">timeout_pending</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">failed</span><span class="dl">'</span><span class="p">;</span> <span class="nl">txHash</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">fetchWithSettlementAwareness</span><span class="p">(</span> <span class="nx">url</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">wallet</span><span class="p">:</span> <span class="kr">any</span><span class="p">,</span> <span class="nx">options</span><span class="p">:</span> <span class="p">{</span> <span class="nl">maxRetries</span><span class="p">?:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">chainId</span><span class="p">?:</span> <span class="kr">number</span> <span class="p">}</span> <span class="o">=</span> <span class="p">{}</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">PaymentResult</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">maxRetries</span> <span class="o">=</span> <span class="mi">2</span><span class="p">,</span> <span class="nx">chainId</span> <span class="o">=</span> <span class="mi">8453</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">options</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">attempt</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="nx">attempt</span> <span class="o">&lt;=</span> <span class="nx">maxRetries</span><span class="p">;</span> <span class="nx">attempt</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Add post-sign delay to prevent Issue #1065</span> <span class="kd">const</span> <span class="nx">originalSign</span> <span class="o">=</span> <span class="nx">wallet</span><span class="p">.</span><span class="nx">signTypedData</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="nx">wallet</span><span class="p">);</span> <span class="nx">wallet</span><span class="p">.</span><span class="nx">signTypedData</span> <span class="o">=</span> <span class="k">async </span><span class="p">(...</span><span class="na">args</span><span class="p">:</span> <span class="kr">any</span><span class="p">[])</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">originalSign</span><span class="p">(...</span><span class="nx">args</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">delay</span> <span class="o">=</span> <span class="nf">getPostSignDelay</span><span class="p">(</span><span class="nx">chainId</span><span class="p">);</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">resolve</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">delay</span><span class="p">));</span> <span class="k">return</span> <span class="nx">result</span><span class="p">;</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">x402fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="na">paymentWallet</span><span class="p">:</span> <span class="nx">wallet</span><span class="p">,</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">(),</span> <span class="na">settlementStatus</span><span class="p">:</span> <span class="dl">'</span><span class="s1">confirmed</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// If we get a 402 after payment attempt, the settlement likely timed out</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">402</span> <span class="o">&amp;&amp;</span> <span class="nx">attempt</span> <span class="o">&lt;</span> <span class="nx">maxRetries</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span> <span class="s2">`Settlement may have timed out (attempt </span><span class="p">${</span><span class="nx">attempt</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">maxRetries</span><span class="p">}</span><span class="s2">). `</span> <span class="o">+</span> <span class="s2">`Waiting before retry to avoid double-payment...`</span> <span class="p">);</span> <span class="c1">// Critical: wait long enough for the previous tx to either confirm or fail</span> <span class="kd">const</span> <span class="nx">timeout</span> <span class="o">=</span> <span class="nf">getSettlementTimeout</span><span class="p">(</span><span class="nx">chainId</span><span class="p">);</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">resolve</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">timeout</span><span class="p">));</span> <span class="c1">// TODO: Check on-chain whether the previous payment already settled</span> <span class="c1">// before retrying. Without this check, you risk paying twice.</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">settlementStatus</span><span class="p">:</span> <span class="dl">'</span><span class="s1">failed</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">attempt</span> <span class="o">===</span> <span class="nx">maxRetries</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">settlementStatus</span><span class="p">:</span> <span class="dl">'</span><span class="s1">failed</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">settlementStatus</span><span class="p">:</span> <span class="dl">'</span><span class="s1">failed</span><span class="dl">'</span> <span class="p">};</span> <span class="p">}</span> <span class="k">export</span> <span class="p">{</span> <span class="nx">fetchWithSettlementAwareness</span> <span class="p">};</span> </code></pre> </div> <p>This is a band-aid. It mitigates the symptom but does not solve the architectural problem. For a proper fix, you need a settlement state machine.</p> <h2> Solution 2: Settlement State Machine </h2> <p>The core problem with the current x402 flow is that settlement has only two states: <code>success</code> and <code>failure</code>. In reality, blockchain settlement has at least four:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ┌──────────┐ │ IDLE │ └────┬─────┘ │ submit tx v ┌──────────┐ ┌────────│ PENDING │────────┐ │ └────┬─────┘ │ │ tx reverted │ tx confirmed │ timeout v v v ┌──────────┐ ┌──────────┐ ┌───────────┐ │ FAILED │ │CONFIRMED │ │UNRESOLVED │ └──────────┘ └──────────┘ └─────┬─────┘ │ poll chain v ┌──────────┐ ┌─────│ POLLING │─────┐ │ └──────────┘ │ │ found │ not found v v ┌──────────┐ ┌──────────┐ │CONFIRMED │ │ FAILED │ │(LATE) │ │(ORPHANED)│ └──────────┘ └──────────┘ </code></pre> </div> <p>The <code>UNRESOLVED</code> and <code>POLLING</code> states are what the current x402 specification is missing. Here is a TypeScript implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// settlement-state-machine.ts</span> <span class="kd">type</span> <span class="nx">SettlementState</span> <span class="o">=</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">idle</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">confirmed</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">failed</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">unresolved</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">polling</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">confirmed_late</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">failed_orphaned</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">SettlementRecord</span> <span class="p">{</span> <span class="nl">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">txHash</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="p">;</span> <span class="nl">state</span><span class="p">:</span> <span class="nx">SettlementState</span><span class="p">;</span> <span class="nl">submittedAt</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">resolvedAt</span><span class="p">:</span> <span class="kr">number</span> <span class="o">|</span> <span class="kc">null</span><span class="p">;</span> <span class="nl">chainId</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">amount</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">payer</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">payee</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">pollAttempts</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">maxPollAttempts</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">error</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">SettlementStateMachine</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">records</span><span class="p">:</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">SettlementRecord</span><span class="o">&gt;</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">();</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">pollIntervalMs</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">maxPollDurationMs</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">options</span><span class="p">:</span> <span class="p">{</span> <span class="nl">pollIntervalMs</span><span class="p">?:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">maxPollDurationMs</span><span class="p">?:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="o">=</span> <span class="p">{})</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">pollIntervalMs</span> <span class="o">=</span> <span class="nx">options</span><span class="p">.</span><span class="nx">pollIntervalMs</span> <span class="o">??</span> <span class="mi">5</span><span class="nx">_000</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">maxPollDurationMs</span> <span class="o">=</span> <span class="nx">options</span><span class="p">.</span><span class="nx">maxPollDurationMs</span> <span class="o">??</span> <span class="mi">120</span><span class="nx">_000</span><span class="p">;</span> <span class="c1">// 2 minutes</span> <span class="p">}</span> <span class="cm">/** * Create a new settlement record when a transaction is submitted. */</span> <span class="nf">submit</span><span class="p">(</span><span class="nx">params</span><span class="p">:</span> <span class="p">{</span> <span class="nl">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">txHash</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">chainId</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">amount</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">payer</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">payee</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}):</span> <span class="nx">SettlementRecord</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">maxPollAttempts</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span> <span class="k">this</span><span class="p">.</span><span class="nx">maxPollDurationMs</span> <span class="o">/</span> <span class="k">this</span><span class="p">.</span><span class="nx">pollIntervalMs</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">record</span><span class="p">:</span> <span class="nx">SettlementRecord</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">txHash</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">txHash</span><span class="p">,</span> <span class="na">state</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span><span class="p">,</span> <span class="na">submittedAt</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">(),</span> <span class="na">resolvedAt</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">chainId</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">chainId</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">amount</span><span class="p">,</span> <span class="na">payer</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">payer</span><span class="p">,</span> <span class="na">payee</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">payee</span><span class="p">,</span> <span class="na">pollAttempts</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="nx">maxPollAttempts</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="p">};</span> <span class="k">this</span><span class="p">.</span><span class="nx">records</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">record</span><span class="p">);</span> <span class="k">return</span> <span class="nx">record</span><span class="p">;</span> <span class="p">}</span> <span class="cm">/** * Transition when the facilitator confirms settlement within its timeout. */</span> <span class="nf">confirm</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">SettlementRecord</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">record</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">getRecord</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nf">assertState</span><span class="p">(</span><span class="nx">record</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span><span class="p">]);</span> <span class="nx">record</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">confirmed</span><span class="dl">'</span><span class="p">;</span> <span class="nx">record</span><span class="p">.</span><span class="nx">resolvedAt</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="k">return</span> <span class="nx">record</span><span class="p">;</span> <span class="p">}</span> <span class="cm">/** * Transition when the facilitator times out. * This does NOT mean the transaction failed -- it means we do not know yet. */</span> <span class="nf">markUnresolved</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">error</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">SettlementRecord</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">record</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">getRecord</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nf">assertState</span><span class="p">(</span><span class="nx">record</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span><span class="p">]);</span> <span class="nx">record</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">unresolved</span><span class="dl">'</span><span class="p">;</span> <span class="nx">record</span><span class="p">.</span><span class="nx">error</span> <span class="o">=</span> <span class="nx">error</span><span class="p">;</span> <span class="k">return</span> <span class="nx">record</span><span class="p">;</span> <span class="p">}</span> <span class="cm">/** * Begin polling the chain for transaction status. */</span> <span class="nf">startPolling</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">SettlementRecord</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">record</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">getRecord</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nf">assertState</span><span class="p">(</span><span class="nx">record</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">unresolved</span><span class="dl">'</span><span class="p">]);</span> <span class="nx">record</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">polling</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="nx">record</span><span class="p">;</span> <span class="p">}</span> <span class="cm">/** * Record a poll attempt result. * Returns the updated record with its new state. */</span> <span class="nf">recordPollResult</span><span class="p">(</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">result</span><span class="p">:</span> <span class="p">{</span> <span class="nl">found</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">confirmed</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">reverted</span><span class="p">:</span> <span class="nx">boolean</span> <span class="p">}</span> <span class="p">):</span> <span class="nx">SettlementRecord</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">record</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">getRecord</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nf">assertState</span><span class="p">(</span><span class="nx">record</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">polling</span><span class="dl">'</span><span class="p">]);</span> <span class="nx">record</span><span class="p">.</span><span class="nx">pollAttempts</span><span class="o">++</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">found</span> <span class="o">&amp;&amp;</span> <span class="nx">result</span><span class="p">.</span><span class="nx">confirmed</span><span class="p">)</span> <span class="p">{</span> <span class="nx">record</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">confirmed_late</span><span class="dl">'</span><span class="p">;</span> <span class="nx">record</span><span class="p">.</span><span class="nx">resolvedAt</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="k">return</span> <span class="nx">record</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">found</span> <span class="o">&amp;&amp;</span> <span class="nx">result</span><span class="p">.</span><span class="nx">reverted</span><span class="p">)</span> <span class="p">{</span> <span class="nx">record</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">failed</span><span class="dl">'</span><span class="p">;</span> <span class="nx">record</span><span class="p">.</span><span class="nx">resolvedAt</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="nx">record</span><span class="p">.</span><span class="nx">error</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Transaction reverted on-chain</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="nx">record</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Not found yet -- check if we have exhausted poll attempts</span> <span class="k">if </span><span class="p">(</span><span class="nx">record</span><span class="p">.</span><span class="nx">pollAttempts</span> <span class="o">&gt;=</span> <span class="nx">record</span><span class="p">.</span><span class="nx">maxPollAttempts</span><span class="p">)</span> <span class="p">{</span> <span class="nx">record</span><span class="p">.</span><span class="nx">state</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">failed_orphaned</span><span class="dl">'</span><span class="p">;</span> <span class="nx">record</span><span class="p">.</span><span class="nx">resolvedAt</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="nx">record</span><span class="p">.</span><span class="nx">error</span> <span class="o">=</span> <span class="s2">`Transaction not found after </span><span class="p">${</span><span class="nx">record</span><span class="p">.</span><span class="nx">pollAttempts</span><span class="p">}</span><span class="s2"> poll attempts`</span><span class="p">;</span> <span class="k">return</span> <span class="nx">record</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Still polling</span> <span class="k">return</span> <span class="nx">record</span><span class="p">;</span> <span class="p">}</span> <span class="cm">/** * Get all unresolved settlements that need polling. */</span> <span class="nf">getUnresolved</span><span class="p">():</span> <span class="nx">SettlementRecord</span><span class="p">[]</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[...</span><span class="k">this</span><span class="p">.</span><span class="nx">records</span><span class="p">.</span><span class="nf">values</span><span class="p">()].</span><span class="nf">filter</span><span class="p">(</span> <span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">state</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">unresolved</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">r</span><span class="p">.</span><span class="nx">state</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">polling</span><span class="dl">'</span> <span class="p">);</span> <span class="p">}</span> <span class="cm">/** * Determine the appropriate action for the resource server. * - 'deliver': Settlement confirmed, serve the resource. * - 'wait': Settlement pending or polling, hold the request. * - 'reject': Settlement definitively failed, return 402. */</span> <span class="nf">getAction</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="dl">'</span><span class="s1">deliver</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">wait</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">reject</span><span class="dl">'</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">record</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">records</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">record</span><span class="p">)</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">reject</span><span class="dl">'</span><span class="p">;</span> <span class="k">switch </span><span class="p">(</span><span class="nx">record</span><span class="p">.</span><span class="nx">state</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">confirmed</span><span class="dl">'</span><span class="p">:</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">confirmed_late</span><span class="dl">'</span><span class="p">:</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">deliver</span><span class="dl">'</span><span class="p">;</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span><span class="p">:</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">unresolved</span><span class="dl">'</span><span class="p">:</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">polling</span><span class="dl">'</span><span class="p">:</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">wait</span><span class="dl">'</span><span class="p">;</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">failed</span><span class="dl">'</span><span class="p">:</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">failed_orphaned</span><span class="dl">'</span><span class="p">:</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">idle</span><span class="dl">'</span><span class="p">:</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">reject</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">getRecord</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">SettlementRecord</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">record</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">records</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">record</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Settlement record </span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2"> not found`</span><span class="p">);</span> <span class="k">return</span> <span class="nx">record</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">assertState</span><span class="p">(</span><span class="nx">record</span><span class="p">:</span> <span class="nx">SettlementRecord</span><span class="p">,</span> <span class="nx">expected</span><span class="p">:</span> <span class="nx">SettlementState</span><span class="p">[])</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">expected</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">record</span><span class="p">.</span><span class="nx">state</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="s2">`Invalid state transition: </span><span class="p">${</span><span class="nx">record</span><span class="p">.</span><span class="nx">state</span><span class="p">}</span><span class="s2"> is not in [</span><span class="p">${</span><span class="nx">expected</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">, </span><span class="dl">'</span><span class="p">)}</span><span class="s2">]`</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="p">{</span> <span class="nx">SettlementStateMachine</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">SettlementState</span><span class="p">,</span> <span class="nx">SettlementRecord</span> <span class="p">};</span> </code></pre> </div> <p>The critical difference from the current x402 flow: when the facilitator times out, the resource server does not immediately return a 402. Instead, it transitions the settlement to <code>unresolved</code> and begins polling the chain. If the transaction confirms during polling, the resource is delivered -- just later than ideal. If polling exhausts its attempts without finding the transaction, only then does the server return a definitive failure.</p> <p>This eliminates the "money lost, no data" scenario entirely. The cost is added latency for slow settlements, but that is a far better outcome than lost funds.</p> <h2> Solution 3: Payment Guardian Layer </h2> <p>For production deployments handling significant payment volume, you need more than a state machine. You need a dedicated middleware layer that sits between your agent and the x402 facilitator, providing circuit breaking, retry classification, and automatic recovery.</p> <p>The pattern looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// payment-guardian.ts</span> <span class="kr">interface</span> <span class="nx">GuardianConfig</span> <span class="p">{</span> <span class="cm">/** Chain ID for network-specific behavior */</span> <span class="nl">chainId</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="cm">/** Circuit breaker: open after N consecutive failures */</span> <span class="nl">circuitBreakerThreshold</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="cm">/** Circuit breaker: recovery probe interval (ms) */</span> <span class="nl">circuitBreakerRecoveryMs</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="cm">/** Maximum settlement wait time (ms) */</span> <span class="nl">maxSettlementWaitMs</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="cm">/** Post-sign delay to prevent gas estimation failures (ms) */</span> <span class="nl">postSignDelayMs</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="kd">type</span> <span class="nx">FailureClassification</span> <span class="o">=</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">transient</span><span class="dl">'</span> <span class="c1">// Retry immediately (network blip, rate limit)</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">settlement</span><span class="dl">'</span> <span class="c1">// Retry after polling (timeout race condition)</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">permanent</span><span class="dl">'</span> <span class="c1">// Do not retry (invalid payload, insufficient balance)</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">unknown</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Escalate to operator</span> <span class="kd">function</span> <span class="nf">classifyFailure</span><span class="p">(</span><span class="nx">error</span><span class="p">:</span> <span class="kr">any</span><span class="p">):</span> <span class="nx">FailureClassification</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">message</span> <span class="o">=</span> <span class="k">typeof</span> <span class="nx">error</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">error</span> <span class="p">:</span> <span class="nx">error</span><span class="p">?.</span><span class="nx">message</span> <span class="o">??</span> <span class="dl">''</span><span class="p">;</span> <span class="c1">// Settlement timeout -- the critical case from Issue #1062</span> <span class="k">if </span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">context deadline exceeded</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">settlement</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">did not confirm in time</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">settlement</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Gas estimation failures -- Issue #1065</span> <span class="k">if </span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">unable to estimate gas</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">transient</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Invalid payload -- Issue #961</span> <span class="k">if </span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">invalid_payload</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">permanent</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">invalid_request</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">permanent</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Insufficient balance</span> <span class="k">if </span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">insufficient</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">permanent</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Rate limiting</span> <span class="k">if </span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">429</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">message</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">rate limit</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">transient</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">unknown</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The circuit breaker is essential for preventing cascading failures. If the facilitator is consistently timing out -- perhaps due to Base network congestion -- continuing to submit payments will only drain wallets faster. A circuit breaker stops payment attempts after a threshold of consecutive failures, waits for a recovery period, then probes with a single test transaction before resuming normal operation.</p> <p>Here is how the guardian integrates into an agent's payment flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Usage in an AI agent</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CircuitBreaker</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/x402</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">breaker</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CircuitBreaker</span><span class="p">({</span> <span class="na">failureThreshold</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="c1">// Open after 3 consecutive failures</span> <span class="na">recoveryTimeoutMs</span><span class="p">:</span> <span class="mi">30</span><span class="nx">_000</span><span class="p">,</span> <span class="c1">// Wait 30s before probing</span> <span class="na">halfOpenMaxRequests</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// Allow 1 probe request</span> <span class="p">});</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">agentPayAndFetch</span><span class="p">(</span><span class="nx">url</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">wallet</span><span class="p">:</span> <span class="kr">any</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">any</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">facilitatorUrl</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://x402.coinbase.com</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="nx">breaker</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nx">facilitatorUrl</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// 1. Post-sign delay (prevents Issue #1065)</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="mi">1000</span><span class="p">));</span> <span class="c1">// 2. Attempt payment</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">x402fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="na">paymentWallet</span><span class="p">:</span> <span class="nx">wallet</span><span class="p">,</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">errorText</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">text</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">classification</span> <span class="o">=</span> <span class="nf">classifyFailure</span><span class="p">(</span><span class="nx">errorText</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">classification</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">settlement</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Do NOT count as circuit breaker failure --</span> <span class="c1">// the payment may still confirm on-chain</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">'</span><span class="s1">Settlement timeout detected. Payment may still confirm.</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Trigger async polling (do not block the circuit breaker)</span> <span class="nf">pollForLateConfirmation</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="nx">wallet</span><span class="p">).</span><span class="k">catch</span><span class="p">(</span><span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Payment failed: </span><span class="p">${</span><span class="nx">classification</span><span class="p">}</span><span class="s2"> - </span><span class="p">${</span><span class="nx">errorText</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">pollForLateConfirmation</span><span class="p">(</span> <span class="nx">url</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">wallet</span><span class="p">:</span> <span class="kr">any</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Poll for up to 2 minutes</span> <span class="kd">const</span> <span class="nx">maxAttempts</span> <span class="o">=</span> <span class="mi">24</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">intervalMs</span> <span class="o">=</span> <span class="mi">5</span><span class="nx">_000</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">maxAttempts</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="nx">intervalMs</span><span class="p">));</span> <span class="c1">// Check if the tx confirmed by re-requesting with the same payment</span> <span class="c1">// (a well-implemented server would recognize the already-settled payment)</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-PAYMENT-STATUS-CHECK</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Late confirmation detected -- payment settled successfully</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="c1">// Continue polling</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span> <span class="dl">'</span><span class="s1">Payment may be orphaned. Manual reconciliation required. </span><span class="dl">'</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">Check the transaction on BaseScan.</span><span class="dl">'</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The key architectural decision: settlement timeouts should not count as circuit breaker failures. A timeout means the facilitator was slow, not that it is broken. If you trip the circuit breaker on timeouts, you will stop all payments during network congestion -- exactly when you need payments to work the most (because the congestion will eventually clear and the transactions will confirm).</p> <p>Only count permanent failures (invalid payloads, insufficient balance) and repeated transient failures toward the circuit breaker threshold.</p> <h2> Production Checklist </h2> <p>Before deploying x402 payments in production, verify each of these items:</p> <p><strong>1. Settlement timeout is network-appropriate.</strong><br> The default facilitator timeout is too aggressive for Base under load. If you run your own facilitator, set it to at least 60 seconds. If you use the CDP facilitator, implement client-side settlement polling.</p> <p><strong>2. Post-sign delay is implemented.</strong><br> Add a 1-second delay between ERC-3009 signature generation and settlement submission. Without this, you will see 40-60% gas estimation failures (<a href="https://github.com/coinbase/x402/issues/1065" rel="noopener noreferrer">Issue #1065</a>).</p> <p><strong>3. Token name matches exactly.</strong><br> Use <code>"USD Coin"</code> in the payment extra data, not <code>"USDC"</code>. The facilitator silently rejects mismatched names with an unhelpful <code>invalid_payload</code> error (<a href="https://github.com/coinbase/x402/issues/961" rel="noopener noreferrer">Issue #961</a>).</p> <p><strong>4. Minimum payment threshold is met.</strong><br> The facilitator enforces an undocumented minimum of $0.001 USDC per transaction.</p> <p><strong>5. Circuit breaker protects against cascading failures.</strong><br> Do not let a failing facilitator drain wallets. Implement a circuit breaker with a failure threshold appropriate to your volume.</p> <p><strong>6. Retry logic classifies failure types.</strong><br> Not all failures are retryable. Distinguish between transient failures (retry), settlement timeouts (poll, then retry), and permanent failures (abort).</p> <p><strong>7. Orphaned payment detection exists.</strong><br> Monitor for transactions that confirm on-chain but were reported as failures by the facilitator. This requires comparing your settlement records against on-chain events.</p> <p><strong>8. Wallet balance monitoring is active.</strong><br> Track your agent's USDC balance separately from the x402 flow. If the balance decreases but the facilitator reports no successful settlements, you have orphaned payments.</p> <p><strong>9. Fallback network is configured.</strong><br> If Base settlement is consistently slow, consider Solana as a fallback. Solana confirmation (~400ms) is well within any reasonable facilitator timeout.</p> <p><strong>10. Alerting covers the settlement gap.</strong><br> Set up alerts for: facilitator timeout rate &gt; 5%, gas estimation failure rate &gt; 10%, orphaned payment count &gt; 0, and circuit breaker open events.</p> <h2> Conclusion </h2> <p>The x402 protocol is a genuinely useful piece of infrastructure. It solves a real problem that HTTP has needed solved for thirty years -- embedding payment directly into the request-response cycle. The design is elegant: stateless, web-native, and simple enough that AI agents can interact with it without custom wallet integrations or complex payment orchestration. The protocol has processed over 100 million payments, and the developer experience for the happy path is genuinely excellent. You can go from zero to paid API in under an hour.</p> <p>But the happy path is not where production systems live. Production systems live in the gap between a facilitator's 5-second timeout and a blockchain's 14-second confirmation. They live in the undocumented requirement to name USDC as "USD Coin." They live in the 1-second delay you need between signing and settlement that no documentation mentions.</p> <p>These are solvable problems. The three solutions in this article -- network-aware timeouts, a settlement state machine, and a payment guardian layer -- address them at increasing levels of sophistication. For most deployments, Solution 1 (adjusting timeouts and adding delays) will eliminate the majority of failures. For high-volume or high-value deployments, Solution 2 (the state machine) eliminates the orphaned payment risk entirely.</p> <p>The x402 ecosystem is early. The specification is evolving. <a href="https://github.com/coinbase/x402/issues/651" rel="noopener noreferrer">Issue #651</a> proposes configurable timeouts in the Python SDK. <a href="https://github.com/coinbase/x402/issues/646" rel="noopener noreferrer">Issue #646</a> discusses deadline validation. Base itself is rolling out Flashblocks on testnet, which would reduce block times to 200ms and largely eliminate the timeout problem at the network level.</p> <p>In the meantime, do not deploy x402 without understanding what happens when settlement takes longer than the facilitator expects. The protocol is sound. The infrastructure is maturing. But the gap between "works in development" and "works in production" is measured in edge cases -- and the edge cases documented here will find you before you find them. Your agent's wallet depends on it.</p> <p><em>Have questions about x402 settlement issues or need help debugging payment failures? Find me on X <a href="https://x.com/bayc2043" rel="noopener noreferrer">@bayc2043</a> or check out <a href="https://github.com/paysentry/paysentry" rel="noopener noreferrer">PaySentry</a>, an open-source control plane for AI agent payments that handles circuit breaking, retry classification, and settlement recovery out of the box.</em></p> x402 ai blockchain typescript mkmkkkkk Sat, 07 Feb 2026 04:23:37 +0000 https://forem.com/mkmkkkkk/x402-vs-acp-vs-ap2-why-your-ai-agent-needs-a-payment-control-plane-3mi1 https://forem.com/mkmkkkkk/x402-vs-acp-vs-ap2-why-your-ai-agent-needs-a-payment-control-plane-3mi1 <p>The AI agent payment landscape in 2026 looks a lot like the API gateway landscape in 2015 — multiple competing protocols, zero standardized middleware, and developers stitching together bespoke solutions that break in production. x402 processes over $600 million in annualized volume. Agent Commerce Protocol (ACP) is gaining traction for agent-to-agent transactions. AP2 is positioning itself as the "next-gen" alternative. And Visa TAP is bridging traditional card rails to agentic workflows. Each protocol solves a different slice of the problem. None of them solve the governance problem.</p> <p>Here's the reality: your AI agent can now autonomously negotiate prices, execute payments, and purchase services from other agents — but there's no unified layer to set spending limits, enforce policies, or even observe what's happening in real time. The Model Context Protocol (MCP) gives agents the ability to call external tools, but it has no native payment abstraction. When your agent decides to pay for a service, it's operating without guardrails. And the numbers bear this out — only 1 in 5 enterprises have any form of AI agent governance in place, according to Deloitte's 2026 AI governance survey.</p> <p>This article breaks down the three major agent payment protocols, identifies the gaps each one leaves open, and introduces a middleware approach to solving them — whether you're running x402, ACP, AP2, or all three.</p> <h2> Table of Contents </h2> <ol> <li>The Agent Payment Explosion</li> <li>Protocol Landscape: x402, ACP, AP2, Visa TAP</li> <li>The Middleware Gap</li> <li>PaySentry Architecture</li> <li>Quick Start: Adding PaySentry to an x402 Agent</li> <li>Multi-Protocol Configuration</li> <li>What's Next</li> </ol> <h2> The Agent Payment Explosion </h2> <p>AI agents are no longer just answering questions or writing code — they're autonomously spending money on behalf of users and companies. We're seeing three distinct categories emerge:</p> <ol> <li> <strong>Human-to-agent payments</strong>: User pays agent for service (research, automation, analysis)</li> <li> <strong>Agent-to-service payments</strong>: Agent pays third-party APIs (OpenAI, Anthropic, data providers)</li> <li> <strong>Agent-to-agent payments</strong>: Agents transacting with other agents (still rare, but protocols exist)</li> </ol> <p>x402 alone processes over <strong>$600M in annualized volume</strong> across <strong>15M+ transactions</strong>. The infrastructure is ready. The protocols are battle-tested (mostly). But the governance layer? Barely exists.</p> <p>Agent-to-agent payments are the wild frontier. The protocols are ready before the governance is. No one's asking "what happens when a rogue agent quotes an inflated price?" or "how do we prevent an agent from paying itself in a loop?" We're building the payment rails before we've built the guard rails.</p> <h2> Protocol Landscape </h2> <h3> x402 — HTTP-Native Payments </h3> <p><strong>How it works:</strong> HTTP 402 status code triggers a payment negotiation. The server responds with <code>402 Payment Required</code>, includes payment details in headers, and the client (agent) executes the payment before retrying the request.</p> <p><strong>Strengths:</strong></p> <ul> <li>Simple, web-native protocol</li> <li>Largest transaction volume in production</li> <li>Minimal overhead for microtransactions</li> </ul> <p><strong>Weaknesses:</strong></p> <ul> <li>125+ open issues on <code>coinbase/x402</code> GitHub repo</li> <li> <a href="https://github.com/coinbase/x402/issues/1062" rel="noopener noreferrer">Issue #1062</a>: Payment timeout race conditions causing duplicate charges</li> <li>Retry storms can drain wallets — agents don't know when to stop retrying</li> <li>No built-in spending limits or approval workflows</li> </ul> <p><strong>Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">GET</span> <span class="nn">/api/data</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">api.provider.com</span> HTTP/1.1 402 Payment Required X-Payment-Amount: 0.05 X-Payment-Currency: USDC X-Payment-Facilitator: https://pay.x402.network </code></pre> </div> <p>The agent sees 402, executes the payment, retries the GET. If the network hiccups between payment confirmation and retry, the agent may execute the payment twice. This isn't theoretical — it's documented in issue #1062 and has cost real money.</p> <h3> ACP — Agent Commerce Protocol </h3> <p><strong>How it works:</strong> Structured agent-to-agent payment negotiation with multi-step handshake. Designed for scenarios where agents need to negotiate terms, not just pay a fixed price.</p> <p><strong>Strengths:</strong></p> <ul> <li>Built for multi-agent workflows</li> <li>Supports payment mandates (pre-authorized recurring payments)</li> <li>Richer metadata for compliance and audit trails</li> </ul> <p><strong>Weaknesses:</strong></p> <ul> <li>Early adoption — limited tooling ecosystem</li> <li>Heavier protocol overhead (not ideal for sub-cent microtransactions)</li> <li>Trust model is undefined — how do you verify an agent's payment request is legitimate?</li> </ul> <p><strong>Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"payment_request"</span><span class="p">,</span><span class="w"> </span><span class="nl">"from"</span><span class="p">:</span><span class="w"> </span><span class="s2">"agent://research-agent"</span><span class="p">,</span><span class="w"> </span><span class="nl">"to"</span><span class="p">:</span><span class="w"> </span><span class="s2">"agent://data-provider-agent"</span><span class="p">,</span><span class="w"> </span><span class="nl">"amount"</span><span class="p">:</span><span class="w"> </span><span class="mf">10.00</span><span class="p">,</span><span class="w"> </span><span class="nl">"currency"</span><span class="p">:</span><span class="w"> </span><span class="s2">"USDC"</span><span class="p">,</span><span class="w"> </span><span class="nl">"terms"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"deliverable"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Market analysis dataset"</span><span class="p">,</span><span class="w"> </span><span class="nl">"deadline"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-07T18:00:00Z"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> AP2 — Agent Payment Protocol v2 </h3> <p><strong>How it works:</strong> Next-generation protocol addressing x402's known issues. Better error handling, built-in receipts, explicit settlement confirmation.</p> <p><strong>Strengths:</strong></p> <ul> <li>Lessons learned from x402's production failures</li> <li>Better retry semantics (idempotency keys, explicit timeouts)</li> <li>Protocol-level receipts and settlement proofs</li> </ul> <p><strong>Weaknesses:</strong></p> <ul> <li>Not yet battle-tested at scale</li> <li>Fragmentation risk — if AP2 adoption is slow, we're stuck maintaining two protocols</li> <li>No backward compatibility with x402</li> </ul> <p><strong>Reality check:</strong> AP2 is the "clean slate" approach. It fixes x402's rough edges, but it also fractures the ecosystem. If you're building an agent today, you probably need to support both x402 (for existing services) and AP2 (for forward compatibility).</p> <h3> Visa TAP — Traditional Rails for Agents </h3> <p><strong>How it works:</strong> Virtual card numbers issued per agent. Agent payments flow through existing Visa infrastructure. Merchants see a normal card transaction.</p> <p><strong>Strengths:</strong></p> <ul> <li>Instant merchant acceptance (millions of merchants already accept Visa)</li> <li>Familiar compliance model (PCI DSS, chargebacks, fraud detection)</li> <li>No protocol adoption required on merchant side</li> </ul> <p><strong>Weaknesses:</strong></p> <ul> <li>Not designed for microtransactions (minimum ~$0.50 due to interchange fees)</li> <li>High per-transaction overhead (2-3% + $0.10 fixed fee)</li> <li>Slower settlement (batch processing, not real-time)</li> </ul> <p><strong>Use case:</strong> Visa TAP makes sense for SaaS subscriptions and larger purchases. It's overkill for $0.01 API calls.</p> <h2> The Middleware Gap </h2> <p>Here's what <strong>none</strong> of these protocols provide:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>x402</th> <th>ACP</th> <th>AP2</th> <th>Visa TAP</th> </tr> </thead> <tbody> <tr> <td><strong>Unified observability</strong></td> <td>❌</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> <tr> <td><strong>Spending limits</strong></td> <td>❌</td> <td>❌</td> <td>❌</td> <td>✅ (card limits)</td> </tr> <tr> <td><strong>Policy enforcement</strong></td> <td>❌</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> <tr> <td><strong>Approval workflows</strong></td> <td>❌</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> <tr> <td><strong>Sandbox/test mode</strong></td> <td>❌</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> <tr> <td><strong>Multi-protocol analytics</strong></td> <td>❌</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> <tr> <td><strong>Audit trail</strong></td> <td>Partial</td> <td>✅</td> <td>✅</td> <td>✅</td> </tr> </tbody> </table></div> <p>Every payment system has a sandbox mode — Stripe test mode, PayPal sandbox, Square developer mode. Except agent payments. You're testing with real money or you're not testing.</p> <p><strong>MCP integration gap:</strong> The Model Context Protocol (MCP) lets agents call tools via MCP servers. You can expose a "pay" tool. But MCP has no native payment layer, no concept of spending limits, no approval workflows. An agent can call your payment tool with arbitrary amounts, and MCP will happily pass it through.</p> <p><strong>Compliance pressure:</strong> The EU AI Act enforcement began in 2026. Autonomous financial decisions require audit trails. Only 1 in 5 enterprises have any AI agent governance in place. The other 4 are flying blind — and hoping they don't get audited.</p> <h2> PaySentry Architecture </h2> <p>PaySentry is a <strong>control plane</strong>, not a data plane. It doesn't touch the money. It controls the flow.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ┌─────────────────────────────────────────────┐ │ PaySentry │ │ Agent Payment Control Plane │ └─────────────────────────────────────────────┘ │ ┌─────────────┬───────────────┼───────────────┬──────────────┐ │ │ │ │ │ ┌─────────┐ ┌───────────┐ ┌──────────────┐ ┌─────────┐ ┌──────────┐ │ OBSERVE │ │ CONTROL │ │ PROTECT │ │ TEST │ │ CORE │ │ │ │ │ │ │ │ │ │ │ │ Tracker │ │ Policy │ │ Provenance │ │ MockX402│ │ Types │ │Analytics│ │ Engine │ │ Disputes │ │ MockACP │ │ Utils │ │ Alerts │ │ Rules │ │ Recovery │ │ MockAP2 │ │ Factory │ │ │ │Middleware │ │ │ │Scenarios│ │ │ └─────────┘ └───────────┘ └──────────────┘ └─────────┘ └──────────┘ │ │ │ │ └─────────────┴───────────────┴───────────────┘ │ ┌─────────────────────┼─────────────────────┐ │ │ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ x402 │ │ ACP │ │ AP2 │ │HTTP 402 │ │ Stripe/ │ │Agent-to-│ │Protocol │ │Commerce │ │ Agent │ └─────────┘ └─────────┘ └─────────┘ </code></pre> </div> <h3> Design Philosophy: Control Plane, Not Data Plane </h3> <p>PaySentry doesn't handle the actual payment execution. It sits <strong>before</strong> the payment protocol and decides: allow, deny, require approval, or flag for review. The actual money movement happens through x402/ACP/AP2/TAP as usual — PaySentry just enforces the rules first.</p> <h3> Core Components </h3> <h4> 1. Observer — Real-time transaction stream </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">SpendTracker</span><span class="p">,</span> <span class="nx">SpendAnalytics</span><span class="p">,</span> <span class="nx">SpendAlerts</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/observe</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">tracker</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SpendTracker</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">analytics</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SpendAnalytics</span><span class="p">(</span><span class="nx">tracker</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">alerts</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SpendAlerts</span><span class="p">(</span><span class="nx">tracker</span><span class="p">);</span> <span class="c1">// Alert when daily spend exceeds 80% of $500 budget</span> <span class="nx">alerts</span><span class="p">.</span><span class="nf">addRule</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">daily-budget</span><span class="dl">'</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">budget_threshold</span><span class="dl">'</span><span class="p">,</span> <span class="na">severity</span><span class="p">:</span> <span class="dl">'</span><span class="s1">warning</span><span class="dl">'</span><span class="p">,</span> <span class="na">config</span><span class="p">:</span> <span class="p">{</span> <span class="na">threshold</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span><span class="p">,</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">86400000</span><span class="p">,</span> <span class="c1">// 24 hours</span> <span class="na">alertAtPercent</span><span class="p">:</span> <span class="mf">0.8</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">alerts</span><span class="p">.</span><span class="nf">onAlert</span><span class="p">((</span><span class="nx">alert</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">slack</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`[</span><span class="p">${</span><span class="nx">alert</span><span class="p">.</span><span class="nx">severity</span><span class="p">}</span><span class="s2">] </span><span class="p">${</span><span class="nx">alert</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Every transaction is indexed by agent, service, protocol, and time. You get:</p> <ul> <li>Per-agent spend breakdowns</li> <li>Time-series analytics (hourly/daily/weekly/monthly)</li> <li>Anomaly detection (z-score based)</li> <li>Rate spike detection</li> <li>New recipient alerts</li> </ul> <h4> 2. Controller — Per-agent spending limits, velocity checks, approval workflows </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PolicyEngine</span><span class="p">,</span> <span class="nx">blockAbove</span><span class="p">,</span> <span class="nx">requireApprovalAbove</span><span class="p">,</span> <span class="nx">allowAll</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/control</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">engine</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PolicyEngine</span><span class="p">();</span> <span class="nx">engine</span><span class="p">.</span><span class="nf">loadPolicy</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Production Controls</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">rules</span><span class="p">:</span> <span class="p">[</span> <span class="nf">blockAbove</span><span class="p">(</span><span class="mi">1000</span><span class="p">,</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// Hard block above $1000</span> <span class="nf">requireApprovalAbove</span><span class="p">(</span><span class="mi">100</span><span class="p">,</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// Human approval above $100</span> <span class="nf">allowAll</span><span class="p">(),</span> <span class="c1">// Allow everything else</span> <span class="p">],</span> <span class="na">budgets</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">window</span><span class="p">:</span> <span class="dl">'</span><span class="s1">daily</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAmount</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">window</span><span class="p">:</span> <span class="dl">'</span><span class="s1">monthly</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAmount</span><span class="p">:</span> <span class="mi">5000</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span> <span class="p">},</span> <span class="p">],</span> <span class="na">cooldownMs</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 1 second between transactions</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">engine</span><span class="p">.</span><span class="nf">evaluate</span><span class="p">(</span><span class="nx">transaction</span><span class="p">);</span> <span class="c1">// result.allowed: boolean</span> <span class="c1">// result.action: 'allow' | 'deny' | 'require_approval' | 'flag'</span> </code></pre> </div> <p>Policies are <strong>declarative</strong>. No LLM can override them. If the policy says deny, it's denied. You can version-control policies in YAML or JSON and apply them via GitOps.</p> <p>HTTP middleware for Express/Fastify:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createPolicyMiddleware</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/control</span><span class="dl">'</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/pay</span><span class="dl">'</span><span class="p">,</span> <span class="nf">createPolicyMiddleware</span><span class="p">({</span> <span class="nx">engine</span><span class="p">,</span> <span class="na">approvalHandler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">tx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">approved</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">slack</span><span class="p">.</span><span class="nf">requestApproval</span><span class="p">(</span><span class="nx">tx</span><span class="p">);</span> <span class="k">return</span> <span class="nx">approved</span><span class="p">;</span> <span class="p">},</span> <span class="p">}));</span> </code></pre> </div> <h4> 3. Protector — Prompt injection detection, transaction signing verification, circuit breakers </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">TransactionProvenance</span><span class="p">,</span> <span class="nx">DisputeManager</span><span class="p">,</span> <span class="nx">RecoveryEngine</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/protect</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">provenance</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TransactionProvenance</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">disputes</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DisputeManager</span><span class="p">({</span> <span class="nx">provenance</span> <span class="p">});</span> <span class="c1">// Provenance records every step automatically</span> <span class="nx">provenance</span><span class="p">.</span><span class="nf">recordIntent</span><span class="p">(</span><span class="nx">tx</span><span class="p">,</span> <span class="p">{</span> <span class="na">originalPrompt</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Buy market data</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">provenance</span><span class="p">.</span><span class="nf">recordPolicyCheck</span><span class="p">(</span><span class="nx">tx</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pass</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">policyId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">provenance</span><span class="p">.</span><span class="nf">recordExecution</span><span class="p">(</span><span class="nx">tx</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pass</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">txHash</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0xabc...</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">provenance</span><span class="p">.</span><span class="nf">recordSettlement</span><span class="p">(</span><span class="nx">tx</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="dl">'</span><span class="s1">fail</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Service returned 500</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// File a dispute — provenance is automatically attached as evidence</span> <span class="kd">const</span> <span class="nx">dispute</span> <span class="o">=</span> <span class="nx">disputes</span><span class="p">.</span><span class="nf">file</span><span class="p">({</span> <span class="na">transactionId</span><span class="p">:</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">agentId</span><span class="p">:</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">agentId</span><span class="p">,</span> <span class="na">reason</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Service failed to deliver after payment</span><span class="dl">'</span><span class="p">,</span> <span class="na">requestedAmount</span><span class="p">:</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">amount</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Resolve and recover</span> <span class="nx">disputes</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">dispute</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">resolved_refunded</span><span class="dl">'</span><span class="p">,</span> <span class="na">liability</span><span class="p">:</span> <span class="dl">'</span><span class="s1">service_provider</span><span class="dl">'</span><span class="p">,</span> <span class="na">resolvedAmount</span><span class="p">:</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">amount</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Immutable provenance chain: intent → policy → approval → execution → settlement. When things go wrong, you have the evidence to file disputes and automate recovery.</p> <h4> 4. Protocol Adapter Pattern — Write once, enforce everywhere </h4> <p>PaySentry doesn't care which protocol you use. The policy engine evaluates an <code>AgentTransaction</code> — a protocol-agnostic representation of a payment. Adapters translate protocol-specific details into <code>AgentTransaction</code> objects.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Core transaction type (from @paysentry/core/src/types.ts)</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">AgentTransaction</span> <span class="p">{</span> <span class="k">readonly</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">TransactionId</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">agentId</span><span class="p">:</span> <span class="nx">AgentId</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">recipient</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">amount</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">currency</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">purpose</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">protocol</span><span class="p">:</span> <span class="nx">PaymentProtocol</span><span class="p">;</span> <span class="c1">// 'x402' | 'acp' | 'ap2' | 'stripe'</span> <span class="nl">status</span><span class="p">:</span> <span class="nx">TransactionStatus</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">service</span><span class="p">?:</span> <span class="nx">ServiceId</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">createdAt</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">updatedAt</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">protocolTxId</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">metadata</span><span class="p">:</span> <span class="nb">Readonly</span><span class="o">&lt;</span><span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;&gt;</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Same policy file governs x402, ACP, AP2, and Visa TAP payments. You write the rules once. PaySentry enforces them across all protocols.</p> <h2> Quick Start: Adding PaySentry to an x402 Agent </h2> <h3> Prerequisites </h3> <ul> <li>Node.js 20+</li> <li>An x402-enabled agent (or use the mock for testing)</li> </ul> <h3> Step 1: Install </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @paysentry/core @paysentry/observe @paysentry/control </code></pre> </div> <h3> Step 2: Configure Policy </h3> <p>Create <code>paysentry-policy.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"default"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Default Spend Policy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"rules"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"block-large"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Block transactions above $1000"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="p">,</span><span class="w"> </span><span class="nl">"conditions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"minAmount"</span><span class="p">:</span><span class="w"> </span><span class="mi">1000</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"deny"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"approval-medium"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Require approval above $100"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">20</span><span class="p">,</span><span class="w"> </span><span class="nl">"conditions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"minAmount"</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"require_approval"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"allow-all"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow everything else"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">9999</span><span class="p">,</span><span class="w"> </span><span class="nl">"conditions"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"allow"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"budgets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"window"</span><span class="p">:</span><span class="w"> </span><span class="s2">"daily"</span><span class="p">,</span><span class="w"> </span><span class="nl">"maxAmount"</span><span class="p">:</span><span class="w"> </span><span class="mi">500</span><span class="p">,</span><span class="w"> </span><span class="nl">"currency"</span><span class="p">:</span><span class="w"> </span><span class="s2">"USDC"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"window"</span><span class="p">:</span><span class="w"> </span><span class="s2">"monthly"</span><span class="p">,</span><span class="w"> </span><span class="nl">"maxAmount"</span><span class="p">:</span><span class="w"> </span><span class="mi">5000</span><span class="p">,</span><span class="w"> </span><span class="nl">"currency"</span><span class="p">:</span><span class="w"> </span><span class="s2">"USDC"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"cooldownMs"</span><span class="p">:</span><span class="w"> </span><span class="mi">1000</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Step 3: Wrap Your Agent's Payment Calls </h3> <p><strong>Before PaySentry:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Agent makes payment directly</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.provider.com/data</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-Payment-Amount</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0.05</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">X-Payment-Currency</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p><strong>After PaySentry:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PolicyEngine</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/control</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createTransaction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/core</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">engine</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PolicyEngine</span><span class="p">();</span> <span class="nx">engine</span><span class="p">.</span><span class="nf">loadPolicy</span><span class="p">(</span><span class="nx">policyConfig</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">tx</span> <span class="o">=</span> <span class="nf">createTransaction</span><span class="p">({</span> <span class="na">agentId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">research-agent</span><span class="dl">'</span><span class="p">,</span> <span class="na">recipient</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://api.provider.com/data</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mf">0.05</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span><span class="p">,</span> <span class="na">purpose</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Market data API call</span><span class="dl">'</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="dl">'</span><span class="s1">x402</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">evaluation</span> <span class="o">=</span> <span class="nx">engine</span><span class="p">.</span><span class="nf">evaluate</span><span class="p">(</span><span class="nx">tx</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">evaluation</span><span class="p">.</span><span class="nx">allowed</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`Payment blocked: </span><span class="p">${</span><span class="nx">evaluation</span><span class="p">.</span><span class="nx">reason</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">evaluation</span><span class="p">.</span><span class="nx">action</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">require_approval</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">approved</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">requestHumanApproval</span><span class="p">(</span><span class="nx">tx</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">approved</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Now execute the actual payment</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.provider.com/data</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-Payment-Amount</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0.05</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">X-Payment-Currency</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Record the transaction for analytics</span> <span class="nx">engine</span><span class="p">.</span><span class="nf">recordTransaction</span><span class="p">(</span><span class="nx">tx</span><span class="p">);</span> </code></pre> </div> <h3> Step 4: Sandbox Mode — Test Without Real Money </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">MockX402</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/sandbox</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">x402</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">MockX402</span><span class="p">({</span> <span class="na">latencyMs</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">failureRate</span><span class="p">:</span> <span class="mf">0.1</span> <span class="c1">// 10% simulated failures</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">x402</span><span class="p">.</span><span class="nf">processPayment</span><span class="p">(</span><span class="nx">tx</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Sandbox result: </span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">success</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> </code></pre> </div> <p>Set <code>PAYSENTRY_MODE=sandbox</code> in your environment to route all payments through mock protocols. Test your entire payment flow without spending a cent.</p> <h2> Multi-Protocol Configuration </h2> <p>An agent that uses <strong>x402 for API calls</strong>, <strong>ACP for agent-to-agent payments</strong>, and <strong>Visa TAP for SaaS subscriptions</strong> — all governed by a single policy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PolicyEngine</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/control</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SpendTracker</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@paysentry/observe</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">tracker</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SpendTracker</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">engine</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PolicyEngine</span><span class="p">();</span> <span class="c1">// Single policy governs all protocols</span> <span class="nx">engine</span><span class="p">.</span><span class="nf">loadPolicy</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">multi-protocol</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Multi-Protocol Policy</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">rules</span><span class="p">:</span> <span class="p">[</span> <span class="c1">// x402: Allow microtransactions, block above $10</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">x402-limit</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">priority</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">{</span> <span class="na">protocols</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">x402</span><span class="dl">'</span><span class="p">],</span> <span class="na">minAmount</span><span class="p">:</span> <span class="mi">10</span> <span class="p">},</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">deny</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="c1">// ACP: Require approval for agent-to-agent above $50</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">acp-approval</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">priority</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">{</span> <span class="na">protocols</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">acp</span><span class="dl">'</span><span class="p">],</span> <span class="na">minAmount</span><span class="p">:</span> <span class="mi">50</span> <span class="p">},</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">require_approval</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="c1">// Visa TAP: Block subscriptions above $200/month</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">tap-subscription-limit</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">priority</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">{</span> <span class="na">protocols</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">stripe</span><span class="dl">'</span><span class="p">],</span> <span class="na">minAmount</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">subscription</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">deny</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="na">budgets</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">window</span><span class="p">:</span> <span class="dl">'</span><span class="s1">daily</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAmount</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USDC</span><span class="dl">'</span> <span class="p">},</span> <span class="p">],</span> <span class="p">});</span> <span class="c1">// All transactions flow through the same tracker</span> <span class="nx">tracker</span><span class="p">.</span><span class="nf">record</span><span class="p">(</span><span class="nx">x402Tx</span><span class="p">);</span> <span class="nx">tracker</span><span class="p">.</span><span class="nf">record</span><span class="p">(</span><span class="nx">acpTx</span><span class="p">);</span> <span class="nx">tracker</span><span class="p">.</span><span class="nf">record</span><span class="p">(</span><span class="nx">tapTx</span><span class="p">);</span> <span class="c1">// Unified analytics across all protocols</span> <span class="kd">const</span> <span class="nx">analytics</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SpendAnalytics</span><span class="p">(</span><span class="nx">tracker</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">report</span> <span class="o">=</span> <span class="nx">analytics</span><span class="p">.</span><span class="nf">getAgentAnalytics</span><span class="p">(</span><span class="dl">'</span><span class="s1">my-agent</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">report</span><span class="p">.</span><span class="nx">spendByProtocol</span><span class="p">);</span> <span class="c1">// Map {</span> <span class="c1">// 'x402:USDC' =&gt; { totalAmount: 12.50, transactionCount: 250 },</span> <span class="c1">// 'acp:USDC' =&gt; { totalAmount: 75.00, transactionCount: 3 },</span> <span class="c1">// 'stripe:USD' =&gt; { totalAmount: 149.00, transactionCount: 1 }</span> <span class="c1">// }</span> </code></pre> </div> <p>One audit log. One dashboard. One policy file.</p> <h2> What's Next </h2> <p>PaySentry is open-source (MIT license) and under active development. Here's the roadmap:</p> <ul> <li> <strong>AP2 adapter</strong> (Q1 2026)</li> <li> <strong>Visa TAP integration</strong> (Q2 2026)</li> <li> <strong>Hosted dashboard</strong> (self-hosted option available now, managed version coming)</li> <li> <strong>Prompt injection detection</strong> for payment-triggering context (experimental)</li> </ul> <h3> Get Involved </h3> <ul> <li> <strong>GitHub:</strong> <a href="https://github.com/mkmkkkkk/paysentry" rel="noopener noreferrer">github.com/mkmkkkkk/paysentry</a> </li> <li> <strong>Docs:</strong> <a href="https://paysentry.dev" rel="noopener noreferrer">paysentry.dev</a> <em>(coming soon)</em> </li> <li> <strong>Discord:</strong> <a href="https://discord.gg/paysentry" rel="noopener noreferrer">discord.gg/paysentry</a> <em>(coming soon)</em> </li> <li> <strong>Contributing:</strong> See <code>CONTRIBUTING.md</code> in the repo</li> </ul> <p>We're looking for contributors who've felt the pain of agent payment governance. If you've built a custom solution, battled x402 timeout bugs, or filed disputes with flaky services — we want to hear from you.</p> <h2> Final Thoughts </h2> <p>The agent payment protocols are maturing. x402 has production volume. ACP has the spec. AP2 has the vision. But the middleware layer — the control plane that sits above all of them and enforces sanity — is still wide open.</p> <p>PaySentry is our answer. It's not a protocol. It's not a wallet. It's the missing governance layer that makes agent payments safe, observable, and compliant.</p> <p>If you're building agents that spend money, you need three things:</p> <ol> <li>A payment protocol (x402, ACP, AP2, TAP)</li> <li>A payment control plane (PaySentry)</li> <li>A way to test without burning money (PaySentry sandbox)</li> </ol> <p>The protocols give you the "how". PaySentry gives you the "should we?".</p> <p><strong>Try PaySentry:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @paysentry/core @paysentry/observe @paysentry/control @paysentry/protect @paysentry/sandbox </code></pre> </div> <p><strong>Run the quickstart:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/mkmkkkkk/paysentry.git <span class="nb">cd </span>paysentry npm <span class="nb">install </span>npm run build node examples/quickstart.js </code></pre> </div> <p>See all 4 pillars in action in under 5 minutes.</p> ai payments opensource security