What x402 actually does
x402 is the missing client half. The protocol shipped in 2025. Here is what a paid request looks like end to end:
- Client calls a paid endpoint with no auth.
- Server returns 402 with a JSON body that includes accepts[], the array of acceptable payment options. Each option carries scheme (exact, upto), network (CAIP-2, e.g. eip155:8453 for Base), amount (atomic units), asset (USDC contract on Base), payTo (recipient wallet), maxTimeoutSeconds, and extra (the EIP-712 domain name and version for the asset).
- Client picks an option. The wallet signs an EIP-3009 TransferWithAuthorization over those exact terms.
- Client base64-encodes the signed payload and replays the request with an X-PAYMENT header.
- Server verifies the signature, settles the transfer on-chain via a facilitator, and serves the response.
The whole flow is HTTP. No new infrastructure. Your existing API gets paid endpoints by emitting a 402. Your client library learns to sign and replay. That is it.
Why now
Agents need a payment primitive that does not require accounts. Stripe and the rest of the SaaS billing stack assume a human is at the door. Wallets do not. A wallet signing typed data is a clean, programmable, account-less primitive that any agent can use.
For the supply side, x402 turns a single endpoint into a paid endpoint with one HTTP middleware. No new vendor relationship. No new contract. No new auth surface. The agentic.market directory indexes the providers so agents can discover them.
I built a paid memory API on top of this. The Coinbase CDP facilitator handles on-chain settlement on Base. The whole round-trip is three seconds.
Watch it move real money: bmdpat.com/memory/demo
What I had to learn the hard way
CDP's V2 facilitator enforces an undocumented minimum payment threshold somewhere between 100 and 1000 atomic USDC. Below the floor, V2 verify rejects with a generic invalid_payload and no message. The V1 endpoint with the same body said "amount is too low." Took three PRs of payload-shape fixes to figure out the body was always fine and the number was the bug. Bumped my prices to a uniform $0.001 per call and the rejections went away.
If you are building on x402 and getting invalid_payload from CDP, the first thing to try is bumping the amount.
What's next
The next problem isn't whether agents can pay. It's giving them a budget.
A typical 4-tool agent loop hits five priced endpoints per turn. A long-running task does this thousands of times a day. A single rogue loop drains a wallet in minutes. Per-tool caps, per-agent budgets, kill switches, spend visibility — that's the next layer.
AgentGuard.
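An added example, not from the original post and not AgentGuard's code: a client-side gate that checks the accepts[] options of a 402 against a network and asset allowlist, a per-call cap, a per-agent budget and a kill switch before the wallet is asked to sign anything. The SpendPolicy class, its field names and the placeholder addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed 402 body with the fields the post lists; addresses are placeholders.
SAMPLE_402 = {"accepts": [
    {"scheme": "exact", "network": "eip155:1", "amount": "10",
     "asset": "0xUSDC_PLACEHOLDER", "payTo": "0xPAYEE_PLACEHOLDER", "maxTimeoutSeconds": 60},
    {"scheme": "exact", "network": "eip155:8453", "amount": "5000000",
     "asset": "0xUSDC_PLACEHOLDER", "payTo": "0xPAYEE_PLACEHOLDER", "maxTimeoutSeconds": 60},
    {"scheme": "exact", "network": "eip155:8453", "amount": "1000",
     "asset": "0xUSDC_PLACEHOLDER", "payTo": "0xPAYEE_PLACEHOLDER", "maxTimeoutSeconds": 60},
]}

@dataclass
class SpendPolicy:            # hypothetical name, not part of any x402 library
    networks: frozenset       # allowed CAIP-2 network ids
    assets: frozenset         # allowed token contracts, lowercase
    max_per_call: int         # cap per payment, atomic units
    budget: int               # total this agent may spend, atomic units
    max_timeout: int = 120    # longest validity window we will sign for, seconds
    spent: int = 0
    killed: bool = False      # kill switch: True blocks every payment

    def _amount_if_ok(self, opt):
        """Return the option's amount if every check passes, else None."""
        try:
            amount, timeout = int(opt["amount"]), int(opt["maxTimeoutSeconds"])
        except (KeyError, TypeError, ValueError):
            return None       # malformed option: never sign it
        ok = (opt.get("scheme") == "exact"   # "upto" is left out of this sketch
              and str(opt.get("network")) in self.networks
              and str(opt.get("asset")).lower() in self.assets
              and 0 < amount <= self.max_per_call
              and 0 < timeout <= self.max_timeout
              and self.spent + amount <= self.budget)
        return amount if ok else None

    def authorize(self, body):
        """Reserve budget for the cheapest acceptable option; None means do not sign."""
        if self.killed:
            return None
        priced = [(self._amount_if_ok(o), o) for o in body.get("accepts") or []
                  if isinstance(o, dict)]
        priced = [(a, o) for a, o in priced if a is not None]
        if not priced:
            return None
        amount, opt = min(priced, key=lambda p: p[0])
        self.spent += amount  # reserve before the wallet signs
        return opt
```

The option returned by authorize() is the only one the wallet should sign; a payTo allowlist per API host would be a natural further check.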
Originally published on bmdpat.com. I run a one-person AI agent company and write about what actually works.