x402: The HTTP Protocol That Lets AI Agents Pay Your Website Directly
x402: The HTTP Protocol That Lets AI Agents Pay Your Website Directly
HTTP 402 has been in the spec since 1996. The status code is literally called "Payment Required." For three decades, every server implementation returned it as a joke, a placeholder, a curiosity. Nobody used it.
In September 2025, Coinbase and Cloudflare changed that. They co-developed x402 — an open standard that finally implements HTTP 402 for real, using on-chain micropayments. Within seven months, it processed over 100 million transactions totaling $24 million. Stripe, Google, Anthropic, and Visa are founding members.
This week, Sam Altman's World project launched AgentKit on top of it — and the developer conversation shifted from "this is interesting" to "this is infrastructure."
Here's what x402 is, how it works, and what it means for your website.
The Problem x402 Solves
AI agents don't have wallets. They don't have credit cards. When an agent needs to access paid API endpoints, premium content, or per-request services, the only current options are:
- Pre-authorized API keys — static, easy to leak, no per-request granularity
- OAuth flows — designed for humans, break in headless agent contexts
- Subscription billing — flat-rate, no usage-based monetization
None of these work well when an AI agent is autonomously browsing the web, making dozens of requests per minute, across sites it's never visited before.
x402 solves this with a simple HTTP handshake.
How x402 Works
The flow looks like this:
1. Agent makes a request to your endpoint
2. Your server returns HTTP 402 with a payment requirement header
3. Agent reads the header, executes an on-chain micropayment
4. Agent retries the request with a payment proof header
5. Your server verifies, serves the content
In HTTP terms:
# Step 2 — server response
HTTP/1.1 402 Payment Required
X-Payment-Required: {"amount": "0.10", "currency": "USDC", "network": "base", "address": "0x..."}
# Step 4 — agent retry
GET /api/data HTTP/1.1
X-Payment: {"txHash": "0x...", "amount": "0.10"}
The average transaction cost is $0.31. Confirmation on Base (Coinbase's L2) is under 2 seconds. From the agent's perspective, it's a blocking call that costs a few hundred milliseconds and a fraction of a dollar.
Implementing x402 on Your API
If you're running a Cloudflare Worker, the x402 library (published jointly by Coinbase and Cloudflare) gives you a middleware wrapper:
import { withX402 } from "@coinbase/x402-cloudflare";
export default {
fetch: withX402(
async (request, env) => {
// Your normal handler — only reached after payment verified
return new Response(JSON.stringify({ data: await fetchPremiumData() }), {
headers: { "Content-Type": "application/json" },
});
},
{
price: "$0.10", // per request price
network: "base", // Coinbase L2
payTo: env.WALLET_ADDRESS // your receiving address
}
)
};
That's it. Every request that hits your worker now requires a valid x402 payment. Agents that support x402 (Claude via MCP, OpenAI agents, Gemini Deep Research) handle this automatically. Human users in a browser get a payment UI. Everyone else gets a 402.
For Node.js / Express:
import { x402Express } from "@coinbase/x402-node";
app.use("/api/premium", x402Express({
price: "$0.05",
network: "base",
payTo: process.env.WALLET_ADDRESS
}));
The World AgentKit Layer: Verifying the Human Behind the Agent
x402 handles payment. But there's a second problem: who authorized this agent?
When an AI shopping agent places an order on your site, you want to know: is there a real human behind this, or is it a bot trying to drain your inventory? This is where World's AgentKit comes in.
AgentKit lets users delegate their World ID (biometric iris verification, 18 million verified users) to an AI agent. The agent carries a cryptographic proof of human authorization. Websites can verify this proof via a simple HTTP header check before or alongside the x402 payment flow.
import { verifyAgentKit } from "@worldcoin/agent-kit";
app.post("/checkout", async (req, res) => {
const humanProof = req.headers["x-world-agent-proof"];
if (humanProof) {
const verified = await verifyAgentKit(humanProof);
if (verified) {
// Legitimate agent with verified human behind it
// Skip CAPTCHA, allow purchase, log as agent traffic
}
}
// Continue with checkout...
});
Within days of AgentKit's launch this week, 1.6 million agents registered. Agentic commerce is already estimated at 25% of US e-commerce and projected to hit $3–5 trillion globally by 2030. The identity layer isn't optional much longer.
x402 vs MPP (Stripe/Tempo)
x402 isn't the only contender. Stripe and Tempo are building MPP (Monetization and Payment Protocol) — a competing standard aimed at the same market, but with Stripe's traditional card-based infrastructure.
The key difference:
| | x402 | MPP | |---|---|---| | Settlement | On-chain (USDC, Base) | Card/ACH | | Latency | ~2 sec | ~2–5 sec | | Minimum viable tx | $0.001 | ~$0.10 (card floor) | | Agent support (today) | MCP-native | Browser/API only | | Requires crypto wallet | Yes | No |
For micropayments below $0.10 — common in per-request API pricing — x402 wins on economics. For commerce transactions in the $10+ range, MPP's card rails are simpler for most teams.
The real answer is: implement both. Several platforms (Cloudflare, Anthropic) already support both.
What This Means for Your Website
You don't have to implement x402 today. But you should understand what's changing:
AI agents are about to become paying customers. If your content, data, or API is valuable, x402 gives you a way to charge for it on a per-request basis — with no signup flow, no OAuth dance, no friction.
Your current free-tier content might start getting hammered. Agents that browse freely today will soon have the infrastructure to pay for premium access. The sites that haven't built a paid tier are leaving money on the table.
Bot detection needs an update. A valid x402 payment + AgentKit World ID proof is the highest-quality signal you can get that a request is legitimate. Your WAF rules should know the difference between a scraper and a paying agent.
Gotchas
- USDC on Base only (for now) — x402 doesn't yet support other chains or fiat
- Agent wallet management is still early — most users run agents with a shared custodial wallet, not per-agent keys; this will evolve
- No standard for refunds — if your agent makes a 402 payment and gets bad data, there's no x402-native chargeback mechanism
- Not a replacement for API keys — for server-to-server integrations with trusted partners, API keys are simpler; x402 is for untrusted/anonymous agent access
Where to Start
- Add an x402-gated endpoint to your API (even one) and see how agent traffic responds. The Cloudflare and Node.js libraries make this a 20-line change.
- Check your AgentSpeed score — if you're already exposing structured APIs and llms.txt, adding x402 is the logical next step toward full agent-readiness.
- Watch Google I/O 2026 — Google is expected to announce "Agent-Ready" search badges, and x402 support is rumored to be a factor in that scoring.
The web got mobile-friendly in 2015 or got left behind in search. Agent-ready is the next inflection. x402 is the payment rail that makes it real.