x402 — HTTP 402 Payment Protocol
x402 is the leading candidate for the agent-economy payment rail: it lets an AI agent (or any HTTP client) pay for an API call inline, with no API key, no signup, and no human-in-the-loop. If you're building agentic apps, paid MCP servers, per-request data products, or anything where "charge for this request without a session" matters, x402 is the standard to know — supported by Coinbase, Cloudflare, Vercel AI Gateway, and a growing facilitator ecosystem.
What It Defines
Open protocol from Coinbase that operationalizes the long-dormant HTTP 402 Payment Required status code for machine-to-machine commerce. A resource server returns 402 with an `accepts` array describing payment requirements (scheme, network, asset, max amount, pay-to address, resource URL, nonce). The client picks a requirement, constructs a payload (e.g. an EIP-3009 transferWithAuthorization signature for the "exact" scheme on EVM chains, or an SPL Token authorization on Solana), and replays the request with an `X-PAYMENT` header carrying the base64-encoded JSON. The server forwards the payload to a pluggable Facilitator that verifies and broadcasts the on-chain settlement, then returns the resource plus an `X-PAYMENT-RESPONSE` settlement receipt. Chain- and asset-agnostic; the reference flow is USDC on Base.
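The server side of the flow just described, as an added example in Python that is not the x402 project's own code: the resource handler returns 402 with `accepts`, decodes the replayed request's `X-PAYMENT` header, checks the EIP-3009 authorization against its own requirement (payee, exact amount, validity window), refuses reused nonces, and only then hands the payload to a pluggable facilitator. The JSON envelope, field names such as `maxAmountRequired` and `payTo`, the facilitator's return shape and all addresses are assumptions constructed for this example.

```python
import base64
import json

# Constructed requirement for the "exact" scheme, USDC on Base. Envelope and field
# names are assumptions for this example; the authorization fields are EIP-3009's.
ACCEPTS = [{"scheme": "exact", "network": "base", "asset": "USDC",
            "maxAmountRequired": "10000",             # 0.01 USDC in 6-decimal units
            "payTo": "0xSELLER_ADDRESS_PLACEHOLDER",  # placeholder, not a real address
            "resource": "https://api.example/weather"}]
SEEN_NONCES = set()  # each EIP-3009 authorization may settle exactly once

def decode_x_payment(header):
    """Decode the base64 JSON X-PAYMENT header; malformed input yields None."""
    try:
        obj = json.loads(base64.b64decode(header, validate=True))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None

def encode_x_payment(obj):
    return base64.b64encode(json.dumps(obj).encode()).decode()

def satisfies(payload, req, now):
    """Validate the client's payload against the server's own requirement, not the reverse."""
    auth = payload.get("payload", {}).get("authorization", {})
    try:
        return (payload.get("scheme") == req["scheme"]
                and payload.get("network") == req["network"]
                and auth["to"] == req["payTo"]                            # paid to us
                and int(auth["value"]) == int(req["maxAmountRequired"])   # exact amount
                and int(auth["validAfter"]) <= now < int(auth["validBefore"]))  # in window
    except (KeyError, TypeError, ValueError, AttributeError):
        return False

def handle_request(headers, facilitator, now):
    """Resource handler: 402 + accepts until a valid payment settles, then 200 + receipt."""
    raw = headers.get("X-PAYMENT")
    payload = decode_x_payment(raw) if raw else None
    req = next((r for r in ACCEPTS if payload and satisfies(payload, r, now)), None)
    if req is None:
        return 402, {}, {"accepts": ACCEPTS, "error": "payment required"}
    nonce = payload["payload"]["authorization"].get("nonce")
    if not isinstance(nonce, str) or nonce in SEEN_NONCES:  # replay: refuse before settling
        return 402, {}, {"accepts": ACCEPTS, "error": "missing or reused nonce"}
    receipt = facilitator(payload, req)  # pluggable: verifies signature, broadcasts on-chain
    if not receipt.get("success"):
        return 402, {}, {"accepts": ACCEPTS, "error": "settlement failed"}
    SEEN_NONCES.add(nonce)
    return 200, {"X-PAYMENT-RESPONSE": encode_x_payment(receipt)}, {"forecast": "sunny"}
```

The `facilitator` argument is whatever verifies the signature and broadcasts settlement; the handler never serves the resource, or marks a nonce as spent, until that call reports success.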
Related References
Coinbase is the publisher and primary maintainer of the open x402 protocol, an HTTP 402–based payment standard for machine-payable APIs and AI agents. Coinbase also operates a reference x402 facilitator on the Coinbase Developer Platform (CDP) that settles stablecoin payments on Base, Solana, and other chains. The spec is open-source and chain-agnostic; the facilitator role is pluggable.
Related Specs
If you're returning 402 — or shopping for a way to monetize an API or MCP server — the spec hands you the code and nothing else. The meaning lives entirely in whatever protocol you layer above it: x402 (stablecoins, X-PAYMENT header), L402 (Lightning, WWW-Authenticate macaroon+invoice), or your own. Knowing that 402 itself is a blank canvas is the difference between shipping an interoperable agent-payable endpoint and a 402 response no client can negotiate against.
This is the core contract of every web API, browser request, and server response. You can't design or debug HTTP without knowing this.
EIP-3009 is the gasless transfer primitive USDC uses on Ethereum and Base. It's the on-chain mechanism behind the x402 "exact" scheme: the buyer signs an authorization, the seller (or facilitator) submits it on-chain to settle. If you're building anything that spends USDC on behalf of a user without them paying gas, this is the spec.
EIP-2612 is how DEXes, lending protocols, and meta-tx relayers achieve gasless approvals. If you're integrating ERC-20s into any UX where the user shouldn't need ETH first, permit() is the canonical solution. DAI, USDC, and most modern stablecoins implement it.
EIP-712 is the standard for typed, structured off-chain message signing used in permit() flows, meta-transactions, and Sign-In with Ethereum. Because wallets can display the typed fields instead of an opaque hash, it mitigates blind-signing attacks.
EIP-4337 is the deployed standard powering smart wallets across Base, Optimism, Arbitrum, and Polygon (Coinbase Smart Wallet, Safe{Core}, Biconomy, Pimlico, Alchemy AA). Required knowledge for building AI agents that pay gas through Paymasters, gasless onboarding flows, and any wallet experience that doesn't start with "buy ETH first."
ERC-20 is the most widely deployed standard in the Ethereum ecosystem. Every DeFi integration, exchange, and wallet interacts with ERC-20 tokens constantly.
JSON is the lingua franca of web APIs. RFC 8259 is short and worth reading once — it clarifies edge cases around numbers, encoding, and trailing commas.
L402 is the Bitcoin-native counterpart to x402: same HTTP 402 surface, but settled off-chain on Lightning instead of on-chain via stablecoins. Useful when you need true micropayments (sub-cent), instant finality without facilitators, and Bitcoin economics. Powers paid LLM access (e.g. Fewsats), paid storage gateways, and a small but real ecosystem of metered Lightning APIs.