[email protected]+44 20 7961 1560
Hexploits
Contact Us

x402: The Settlement Layer for Autonomous Agents

January 6, 2026

This is Part 3 of our three-part series on the Agentic Commerce Stack. Part 1 covered ACP, Stripe and OpenAI's commerce layer for checkout flows and merchant integration. Part 2 examined AP2, Google's trust framework for authorisation, identity, and mandates. This final instalment explores x402—the settlement layer that moves the money.

Executive Summary

With commerce orchestration handled by ACP and trust guarantees established by AP2, one critical layer remains: actually moving the funds. The x402 protocol—built on the dormant HTTP 402 status code—provides the settlement rail that completes the agentic commerce stack.

This report examines the technical architecture and economic implications of x402 as the settlement layer. We analyse the protocol's three-actor model, its reliance on EIP-3009 gasless transfers, and how it integrates with ACP and AP2 to form a complete payment infrastructure for autonomous agents.

Key findings:

  • x402 collapses the entire payment lifecycle into a single HTTP conversation, enabling sub-3-second settlement
  • The protocol's facilitator architecture abstracts blockchain complexity while maintaining cryptographic trust guarantees
  • Native integration with AP2's authorisation framework via the A2A x402 extension enables seamless handoff from mandate to settlement
  • Current limitations include token support (USDC-only via EIP-3009) and facilitator centralisation risks

The Problem: Payments Were Designed for Humans

When an AI agent needs to access a paid API, purchase compute resources, or retrieve premium data, it encounters systems designed around human limitations and trust assumptions.

Traditional payment infrastructure requires:

  • Identity verification and KYC processes
  • Billing addresses and fraud prevention checks
  • Account creation and credential management
  • Minimum transaction thresholds ($0.25-0.50 per transaction)
  • Multi-day settlement windows

None of these constraints map to autonomous agent requirements. An AI agent executing a complex research task might need to access dozens of paid resources in rapid succession—each requiring sub-second decisions about cost-benefit tradeoffs. The agent cannot fill out forms, wait for approvals, or manage rotating API keys across thousands of concurrent operations.

Gartner predicts that by 2028, 90% of B2B transactions will be intermediated by AI agents, representing over $15 trillion in spend. This creates a $175 billion market opportunity for agent payment infrastructure by 2030, according to industry analysts.

The question is not whether machines will transact autonomously, but which protocols will mediate those transactions.

How x402 Works: The Three-Actor Model

x402 introduces three distinct actors into the payment flow, each with specific responsibilities and trust boundaries.

x402 Payment Flow

1
Client Request
GET /api/resource
2
402 Response
Payment Required
3
Sign & Retry
Payment-Signature header
4
Resource Delivered
200 OK + data

Source: Coinbase Developer Platform Documentation

Actor 1: The Client

The client initiates payment requests—this may be a human developer testing an API, or an autonomous AI agent executing a task. The client's responsibilities are minimal:

  1. Request a resource via standard HTTP
  2. Parse payment requirements from 402 responses
  3. Sign a payment authorisation (off-chain, no gas required)
  4. Retry the request with payment attached

Critically, the client never submits blockchain transactions directly. This is what enables true gasless operation—the client signs a message authorising a specific transfer, but a third party (the facilitator) executes the actual on-chain transaction.

Actor 2: The Resource Server

The resource server provides the API, compute resource, or content being purchased. Its responsibilities include:

  1. Respond with HTTP 402 and payment requirements for protected resources
  2. Validate incoming payment signatures
  3. Request settlement verification from the facilitator
  4. Deliver the resource upon confirmed payment

Server integration is designed to be minimal—Coinbase's documentation describes it as achievable with "1 line for the server, 1 function for the client."

Actor 3: The Facilitator

The facilitator is the critical innovation in x402's architecture. It handles payment verification and on-chain settlement, abstracting blockchain complexity from both clients and servers.

Facilitator responsibilities:

  • Verify cryptographic signatures on payment authorisations
  • Submit transactions to the blockchain via transferWithAuthorization
  • Confirm settlement and return transaction receipts
  • Pay gas fees on behalf of clients

This separation is what enables the protocol to be gasless for end users. The client signs an authorisation message (no gas required), and the facilitator submits the actual blockchain transaction (paying gas from their own reserves).

Coinbase's hosted facilitator processes fee-free USDC payments on Base and Solana networks, providing a zero-cost entry point for developers.

The Payment Flow: 12 Steps in 2 Seconds

The complete x402 payment cycle executes in approximately 2 seconds. Here's the detailed breakdown, based on Avalanche's technical documentation:

Phase 1: Request & Challenge (Steps 1-2)

Step 1: Client sends standard HTTP request to a protected resource.

Step 2: Server responds with HTTP 402 status. The response body contains a JSON payload specifying:

  • Payment amount and recipient wallet address
  • Blockchain network identifier (using CAIP-2 format, e.g., eip155:8453 for Base)
  • Token contract address (typically USDC)
  • Payment scheme (e.g., exact for fixed amounts)
  • Validity window (typically 60 seconds)
  • Facilitator endpoint URL

Phase 2: Authorisation Construction (Step 3)

The client constructs an EIP-712 typed signature authorising the transfer. This message includes:

  • Sender and recipient addresses
  • Transfer amount in base units
  • Validity timeframe (validAfter / validBefore)
  • Random 32-byte nonce (prevents replay attacks)

The authorisation is encoded as base64 and attached to the X-PAYMENT header. No blockchain transaction is submitted at this stage.

Phase 3: Verification & Settlement (Steps 4-10)

Step 4: Client resubmits the original request with the X-PAYMENT header attached.

Steps 5-6: The server (or facilitator) validates the EIP-712 signature, confirming:

  • Signature authenticity against the claimed sender
  • Authorisation structure validity
  • Timestamp within acceptable range
  • Nonce uniqueness (not previously used)

Step 7: Invalid requests receive a new 402 response with error details. Valid requests proceed to settlement.

Steps 8-9: The facilitator submits the signed authorisation to the USDC contract's transferWithAuthorization function. On networks like Solana (400ms finality) or Base (sub-second), confirmation arrives almost immediately.

Step 10: Blockchain confirms the transaction, typically within 1-2 seconds.

Phase 4: Delivery (Steps 11-12)

Step 11: Facilitator returns settlement confirmation including the transaction hash.

Step 12: Server responds with HTTP 200, the requested resource, and an X-PAYMENT-RESPONSE header containing transaction details for client verification.

Total elapsed time: ~2.1 seconds

The Technical Foundation: EIP-3009

x402's gasless operation depends entirely on EIP-3009, a standard proposed by Circle in 2020 specifically for USDC.

The Problem EIP-3009 Solves

Traditional ERC-20 token transfers require a two-step process:

  1. Approve: User sends a transaction authorising a spender (costs gas)
  2. TransferFrom: Spender executes the transfer (costs gas again)

This creates the "gas token problem"—users must hold the network's native token (ETH, SOL, etc.) just to spend their stablecoins. For AI agents, this adds unnecessary complexity and failure modes.

How TransferWithAuthorization Works

EIP-3009 introduces transferWithAuthorization—a function that combines approval and transfer into a single, signature-based operation:

  1. User signs an off-chain message authorising a specific transfer
  2. Any third party (the relayer/facilitator) can submit this signature to the contract
  3. The contract validates the signature and executes the transfer atomically
  4. The submitter pays gas; the user pays nothing beyond the transfer amount

This is fundamentally different from EIP-2612 (permit), which only authorises an approval. EIP-3009 authorises the complete transfer, making it ideal for payment flows where you want atomic, gasless execution.

Current Limitations

The critical constraint: only USDC natively supports EIP-3009. This severely limits token choice and creates dependency on Circle's stablecoin infrastructure.

Additionally, Polygon's bridged USDC uses an incompatible implementation, restricting x402 to native USDC deployments on supported networks.

Completing the Stack: x402 as Settlement Layer

As we've explored throughout this series, the agentic commerce stack comprises three complementary layers:

ProtocolDeveloperLayerFocus
ACPStripe + OpenAICommerceCheckout flows, merchant integration
AP2Google + 60 partnersTrustAuthorisation, identity, mandates
x402Coinbase + CloudflareSettlementOn-chain payment execution

Part 1 demonstrated how ACP handles the commerce lifecycle—product discovery, cart management, and checkout orchestration. Part 2 showed how AP2's Verifiable Credentials establish cryptographic proof of user authorisation through Intent, Cart, and Payment Mandates.

Where x402 Fits

x402 operates as the settlement rail that executes the final step. Once ACP has orchestrated the checkout and AP2 has established what the agent is authorised to purchase, x402 handles the actual movement of funds via USDC.

Google has explicitly integrated x402 via the "A2A x402 extension"—a production-ready bridge between AP2's authorisation framework and x402's stablecoin settlement. When an agent presents a Payment Mandate authorised under AP2, x402 can verify the mandate and execute the corresponding transfer in a single HTTP conversation.

Key Ecosystem Partners

Coinbase
Protocol Creator
Cloudflare
Infrastructure
Anthropic
AI Integration
AWS
Cloud Support
Google
A2A Extension
Solana
L1 Network

Source: x402 Foundation, company announcements

Adoption Metrics: Protocol Traction

75M+
Transactions (30 days)
x402.org Dashboard
10,780%
Monthly Growth (Oct '25)
Dune Analytics
40+
Ecosystem Partners
x402 Foundation
$30T
Agentic Economy by 2030
Gartner

The numbers demonstrate meaningful adoption, though context is important:

Transaction Volume

According to Dune Analytics data, x402 processed nearly 500,000 transactions between October 14-20, 2025—a 10,780% increase compared to four weeks earlier. The x402.org dashboard shows over 75 million transactions in the trailing 30-day period.

x402 Transaction Growth (Millions)

May - October 2025

Source: x402.org, Coinbase Developer Platform

Ecosystem Development

The x402 Foundation, announced in September 2025 by Coinbase and Cloudflare, has attracted over 40 partners spanning:

  • Infrastructure: Cloudflare, AWS, Google Cloud
  • AI Platforms: Anthropic (via MCP integration)
  • Payment Networks: Visa (Trusted Agent Protocol), Circle
  • Blockchains: Base, Solana, Polygon, Avalanche, Sui, NEAR

Key Milestones

DateEvent
May 2025Coinbase launches x402 with AWS, Anthropic, Circle, NEAR
July 2025Cloudflare integrates x402 across infrastructure
September 15, 2025Google announces AP2 with x402 extension
September 23, 2025x402 Foundation announced
October 2025Visa announces x402 support via Trusted Agent Protocol

Technical Considerations for Implementation

Payment Schemes: Beyond "Exact"

x402 launches with the exact scheme—transferring a fixed amount for a resource (e.g., $0.01 per API call). The protocol architecture supports additional schemes:

  • upto: Transfer up to a maximum based on resource consumption (useful for LLM inference priced per token)
  • subscription: Recurring authorisations for ongoing access
  • Custom schemes: The plugin-driven SDK allows developers to implement domain-specific payment logic

Each scheme requires separate implementation per blockchain—"the way you need to implement exact on Ethereum is very different from the way you need to implement exact on Solana."

V2 Improvements

x402 V2 introduces several architectural refinements:

Wallet-Based Sessions: Clients can authenticate via wallet signature, skipping full payment flows for repeated access to previously-purchased resources. This reduces latency for high-frequency applications.

Automatic Discovery: The Bazaar extension allows facilitators to automatically index endpoints, keeping pricing and routing metadata current without manual configuration.

Lifecycle Hooks: Developers can inject custom logic at key points—before/after payment, before/after settlement. This enables conditional routing, custom metrics, and failure recovery.

Multi-Facilitator Support: Clients can express preferences ("prefer Solana", "only use USDC") with the SDK automatically selecting optimal routes.

Security Considerations

Replay Protection: Each payment authorisation includes a unique 32-byte nonce. The blockchain contract tracks used nonces, preventing double-spending.

Front-Running Risk: For contract-to-contract integrations, Circle recommends using receiveWithAuthorization instead of transferWithAuthorization. This adds a check ensuring the caller is the intended payee, preventing attackers from extracting and front-running authorisations from the mempool.

Facilitator Trust: While the protocol minimises trust requirements—facilitators cannot move funds beyond client authorisation—most implementations depend on centralised facilitators. This introduces availability risk if the facilitator experiences downtime.

Cost Comparison: Traditional vs x402

Transaction Fee Comparison

Cost per $1 transaction (cents)

Note: x402 costs are orders of magnitude lower (shown at minimum visible scale)

The economic case for x402 becomes compelling at scale:

Payment MethodCost per $1 TransactionSettlement Time
Credit Card$0.30 + 2.9%1-3 days
ACH$0.25-0.503-5 days
PayPal$0.30 + 2.9%Instant-1 day
x402 (Base)~$0.001~2 seconds
x402 (Solana)~$0.00025~2 seconds

For a system making 1 million API calls per month at $0.01 each:

  • Traditional payment processing: $3,000+ in fees (impossible due to minimums)
  • x402 on Solana: ~$250 in network costs

This 10-100x cost reduction unlocks business models that were economically unviable under traditional payment infrastructure.

Implications for Enterprise AI Deployments

For organisations building agentic AI systems, x402 addresses several operational challenges:

Cost Attribution

Every x402 transaction is tied to a specific HTTP request. Organisations can attribute AI spending to specific agents, tasks, or business units with precision impossible under subscription models. This enables true pay-per-use economics with granular cost accounting.

Vendor Flexibility

Agents aren't locked into pre-negotiated contracts. They can access the optimal resource for each task—whether that's a specific LLM, data source, or compute provider—based on real-time requirements and pricing.

Security Simplification

Eliminating API keys removes a significant attack surface. Wallet-based identity provides cryptographic authentication without the operational overhead of credential rotation. The agent's spending authority is bounded by its wallet balance, providing natural rate limiting.

Procurement Velocity

New AI capabilities can be accessed instantly without procurement cycles. An agent that discovers a useful API can begin using it immediately, paying per-request rather than negotiating enterprise agreements.

The Complete Stack: What This Means

Throughout this series, we've traced the full architecture of agentic commerce:

  1. ACP enables agents to navigate commerce—discovering products, managing carts, and orchestrating checkout flows through Stripe's established merchant infrastructure.

  2. AP2 establishes trust—cryptographic mandates that prove an agent is authorised to act, solving the "who approved this?" problem that enterprises require.

  3. x402 settles the transaction—moving USDC in sub-3-seconds via a single HTTP conversation, with costs 10-100x lower than traditional payment rails.

Together, these protocols form the infrastructure layer for a projected $1.7 trillion agentic commerce market by 2030.

For API providers: x402 offers a new monetisation path—per-request pricing without the overhead of subscription management, usage tracking, or payment processing integration.

For AI platform builders: Native payment capabilities become a competitive differentiator. Agents that can autonomously acquire resources will outperform those requiring human intervention for every paid interaction.

For enterprises: The complete stack—ACP for commerce, AP2 for trust, x402 for settlement—enables deploying agents with bounded financial authority, capable of spending within predefined limits without human approval.

The HTTP 402 status code waited three decades for its purpose. The machine economy has finally arrived to claim it.

This concludes our three-part series on the Agentic Commerce Stack. Read Part 1: ACP and Part 2: AP2 for the complete picture.

Hexploits specialises in AI infrastructure, agent architectures, and autonomous system design. If you're building systems that require programmatic payment capabilities, we should talk.