AgentPMT - The Agentic Economy
HTTP 402 Is Back: Building Pay-Per-Call APIs for Agents

HTTP 402 Is Back: Building Pay-Per-Call APIs for Agents

By Stephanie GoodmanFebruary 15, 2026

The HTTP status code reserved since 1997 finally has a job. Here is how x402 turns a 30-year placeholder into the payment layer for autonomous agents -- and what it means for every API that wants to get paid at machine speed.

Successfully Implementing AI AgentsAI Powered InfrastructureAgentPMTAI MCP Tool ManagementAgentic Payment SystemsSecurity In AI Systems

In October 2025, the x402 protocol processed roughly 46,000 transactions in a week. Four weeks later, that number was nearly 500,000 -- a 10,780% surge, according to Dune Analytics. By the end of November, weekly volume had crossed one million. As of early 2026, the protocol has facilitated over $600 million in total payment volume, with facilitators like Dexter, PayAI, and DayDreams each processing more than ten million transactions.

All of this runs on top of a single HTTP status code that sat unused for almost three decades. HTTP 402 -- Payment Required -- was reserved in the original HTTP/1.1 specification in 1997. The MDN documentation still calls it "a nonstandard response status code reserved for future use." The original intent was to support digital cash and micropayment schemes. None materialized. The code sat dormant while the web found other ways to charge for things: cookies, API keys, OAuth tokens, subscription paywalls, and a mountain of invoicing infrastructure that assumed a human was always somewhere in the loop.

That assumption is the one that broke. When your customer is an autonomous agent making four hundred API calls at 3 a.m., the loop has no human in it. And the payment infrastructure designed around human decision-making -- authorization flows, card-on-file, net-30 invoicing -- cannot keep up with a buyer that operates in milliseconds.

This is the gap that x402 fills -- not as a theoretical protocol, but as a working payment layer already processing hundreds of millions of dollars on Base and Solana. AgentPMT's x402Direct integration was built for exactly this use case: agents discover tools through DynamicMCP, pay per call through x402, and operators set budget limits without touching payment infrastructure directly.

The 28-Year Warm-Up Act

HTTP 402 has one of the longest gestation periods in internet history. When the HTTP/1.1 working group defined the 4xx client error codes in the late 1990s, they reserved 402 explicitly for future digital payment systems. The language in RFC 7231 is almost poetic in its restraint: the code "is reserved for future use." No behavior was defined. No headers were specified. No one could agree on what internet-native payments should look like, so the code sat on the shelf.

It was not for lack of trying. Several micropayment proposals surfaced over the years -- GNU Taler, W3C Web Payments working groups, and multiple cryptocurrency-adjacent attempts. They all hit the same wall: credit card minimums made sub-dollar transactions irrational, processing fees ate the revenue, and nobody could solve the chicken-and-egg problem of getting both buyers and sellers onto a new rail simultaneously.

What changed is not the idea. It is the buyer. When the consumer is a human, payment friction is tolerable. When the consumer is an autonomous agent making hundreds of tool calls per session, payment friction is a failure mode. An agent that pauses for human approval on a $0.003 call is not doing useful work. Agentic AI created the demand that HTTP 402 was always waiting for: a class of buyers that needs payments to be programmatic, instant, and embedded in the request itself.

Coinbase launched x402 in May 2025 to fill this gap. Rather than proposing a new protocol from scratch, they built on the existing HTTP status code, turning 402 from a placeholder into a functioning payment primitive. Payment becomes just another step in the HTTP conversation, not a side channel or a redirect to a third-party billing page.

How x402 Works at the Protocol Level

The x402 payment flow condenses the entire lifecycle -- pricing, authorization, settlement, and delivery -- into a single HTTP request-response cycle that completes in roughly two seconds. Here is what actually happens.

Step 1: The client requests a resource. A standard HTTP GET or POST with no special headers. The client does not need to know in advance whether payment is required.

Step 2: The server returns 402 Payment Required. Unlike the vague "reserved for future use" of the original spec, x402 defines exactly what this response contains. The server sends a structured JSON payload with payment terms: the amount required, the asset to pay in (typically USDC), the recipient address, the blockchain network (Base, Solana, or others), a timeout window, and critically, a nonce -- a unique identifier that ties this specific payment request to this specific resource request.

Step 3: The client signs a payment authorization. This is where x402 diverges from traditional payment flows. The client does not submit a blockchain transaction. Instead, it constructs an EIP-712 typed data signature that authorizes the transfer. The signed payload includes the payer address, recipient address, amount, validity timestamps (validAfter and validBefore), and the nonce from step 2. The client includes this signature in the X-PAYMENT header of a retry request. The signature is gasless -- the client pays nothing to create it.

Step 4: A facilitator verifies and settles. The server forwards the signed authorization to a facilitator service. The facilitator validates the signature, checks the nonce, confirms the timestamps, and then submits the authorization to the blockchain using USDC's transferWithAuthorization function (ERC-3009). The facilitator pays the gas. The payer never touches the blockchain directly.

Step 5: The server delivers the resource. Once settlement confirms, the server returns the requested content along with an X-PAYMENT-RESPONSE header containing the transaction hash, network, and payer address. The client has proof of payment. The server has proof of delivery. The whole exchange lives in standard HTTP.

This architecture is what makes x402 agent-native. An AI agent does not need a browser, a session, an account, or a stored credential. It needs a wallet that can sign EIP-712 messages and the ability to read a 402 response. That is it.

The Nonce Is the Whole Security Model

If there is one piece of the x402 flow that engineers implementing pay-per-call APIs need to internalize, it is the nonce lifecycle. Every other security property -- replay prevention, double-spend protection, request binding -- derives from the nonce.

A nonce in x402 is not just a random number to prevent replay attacks. It is a one-time binding between a payment authorization and a specific request. When the server issues a 402 response, the nonce it includes ties that payment requirement to that specific resource request at that specific moment. When the client signs a payment authorization with that nonce, the authorization is only valid for that exact context. Submit the same signature with a different request body and the facilitator rejects it. Submit it after the timeout window and it expires. Submit it twice and the blockchain's transferWithAuthorization function rejects the duplicate because the nonce has already been consumed on-chain.

This is the critical distinction from API-key-based billing. An API key is a static credential that authorizes unlimited calls until revoked. A nonce-bound payment authorization is a single-use token that authorizes exactly one call for exactly the agreed amount. The security surface is fundamentally smaller.

For developers building 402-enabled endpoints, this means nonce management is not optional plumbing -- it is the core of the trust model. Nonces need short expiry windows (sixty seconds is the x402 default). State transitions should be explicit: issued, presented, verified, consumed. And if you are running multiple server instances, nonce state must be shared. Otherwise, a retry on a different server becomes an unintentional replay.

The Economics of Sub-Cent Transactions

The reason HTTP 402 sat unused for decades was not that nobody wanted micropayments. It was that nobody could make them economically viable. Credit card processing has a floor -- typically $0.30 plus 2.9% per transaction. A $0.01 API call processed through Stripe costs $0.30 in fees. You would need to sell thirty calls just to break even on the payment processing for one.

Layer 2 blockchain networks changed this math. On Base, a typical transaction costs under $0.01 in gas -- often closer to $0.001. And with x402, the client does not even pay gas directly; the facilitator does. Coinbase offers a hosted facilitator with a free tier of 1,000 transactions per month. Even beyond the free tier, the economics of L2 settlement make sub-cent transactions viable in a way that was structurally impossible on traditional payment rails.

The comparison is stark. Process a thousand $0.01 API calls through credit card rails and you spend $300 in processing fees to collect $10 in revenue. Process the same thousand calls through x402 on Base and your settlement cost is under a dollar. That is not an incremental improvement. It is the difference between a business model that works and one that requires charitable donors.

This is why Ethereum's EIP-4844 (proto-danksharding) matters to anyone building pay-per-call APIs, even if you never think about blockchain infrastructure. By slashing L2 data posting costs by 50-90%, it pushed the break-even point for micropayments down to fractions of a cent. The infrastructure layer finally supports the transaction size that agents generate.

Building a 402-Enabled API Endpoint

If you are a developer who wants to accept x402 payments, the implementation is more straightforward than you might expect. The x402 reference SDK abstracts most of the blockchain interaction, but understanding the flow helps you make better design decisions.

Your server needs to do four things. First, define pricing for each endpoint. This means setting a price in USDC (or another supported stablecoin), specifying which networks you accept payment on, and configuring your payment address. Second, return a properly formatted 402 response when an unauthenticated request arrives. The response must include the payment terms, a unique nonce, and a timeout. Third, validate the X-PAYMENT header on retry requests by forwarding the payment payload to a facilitator for verification and settlement. Fourth, deliver the resource once the facilitator confirms settlement, including the transaction hash in the X-PAYMENT-RESPONSE header.

The V2 specification, released in December 2025, simplified this further. All payment data now lives in HTTP headers, freeing the response body for the actual 402 status message. V2 also introduced a formal extensions system, multi-chain support via CAIP standards, dynamic payment routing (so you can specify per-request recipients), and a discovery mechanism that lets facilitators crawl your endpoints for payment metadata.

For teams building on AgentPMT's infrastructure, x402Direct handles the facilitator role. When an agent using DynamicMCP encounters a paid tool, x402Direct manages the payment verification and settlement loop -- the agent signs, x402Direct verifies and settles, and the tool delivers. The agent does not need an account, a stored API key, or a pre-existing relationship with the tool provider. It needs a wallet and a budget policy.

Dispute Resolution When Settlement Is Final

Stablecoin settlement on blockchain has a property that makes traditional payment architects nervous: finality. When a credit card transaction settles, there is a chargeback window -- typically 60-120 days -- during which the buyer can dispute the charge. This is annoying for merchants but provides a safety net for buyers. On-chain settlement has no chargeback mechanism. Once transferWithAuthorization executes, the money has moved.

This is actually an advantage for pay-per-call APIs, not a problem. Chargebacks on $0.01 transactions are absurd -- the administrative cost of a dispute exceeds the transaction value by orders of magnitude. But it does mean that dispute resolution moves from the payment layer to the application layer.

In practice, this means building explicit refund and credit mechanisms into your API contract. If a tool call fails after payment, the server needs a defined path to issue a credit. If the response does not meet the agreed specification, the client needs a way to flag the discrepancy. These are product decisions, not payment infrastructure decisions -- and they are better made explicitly than inherited from a chargeback system designed for $200 sneaker purchases.

AgentPMT's credit system handles this by intermediating the transaction. When an agent pays credits for a tool call and the call fails, the credits are returned automatically. The finality of the underlying stablecoin settlement between AgentPMT and the tool provider does not create finality for the agent -- the credit layer provides the refund mechanism that on-chain settlement lacks. x402Direct handles the stablecoin movement; the credit system handles the trust relationship.

What This Means for API Developers

If you sell access to any capability -- data, compute, transformation, intelligence -- x402 eliminates the billing infrastructure standing between your API and every autonomous agent that wants to use it. No API key provisioning. No subscription tiers. No invoice reconciliation. The agent calls your endpoint, your server returns a 402, the agent pays, and you deliver. The entire customer acquisition cost for agent buyers drops to the cost of documenting your endpoint.

AgentPMT's marketplace already operates on this model. Tool providers list once, set per-call pricing, and every agent across every platform can discover and pay through DynamicMCP and x402Direct. Budget controls and audit trails are handled at the platform level -- tool providers do not need to build billing dashboards or chase payments. The settlement is automatic, the pricing is transparent, and the distribution reaches every MCP-compatible agent on the market.

What to Watch

The x402 Foundation, announced by Coinbase and Cloudflare, will formalize the protocol's governance and push toward broader adoption. Cloudflare is adding x402 support to its Agents SDK and MCP Servers, which means every application built on Cloudflare Workers can expose 402-enabled endpoints with minimal integration work. That is a distribution vector that dwarfs anything the protocol has had to date.

V2's multi-chain expansion and fiat compatibility through CAIP standards signal that x402 is positioning itself as a universal machine-to-machine payment layer, not just a crypto protocol. The specification explicitly supports legacy rails like ACH, SEPA, and card networks alongside stablecoin settlement. If that roadmap executes, the same 402 response format routes payments through whatever rail makes economic sense for the transaction size.

The adoption data supports the trajectory. Firecrawl, Freepik, and the Apexti Toolbelt are already selling per-call access to web data, image generation, and Web3 APIs via x402. When Cloudflare's distribution kicks in and the Foundation establishes interoperability standards, the ceiling moves considerably higher.

The status code that sat empty for 28 years is filling up fast. For every API that sells access to capabilities -- data, compute, intelligence, transformation -- the question is no longer whether to support pay-per-call. It is whether you want to define your payment terms or inherit someone else's. List your tools on AgentPMT and let x402Direct handle the rest.

Key Takeaways

  • The economics finally work. L2 settlement costs under $0.01 per transaction make sub-cent micropayments viable for the first time, eliminating the fee-floor problem that killed every previous attempt at HTTP-native payments.
  • Nonces are the security model, not a detail. Every replay attack, double-spend, and request-binding guarantee in x402 flows from the nonce lifecycle. If you are building a 402-enabled endpoint, get nonce management right before anything else.
  • x402 is infrastructure, not experiment. Over $600 million in payment volume, 100+ million payment flows processed, and backing from Coinbase and Cloudflare put x402 past the proof-of-concept stage. The Foundation and V2 specification signal long-term commitment to the standard.

Sources

  • x402 Analytics Dashboard — Dune Analytics
  • Introducing x402: A New Standard for Internet-Native Payments — Coinbase
  • Launching the x402 Foundation with Coinbase — Cloudflare Blog
  • Coinbase and Cloudflare Will Launch the x402 Foundation — Coinbase Blog
  • x402 V2: Evolving the Standard for Internet-Native Payments — x402.org
  • Open Payment Standard x402 Expands Capabilities in Major Upgrade — InfoQ
  • x402 Payment Flow Technical Architecture — Avalanche Builder Hub
  • HTTP 402 Payment Required — MDN Web Docs
  • x402 Payment Volume Reaches $600 Million — AInvest
  • Coinbase x402 Protocol Logs 500,000 Transactions — Crypto.news
  • EIP-3009: Transfer With Authorization — Ethereum Improvement Proposals
  • Welcome to x402 — Coinbase Developer Documentation
  • Network Fees — Base Documentation