x402 Explained: The HTTP 402 Payment Protocol for AI Agents, APIs, and Stablecoin Payments

x402 is an open protocol from Coinbase and Cloudflare that turns HTTP 402 into instant stablecoin payments for APIs, apps, and AI agents, making machine-to-machine commerce on the web fast, cheap, and account-free.

Executive Summary: x402 is an open payment protocol created by Coinbase and Cloudflare that uses the HTTP 402 "Payment Required" status code to embed stablecoin payments directly into web requests. It allows any application, API, or AI agent to send and receive instant payments in USDC over HTTP without accounts, credit cards, or manual intervention. As of March 2026, x402 has processed over 119 million transactions on Base and 35 million on Solana, handles roughly $600 million in annualized volume, and charges zero protocol fees. The protocol supports Base, Ethereum, Arbitrum, Polygon, and Solana, and is backed by the x402 Foundation co-governed by Coinbase and Cloudflare. Major integrations include World (Sam Altman's AgentKit for human-verified AI payments), Solana's native developer tooling, and Cloudflare Workers. x402 is positioned as the core payment infrastructure for the emerging AI agent economy and a key narrative for the next crypto bull cycle.

There is a status code that has been sitting dormant in the HTTP specification since 1997. HTTP 402: Payment Required. For nearly three decades, every major browser and server framework has recognized it, but nobody built anything meaningful on top of it. The spec literally says "reserved for future use." In May 2025, Coinbase shipped that future. The protocol is called x402, and it is quietly becoming the payment layer for the next generation of the internet.

At Sherlock, we spend our time deep in the infrastructure layer of Web3, auditing the smart contracts and protocols that move real value on-chain. x402 is one of the most significant pieces of infrastructure to emerge in this cycle, and it is worth understanding thoroughly, both as a technology and as a market catalyst.

What x402 Actually Is

x402 is an open payment protocol that embeds stablecoin payments directly into HTTP, the same request/response cycle that powers every website and API on the internet. Instead of bolting payments on as a separate integration (Stripe checkout pages, OAuth token exchanges, invoice emails), x402 makes payment a native step in the HTTP flow itself.

The concept is simple. A client, whether that is a browser, a mobile app, an AI agent, or a backend service, makes a request to a server. If the resource costs money, the server responds with HTTP 402 Payment Required along with a payment specification: which token, how much, which wallet address, which blockchain. The client signs a transaction, attaches the payment proof to the request header, and retries. A facilitator (a lightweight middleware component) verifies the payment settled on-chain, and the server delivers the resource. Start to finish, the process takes roughly two seconds.

There are no accounts to create. No API keys to manage. No credit card forms. No invoicing. No payment processor taking 2.9% plus 30 cents. The protocol itself charges zero processing fees. The only cost is the blockchain transaction fee on the settlement chain, which on Base or Solana is typically a fraction of a cent.

Why It Matters Now

The timing of x402 is not coincidental. Two trends are converging that make HTTP-native payments not just useful but necessary.

The first is the AI agent economy. As of early 2026, autonomous agents are no longer a research curiosity. They are making API calls, consuming data feeds, executing trades, and orchestrating multi-step workflows across dozens of services. These agents need to pay for things, and they cannot fill out credit card forms or wait for invoice approvals. They need a payment mechanism that is as programmable and instant as the HTTP calls they are already making. x402 is precisely that: a payment primitive that any piece of software can use without human intervention.

The second is stablecoin maturity. The stablecoin market cap sits above $230 billion in March 2026. The GENIUS Act, signed in July 2025, gave stablecoins a clear regulatory framework in the US. Visa is processing $3.5 billion in annualized stablecoin settlement volume. Stablecoins have crossed from crypto-native curiosity to legitimate payment rail, and x402 gives that rail a native interface on the web.

The Technical Architecture

x402 is designed to be modular and chain-agnostic. The protocol has three components that work together.

The resource server is any API or web service that wants to charge for access. It implements the x402 middleware, which intercepts incoming requests and checks for payment headers. If no payment is present, it returns 402 with the payment requirements. If payment is present, it forwards the proof to the facilitator for verification before serving the resource. Adding x402 to an existing Express, Next.js, or Python server takes a handful of lines of code.

The client is whatever is making the request. Coinbase provides SDKs for JavaScript/TypeScript (@x402/client), and the community has built libraries for Python, Go, and Rust. When a client receives a 402 response, it parses the payment requirements, signs a transaction using the wallet it has access to, and retries the request with the payment proof in the header. For AI agents, this is entirely autonomous. For browser-based applications, it can prompt a wallet signature.

The facilitator sits between the client and server and handles payment verification. It confirms that the signed transaction is valid, that the payment amount and recipient match the server's requirements, and that the transaction has settled on-chain. Coinbase runs a hosted facilitator with a free tier of 1,000 transactions per month, but the protocol is designed so anyone can run their own. The facilitator is the trust layer, and its open architecture means the protocol does not depend on any single company.

In terms of chain support, x402 currently runs on Base, Ethereum, Arbitrum, Polygon, and Solana. The EVM chains are handled through the @x402/evm package, and Solana through @x402/svm. On the EVM side, the protocol supports USDC and other ERC-20 tokens. On Solana, it supports all SPL tokens. Base dominates in cumulative transaction volume with over 119 million x402 transactions and $35 million in value processed. Solana has emerged as a strong second settlement layer, accounting for a significant share of activity thanks to sub-second finality and fees around $0.00025 per transaction.

Who Is Building on x402

The ecosystem is growing faster than most people realize. Here is a snapshot of the major players as of March 2026.

Coinbase created the protocol and operates the primary facilitator service through the Coinbase Developer Platform (CDP). They have integrated x402 into their broader agent infrastructure, including AgentKit, which gives developers a toolkit for building autonomous agents that can transact on-chain. Coinbase processes the largest share of x402 transactions by volume.

Cloudflare co-founded the x402 Foundation with Coinbase in September 2025 and has built native x402 support into Cloudflare Workers. This is significant because Cloudflare's edge network handles a substantial percentage of all internet traffic. Having x402 as a first-class primitive in Workers means any developer deploying serverless functions on Cloudflare can add stablecoin payment gates with minimal code.

World (formerly Worldcoin, co-founded by Sam Altman) launched AgentKit in March 2026, integrating x402 to enable human-verified AI agents to make autonomous payments. The integration uses World ID to prove there is a real person behind every AI transaction, addressing one of the biggest concerns around autonomous agent commerce: knowing whether you are transacting with a human-authorized entity or a rogue bot.

Solana has embraced x402 aggressively, publishing dedicated developer guides and integrations. Since the Solana launch, x402 has processed over 35 million transactions and $10 million in volume on the chain. The ultra-low latency and fees make Solana a natural fit for the micropayment use cases that x402 enables.

Beyond the major names, a growing ecosystem of projects is building on x402: Daydreams Systems is a significant contributor by transaction volume, developers are building MCP servers that connect AI models directly to x402-enabled services, and teams are launching agent marketplaces where services are discovered and paid for entirely through the protocol.

The Numbers So Far

x402 launched in May 2025. By December 2025, it had processed 75 million transactions worth $24 million in paid API calls and AI agent interactions. As of March 2026, the numbers have grown substantially: total transactions exceed 119 million on Base alone, daily on-chain volume sits around $28,000 (up 20x in a single month earlier this year), and the protocol is handling roughly $600 million in annualized payment volume across the ecosystem.

These are early numbers. For context, Stripe processes over $1 trillion annually. But the growth trajectory is steep, and the use cases are fundamentally different. x402 is not competing with Stripe for e-commerce checkout flows. It is creating an entirely new category of machine-to-machine payments that did not exist before, payments that happen without human involvement, at price points (fractions of a cent) that traditional payment processors cannot economically serve.

What x402 Means for the Next Bull Run

Every crypto cycle has a narrative that captures developer attention and capital allocation. In 2017, it was ICOs. In 2021, it was DeFi and NFTs. The emerging narrative for the next sustained rally is the convergence of AI and crypto, specifically the infrastructure that allows autonomous agents to operate as economic participants on-chain.

x402 sits at the exact center of this narrative for several reasons.

First, it provides real utility with real volume. Unlike many crypto primitives that see speculative volume disconnected from actual usage, x402 transactions represent genuine payments for genuine services: API calls, data feeds, compute, content access. This is revenue, not speculation. As the number of AI agents in production scales from thousands to millions, the payment volume flowing through x402 scales proportionally. Goldman Sachs estimates that AI agent spending on digital services could reach $50 billion annually by 2028, and x402 is positioned to capture a meaningful share of that flow.

Second, it is a stablecoin accelerant. Every x402 transaction moves USDC or another stablecoin on-chain. As x402 adoption grows, it drives incremental demand for stablecoins, which drives demand for the blockchains those stablecoins settle on. Base, Solana, Arbitrum, and Polygon all benefit from x402 transaction volume in the form of gas fees and network activity metrics that institutional investors track.

Third, it creates a composable payment primitive that other protocols can build on. DeFi protocols can use x402 to charge for premium data feeds. NFT platforms can use it for pay-per-view content. Gaming studios can use it for in-game micropurchases without app store cuts. Any service with an API can monetize it instantly. The protocol is simple enough that a single developer can integrate it in an afternoon, which means adoption does not bottleneck on enterprise sales cycles.

Fourth, it has institutional backing that matters. Coinbase is a publicly traded company with regulatory credibility. Cloudflare is critical internet infrastructure. The x402 Foundation gives the protocol governance independence from any single company. This is not a VC-funded startup that might disappear. It is an open standard backed by companies that are not going anywhere, which makes it safer for other companies to build on.

The Security Angle

Any protocol that handles financial transactions at scale needs to be scrutinized for security. From Sherlock's perspective, x402's architecture has some thoughtful design choices, but also surfaces new attack vectors that the ecosystem needs to take seriously.

On the positive side, x402 transactions are standard on-chain token transfers. The cryptographic verification happens at the facilitator layer, and the payment itself settles through the same ERC-20 or SPL transfer mechanisms that have been battle-tested across DeFi. There is no novel token standard or complex smart contract logic introducing new vulnerability surfaces at the settlement layer.

The facilitator is the critical trust component. A compromised or malicious facilitator could approve payments that never settled, reject valid payments, or leak payment metadata. The protocol's open architecture mitigates this by allowing anyone to run their own facilitator, but in practice, most early adoption is flowing through Coinbase's hosted service. As the ecosystem matures, facilitator diversity will be important for resilience.

For builders integrating x402, the same smart contract security practices that apply to any on-chain integration apply here: validate payment amounts server-side, do not trust client-supplied payment proofs without facilitator verification, implement rate limiting, and monitor for replay attacks. The audit contest model that Sherlock pioneered is well-suited for reviewing x402 integrations, where the middleware and payment verification logic represent concentrated attack surfaces that benefit from adversarial review.
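The checks listed above, applied to the 402-then-retry flow described earlier, as an added example (not Sherlock's or the x402 project's code). The field names (`network`, `asset`, `payTo`, `amount`, `nonce`, `validUntil`), the constructed price list, and the injected `facilitatorVerify` function are simplified assumptions, not the x402 wire format or SDK API.

```javascript
// Added example: simplified, hypothetical field names; not the x402 wire format.
const REQUIREMENTS = {               // the server's own price list (constructed values)
  network: "base",
  asset: "USDC",
  payTo: "0xMERCHANT_PLACEHOLDER",   // placeholder receiving address
  amount: 10000n,                    // atomic token units; BigInt avoids float rounding
};

const seenNonces = new Map();        // nonce -> expiry (unix seconds), for replay detection

// Decide how to answer one request.
//   proof: decoded payment payload from the request header, or null if absent
//   facilitatorVerify(proof, requirements) -> boolean: stand-in for the facilitator
//   call (in a real deployment this is a network request to the facilitator)
function handlePaidRequest(proof, facilitatorVerify, now = Math.floor(Date.now() / 1000)) {
  const challenge = {
    status: 402,
    requirements: { ...REQUIREMENTS, amount: REQUIREMENTS.amount.toString() },
  };
  const reject = (reason) => ({ ...challenge, reason });
  if (!proof) return challenge;      // first request: state the price

  // 1. Compare against the server's requirements, never values echoed by the client.
  let paid;
  try { paid = BigInt(proof.amount); } catch { return reject("bad-amount"); }
  if (proof.network !== REQUIREMENTS.network || proof.asset !== REQUIREMENTS.asset)
    return reject("wrong-asset-or-network");
  if (String(proof.payTo).toLowerCase() !== REQUIREMENTS.payTo.toLowerCase())
    return reject("wrong-recipient");
  if (paid < REQUIREMENTS.amount) return reject("underpaid");

  // 2. Validity window and replay: each nonce buys exactly one response.
  if (typeof proof.nonce !== "string" || proof.nonce === "") return reject("bad-nonce");
  if (!(Number(proof.validUntil) > now)) return reject("expired");
  for (const [n, exp] of seenNonces) if (exp <= now) seenNonces.delete(n);
  if (seenNonces.has(proof.nonce)) return reject("replay");

  // 3. Only the facilitator's answer proves the payment is valid and settled.
  if (!facilitatorVerify(proof, REQUIREMENTS)) return reject("facilitator-rejected");

  seenNonces.set(proof.nonce, Number(proof.validUntil));
  return { status: 200 };
}

// Constructed sample proof; the second, identical submission is refused as a replay.
const sample = { network: "base", asset: "USDC", payTo: "0xmerchant_placeholder",
                 amount: "10000", nonce: "n-1", validUntil: 2000 };
console.log(handlePaidRequest(sample, () => true, 1000).status);   // 200
console.log(handlePaidRequest(sample, () => true, 1000).reason);   // replay
```

The nonce is recorded only after the facilitator accepts the proof, so a rejected attempt does not burn a payment the client can still submit validly. The in-memory `Map` is per-process; a deployment with several server instances needs a shared store for the replay cache.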

How to Start Building with x402

If you want to experiment, the barrier to entry is remarkably low. The x402 GitHub repository contains the full protocol specification, reference implementations, and SDK packages. Coinbase's developer documentation walks through setting up a resource server, configuring the facilitator, and making your first paid API call. The free tier (1,000 transactions/month through Coinbase's hosted facilitator) means you can build and test without spending anything.

For a minimal integration, you need a Node.js server with the x402 middleware, a wallet for receiving payments (any EVM or Solana wallet works), and a client SDK. The QuickNode guide is one of the better step-by-step tutorials for getting a working x402 paywall up and running.

For more advanced use cases, such as building AI agents that autonomously pay for services, the Base documentation on autonomous payment agents covers the agent architecture patterns, wallet management, and transaction signing flows that make agentic commerce work in practice.

The Bottom Line

x402 is not a token. It is not a chain. It is a protocol, an open standard that makes payments a native part of how the internet works. That distinction matters because it means x402 does not need to convince people to adopt a new cryptocurrency or migrate to a new blockchain. It works with the stablecoins people already hold, on the chains people already use, through the HTTP infrastructure that already runs the web.

The protocol is early. $600 million in annualized volume is meaningful but small relative to where this could go if the AI agent economy scales the way the market expects. The x402 Foundation, the Coinbase and Cloudflare backing, the multi-chain support, and the zero-fee model all point toward a protocol designed for long-term adoption rather than short-term hype.

For builders in the Web3 ecosystem, x402 is worth understanding deeply. Whether you are building AI agents, monetizing APIs, creating paid content, or exploring new business models that were not possible before programmable payments, this protocol is the infrastructure layer that makes it work. The HTTP 402 status code waited 29 years for someone to build something real on top of it. Reach out to Sherlock today for help building your x402 technology.

Frequently Asked Questions

What is x402?

x402 is an open payment protocol built by Coinbase and Cloudflare that uses the HTTP 402 "Payment Required" status code to enable instant stablecoin payments directly over HTTP. It allows applications, APIs, and AI agents to send and receive payments like USDC without accounts, credit cards, or manual intervention. The entire payment flow settles in roughly two seconds.

How does x402 work?

When a client requests a paid resource, the server responds with HTTP 402 Payment Required along with payment details (price, token, wallet address, chain). The client signs a stablecoin transaction, attaches the payment proof to the request header, and resends it. A facilitator verifies the payment on-chain, and the server delivers the resource. The whole process takes about two seconds and requires no accounts or API keys.

What blockchains does x402 support?

x402 supports Base, Ethereum, Arbitrum, Polygon, and Solana. The protocol is chain-agnostic by design, with EVM chains supported through the @x402/evm package and Solana through the @x402/svm package. Base currently leads in transaction volume with over 119 million cumulative x402 transactions, while Solana offers the fastest finality at around 400 milliseconds.

Is x402 only for AI agents?

No. While AI agent payments are the most prominent use case, x402 works with any HTTP client: browsers, mobile apps, SDKs, CLI tools, and server-to-server calls. Any scenario where you want to charge for API access, content, compute, or data without requiring user accounts or credit card integrations is a fit for x402.

Does x402 charge fees?

The x402 protocol itself charges zero processing fees. Users only pay the blockchain transaction fee on the settlement chain, which on Base and Solana is typically a fraction of a cent. Coinbase's hosted facilitator offers a free tier of 1,000 transactions per month for developers getting started.

Who created x402?

x402 was created by Coinbase and launched in May 2025. In September 2025, Coinbase and Cloudflare jointly announced the x402 Foundation to govern the protocol as an open standard. The protocol is fully open source on GitHub and designed to be vendor-neutral, meaning anyone can run their own facilitator without depending on Coinbase infrastructure.