x402: How Agents Pay for APIs with HTTP

The HTTP 402 status code ("Payment Required") has existed since 1997. It was reserved for future use. Nearly three decades later, it finally has a real implementation.

The x402 protocol gives 402 actual payment semantics. When an agent calls a paid API and gets a 402 response, the body includes payment requirements: how much, to whom, on which chain. The agent pays, retries the request with a payment header, and gets the data. No API keys, no subscriptions, no invoices. Just HTTP and money.

The Flow

An x402 interaction has three steps:

1. Agent calls API - gets a 402 with payment requirements
2. Agent pays - sends USDC onchain to the facilitator address
3. Agent retries - includes the payment signature, gets the response

For the agent, it's one extra round trip. For the API provider, every request is paid for at the time of use.

Why This Needs Controls

The simplicity of x402 is also its risk. An agent that can pay for any API, at any price, with no limits, is a cost management problem waiting to happen.

Consider an agent that queries a paid data API in a loop. Each request costs $0.05. Harmless in isolation. At 1,000 requests per hour, that's $50/hour, or $1,200/day. Without controls, nobody notices until the monthly bill arrives.

Conto's x402 policy rules address this directly:

• Per-request ceiling - cap the maximum any single x402 payment can cost
• Per-service daily limit - cap total spending on a specific API domain
• Service allowlist - restrict which APIs the agent can pay for at all
• Velocity limits - rate-limit how many paid requests an agent can make per hour

These rules are evaluated during the pre-authorization step, before any money moves.

Pre-Authorize, Pay, Record

When running x402 payments through Conto, the agent adds a pre-authorization step before paying:

# 1. Pre-authorize against policies
curl -X POST https://conto.finance/api/sdk/x402/pre-authorize \
  -H "Authorization: Bearer $CONTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "amount": 0.05,
    "recipientAddress": "0xFacilitator",
    "resourceUrl": "https://api.example.com/data",
    "serviceDomain": "api.example.com"
  }'

If authorized, the agent proceeds with the payment. After the onchain transaction completes, it records the payment back to Conto for tracking and spend accounting.

This three-step flow (pre-authorize, pay, record) means every x402 payment is policy-checked, onchain verified, and fully auditable.

The Bigger Picture

x402 is one of the first payment protocols built for machine-to-machine commerce. It removes the friction of API key management and subscription billing, replacing it with pay-per-use at the protocol level.

But protocol-level payments without controls create new risks. Conto adds the governance layer: visibility and spending limits over agents' x402 usage, just like you'd govern traditional payments.

The full implementation guide with TypeScript examples and policy configuration is in the docs: Paying for APIs with x402. Quick-reference commands are on the Recipes page.

Related

• MPP: Session-Based Payments for Agents on Tempo - the session-based alternative for high-frequency use cases
• Five Layers of Security for Agents That Spend Money - where x402 controls fit in a layered policy strategy

---

Want to add x402 controls to your agents? Start building with Conto or reach out at support@conto.finance.