A $1 verified-badge for x402 services — fully autonomous, machine-paid
TL;DR: We just shipped POST /api/v1/verified on x402station — a $1 USDC audit endpoint for x402 service operators. Pay once, get a 30-day signed certificate + HTML/SVG badge to embed in your docs. The badge re-runs the audit on every public-page render so it stays honest. Eligible services pulled from our independent probe data are listed live at x402station.io/verified. Pure machine-to-machine: your CI bot signs the X-PAYMENT, no human signups, no email captured. 59 endpoints in the catalog already pass the criteria right now.
Why this exists
Half a year into the x402 agentic-commerce protocol, two things are true:
The catalog is noisy. Of ~35,000 active endpoints we probe every 10 minutes, ~17% are landmines (decoy honeypots, zombie services, dead endpoints). Our earlier post covered the long tail in detail.
Honest operators have no way to differentiate. A well-built x402 service has the same surface as a Questflow $1000-USDC honeypot, from an agent's perspective. Both return 402 with payment requirements, both have a .well-known/x402 manifest, both look the same in the Coinbase Bazaar.
We've been the oracle solving the agent side: "is this URL safe to pay?" → /api/v1/preflight ($0.001 USDC). Today we shipped the operator side: "prove my URL is safe to pay" → /api/v1/verified ($1 USDC).
What you get for $1
POST https://x402station.io/api/v1/verified
{ "url": "https://your-endpoint.example.com/route", "name": "Your Service" }
Response includes:
certId — UUID v4
verified — boolean (yes/no diagnostic with full pass/fail reasons)
tier — verified or verified_plus (more on tiers below)
badgeUrl — SVG you can embed in your README
pageUrl — public verification page
htmlSnippet — drop-in HTML
validUntil — 30 days from issuance
Embed:
/badge.svg"
alt="Verified by x402station" height="20"/>
The SVG re-fetches every 5 minutes (cache-control). The public page re-runs the audit on every render. If your service degrades after issuance, the badge auto-flips to "failing" within minutes. Honesty enforced by infrastructure, not pinky-promise.
Audit criteria
Five predicates, applied at issuance AND on every public-page recheck:
Criterion Threshold Why
probes_7d ≥ 20 Need real signal, not 1-2 probes
uptime_7d_pct ≥ 95% Below this, agents would routinely fail calls
Critical signals none firing dead, zombie, decoy_price_extreme, dead_7d, mostly_dead, never_paid_zombie
latency_p99_ms ≤ 5000 Long-tail timeouts ruin agent UX
price_usdc ∈ [$0.0001, $5] Sane band — out of range = price trap or freebie
The same predicates drive the live /verified/ recheck — the badge can't claim more than the data supports today.
"Verified" vs "Verified+"
verified — passes all five baseline criteria
verified_plus — passes baseline AND CDP confirms ≥1 paid call in the last 30 days (cdp_l30d_calls > 0)
The + tier surfaces real-payer demand. We pull this from the Coinbase CDP raw discovery API — payment-volume data no probe-based source can derive (facilitator-based competitors only see their own settlements). More on that ingestion here. (forthcoming follow-up post)
Eligible services right now
Live snapshot at x402station.io/verified:
59 endpoints currently pass all five criteria
All 59 are verified_plus tier (CDP-confirmed real demand)
Top of list: Exa /search (api.exa.ai), Otto AI /supported-tokens (x402.ottoai.services), and others
If you operate one of these and want the badge, the page shows the exact @x402/fetch snippet your CI bot needs to mint a cert. One command, $1 USDC, 30-day cert.
Why this is pure machine-to-machine (and not a Stripe pivot)
x402station's core principle: no humans as customers. Every endpoint we ship is consumable by an agent without human intervention — no email signups, no OAuth, no dashboard logins.
The verified-badge endpoint preserves this:
Your CI bot signs the X-PAYMENT header with your wallet's private key
We verify the payment via Coinbase CDP's facilitator
We INSERT the cert row, return the response with embed-ready URLs
Your CI bot can store the badge URL in a CI-managed env file or commit it into your README
The only "human" thing is that a human DECIDES to set up the CI step the first time. After that, the renewal is whatever cron schedule the CI bot wants — every 25 days, weekly, daily. Pre-paid USDC sits in the bot's wallet.
Distribution
Endpoint manifest: x402station.io/.well-known/x402 (machine-readable)
OpenAPI: x402station.io/api/openapi.json (12 operations now, including verifiedBadge + getVerifiedCertificate)
A2A agent card: x402station.io/.well-known/agent-card.json (8 skills now, verified listed)
Coinbase Bazaar: auto-indexed via the bazaar extension — search "verified" in their discovery API to find us
MCP tool surface: forthcoming in x402station-mcp v1.1.0 (coming next week)
What's next
A single $1 cert from a single provider validates the channel. Two open questions:
Will providers actually mint? The eligibility list shows 59 candidates. We'll watch settlement count over the next 7 days.
Does the badge drive agent traffic to verified endpoints? We probe everything anyway — easy to A/B over time.
If you operate an x402 service and would benefit from a trust signal embeddable in your docs, the eligibility page is at x402station.io/verified. If your endpoint isn't there, fix the failing criterion first — then run the curl.
Questions / methodology pushback / weird edge cases — GitHub Issues or hello@x402station.io.
Top comments (0)