DEV Community: Daniel Buchner The latest articles on DEV Community by Daniel Buchner (@danielbuchner). https://dev.to/danielbuchner https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4001284%2F6a550aa5-2233-4c91-a718-781b59b3c956.jpg DEV Community: Daniel Buchner https://dev.to/danielbuchner en Introducing x401: Bringing Proof of Identity to the Agentic Web Daniel Buchner Thu, 25 Jun 2026 13:11:36 +0000 https://dev.to/danielbuchner/introducing-x401-bringing-identity-exchange-to-the-agentic-web-70d https://dev.to/danielbuchner/introducing-x401-bringing-identity-exchange-to-the-agentic-web-70d <p>HTTP has had a payment status code since 1997. It still doesn't have a native identity one. x401 fixes that.</p> <p>If you've worked with x402, Coinbase's HTTP-native payment protocol built on the long-dormant <code>402 Payment Required</code> status code, x401 is the identity-layer counterpart. Where x402 answers "how does a server tell an agent what to pay?", x401 answers "how does a server tell an agent what identity proof to provide?"</p> <p>Today, every API that gates access by <em>who you are</em> rather than whether you have a token builds this plumbing from scratch. x401 defines a standard HTTP mechanism for expressing credential requirements, and a standard way for agents to satisfy them automatically.</p> <p><strong>The problem, concretely</strong></p> <p>Here's what today's identity-gated API flow looks like for an agent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/accounts/applications</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">bank.example.com → 401 Unauthorized</span> </code></pre> </div> <p>The 401 just says "no." Nothing in the response tells the agent <em>what it needs</em> — which credential type, from which issuer, expressing which claims. The agent can't self-serve the identity requirement. A human has to get involved.</p> <p>Compare to x402:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /api/resource → 402 Payment Required X-Payment: {"amount": "0.01", "currency": "USDC", ...} </span></code></pre> </div> <p>An agent reads the 402, pays, retries, done — no human in the loop. x401 brings the same pattern to identity.</p> <p><strong>How x401 works</strong></p> <p>The protocol uses three dedicated HTTP header fields:</p> <ul> <li> <strong><code>PROOF-REQUIRED</code></strong> (server → agent): carries the proof requirement </li> <li> <strong><code>PROOF-PRESENTATION</code></strong> (agent → server): carries the credential presentation </li> <li> <strong><code>PROOF-RESPONSE</code></strong> (server → agent): carries verification results and error details</li> </ul> <p>Step 1 — Initial request:</p> <p>http<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/accounts/applications</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">bank.example.com</span> </code></pre> </div> <p>Step 2 — Server returns a response with <code>PROOF-REQUIRED</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">401</span> <span class="ne">Unauthorized</span> <span class="na">PROOF-REQUIRED</span><span class="p">:</span> <span class="s">&lt;base64url-x401-payload&gt;</span> <span class="na">Cache-Control</span><span class="p">:</span> <span class="s">no-store</span> </code></pre> </div> <p>The <code>PROOF-REQUIRED</code> value is a base64url-encoded JSON payload. Decoded:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scheme"</span><span class="p">:</span><span class="w"> </span><span class="s2">"x401"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.2.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"credential_requirements"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"digital"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"requests"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"openid4vp-v1-signed"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"request"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"oauth"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"token_endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://bank.example.com/oauth/token"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"trust_establishment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://bank.example.com/.well-known/x401/trust/financial-customer-v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"proof-template-financial-customer-v1"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The key field is <code>credential_requirements</code>. It contains a complete, Verifier-authored Digital Credentials API request — specifically an OpenID4VP request the agent can execute directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">navigator</span><span class="p">.</span><span class="nx">credentials</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nx">credential_requirements</span><span class="p">);</span> <span class="c1">// result =&gt; { protocol: "openid4vp-v1-signed", data: { /* signed VP */ } }</span> </code></pre> </div> <p>The Verifier authors and signs this request. The agent does not compose it — it only executes it or relays it to a wallet. Inside the signed request is the actual credential query, expressed in DCQL (Digital Credentials Query Language):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"response_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vp_token"</span><span class="p">,</span><span class="w"> </span><span class="nl">"response_mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dc_api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"x509_san_dns:bank.example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"expected_origins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"https://bank.example.com"</span><span class="p">],</span><span class="w"> </span><span class="nl">"nonce"</span><span class="p">:</span><span class="w"> </span><span class="s2">"uX7Vq3mZJH6MeN0qz2L7SQ"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dcql_query"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"credentials"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"financial_customer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"format"</span><span class="p">:</span><span class="w"> </span><span class="s2">"jwt_vc_json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"meta"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type_values"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"FinancialCustomerCredential"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"claims"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"credentialSubject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"assurance_level"</span><span class="p">],</span><span class="w"> </span><span class="nl">"values"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"VC-AL2"</span><span class="p">,</span><span class="w"> </span><span class="s2">"VC-AL3"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1746557100</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Step 3 — Agent obtains a presentation:</p> <p>The agent passes <code>credential_requirements</code> to a credential wallet. The wallet constructs an OpenID4VP authorization request, selects the matching credential, and returns a signed Verifiable Presentation bound to the Verifier as relying party.</p> <p>Step 4 — Retry with <code>PROOF-PRESENTATION</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/accounts/applications</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">bank.example.com</span> <span class="na">PROOF-PRESENTATION</span><span class="p">:</span> <span class="s">&lt;base64url-vp-artifact-json&gt;</span> </code></pre> </div> <p>The <code>PROOF-PRESENTATION</code> value is a "VP Artifact":<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"request_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"proof-template-financial-customer-v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"response"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"openid4vp-v1-signed"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;wallet-returned-presentation-result&gt;"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Step 5 — Verifier validates and grants access:</p> <p>The Verifier checks the presentation cryptographically — no shared secrets, no PII in transit. Either the credential validates against the issuer's public keys, or it doesn't. On success, the Verifier returns the protected resource.</p> <p>If something fails, you get an x401 Error Object back in <code>PROOF-RESPONSE</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scheme"</span><span class="p">:</span><span class="w"> </span><span class="s2">"x401"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.2.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="s2">"invalid_presentation"</span><span class="p">,</span><span class="w"> </span><span class="nl">"error_description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Credential from untrusted issuer."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>The optional OAuth leg</strong></p> <p>Rather than submitting a full VP Artifact on every request, the agent can exchange a VP for a short-lived Verification Token via standard OAuth 2.0 Token Exchange:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/oauth/token</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">bank.example.com</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/x-www-form-urlencoded</span> grant_type=urn:ietf:params:oauth:grant-type:token-exchange&amp; subject_token_type=urn:x401:params:oauth:token-type:vp_artifact&amp; subject_token=&lt;base64url-vp-artifact-json&gt; </code></pre> </div> <p>On success, the Verifier returns a Bearer token usable on subsequent requests without re-presenting credentials.</p> <p><strong>What are Verifiable Credentials (and why not JWTs)?</strong></p> <p>Verifiable Credentials are W3C-standardized cryptographically-signed assertions. Unlike ordinary JWTs or session tokens, VCs are:</p> <ul> <li> <strong>Issued by an authoritative third party</strong> — not self-asserted by the agent or the application </li> <li> <strong>Verifiable without a live roundtrip to the issuer</strong> — the issuer's public key is sufficient </li> <li> <strong>Revocable</strong> via a credential status endpoint </li> <li> <strong>Selectively disclosable</strong> — the holder presents only the claims required</li> </ul> <p>x401 doesn't define a new credential format. It works with any format expressible in OpenID4VP: <code>jwt_vc_json</code>, <code>mso_mdoc</code>, <code>sd-jwt</code>, and others.</p> <p><strong>Status code independence</strong></p> <p>One design decision worth noting: x401 does not require the server to return <code>401</code>. The <code>PROOF-REQUIRED</code> header is the protocol carrier, not the status code. A server can return <code>200 OK</code> with <code>PROOF-REQUIRED</code> if the response body is still useful without proof, or any <code>4xx</code> when the operation can't proceed. This means x401 composes cleanly with routes that already use <code>WWW-Authenticate</code> for other auth schemes.</p> <p>Payment and identity stay separate: if payment is also required after proof is satisfied, the Verifier returns <code>402 Payment Required</code> and the agent runs the x402 flow separately.</p> <p><strong>What's live now</strong></p> <p>The spec is published at <a href="https://x401.proof.com/spec/latest/" rel="noopener noreferrer">x401.proof.com/spec/latest</a> (v0.2.0). It covers the full protocol: payload structure, header semantics, presentation requirements, VP Artifact format, OAuth token exchange, agent binding options, and security/privacy considerations.</p> <p>It's an open spec — read it, open issues on GitHub at <a href="https://github.com/x401-protocol/x401" rel="noopener noreferrer">x401-protocol/x401</a>, or reply here if you're working on agent infrastructure and want to coordinate.</p> <p><em>Proof is the identity provider that authored x401. Learn more at <a href="https://proof.com" rel="noopener noreferrer">proof.com</a>.</em></p> ai identity webdev agents