DEV Community: WayforthOfficial

We rebuilt Wayforth from the ground up. Here's what we learned.

WayforthOfficial — Fri, 15 May 2026 18:55:30 +0000

We launched Wayforth as "the search engine and payment rail for AI agents."

That description was accurate. It just wasn't the
whole picture — and in some ways it was pointing at
the wrong thing.

Since then we've shipped 10 production releases,
removed a token we were planning to launch, rebuilt
the ranking algorithm, added two payment rails,
launched a provider intelligence dashboard, and
listed on x402scan and Agentic.Market.

Here's the honest version of what happened.

What Wayforth actually is

Wayforth is an API runtime for autonomous AI agents.

One MCP install. 3,000+ services. Three payment
rails. Discovery, payment, and execution in a
single tool call.

uvx wayforth-mcp

Your agent can now do this:

# Search by intent — plain English
wayforth_search("translate to Spanish")
# → DeepL WRI:82 · $0.00003/call · card | usdc | x402

# Execute — no API key needed
wayforth_execute(slug="deepl", text="Hello")
# → "Hola" · 312ms · 1 credit

No API key for DeepL. No DeepL account. No
integration code. Wayforth holds the key,
your agent gets the result.

That works for 15 managed services today. For
the other 3,000+ in the catalog, you bring your
own key and Wayforth handles the proxy,
monitoring, and payment.

The thing we got wrong

When we launched, we were planning a $WAYF token.

Staking pools. Verifier networks. Token-gated
rankings. The whole thing.

We cut all of it.

The token complicated the story, added regulatory
risk, and — most importantly — wasn't necessary.
WayforthRank doesn't need a token to be
defensible. It needs payment signal. And payment
signal comes from real agents paying real money,
which we can track without a blockchain token.

Wayforth is a centralized infrastructure company.
We own the ranking algorithm. We hold the managed
keys. We process the routing fees. That clarity
is the product.

What WayforthRank actually does

This is the part worth understanding.

Every service in the Wayforth catalog has a WRI
score from 0–100. The score is computed from:

Verified payment signal (real agents paying)
Uptime over the last 7 days
Average response latency
Tier verification status
x402 support

The payment signal is what makes it defensible.
A service can't buy a higher ranking — it can
only earn one. And the signal only accumulates
through Wayforth, which means it can't be
replicated by a directory or a payment processor
working separately.

We formalized this as the WayforthRank
Integrity Policy — permanently legally
enforceable, built into our Terms of Service:

No service can pay to rank higher.
Zero sponsored placements.
No advertising model. Ever.

Three payment rails

One of the biggest changes since launch: we
moved from crypto-only to three parallel rails.

Track A — Card (Stripe Treasury)
No crypto required. Developer tops up with a
credit card, calls execute, Wayforth routes
the credit. Mainstream developer, no wallet needed.

Track B — USDC on Base
Non-custodial. Agent holds its own wallet,
signs a transaction, WayforthEscrow routes
the payment on-chain.

Track C — x402
HTTP 402 native. Agent pays and retries in
one round-trip via Coinbase CDP.

Same 1.5% routing fee on all three. Same
WayforthRank signal from all three.

Self-healing payments

Shipped in v0.6.10 this week.

If an API call fails — 5xx, timeout, unreachable
— credits restore automatically. No dispute
process. No support ticket. No human in the loop.

{
  "error": "Service unavailable",
  "refunded": true,
  "credits_restored": 1,
  "calls_remaining": 3498
}

The WRI penalty still applies — a failed call
counts against the service's rank. But the
developer doesn't pay for it.

The numbers

3,271 services across 19 categories
809 Tier 2 verified (probed every 6h, auto-demoted on 3 consecutive failures)
277 x402-native services
15 managed services (zero API key needed)
298+ production API routes
133/133 end-to-end tests passing

What we built for providers

The Provider Dashboard launched as a separate
B2B product in v0.6.8.

Providers see:

Every search query that surfaced their service
WRI score breakdown and history
Anonymized competitor comparison
Masked agent IDs and call patterns
Estimated earnings at 98.5% of every payment

This was a deliberate choice: providers should
have enough intelligence to improve their service
and earn better rankings — but not enough to
game the system.

The x402 ecosystem

We're now listed on x402scan as a native seller:
GET https://gateway.wayforth.io/x402/search
→ HTTP 402
{
"x402Version": 2,
"accepts": [{
"scheme": "exact",
"network": "eip155:8453",
"amount": "2000",
"asset": "0x833589fcd6edb6e08f4c7c32d4f71b54bda02913",
"payTo": "0xb59f678a1bd568b3599756947ad965760038cf40",
"maxTimeoutSeconds": 300
}]
}

$0.002 USDC per search query. An agent can
discover and pay for Wayforth without any
prior relationship or API key.

We're also x402 v2 compliant with Bazaar
discovery extension — Agentic.Market indexes
us automatically when the first real payment
goes through.

What's next

v0.7.0 — Gravity.

First real revenue. Stripe subscriptions live.
Provider payouts. Base mainnet deployment
(post-audit). The flywheel starts.

If you're building AI agents and need external
APIs, try it:

uvx wayforth-mcp

100 free calls. No card. No setup.

GitHub: github.com/WayforthOfficial/wayforth

Docs: wayforth.io

How We Hardened the Wayforth Gateway - Complete Security Audit

WayforthOfficial — Tue, 05 May 2026 01:58:32 +0000

We shipped Wayforth — a search and payment rail
for AI agents — and before expanding the managed
services catalog we ran a full security audit.

Here's how we fixed it.

The Stack

FastAPI · PostgreSQL · Railway · Base blockchain

Supabase Auth · Stripe · Fernet AES-128 · BSL 1.1

uvx wayforth-mcp

Critical Findings (5)

C1 — JWT not cryptographically verified

Fix: JWKS-based ES256 verification via Supabase's
public endpoint — no shared secret needed.

def verify_supabase_jwt(token: str) -> dict:
    jwks = get_jwks()  # cached 1hr
    header = jwt.get_unverified_header(token)
    key = next(k for k in jwks if k["kid"] == header["kid"])
    public_key = ECAlgorithm.from_jwk(key)
    return jwt.decode(token, public_key,
        algorithms=["ES256"], audience="authenticated")

C2 — CORS wildcard + credentials

Fix: Explicit origins only.

allow_origins=[
    "https://wayforth.io",
    "https://www.wayforth.io",
    "http://localhost:3000",
    "http://localhost:5173",
]

C3 — Admin key timing oracle

Fix: secrets.compare_digest() in all 11 places.

C4 — BYOK silent plaintext fallback

Fix: Both now raise HTTP 500 instead of
silently degrading security.

C5 — Webhook IDOR

Fix: Ownership verified before delete.

High Findings (5)

H1 — Fernet key entropy: invalid keys now raise ValueError at call time
H2/H3 — BYOK encrypt/decrypt fail silently: both raise HTTP 500
H4 — No security headers: added X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy, Permissions-Policy
H5 — supabase_id echoed in 401 body: removed (account enumeration vector)

Frontend Findings

API key written to localStorage on signup → moved to sessionStorage
Admin token in localStorage → sessionStorage
No expired session handler → global 401 interceptor now redirects to /login
innerHTML with API responses → escaped

What Was Already Clean

SQL injection — parameterized everywhere, zero
string concatenation. No eval() or exec().

API keys — SHA-256 hashed, never logged.

Admin passwords — bcrypt.

Key generation — secrets.token_urlsafe().

.env in .gitignore.

Result

20 findings. All resolved.
Zero open findings before expanding the catalog.

Try it: uvx wayforth-mcp

GitHub: github.com/WayforthOfficial/wayforth

Docs: wayforth.io

Wayforth — A Search Engine and Payment Rail for AI Agents

WayforthOfficial — Wed, 29 Apr 2026 01:23:35 +0000

The Problem

Every AI agent that calls external services — inference, translation,
data, images, audio — requires the developer to manually find each API,
sign up, manage keys, write integration code, and handle billing
separately for every provider.

One agent workflow can touch a dozen services. That doesn't scale.

The Solution

Wayforth. One install:

uvx wayforth-mcp

Then two tool calls from any agent:

# Discover
wayforth_search("translate text to Spanish")
# → DeepL API       WRI: 82  Tier 2 Verified  $0.0000025/req
# → LibreTranslate  WRI: 71  Tier 2 Verified  Free
# → ModernMT        WRI: 68  Tier 2 Verified  $0.000003/req

# Pay
wayforth_pay(service_id, owner_address, amount_usdc=0.001)
# → Non-custodial calldata. Settles on Base in ~2 seconds.

No API keys. No billing relationships. No integration code.

Works in Claude Code, Cursor, Windsurf, and any MCP-compatible runtime.

What's Live

200+ real API endpoints across 7 categories — inference, data,
translation, image, code, audio, embeddings.

165+ Tier 2 verified services — automatically probed every 6 hours,
90%+ uptime required, auto-demoted after 3 consecutive failures.
No paid placement. Ever.

WayforthRank — a proprietary ranking engine combining semantic
relevance, reliability history, and real agent payment conversion
signals. Rankings improve with every query. (Patent pending)

Smart contracts on Base Sepolia — non-custodial escrow, audited,
Basescan verified. Mainnet Q3 2026.

Tiered routing fee 0.75%–1.5% — the only cost. No fixed fee.
Viable for sub-cent micro-transactions.

The Architecture

Four layers:

Settlement Layer — Base blockchain, WayforthEscrow, USDC
Verification Layer — Coverage tier system, automated probing
Intelligence Layer — WayforthRank, Service Graph, Wayforth Identity
Agent Layer — MCP server, Python SDK, TypeScript SDK, WayforthQL

WayforthRank — How Ranking Works

WRI (Wayforth Reliability Index) is a score from 0–100 combining:

Signal	Points
Base score	50
Tier 2 verified	+20
Zero failures	+10
Probed within 24h	+10
x402 protocol	+5
Agent popularity (7d)	+5 max
Payment conversions (7d)	+8 max

The payment conversion signal is the strongest — it only accumulates
from real agent payments. A competitor needs 12+ months of real agent
payment data to replicate it.

The Data Flywheel

Every search query links to a query_id. When an agent pays for a
service, that payment converts the search record and feeds WayforthRank.
Rankings improve with every real transaction.

WayforthQL — Structured Queries

For agents that need more control:

POST /query
{
  "query": "fast inference for coding agents",
  "tier_min": 2,
  "protocol": "x402",
  "sort_by": "wri",
  "price_max": 0.001,
  "limit": 5
}

Developer Dashboard

Every developer gets a personal dashboard at wayforth.io/dashboard:

API key management
Usage and quota tracking
Search history and analytics
Service reliability trends
Agent identity trust scores

Free tier — 1,000 searches/month. No credit card required.

Try It

uvx wayforth-mcp

Website: https://wayforth.io
GitHub: https://github.com/WayforthOfficial/wayforth (BSL 1.1)
PyPI: https://pypi.org/project/wayforth-mcp/
Quickstart: https://wayforth.io/quickstart
Whitepaper: https://wayforth.io/wayforth-whitepaper-v3.pdf

Happy to answer questions about the WayforthRank architecture,
payment routing design, or the coverage tier system.