ERC-3009: The Protocol Powering x402 Payments

This article was originally published on PayIn Blog. Visit for more articles about x402 and stablecoin payments.

At the heart of x402's payment mechanism lies ERC-3009, a standard that enables gasless token transfers through cryptographic signatures. Understanding this protocol is key to grasping how x402 achieves frictionless payments without requiring users to hold native tokens for gas.

The Problem: Traditional ERC-20 Limitations

The standard ERC-20 approve/transferFrom pattern has significant UX problems:

1. Two transactions required: First approve, then transferFrom
2. Two gas fees: Users pay twice
3. Native token dependency: Must hold ETH just to move USDC
4. Sequential nonces: Transactions must be ordered, creating bottlenecks

ERC-3009: Transfer With Authorization

ERC-3009 solves these problems elegantly. Instead of on-chain approvals, the payer signs an off-chain authorization message that can be submitted by anyone.

The Core Functions

function transferWithAuthorization(
    address from,
    address to,
    uint256 value,
    uint256 validAfter,
    uint256 validBefore,
    bytes32 nonce,
    uint8 v,
    bytes32 r,
    bytes32 s
) external;

function receiveWithAuthorization(
    address from,
    address to,
    uint256 value,
    uint256 validAfter,
    uint256 validBefore,
    bytes32 nonce,
    uint8 v,
    bytes32 r,
    bytes32 s
) external;

How It Works

1. Payer signs a message conforming to EIP-712 typed data
2. Message is sent to a relayer or facilitator (off-chain)
3. Relayer submits the signature on-chain
4. Contract verifies the signature and executes the transfer
5. Relayer pays gas, not the payer

Why Random Nonces Matter

One of ERC-3009's key innovations is the use of random 32-byte nonces instead of sequential ones:

Approach	ERC-2612 (Sequential)	ERC-3009 (Random)
Nonce	0, 1, 2, 3...	Random bytes32
Parallel ops	❌ Must be ordered	✅ Fully independent
High-frequency	❌ Bottleneck	✅ Scales infinitely

For x402 and AI agents, this is transformative. An agent can generate thousands of concurrent payment authorizations without any conflicts.

ERC-3009 in x402

In the x402 protocol, ERC-3009 is the foundation for EVM payments:

1. Client requests a protected resource
2. Server returns 402 with payment requirements
3. Client constructs an ERC-3009 authorization message
4. Client signs with their wallet
5. Client retries with X-PAYMENT header
6. Facilitator verifies the signature
7. Server responds with the content
8. Facilitator settles by calling transferWithAuthorization

Token Support

Token	Issuer	ERC-3009 Support
USDC	Circle	✅ Yes (v2+)
EURC	Circle	✅ Yes
USDT	Tether	❌ No
DAI	MakerDAO	❌ No

This is precisely why x402 focuses on USDC rather than USDT.

Comparison with ERC-2612 (Permit)

Feature	ERC-2612	ERC-3009
Purpose	Approve allowance	Direct transfer
Steps	Sign → Approve → Transfer	Sign → Transfer
Nonce type	Sequential	Random
Use case	DeFi protocols	Payments, x402

Related Articles

• x402 Developer's Guide - Build your first paid API
• x402 Facilitators - Understanding the settlement infrastructure
• Why x402 Doesn't Support USDT - Token compatibility explained
• Solana's Authorization Mechanism - The non-EVM equivalent

References

• EIP-3009 Specification
• EIP-712: Typed Data Signing
• Circle's USDC Implementation

---

ERC-3009 transforms how we think about token transfers. By moving authorization off-chain, it enables the frictionless, gasless payments that make x402 possible.