X402 policy enforcement is live. Your AI agents can now pay for HTTP 402 APIs with full spending controls—per-endpoint limits, recipient allowlists, rate limiting, and automatic endpoint discovery—all without PolicyLayer ever touching your private keys.
This makes PolicyLayer the first non-custodial policy layer for the X402 payment protocol. Coinbase and Cloudflare have built excellent infrastructure for facilitating X402 payments. We've built the missing piece: enforcement.
What's Now Possible
The X402 protocol enables AI agents to pay for resources autonomously. When an agent hits a paywalled API, the server returns HTTP 402 with payment details, the agent pays, and access is granted. It's elegant, frictionless, and terrifying without controls.
We've previously covered the threat models in depth: infinite payment loops, prompt injection via malicious endpoints, amount hallucination, and frequency-based drainage. These aren't theoretical—they're the inevitable failure modes of ungoverned agent wallets.
With X402 policy enforcement, you can now:
Deploy research agents that buy data feeds with confidence. Set daily budget caps per data provider, allowlist only trusted vendors, and get webhook notifications when agents discover new paid APIs.
Run customer service bots that purchase knowledge articles without fear of runaway costs. Configure per-article spending limits, duplicate payment prevention, and circuit breakers that pause payments after repeated failures.
Launch DeFi agents that access on-chain analytics with granular control. Restrict which currencies agents can spend, pin expected recipients to specific domains, and rate-limit requests to prevent exploitation.
These use cases were previously too risky for production. Now they're not.
The Feature Set
Here's what's included in X402 policy enforcement:
| Capability | What It Does |
|---|---|
| Per-Endpoint Policies | Different spending limits for different API domains. Cap how much agents spend on api.provider.com separately from data.vendor.io. |
| Daily Spending Limits | Aggregate caps that reset at midnight UTC. Agents can't exceed daily budgets regardless of how many requests they make. |
| Recipient Allowlist | Only permit payments to approved addresses. If an endpoint tries to bill an unknown recipient, payment blocked. |
| Recipient Blocklist | Explicitly block known-bad addresses. Takes precedence over all other rules. |
| Recipient Pinning | Pin specific payment addresses to specific domains. If api.example.com suddenly requests payment to a different address, that's a red flag—payment blocked. |
| Currency Restrictions | Limit which tokens agents can spend. Allow USDC, block everything else. |
| Frequency Limits | Rate-limit requests per minute. Prevents high-frequency drainage even when individual payments are small. |
| Duplicate Detection | Atomic prevention of double-payments. If an agent accidentally retries a request, the second payment is blocked. |
| Circuit Breaker | After 10 consecutive policy violations, all X402 payments pause automatically. Protects against cascading failures. |
| Audit Logging | Complete record of every X402 payment decision—allowed or denied—with full context. |
Every check runs before your agent signs anything. Keys never leave your infrastructure.
Endpoint Auto-Discovery
This is the feature we're most excited about.
When your agent encounters a new X402 API for the first time, PolicyLayer automatically:
- Detects the new endpoint based on the domain in the 402 response
- Creates a policy using your configured defaults (spending limits, rate limits, etc.)
- Records the discovery with timestamp and agent ID
- Sends a webhook to your systems (if configured)
You don't need to manually configure every API your agents might use. Set sensible defaults, let agents explore, and get notified when they find new paid services. Tighten policies later as needed.
This solves a real operational problem. In a world where agents autonomously discover and consume APIs, you can't pre-configure everything. Auto-discovery with default policies gives you control without requiring omniscience.
// Your defaults apply to every new endpoint
{
maxAmountPerRequest: "1000000", // 1 USDC max per request
maxAmountPerDay: "10000000", // 10 USDC max per day
maxRequestsPerMinute: 10,
notifyOnDiscovery: true, // Webhook when new APIs found
autoCreatePolicies: true // Auto-create from defaults
}
When the agent hits a new X402 endpoint, these defaults apply immediately. You can then adjust the specific endpoint's policy through the dashboard or API.
Why Non-Custodial Matters Here
Some X402 implementations require you to deposit funds into a hosted wallet or grant signing permissions to a third party. This creates custody risk that compounds with every agent you deploy.
PolicyLayer's approach is different:
- Agent requests authorisation before signing any payment
- PolicyLayer validates against your policies and returns a cryptographic approval
- Agent signs and broadcasts using its own keys
- PolicyLayer verifies the signed transaction matches the approved intent
Your private keys never leave your infrastructure. We never have the ability to move funds. If PolicyLayer goes offline, agents simply can't make new payments—fail-closed, not fail-open.
This is the same two-gate architecture we use for all transaction types. X402 payments get the same cryptographic guarantees: intent fingerprinting, single-use tokens, and immediate budget reservation.
Getting Started
X402 policy enforcement works with any X402-compatible wallet or agent framework:
- Configure your default policy in the PolicyLayer dashboard under X402 settings
- Set up your agent to call PolicyLayer's validate endpoint before making X402 payments
- Deploy and watch the audit log as your agents interact with paid APIs
If you're using Coinbase's Payments MCP or Cloudflare's Agent SDK, PolicyLayer sits between your agent and the payment execution. They handle the payment mechanics; we handle the rules.
What's Next
This release covers the core enforcement layer. On the roadmap:
- Deeper Coinbase MCP integration with pre-built middleware
- Cloudflare Agent SDK adapter for edge-native policy checks
- Endpoint risk scoring based on community-reported behaviour
- Spending analytics with per-endpoint cost breakdowns
We're building the governance layer for the agentic economy. X402 is one protocol; the principles apply broadly.
The Bigger Picture
X402 makes autonomous commerce possible. Agents will purchase billions of API calls, data feeds, and computational resources. The protocol works. The question was never "can agents pay?"—it was "should they?"
With policy enforcement, the answer is yes—within limits you define, to recipients you approve, at frequencies you control. Non-custodial, fail-closed, and auditable.
The payment web is here. Now it's governable.
Related reading:
- Securing the X402 Protocol: Why Autonomous Agent Payments Need Spending Controls — Deep dive into X402 threat models
- How Two-Gate Enforcement Works — The cryptographic architecture behind policy enforcement
- Non-Custodial Security Explained — Why we don't want your keys
Ready to secure your X402 agents?
- Dashboard — Configure your policies
- SDK on npm — Install and integrate
Top comments (0)