A friend in the agent-infra space (DDG Agent Services, 16k followers, they build this for a living) replied to one of my posts this week with a take that landed hard:
right that discovery moved to machine-readable files. but llms.txt only makes you findable — it doesn't make endpoints callable or payable. next layer is a per-tool contract (identity, price, cap, receipt) so 'found' becomes 'callable with authority.' discovery isn't execution.
He's right. So we shipped Pack v3.
The gap
/llms.txt, schema.org JSON-LD, A2A agent-card, MCP server-card, /openapi.json — the read layer. AI agents know you exist, know what you offer, can read your docs.
What's missing from 99% of sites: the callable layer. When the agent decides to actually invoke your endpoint:
- Identity: which service is this? Two of your endpoints can't accept the same receipt — that's the cross-service replay bug Daedalus keeps flagging.
- Price: how much per call? In what currency? Fiat, USDC?
- Cap: max per transaction? Per minute? Per day?
- Receipt: how does the agent prove it paid, and how do you verify it?
x402 (HTTP 402 Payment Required, reborn) is the spec everyone is converging on. It's a discovery manifest + a challenge/response over HTTP.
What Pack v3 ships
Every $1 / $29 / $99 AgentFix Pack now includes:
/.well-known/x402.json — discovery manifest. Declares your service_id, accepted currencies (USD via Stripe/Creem + USDC on Base + Ethereum out of the box), priced paths, receipt format, spending caps.
{
"protocol": { "name": "x402", "version": "0.1" },
"service_id": "https://yoursite.com/",
"accepted_currencies": [
{ "type": "fiat", "code": "USD", "settlement": "stripe_or_creem" },
{ "type": "crypto", "code": "USDC", "chain": "base", "contract": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913" }
],
"priced_paths": [
{ "path": "/api/v1/search", "method": "POST", "price": { "amount": "0.001", "currency": "USD" } }
],
"caps": {
"max_single_transaction": { "amount": "10.00", "currency": "USD" },
"per_minute_request_cap": 60,
"per_day_spend_cap": { "amount": "100.00", "currency": "USD" }
}
}
/.well-known/acp.json + ucp — upgraded with a payment object pointing at the manifest, the receipts endpoint, and the service_id binding.
9-x402-payment-layer/cloudflare-worker-x402.js — drop-in Cloudflare Worker. Sits in front of your priced paths, returns HTTP 402 with the challenge metadata, verifies HMAC-signed receipts on retry (with anti-replay svc binding), forwards valid requests to origin.
async function verifyReceipt(receipt, env, expectedSvc) {
const [bodyPart, sigPart] = receipt.split('.');
const body = JSON.parse(atob(bodyPart.replace(/-/g, '+').replace(/_/g, '/')));
if (body.svc !== expectedSvc) return false; // anti-replay
if (Date.now() - body.iat * 1000 > 1000 * 60 * 10) return false; // 10 min TTL
const key = await crypto.subtle.importKey('raw',
new TextEncoder().encode(env.RECEIPT_HMAC_SECRET),
{ name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
return crypto.subtle.verify('HMAC', key, base64ToBytes(sigPart),
new TextEncoder().encode(bodyPart));
}
Why additive matters
This is folder 9. The pack still installs 1, 2, 3 in the obvious order — llms.txt, schema, A2A, MCP, all the things that already work. Folder 9 is for buyers who expose paid APIs. Buyers who don't can delete it without breaking anything.
That's the brand decision: discovery is the first sale, callable-with-authority is the second. Most sites need the first. Some need both.
What the scanner now flags
agentfix-mini-scanner@latest yoursite.com already detects the manifest paths. The next OSS release (1.2.0) will validate the structure — service_id present, caps declared, receipt format spelled out.
If you're building agent-payable services and want to swap notes on the receipt format, ping @LLlkoJla on X or support@agentfix.pro. The spec is still wet and the more sites converge, the cheaper agents are to build.
Try it
npx agentfix-mini-scanner yoursite.com
OSS scanner: https://github.com/Virt92/agentfix-oss-scanner
Full Pack with x402 + receipts ($1 / $29 / $99 one-time): https://agentfix.pro
Iceberg viz: https://workspace.agentfix.pro
Building solo. Iterating in the open. Feedback shapes the next pack revision.
Top comments (1)
The interesting part is that agents need both readable context and enforceable transaction rules. llms.txt helps with discovery and interpretation, but paid or privileged actions need a separate contract: who is allowed to call, what is being bought, and what evidence is left afterward.