AI agents are about to start spending real money.
Not hypothetically. The x402 protocol (HTTP 402 Payment Required) enables agents to pay for services programmatically an agent requests a resource, gets a 402 response with payment instructions, executes the payment, and retries with proof. No human in the loop.
This is already happening. Anthropic published agentic commerce patterns. Google's AP2 protocol standardizes agent-to-agent transactions. Base chain is positioning itself as the settlement layer for agent economies.
But here's the problem nobody is solving: how does Agent B know it should trust Agent A with a $500 transaction?
The Trust Gap
Today, when a human buys something online, there's an entire infrastructure of trust that makes it work:
- Identity: Your credit card is tied to your verified identity
- Reputation: The merchant has reviews, ratings, and a track record
- Escrow: Your bank holds the funds and can reverse charges
- Insurance: Fraud protection covers both sides
AI agents have none of this.
When Agent A sends a payment to Agent B, there's:
- No verified identity (just an API key or wallet address)
- No reputation score (has this agent completed 1,000 successful transactions or zero?)
- No escrow (payment is instant and irreversible on-chain)
- No recourse (if Agent B takes the money and delivers garbage, there's no dispute mechanism)
This isn't a theoretical concern. The moment autonomous agents start transacting at scale, we'll see:
- Scam agents that accept payment and deliver nothing
- Compromised agents whose credentials were stolen and used to drain funds
- Manipulated agents tricked by prompt injection into sending funds to attackers
- Runaway agents that exceed their authorized spending limits
The answer isn't to prevent agents from transacting. The answer is to build the trust infrastructure that makes safe transactions possible.
What a Trust Layer Looks Like
I've been building Agntor an open-source trust and payment rail for AI agents. Here's the architecture we've arrived at after thinking through these problems:
1. Audit Tickets (Sub-Second Identity Verification)
Before an agent can transact, it needs a cryptographically signed JWT that proves:
- Who it is (agent ID)
- What it's allowed to do (constraints)
- How much it can spend (max operation value)
- When the authorization expires (short-lived by design)
import { TicketIssuer } from "@agntor/sdk";
const issuer = new TicketIssuer({
signingKey: process.env.SIGNING_KEY,
issuer: "your-org.com",
algorithm: "HS256",
defaultValidity: 300, // 5 minutes
});
const ticket = issuer.generateTicket({
agentId: "agent-123",
auditLevel: "Gold",
constraints: {
max_op_value: 50, // Can't spend more than $50 per tx
allowed_mcp_servers: ["finance-node"],
kill_switch_active: false,
requires_x402_payment: true, // Must use x402 protocol
},
});
The ticket is attached to every request as X-AGNTOR-Proof. The receiving agent validates the signature, checks the constraints, and only then proceeds with the transaction.
Key design decisions:
- Short-lived: Default 5-minute expiry. A stolen ticket is only useful briefly.
- Constraint-bound: Even a valid ticket can't exceed its authorized limits.
-
Kill switch: If an agent is compromised, flip
kill_switch_activeand all its tickets are instantly rejected.
2. Escrow (Don't Pay Until the Work Is Done)
Irreversible payments are the core risk in agent-to-agent transactions. Escrow solves this:
import { Agntor } from "@agntor/sdk";
const agntor = new Agntor({
apiKey: "agntor_live_xxx",
agentId: "agent://buyer",
chain: "base",
});
// Create an escrow funds are locked, not transferred
const escrow = await agntor.escrow.create({
counterparty: "agent://worker",
amount: 100,
condition: "api_returns_200",
timeout: 3600, // 1 hour to complete
});
// Worker does the job...
// If successful, release the funds
await agntor.settle.release(escrow.escrowId);
// If the worker failed or cheated, slash
await agntor.settle.slash(escrow.escrowId);
The funds are locked until either:
- The buyer releases them (work was satisfactory)
- The buyer slashes them (work was unsatisfactory)
- The timeout expires (dispute resolution kicks in)
3. Reputation (Track Record Matters)
Every completed transaction feeds into a reputation score:
const rep = await agntor.reputation.get("agent://counterparty");
console.log(rep.successRate); // 0.97 (97% success rate)
console.log(rep.escrowVolume); // 15000 (total USDC escrowed)
console.log(rep.slashes); // 2 (times they were penalized)
console.log(rep.counterpartiesCount); // 45 (unique agents transacted with)
Before entering a transaction, you can check: has this agent been reliable? Have they been slashed before? How much volume have they handled?
4. Settlement Guard (Scam Detection)
Even with escrow, you want to catch scams before locking funds. The settlement guard runs heuristic and optional LLM-based analysis on payment requests:
import { settlementGuard, createOpenAIGuardProvider } from "@agntor/sdk";
const result = await settlementGuard(
{
amount: "5000",
currency: "USDC",
recipientAddress: "0xabc...",
serviceDescription: "stuff", // Suspiciously vague
reputationScore: 0.2, // Low reputation
},
{
deepScan: true,
provider: createOpenAIGuardProvider(),
}
);
// result.classification === "block"
// result.riskFactors === ["low-reputation", "high-value", "vague-description"]
The heuristic checks catch:
- Known-bad/sanctioned addresses
- Low counterparty reputation (< 0.3 threshold)
- High-value transactions (> $500)
- Vague or missing service descriptions
- Zero-address transactions (sending to 0x000...000)
5. Safety Controls (Defense in Depth)
Beyond financial trust, agents need protection against manipulation:
- Guard: Three-layer prompt injection detection (regex + heuristics + LLM)
- Redact: Strips PII, API keys, and crypto private keys from agent output
- Tool Guard: Policy-based allow/blocklists for tool execution
- SSRF Protection: Validates URLs against private IP ranges before fetching
-
Transaction Simulator: Dry-runs on-chain transactions via
eth_callbefore signing
These aren't separate products
they compose into a single pipeline via wrapAgentTool():
import { wrapAgentTool } from "@agntor/sdk";
const safeFetch = wrapAgentTool(myFetchFunction, {
policy: {
toolBlocklist: ["shell.exec"],
injectionPatterns: [/transfer.*funds/i],
},
});
// Every call through safeFetch is automatically:
// 1. Checked against tool allowlist/blocklist
// 2. Inputs redacted for PII
// 3. Inputs scanned for prompt injection
// 4. URLs validated against SSRF
// 5. Then executed
Why This Has to Be Open Source
Trust infrastructure only works if it's auditable. If Agntor were a black box, you'd have to trust us which defeats the purpose.
The core packages (@agntor/sdk, @agntor/trust-proxy, @agntor/mcp) are MIT licensed. The trust verification logic, the constraint enforcement, the guard patterns all open for inspection and contribution.
The agent economy is going to be built on open standards: x402 for payments, ERC-8004 for agent registration, MCP for tool discovery. The trust layer should be open too.
The x402 Handshake
Here's how it all comes together in a single transaction:
Agent A (Buyer) Agntor Trust Proxy Agent B (Seller)
| | |
|--- Request resource ---->| |
| | |
|<-- 402 Payment Required -| |
| (price, payment addr) | |
| | |
|--- Retry with: | |
| X-AGNTOR-Proof (JWT) | |
| x402 payment proof | |
| | |
| [Verify JWT signature] |
| [Check constraints] |
| [Validate x402 proof] |
| [Check reputation] |
| | |
| |--- Execute service ----->|
| | |
|<-- Result + settlement --+<-- Result ---------------|
Every step is verified. The buyer proves identity and authorization. The proxy validates constraints. The seller's reputation is checked. The payment is escrowed until delivery is confirmed.
Where We Are
Agntor is at v0.1.0. The SDK, trust proxy, and MCP server are functional. The escrow and reputation systems work against the API. The safety controls (guard, redact, tool guard) work entirely client-side with zero external dependencies for the basic tier.
What's next:
- On-chain identity registry
- Decentralized reputation aggregation
- Validator workflows for dispute resolution
- Integration guides for LangChain, CrewAI, and Vercel AI SDK
Try It
npm install @agntor/sdk
The guard and redact features work standalone with no API key you can start protecting your agents today without buying into the full protocol.
Full source: github.com/agntor/agntor
_The agent economy is coming whether the trust infrastructure is ready or not. I'd rather it be ready. If you're building in this space, I'd like to hear what trust problems you're running into
open an issue or reach out._
Top comments (0)