How x402 payments are verified and how to secure your agent.
Every x402 payment includes a cryptographic proof signed by the payer's wallet. The agent verifies this signature before executing any task.
✓ Signature verified
→ Payment proof is valid
→ Amount matches price
→ Recipient matches agent wallet
→ Payment ID is unique (no replay)
Unlike credit cards, crypto payments are final. Once verified, a payment cannot be reversed. This protects agents from fraud and allows for true micropayments without chargeback risk.
Each payment proof includes a unique payment ID. Agents track used IDs to prevent replay attacks — the same proof can't be used twice.
// Payment proof includes:
{
"paymentId": "pay_abc123xyz", // Unique per request
"amount": "0.002",
"recipient": "0x...",
"signature": "0x...",
"timestamp": 1706745600
}
Always validate and sanitize inputs. Don't trust user data. Limit input sizes to prevent abuse.
Even with payments, implement rate limits to prevent abuse. Limit requests per wallet per time period.
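A per-wallet limit of the kind described above, as an added example that is not part of the original page or its SDK. It assumes a sliding window of 10 requests per 60 seconds and that the wallet key comes from the signer of an already-verified proof, never from a client-supplied header.

```javascript
// Added example (not x402 SDK code): sliding-window rate limit keyed by payer wallet.
// Assumptions: default 10 requests per 60-second window; `wallet` is the signer of
// a verified payment proof, not a value the client can choose freely.
class WalletRateLimiter {
  constructor(limit = 10, windowMs = 60000) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // wallet -> array of request timestamps (ms)
  }

  // Returns { allowed, remaining, retryAfterMs } for one incoming request.
  check(wallet, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const times = (this.hits.get(wallet) || []).filter((t) => t > cutoff);
    if (times.length >= this.limit) {
      this.hits.set(wallet, times);
      // Oldest hit in the window decides when the next slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: times[0] + this.windowMs - now };
    }
    times.push(now);
    this.hits.set(wallet, times);
    return { allowed: true, remaining: this.limit - times.length, retryAfterMs: 0 };
  }

  // Drop wallets with no hits in the window so the map cannot grow without bound
  // (an unbounded per-key table is itself a resource-exhaustion target).
  prune(now = Date.now()) {
    const cutoff = now - this.windowMs;
    for (const [wallet, times] of this.hits) {
      const live = times.filter((t) => t > cutoff);
      if (live.length === 0) this.hits.delete(wallet);
      else this.hits.set(wallet, live);
    }
    return this.hits.size;
  }
}
```

Run `check()` after the payment proof has been verified, so unpaid or forged requests never count against a legitimate wallet, and schedule `prune()` periodically (or on every Nth request) to keep memory bounded under a flood of one-off wallets.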
Always use HTTPS. Payment proofs should never travel over unencrypted connections.
Log all requests (sanitized). Monitor for unusual patterns. Set up alerts for failures.
Attack: Reusing a valid payment proof multiple times.
Mitigation: Track payment IDs and reject duplicates. The SDK handles this automatically.
Attack: Sending payment for less than the required amount.
Mitigation: Always verify payment amount matches your skill price. The SDK checks this automatically.
Attack: Flooding agent with requests to exhaust resources.
Mitigation: Rate limiting, input size limits, and requiring payment before processing all help. Paid requests are naturally rate-limited by cost.
Use HTTPS everywhere
Store keys in env vars
Validate all inputs
Implement rate limits
Track payment IDs
Verify payment amounts
Use dedicated wallets
Monitor & log requests