Stable402.com · Coinbase × Cloudflare

x402 Compliance Middleware

HTTP 402 Payment Required has been a reserved status code since 1997. Coinbase's x402 protocol finally gives it meaning: any HTTP endpoint can gate access behind a stablecoin micropayment on Base. The compliance gap is immediate — a raw x402 payment has no sanctions screening, no agent identity verification, no audit trail. This middleware fills that gap.

6 checkpoints · 7 C-domains · 1 Worker · $0/month
C-Domains: C1 Identity, C2 Sanctions, C3 AML, C4 Fraud, C7 Travel Rule, C8 Resilience, C16 Programmable

Architecture

The middleware sits between the x402 facilitator and your gated endpoint. When a payment arrives, it runs six compliance checkpoints in sequence before the request reaches your code. Four are hard gates (block on failure), two are soft monitors (log and proceed). The entire pipeline deploys as a single Cloudflare Worker at the edge — sub-50ms latency, $0–5/month on the free tier. Every checkpoint produces an audit record; the final stage bundles them into a signed Verifiable Credential that serves as the compliance receipt.

Live Endpoint

Try the pipeline against the deployed Worker

The reference implementation runs at x402-middleware.stablecoinatlas.com. Hit it with any of the fixtures below to watch the six-stage pipeline fire. Approved payments return a W3C Verifiable Credential receipt URL you can fetch independently.

Health check
curl https://x402-middleware.stablecoinatlas.com/health

Clean pass — approved with receipt (HTTP 200 · APPROVED)
curl -X POST https://x402-middleware.stablecoinatlas.com/ \
  -H 'Content-Type: application/json' \
  -H 'X-402-Payment: {"payerAddress":"0x1111111111111111111111111111111111111111","amount":"50.00","asset":"USDC","action":"api-call","network":"base","requestToken":"demo_001","walletType":"smart"}'

Sanctions block — Lazarus Group / Harmony hack (HTTP 451 · BLOCKED)
curl -X POST https://x402-middleware.stablecoinatlas.com/ \
  -H 'Content-Type: application/json' \
  -H 'X-402-Payment: {"payerAddress":"0x098B716B8Aaf21512996dC57EB0615e2383E2f96","amount":"50.00","asset":"USDC","action":"api-call","network":"ethereum","requestToken":"demo_sanctions","walletType":"smart"}'

Structuring flag — pre-seeded address (HTTP 403 · BLOCKED)
curl -X POST https://x402-middleware.stablecoinatlas.com/ \
  -H 'Content-Type: application/json' \
  -H 'X-402-Payment: {"payerAddress":"0x2222222222222222222222222222222222222222","amount":"75.00","asset":"USDC","action":"api-call","network":"base","requestToken":"demo_struct","walletType":"smart"}'
Pipeline Summary
Six checkpoints. Four hard gates, two soft monitors. Seven C-domains covered (C1, C2, C3, C4, C7, C8, C16). The entire pipeline executes in a single Cloudflare Worker — sub-50ms at the edge, $0–5/month on the free tier. Every checkpoint produces an audit record; the final stage bundles them into a signed Verifiable Credential that serves as the compliance receipt for the transaction.
Checkpoint 1 · Wallet Architecture Verification

S1 Intent

Before any payment clears, the middleware inspects the requesting wallet's architecture. A Coinbase Smart Wallet with ERC-4337 session keys has code-enforced compliance at L3. A bare EOA has none. The compliance depth of the wallet determines which subsequent checks fire. The diagram below labels each wallet type's compliance blocks by enforcement type (code-enforced or policy-enforced).

Figure: wallet compliance blocks by layer. Layers: L5 Application, L4 Middleware, L3 Execution, L2 Consensus, L1 Network. The STATE TRANSITION line sits between L4 and L3: above it, compliance is policy-enforced (off-chain); at or below it, compliance is code-enforced (EVM bytecode).
Self-Custody EOA: Wallet UI; deepest layer L5 (policy-enforced)
Coinbase Smart Wallet (YOUR WALLET): Passkey UI, OFAC / KYT, ERC-4337; deepest layer L3 (code-enforced)
MPC Wallet: KYC Gate, MPC Threshold; deepest layer L4 (policy-enforced)
Hosted / Custodial: Identity, Gas Sponsor; deepest layer L4 (policy-enforced)
Agent Wallet: AgentKit, Spend Policy, Session Keys; deepest layer L3 (code-enforced)
Checkpoint 2 · OFAC Sanctions Screening

S2 Identity

The Chainalysis OFAC sanctions oracle is a free, public smart contract on Ethereum mainnet. A single eth_call returns whether the payer's address is sanctioned per the oracle's current list. This is a hard gate — flagged addresses are blocked before any funds move. To demo a live block, pick an address the oracle currently returns as sanctioned (Lazarus Group addresses tied to the Harmony Horizon Bridge hack still return flagged as of this writing); pick any other address for a clean pass. The oracle's list evolves with OFAC's, so fixtures that worked yesterday may not tomorrow — the middleware always mirrors whatever the oracle reports.

Vendor: Chainalysis
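Added here as an example, not the project's own code: the eth_call the checkpoint describes, ABI-encoded by hand and decoded with fail-closed handling so that an unreachable oracle blocks rather than passes. The oracle address and function selector are given from memory and marked in the code as values to confirm against Chainalysis' documentation; the RPC transport is injected so the function runs offline against a stubbed response.

```javascript
// Added example, not the Stable402 project's own code: the eth_call a Worker
// would issue to the Chainalysis OFAC oracle, with fail-closed error handling.
// Two values are assumptions to confirm against Chainalysis' published docs:
// the mainnet oracle address and the 4-byte selector of isSanctioned(address).
const ORACLE_ADDRESS = '0x40C57923924B5c5c5455c48D93317139ADDaC8fb';
const IS_SANCTIONED_SELECTOR = '0xdf592f7d';
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// ABI-encode the call: selector followed by the address left-padded to 32 bytes.
function encodeIsSanctioned(address) {
  return IS_SANCTIONED_SELECTOR + address.slice(2).toLowerCase().padStart(64, '0');
}

// Decode the 32-byte bool word. Anything but a clean 0 or 1 is an error,
// never a silent "not sanctioned".
function decodeBool(hex) {
  if (typeof hex !== 'string' || !/^0x[0-9a-fA-F]{64}$/.test(hex)) throw new Error('bad return data');
  const word = hex.slice(2);
  if (/^0{64}$/.test(word)) return false;
  if (/^0{63}1$/.test(word)) return true;
  throw new Error('non-boolean return data');
}

// Screen one payer. The oracle is a hard gate, so an unreachable or misbehaving
// RPC blocks the payment (fail closed) rather than letting it through.
async function screenAddress(address, { rpcUrl, fetchImpl = fetch }) {
  if (!ADDRESS_RE.test(address)) return { allow: false, reason: 'malformed address', status: 400 };
  const body = {
    jsonrpc: '2.0', id: 1, method: 'eth_call',
    params: [{ to: ORACLE_ADDRESS, data: encodeIsSanctioned(address) }, 'latest'],
  };
  try {
    const res = await fetchImpl(rpcUrl, {
      method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify(body),
    });
    const json = await res.json();
    if (json.error) throw new Error(`rpc error: ${json.error.message}`);
    const sanctioned = decodeBool(json.result);
    return { allow: !sanctioned, reason: sanctioned ? 'sanctioned' : 'clear', status: sanctioned ? 451 : 200 };
  } catch (err) {
    return { allow: false, reason: `oracle unavailable: ${err.message}`, status: 503 };
  }
}
```

The 451 and 200 statuses match the fixtures above; 503 is the fail-closed path, which a production Worker would pair with the SANCTIONS_CACHE namespace rather than blocking outright.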
Checkpoint 3 · AML Pattern Analysis

S3–S4 Discovery (policy-enforced)

Behavioral pattern detection runs against the payer's recent transaction history. Four heuristics fire: structuring (below-threshold splitting), round-tripping (circular flows), rapid movement (multi-hop in under one hour), and smurfing (many-to-one consolidation). The demo data set is pre-seeded with histories that trigger the structuring, round-tripping, and smurfing patterns.

Vendor: Cloudflare
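An added example, not the project's own code, narrowed to the first heuristic: a sliding-window structuring detector run over a constructed payment history of the kind the pre-seeded fixture address would carry. The reporting threshold, window length, and minimum split count are assumed policy values, not figures from the page.

```javascript
// Added example, not the project's own code: the structuring heuristic from the
// checkpoint above run over a constructed payer history. Assumed policy values:
// a $10,000 reporting threshold, a 24-hour window, and at least three
// sub-threshold payments whose sum reaches the threshold.
const THRESHOLD_USD = 10000;
const WINDOW_MS = 24 * 60 * 60 * 1000;
const MIN_SPLITS = 3;

// history: one payer's outbound payments, each { ts: ISO-8601, amount: USD, to: address }.
// Returns the first window that matches, or null when the history looks clean.
function detectStructuring(history, { threshold = THRESHOLD_USD, windowMs = WINDOW_MS, minSplits = MIN_SPLITS } = {}) {
  const splits = history
    .map(tx => ({ ...tx, t: Date.parse(tx.ts) }))
    .filter(tx => tx.amount > 0 && tx.amount < threshold)  // only sub-threshold payments can be splits
    .sort((a, b) => a.t - b.t);
  let start = 0, sum = 0;
  for (let end = 0; end < splits.length; end++) {
    sum += splits[end].amount;
    // Slide the window forward until it spans at most windowMs.
    while (splits[end].t - splits[start].t > windowMs) sum -= splits[start++].amount;
    const count = end - start + 1;
    if (count >= minSplits && sum >= threshold) {
      return { pattern: 'structuring', count, total: sum, from: splits[start].ts, to: splits[end].ts };
    }
  }
  return null;
}

// Constructed history: four payments of $2,000 to $4,500 inside three hours, each
// below the threshold, then an unrelated small payment a week later.
const demoHistory = [
  { ts: '2026-04-01T09:00:00Z', amount: 4500, to: '0x3333333333333333333333333333333333333333' },
  { ts: '2026-04-01T09:40:00Z', amount: 3000, to: '0x3333333333333333333333333333333333333333' },
  { ts: '2026-04-01T11:15:00Z', amount: 2800, to: '0x3333333333333333333333333333333333333333' },
  { ts: '2026-04-01T11:50:00Z', amount: 2000, to: '0x3333333333333333333333333333333333333333' },
  { ts: '2026-04-08T10:00:00Z', amount: 120, to: '0x3333333333333333333333333333333333333333' },
];
```

The detector fires on the third payment (three splits totalling $10,300 within 2h15m); the same amounts spread one day apart never accumulate inside a window and pass clean.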
Checkpoint 4 · KYA Delegation Chain Validation

S4 Negotiation

If the payer is an AI agent (not a human), the middleware walks the delegation chain: agent → parent agent → principal. Each link must have a valid DID, unexpired credentials, and spend authority that attenuates correctly down the chain. A sub-agent can't spend more than its parent authorized. The demo chain below lists each node's spend limit and credential expiry.

Demo delegation chain:
Principal: Acme Corp Treasury, $1000k, expires 2027-01-01
Agent: Operations Agent, $50k, expires 2026-07-01
Sub-Agent: Payroll Bot, $10k, expires 2026-04-15
Agent: Analytics Agent, read-only, expires 2026-06-01
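Added example, not the project's own code: walking the demo chain above from the principal down with the three rules the checkpoint states (valid DID, unexpired credential, attenuating spend authority), plus the final check that the requested amount fits the leaf agent's authority. The DIDs are constructed placeholders, and the Analytics Agent is assumed to hang off the Operations Agent.

```javascript
// Added example, not the project's own code: walking the demo chain above,
// principal first, with the rules the checkpoint states. DIDs are constructed
// placeholders; spend limits are whole USD (0 means read-only).
const DID_RE = /^did:[a-z0-9]+:[A-Za-z0-9._:%-]+$/;

// chain: [{ role, name, did, spendLimit, expires (YYYY-MM-DD) }, ...], ordered
// principal -> agent -> ... -> the agent making the request.
function validateDelegationChain(chain, { amount, now }) {
  const nowMs = Date.parse(now);
  const errors = [];
  if (chain.length === 0) return { valid: false, errors: ['empty delegation chain'] };
  chain.forEach((link, i) => {
    if (!DID_RE.test(link.did)) errors.push(`${link.name}: malformed DID ${link.did}`);
    // !(x > y) also catches an unparseable expiry (NaN), which must not pass.
    if (!(Date.parse(link.expires) > nowMs)) errors.push(`${link.name}: credential expired ${link.expires}`);
    // Attenuation: a delegate can never hold more spend authority than its delegator.
    if (i > 0 && link.spendLimit > chain[i - 1].spendLimit)
      errors.push(`${link.name}: limit ${link.spendLimit} exceeds parent limit ${chain[i - 1].spendLimit}`);
  });
  const leaf = chain[chain.length - 1];
  if (amount > leaf.spendLimit) errors.push(`${leaf.name}: amount ${amount} exceeds delegated authority ${leaf.spendLimit}`);
  return { valid: errors.length === 0, errors };
}

// The demo chain from the page, with constructed DIDs.
const demoChain = [
  { role: 'Principal', name: 'Acme Corp Treasury', did: 'did:web:treasury.acme-corp.example', spendLimit: 1000000, expires: '2027-01-01' },
  { role: 'Agent', name: 'Operations Agent', did: 'did:web:ops.acme-corp.example', spendLimit: 50000, expires: '2026-07-01' },
  { role: 'Sub-Agent', name: 'Payroll Bot', did: 'did:web:payroll.acme-corp.example', spendLimit: 10000, expires: '2026-04-15' },
];
// The read-only Analytics Agent (assumed here to be delegated by the Operations Agent) holds no spend authority.
const analyticsChain = [demoChain[0], demoChain[1],
  { role: 'Agent', name: 'Analytics Agent', did: 'did:web:analytics.acme-corp.example', spendLimit: 0, expires: '2026-06-01' }];
```

Run against the receipt's issuance date (2026-04-01) the Payroll Bot chain is valid for $3,500; run on 2026-05-04 it fails because the Payroll Bot credential expired on 2026-04-15, and any link whose limit exceeds its parent's is reported as a broken attenuation.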
Checkpoint 5 · Capability Envelope Enforcement

S5 Transport

The agent's capability envelope defines what it's allowed to do: per-transaction limit, daily limit, permitted assets, permitted actions, and temporal bounds. The middleware evaluates the requested payment against all five constraints. One failure blocks the entire transaction. The sample evaluation below shows the five-check result for one transaction.

Sample evaluation (result: TRANSACTION APPROVED)
Per-Transaction Limit: rule amount <= $5,000; requested $3,500
Daily Limit: rule (used + amount) <= $25,000; requested $12,000 (8,500 used)
Asset Permitted: rule asset in [USDC, USDT]; requested USDC
Action Permitted: rule action in [transfer]; requested transfer
Temporal Bound: rule 2026-03-01 to 2026-06-01; requested 2026-05-04
Vendors: Coinbase AgentKit, Catena Labs ACK Rulebook
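Added example, not the project's own code: evaluating the five constraints against the sample envelope and transaction above. It also parses the decimal-string amount from the X-402-Payment header strictly, a step the checkpoint text does not spell out; the field names on the envelope object are assumptions.

```javascript
// Added example, not the project's own code: evaluating the five envelope
// constraints against the sample envelope and transaction shown above.
// Amounts reach the Worker as decimal strings in the X-402-Payment header
// ("50.00"), so they are parsed strictly into cents before any comparison.
function parseAmount(s) {
  if (typeof s === 'number') s = String(s);
  if (typeof s !== 'string' || !/^\d+(\.\d{1,2})?$/.test(s)) return null;  // rejects "", "1e9", "-5", "3,500"
  return Math.round(Number(s) * 100);
}

// envelope: { perTxLimit, dailyLimit, usedToday (USD), assets, actions, validFrom, validTo (YYYY-MM-DD) }
// tx: { amount (decimal string), asset, action, date (YYYY-MM-DD) }
function evaluateEnvelope(envelope, tx) {
  const cents = parseAmount(tx.amount);
  if (cents === null) return { approved: false, checks: [{ name: 'Amount Parse', pass: false, detail: String(tx.amount) }] };
  const amount = cents / 100;
  const isoDate = /^\d{4}-\d{2}-\d{2}$/.test(tx.date);  // ISO dates compare correctly as strings
  const checks = [
    { name: 'Per-Transaction Limit', pass: amount <= envelope.perTxLimit,
      detail: `${amount} <= ${envelope.perTxLimit}` },
    { name: 'Daily Limit', pass: envelope.usedToday + amount <= envelope.dailyLimit,
      detail: `(${envelope.usedToday} + ${amount}) <= ${envelope.dailyLimit}` },
    { name: 'Asset Permitted', pass: envelope.assets.includes(tx.asset), detail: `${tx.asset} in [${envelope.assets}]` },
    { name: 'Action Permitted', pass: envelope.actions.includes(tx.action), detail: `${tx.action} in [${envelope.actions}]` },
    { name: 'Temporal Bound', pass: isoDate && tx.date >= envelope.validFrom && tx.date <= envelope.validTo,
      detail: `${envelope.validFrom} <= ${tx.date} <= ${envelope.validTo}` },
  ];
  // One failed constraint blocks the transaction; all five results still go to the audit record.
  return { approved: checks.every(c => c.pass), checks };
}

// Sample values from the evaluation above.
const sampleEnvelope = { perTxLimit: 5000, dailyLimit: 25000, usedToday: 8500, assets: ['USDC', 'USDT'],
  actions: ['transfer'], validFrom: '2026-03-01', validTo: '2026-06-01' };
const sampleTx = { amount: '3500.00', asset: 'USDC', action: 'transfer', date: '2026-05-04' };
```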
Checkpoint 6 · Receipt Generation & Verification

S8 Finality

After the payment clears all five gates, the middleware generates a W3C Verifiable Credential receipt. The receipt binds the payer DID, payee DID, amount, settlement network, and original request token into a signed credential. Any party can verify the receipt independently — no middleware access required. The four-step VC verification pipeline is listed after the sample receipt.

Sample ACK Receipt (VC Format)

{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "type": ["VerifiableCredential", "ACKReceipt"],
  "issuer": "did:web:receipts.acme-psp.com",
  "issuanceDate": "2026-04-01T14:32:18Z",
  "credentialSubject": {
    "payer": "did:web:agent.acme-corp.com",
    "payee": "did:web:vendor.eu-payments.fr",
    "amount": "3500.00",
    "currency": "USDC",
    "settlementNetwork": "Base",
    "requestToken": "req_7f3a8b2c"
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "verificationMethod": "did:web:receipts.acme-psp.com#key-1",
    "signatureValue": "eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDp3ZWI6cmVjZWlwdHMuYWNtZS1wc3AuY29tI2tleS0xIn0"
  }
}
Receipt verification pipeline:
1. Signature Validation (Gate)
2. Issuer Trust Check (Gate)
3. Revocation Check (Monitor)
4. Claim Verification (Gate)

Deploy It Yourself

The reference implementation is a single Cloudflare Worker in a standalone, MIT-licensed repo. Clone it, run the one-command deploy script, and you have your own compliance middleware running on Workers in under five minutes.

git clone https://github.com/leocarroll3/x402-compliance-middleware
cd x402-compliance-middleware
./scripts/deploy.sh
KV Namespaces: SANCTIONS_CACHE, AUDIT_LOG
D1 Database: TRANSACTIONS
R2 Bucket: RECEIPTS
Cost: $0–5/mo (free tier)