Abstract. HTTP 402 Payment Required has been a reserved status code since 1997. Coinbase's x402 protocol finally gives it meaning: any HTTP endpoint can gate access behind a stablecoin micropayment on Base. The compliance gap is immediate — a raw x402 payment has no sanctions screening, no agent identity verification, no audit trail. This middleware fills that gap.
The middleware sits between the x402 facilitator and your gated endpoint. When a payment arrives, it runs six compliance checkpoints in sequence before the request reaches your code. Four are hard gates (block on failure), two are soft monitors (log and proceed).
The entire pipeline deploys as a single Cloudflare Worker at the edge — sub-50ms latency, $0–5/month on the free tier. Every checkpoint produces an audit record; the final stage bundles them into a signed Verifiable Credential that serves as the compliance receipt.
The reference implementation runs at x402-middleware.stablecoinatlas.com. Hit it
with any of the fixtures below to watch the six-stage
pipeline fire. Approved payments return a W3C Verifiable
Credential receipt URL you can fetch independently.
curl https://x402-middleware.stablecoinatlas.com/health curl -X POST https://x402-middleware.stablecoinatlas.com/ \
-H 'Content-Type: application/json' \
-H 'X-402-Payment: {"payerAddress":"0x1111111111111111111111111111111111111111","amount":"50.00","asset":"USDC","action":"api-call","network":"base","requestToken":"demo_001","walletType":"smart"}' curl -X POST https://x402-middleware.stablecoinatlas.com/ \
-H 'Content-Type: application/json' \
-H 'X-402-Payment: {"payerAddress":"0x098B716B8Aaf21512996dC57EB0615e2383E2f96","amount":"50.00","asset":"USDC","action":"api-call","network":"ethereum","requestToken":"demo_sanctions","walletType":"smart"}' curl -X POST https://x402-middleware.stablecoinatlas.com/ \
-H 'Content-Type: application/json' \
-H 'X-402-Payment: {"payerAddress":"0x2222222222222222222222222222222222222222","amount":"75.00","asset":"USDC","action":"api-call","network":"base","requestToken":"demo_struct","walletType":"smart"}' Before any payment clears, the middleware inspects the requesting wallet's architecture. A Coinbase Smart Wallet with ERC-4337 session keys has code-enforced compliance at L3. A bare EOA has none. The compliance depth of the wallet determines which subsequent checks fire.
Hover the "YOUR WALLET" column to see each compliance block's enforcement type.
The Chainalysis OFAC sanctions oracle is a free, public
smart contract on Ethereum mainnet. A single eth_call returns whether the payer's address is
sanctioned per the oracle's current list. Hard gate — flagged
addresses are blocked before any funds move.
To demo a live block, pick an address the oracle currently returns as sanctioned (Lazarus Group addresses from the Harmony Horizon Bridge hack still return flagged); pick any other address for a clean pass. The middleware always mirrors whatever the oracle reports.
Behavioral pattern detection runs against the payer's recent transaction history. Four heuristics fire: structuring (below-threshold splitting), round-tripping (circular flows), rapid movement (multi-hop in under one hour), and smurfing (many-to-one consolidation).
The demo data is pre-loaded with examples that trigger structuring, round-tripping, and smurfing patterns.
If the payer is an AI agent (not a human), the middleware walks the delegation chain: agent → parent agent → principal. Each link must have a valid DID, unexpired credentials, and spend authority that attenuates correctly down the chain. A sub-agent can't spend more than its parent authorised.
Click any node to inspect its DID, spend limit, and delegation metadata.
The agent's capability envelope defines what it's allowed to do: per-transaction limit, daily limit, permitted assets, permitted actions, and temporal bounds. The middleware evaluates the requested payment against all five constraints. One failure blocks the entire transaction.
Adjust the envelope on the left, then test a transaction on the right to see the five-check evaluation in real time.
After the payment clears all five gates, the middleware generates a W3C Verifiable Credential receipt. The receipt binds the payer DID, payee DID, amount, settlement network, and original request token into a signed credential.
Any party can verify the receipt independently — no middleware access required. Click "Verify Receipt" below to watch the four-step VC verification pipeline.
{"@context": ["https://www.w3.org/2018/credentials/v1"],"type": ["VerifiableCredential","ACKReceipt"],"issuer": "did:web:receipts.acme-psp.com","issuanceDate": "2026-04-01T14:32:18Z","credentialSubject": {"payer": "did:web:agent.acme-corp.com","payee": "did:web:vendor.eu-payments.fr","amount": "3500.00","currency": "USDC","settlementNetwork": "Base","requestToken": "req_7f3a8b2c"},"proof": {"type": "Ed25519Signature2020","verificationMethod": "did:web:receipts.acme-psp.com#key-1","signatureValue": "eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDp3ZWI6cmVjZWlwdHMuYWNtZS1wc3AuY29tI2tleS0xIn0"}};
The reference implementation is a single Cloudflare Worker in a standalone, MIT-licensed repo. Clone it, run the one-command deploy script, and you have your own compliance middleware running on Workers in under five minutes.
git clone https://github.com/leocarroll3/x402-compliance-middleware
cd x402-compliance-middleware
./scripts/deploy.sh