Stablecoin AtlasStable402.com · Coinbase × Cloudflare · x402 compliance middleware
May 2026 · Vol. III · Integrations
x402 Compliance Middleware

Drop-in compliance for x402-gated endpoints.

Abstract. HTTP 402 Payment Required has been a reserved status code since 1997. Coinbase's x402 protocol finally gives it meaning: any HTTP endpoint can gate access behind a stablecoin micropayment on Base. The compliance gap is immediate — a raw x402 payment has no sanctions screening, no agent identity verification, no audit trail. This middleware fills that gap.

C1 IdentityC2 SanctionsC3 AMLC4 FraudC7 Travel RuleC8 ResilienceC16 Programmable
Capability metrics
6 Checkpoints
7 C-Domains
1 Worker
$0 /month
Architecture

Six checkpoints between facilitator and endpoint.

The middleware sits between the x402 facilitator and your gated endpoint. When a payment arrives, it runs six compliance checkpoints in sequence before the request reaches your code. Four are hard gates (block on failure), two are soft monitors (log and proceed).

The entire pipeline deploys as a single Cloudflare Worker at the edge — sub-50ms latency, $0–5/month on the free tier. Every checkpoint produces an audit record; the final stage bundles them into a signed Verifiable Credential that serves as the compliance receipt.

Live endpoint

Try the pipeline against the deployed Worker.

The reference implementation runs at x402-middleware.stablecoinatlas.com. Hit it with any of the fixtures below to watch the six-stage pipeline fire. Approved payments return a W3C Verifiable Credential receipt URL you can fetch independently.

Health check
curl https://x402-middleware.stablecoinatlas.com/health
Clean pass — approved with receipt HTTP 200 · APPROVED
curl -X POST https://x402-middleware.stablecoinatlas.com/ \
  -H 'Content-Type: application/json' \
  -H 'X-402-Payment: {"payerAddress":"0x1111111111111111111111111111111111111111","amount":"50.00","asset":"USDC","action":"api-call","network":"base","requestToken":"demo_001","walletType":"smart"}'
Sanctions block — Lazarus Group / Harmony hack HTTP 451 · BLOCKED
curl -X POST https://x402-middleware.stablecoinatlas.com/ \
  -H 'Content-Type: application/json' \
  -H 'X-402-Payment: {"payerAddress":"0x098B716B8Aaf21512996dC57EB0615e2383E2f96","amount":"50.00","asset":"USDC","action":"api-call","network":"ethereum","requestToken":"demo_sanctions","walletType":"smart"}'
Structuring flag — pre-seeded address HTTP 403 · BLOCKED
curl -X POST https://x402-middleware.stablecoinatlas.com/ \
  -H 'Content-Type: application/json' \
  -H 'X-402-Payment: {"payerAddress":"0x2222222222222222222222222222222222222222","amount":"75.00","asset":"USDC","action":"api-call","network":"base","requestToken":"demo_struct","walletType":"smart"}'
Full source on GitHub ↗ /health ↗
Pipeline orchestrator
Pipeline summary
Six checkpoints. Four hard gates, two soft monitors. Seven C-domains covered (C1, C2, C3, C4, C7, C8, C16). The entire pipeline executes in a single Cloudflare Worker — sub-50ms at the edge, $0–5/month on the free tier. Every checkpoint produces an audit record; the final stage bundles them into a signed Verifiable Credential that serves as the compliance receipt for the transaction.
Fig. 0 — Six sequential checkpoints from request through receipt. Stages 1–2 and 4–6 are code-enforced; stage 3 is a policy-enforced monitor.
1

Wallet architecture verification

S1 IntentCode-enforced

Before any payment clears, the middleware inspects the requesting wallet's architecture. A Coinbase Smart Wallet with ERC-4337 session keys has code-enforced compliance at L3. A bare EOA has none. The compliance depth of the wallet determines which subsequent checks fire.

Hover the "YOUR WALLET" column to see each compliance block's enforcement type.

L5ApplicationL4MiddlewareL3ExecutionL2ConsensusL1Network▲ STATE TRANSITION▲ Above the STATE TRANSITION line: policy-enforced (off-chain). ▼ At or below: code-enforced (EVM bytecode).Self-Custody EOAWallet UIL5Coinbase Smart WalletYOUR WALLETPasskey UIOFAC / KYTERC-4337L3MPC WalletKYC GateMPC ThresholdL4Hosted / CustodialIdentityGas SponsorL4Agent WalletAgentKitSpend PolicySession KeysL3Code-enforcedPolicy-enforced
Fig. 1 — Wallet architecture inspector — Coinbase Smart Wallet vs EOA.
2

OFAC sanctions screening

S2 IdentityCode-enforced

The Chainalysis OFAC sanctions oracle is a free, public smart contract on Ethereum mainnet. A single eth_call returns whether the payer's address is sanctioned per the oracle's current list. Hard gate — flagged addresses are blocked before any funds move.

To demo a live block, pick an address the oracle currently returns as sanctioned (Lazarus Group addresses from the Harmony Horizon Bridge hack still return flagged); pick any other address for a clean pass. The middleware always mirrors whatever the oracle reports.

Chainalysis
Fig. 2 — On-chain SDN check via the Chainalysis sanctions oracle — free, public, read-only.
3

AML pattern analysis

S3–S4 DiscoveryPolicy-enforced

Behavioral pattern detection runs against the payer's recent transaction history. Four heuristics fire: structuring (below-threshold splitting), round-tripping (circular flows), rapid movement (multi-hop in under one hour), and smurfing (many-to-one consolidation).

The demo data is pre-loaded with examples that trigger structuring, round-tripping, and smurfing patterns.

Cloudflare
Fig. 3 — Pattern detection with statute citations per alert — the Worker logs and proceeds rather than blocking.
4

KYA delegation chain validation

S4 NegotiationCode-enforced

If the payer is an AI agent (not a human), the middleware walks the delegation chain: agent → parent agent → principal. Each link must have a valid DID, unexpired credentials, and spend authority that attenuates correctly down the chain. A sub-agent can't spend more than its parent authorised.

Click any node to inspect its DID, spend limit, and delegation metadata.

PrincipalAcme Corp Treasury$1000kExpires: 2027-01-01AgentOperations Agent$50kExpires: 2026-07-01Sub-AgentPayroll Bot$10kExpires: 2026-04-15AgentAnalytics AgentRead-onlyExpires: 2026-06-01
Fig. 4 — Delegation tree — agent → parent → principal — with per-node spend authority attenuation.
5

Capability envelope enforcement

S5 TransportCode-enforced

The agent's capability envelope defines what it's allowed to do: per-transaction limit, daily limit, permitted assets, permitted actions, and temporal bounds. The middleware evaluates the requested payment against all five constraints. One failure blocks the entire transaction.

Adjust the envelope on the left, then test a transaction on the right to see the five-check evaluation in real time.

$0 — $100,000
$0 — $500,000
TRANSACTION REJECTED
Per-Transaction Limit
amount <= $5,000
$3,500
Daily Limit
(used + amount) <= $25,000
$12,000 (8,500 used)
Asset Permitted
asset in [USDC, USDT]
USDC
Action Permitted
action in [transfer]
transfer
Temporal Bound
2026-03-01 to 2026-06-01
2026-06-10
Vendors: Coinbase AgentKit, Catena Labs ACK Rulebook
Fig. 5 — Five-check envelope — per-tx limit, daily limit, assets, actions, temporal bounds.
6

Receipt generation & verification

S8 FinalityCode-enforced

After the payment clears all five gates, the middleware generates a W3C Verifiable Credential receipt. The receipt binds the payer DID, payee DID, amount, settlement network, and original request token into a signed credential.

Any party can verify the receipt independently — no middleware access required. Click "Verify Receipt" below to watch the four-step VC verification pipeline.

Sample ACK Receipt (VC format)

{
"@context": [
"https://www.w3.org/2018/credentials/v1"
]
,
"type": [
"VerifiableCredential",
"ACKReceipt"
]
,
"issuer": "did:web:receipts.acme-psp.com",
"issuanceDate": "2026-04-01T14:32:18Z",
"credentialSubject": {
"payer": "did:web:agent.acme-corp.com",
"payee": "did:web:vendor.eu-payments.fr",
"amount": "3500.00",
"currency": "USDC",
"settlementNetwork": "Base",
"requestToken": "req_7f3a8b2c"
}
,
"proof": {
"type": "Ed25519Signature2020",
"verificationMethod": "did:web:receipts.acme-psp.com#key-1",
"signatureValue": "eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDp3ZWI6cmVjZWlwdHMuYWNtZS1wc3AuY29tI2tleS0xIn0"
}

};
1

Signature Validation

Gate
2

Issuer Trust Check

Gate
3

Revocation Check

Monitor
4

Claim Verification

Gate
Fig. 6 — Four-step VC verification — signature → issuer trust → revocation → claim verification.
Deploy it yourself

One repo, one Worker, five minutes.

The reference implementation is a single Cloudflare Worker in a standalone, MIT-licensed repo. Clone it, run the one-command deploy script, and you have your own compliance middleware running on Workers in under five minutes.

git clone https://github.com/leocarroll3/x402-compliance-middleware
cd x402-compliance-middleware
./scripts/deploy.sh
KV namespaces
SANCTIONS_CACHE · AUDIT_LOG
D1 database
TRANSACTIONS
R2 bucket
RECEIPTS
Cost
$0–5/mo (free tier)
Explore the architecture

Pick a thread.