Machine-to-machine payments via HTTP 402 status code. Agent discovers price, pays in USDC, receives resource — no human in the loop. Coinbase Smart Wallet on Base; Cloudflare Worker compliance middleware at the edge.
"The authenticated bank-app login — identity established, spending authority scoped by delegation token before any transaction instruction is composed."
A Coinbase Smart Wallet (ERC-4337) on Base, provisioned via the Coinbase CDP SDK or AgentKit, with session keys scoped to the current agent task. The agent's identity binds to a resolvable DID (did:pkh:eip155:8453 for self-custody agents, where eip155:8453 names Base mainnet; did:web for ACK-ID-attested agents). The spending envelope travels with the session key rather than with the agent process: the session key is registered on the account as a signer with a typed scope (spend limit, allowed targets, validity window), and the account contract checks every ERC-4337 UserOperation that key signs against that scope during validation, so a leaked or over-reaching session key cannot spend beyond it.
Builder: `createSmartWallet({ delegation, spendLimit, allowedTargets })` through AgentKit; pair with Cloudflare Worker session-key issuance if you want the delegation signed at the edge rather than by a centralized key service.
Compliance officer: KYA checkpoint KYA-1 (Identity) fires here — the agent's DID must resolve to an identifiable human or organizational principal before any HTTP 402 response is honored. The wallet-provisioning step is the attachment point for the principal entity's customer identification program and transaction-monitoring obligations.
"The SWIFT gpi sanctions-screening leg — no value moves until the list check returns pass — plus the card-network fraud engine's velocity and structuring heuristics running in parallel on the same authorization."
A Cloudflare Worker intercepts the HTTP 402 response before the payment fires and runs the compliance pipeline at the edge. The OFAC gate queries the Chainalysis sanctions oracle at 0x40C5...8fb on Base; results are cached in Workers KV with a 1-hour TTL to keep the hot path under 100ms, which also means an address listed during that hour keeps passing until its entry expires, so purge the key on list updates or shorten the TTL for high-value flows. In parallel, a transaction-pattern analyzer pulls the agent's transaction history from D1 and scores it for structuring (one payment split into several sub-threshold transfers), round-tripping (value returning to the payer) and smurfing (fan-out of small payments across many counterparties) against GENIUS §104(d) monitoring heuristics.
Builder: `await middleware.screen(agentAddress, merchantAddress, amount)` returns a `ComplianceResult` with pass/fail flags for sanctions (hard gate) and a pattern score (soft monitor); the pipeline halts on the first hard-gate failure. The Worker responds with HTTP 451 Unavailable For Legal Reasons if the OFAC gate fails, and logs a monitor event (non-halting) if AML patterns trip a soft threshold. The reference middleware implementation is live at `/integrations/x402` and deployable at $0–5/mo on Cloudflare's free tier — KV + D1 + R2 + Secrets, no servers.
Compliance officer: this step satisfies GENIUS §6 (AML/BSA) and §8 (sanctioned-counterparty screening for cross-jurisdictional flows). Edge-computed compliance with cached oracle reads keeps the agentic-payment latency budget intact while preserving the gate's enforcement properties.
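The Step 2 pipeline as a worked example. This is added code, not the page's middleware: it takes the oracle, the KV cache and the D1 history as injected dependencies so it runs offline, it assumes the oracle exposes the Chainalysis `isSanctioned(address)` view, and the thresholds, heuristics, fixture addresses and history are constructed for illustration.

```typescript
// Added example, not the page's middleware: the Step 2 pipeline as a pure function over
// injected dependencies so it runs offline. Assumed: the oracle exposes the Chainalysis
// `isSanctioned(address)` view, KV and D1 are in-memory stand-ins, and the thresholds,
// heuristics and all addresses below are constructed for illustration.

export interface SanctionsOracle { isSanctioned(addr: string): boolean; }
export interface KV { get(key: string): string | null; put(key: string, value: string, ttlSec: number): void; }
export interface Transfer { from: string; to: string; amount: number; ts: number; } // USDC, unix seconds
export interface Deps { oracle: SanctionsOracle; kv: KV; history: (agent: string) => Transfer[]; now: () => number; }
export interface ComplianceResult {
  sanctions: "pass" | "fail";  // hard gate
  patternScore: number;        // soft monitor, 0..1
  monitorEvents: string[];     // non-halting findings to log when the soft threshold trips
  httpStatus: 200 | 451;
}

const CACHE_TTL_SEC = 3600;   // the page's 1h TTL
const THRESHOLD_USD = 3000;   // structuring threshold used by the heuristic (assumed)
const SOFT_THRESHOLD = 0.5;
const DAY = 86400;

/** In-memory KV with TTL semantics, standing in for Workers KV. */
export class MemoryKV implements KV {
  private store = new Map<string, { value: string; expires: number }>();
  constructor(private clock: () => number) {}
  get(key: string): string | null {
    const e = this.store.get(key);
    return e && e.expires > this.clock() ? e.value : null;
  }
  put(key: string, value: string, ttlSec: number): void {
    this.store.set(key, { value, expires: this.clock() + ttlSec });
  }
}

/** Hard gate. A cached verdict is trusted for CACHE_TTL_SEC, so a listing that lands inside
 *  that window is missed until the entry expires: purge the key when the list changes. */
export function sanctionsGate(deps: Deps, addr: string): "pass" | "fail" {
  const key = `ofac:${addr.toLowerCase()}`;
  const cached = deps.kv.get(key);
  if (cached === "pass" || cached === "fail") return cached;
  const verdict = deps.oracle.isSanctioned(addr) ? "fail" : "pass";
  deps.kv.put(key, verdict, CACHE_TTL_SEC);
  return verdict;
}

/** Soft monitor over the last 24h of history plus the pending transfer. */
export function patternScore(agent: string, merchant: string, amount: number, history: Transfer[], now: number) {
  const recent = history.filter(t => now - t.ts <= DAY);
  const events: string[] = [];
  let score = 0;
  // Structuring: several sub-threshold payments to one counterparty that together cross the threshold.
  const toMerchant = recent.filter(t => t.from === agent && t.to === merchant).map(t => t.amount).concat(amount);
  const aggregate = toMerchant.reduce((s, a) => s + a, 0);
  if (toMerchant.length >= 3 && toMerchant.every(a => a < THRESHOLD_USD) && aggregate >= THRESHOLD_USD) {
    score += 0.6;
    events.push(`structuring: ${toMerchant.length} sub-threshold transfers totalling ${aggregate}`);
  }
  // Round-tripping: the counterparty sent value back to the agent inside the window.
  if (recent.some(t => t.from === merchant && t.to === agent)) {
    score += 0.5;
    events.push("round-trip: counterparty returned funds within 24h");
  }
  // Smurfing: fan-out of small payments to many distinct payees.
  const payees = new Set(recent.filter(t => t.from === agent && t.amount < THRESHOLD_USD).map(t => t.to)).size;
  if (payees >= 10) {
    score += 0.3;
    events.push(`fan-out: ${payees} distinct sub-threshold payees`);
  }
  return { score: Math.min(1, score), events };
}

/** Halts on the first hard-gate failure (451); pattern findings are returned for logging and never halt. */
export function screen(deps: Deps, agentAddress: string, merchantAddress: string, amount: number): ComplianceResult {
  const agent = agentAddress.toLowerCase();
  const merchant = merchantAddress.toLowerCase();
  for (const addr of [agent, merchant]) {
    if (sanctionsGate(deps, addr) === "fail") {
      return { sanctions: "fail", patternScore: 0, monitorEvents: [], httpStatus: 451 };
    }
  }
  const { score, events } = patternScore(agent, merchant, amount, deps.history(agent), deps.now());
  return { sanctions: "pass", patternScore: score, monitorEvents: score >= SOFT_THRESHOLD ? events : [], httpStatus: 200 };
}

// Constructed fixture: one listed address, and an agent that already split a payment three ways today.
export const AGENT = "0x00000000000000000000000000000000000a9e47";
export const MERCHANT = "0x000000000000000000000000000000000000feed";
export const LISTED = "0x0000000000000000000000000000000000000bad";
export function demoDeps(): Deps {
  const t0 = 1_800_000_000;
  const hist: Transfer[] = [1, 2, 3].map(i => ({ from: AGENT, to: MERCHANT, amount: 1200, ts: t0 - i * 1800 }));
  return {
    oracle: { isSanctioned: a => a.toLowerCase() === LISTED },
    kv: new MemoryKV(() => t0),
    history: agent => hist.filter(h => h.from === agent),
    now: () => t0,
  };
}
```

With the fixture, a fourth 1,200 USDC payment to the same merchant passes the hard gate but trips the structuring heuristic (four sub-threshold transfers totalling 4,800), which comes back as a monitor event rather than a 451; a payment to the listed address halts before the pattern analyzer runs, and the second screening of the same pair is served from the cache.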
"The corporate authorization matrix check — the purchasing agent proves it holds the delegated authority, within category and amount and window, to commit the principal's funds to this specific counterparty."
Before the USDC transfer fires, the Cloudflare Worker verifies that the agent is operating within its capability envelope. The ACK-ID delegation chain is resolved — the agent's session key must derive from a valid principal credential, and the target merchant must be within the delegation's permitted-counterparty set. The capability envelope (part of KYA-2 Authorization) enforces per-transaction limits, daily caps, permitted merchant categories (encoded as MCCs or ACK Rulebook category hashes), and temporal bounds.
Builder: `capabilityCheck({ agent, target, amount, timestamp })` returns `{ allowed: bool, reason?: string }`; the Worker responds with 403 Forbidden if the agent is out of scope. The Worker evaluates the envelope off-chain so out-of-scope requests fail fast on latency-sensitive paths, but the account contract's on-chain check remains the authoritative gate: a bypassed or misconfigured Worker can only reject sooner, never widen what the session key is allowed to sign.
Compliance officer: this is the code-enforced KYA-2 (Authorization) checkpoint — delegation verification and capability-envelope evaluation are a single authorization decision. C5 Licensing attaches where the agent operates on behalf of a licensed entity (MTL, NYDFS BitLicense, OCC National Trust charter); the envelope must encode the licensee's permitted product scope and geographic restrictions.
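How the Step 3 decision can be evaluated off-chain, as an added example that is not the page's or ACK's code. The envelope fields, the shape of the delegation chain (each link may only narrow its parent) and the fixture are assumptions; the on-chain check in the account contract stays authoritative.

```typescript
// Added example, not the page's or ACK's code: off-chain evaluation of the Step 3 capability
// envelope and delegation chain inside the Worker. The envelope fields, the chain shape and
// the fixture below are assumptions; the account contract's on-chain check stays authoritative.

export interface Envelope {
  perTxLimit: number;                // USDC
  dailyCap: number;                  // USDC over a rolling 24h
  counterparties: "any" | string[];  // permitted merchant addresses
  categories: string[];              // MCCs or rulebook category hashes
  notBefore: number;                 // unix seconds, inclusive
  notAfter: number;                  // unix seconds, exclusive
}
export interface Delegation { issuer: string; subject: string; envelope: Envelope; }
export interface CapabilityInput {
  agent: string; target: string; category: string; amount: number; timestamp: number;
  principal: string;     // holder of the root credential
  chain: Delegation[];   // principal -> ... -> agent session key
  spentToday: number;    // rolling-24h total for this agent, e.g. from D1
  maxDepth?: number;
}
export interface CapabilityResult { allowed: boolean; reason?: string; }

const eq = (a: string, b: string) => a.toLowerCase() === b.toLowerCase();

/** A sub-delegation may only narrow its parent: lower limits, subsets of counterparties
 *  and categories, and a validity window inside the parent's. */
export function narrows(child: Envelope, parent: Envelope): boolean {
  const subset = (c: "any" | string[], p: "any" | string[]) =>
    p === "any" || (c !== "any" && c.every(x => p.some(y => eq(x, y))));
  return child.perTxLimit <= parent.perTxLimit
    && child.dailyCap <= parent.dailyCap
    && subset(child.counterparties, parent.counterparties)
    && child.categories.every(c => parent.categories.includes(c))
    && child.notBefore >= parent.notBefore
    && child.notAfter <= parent.notAfter;
}

/** Walk the chain from the principal to the session key; the leaf envelope is the effective scope. */
export function resolveChain(chain: Delegation[], principal: string, agent: string, maxDepth = 3): { envelope?: Envelope; reason?: string } {
  if (chain.length === 0) return { reason: "no delegation presented" };
  if (chain.length > maxDepth) return { reason: `delegation depth ${chain.length} exceeds ${maxDepth}` };
  if (!eq(chain[0].issuer, principal)) return { reason: "chain does not start at the principal" };
  for (let i = 1; i < chain.length; i++) {
    if (!eq(chain[i].issuer, chain[i - 1].subject)) return { reason: `link ${i} not issued by the previous subject` };
    if (!narrows(chain[i].envelope, chain[i - 1].envelope)) return { reason: `link ${i} widens its parent envelope` };
  }
  if (!eq(chain[chain.length - 1].subject, agent)) return { reason: "chain does not end at the agent's session key" };
  return { envelope: chain[chain.length - 1].envelope };
}

/** Single authorization decision: delegation validity and envelope bounds, first failure wins. */
export function capabilityCheck(input: CapabilityInput): CapabilityResult {
  const resolved = resolveChain(input.chain, input.principal, input.agent, input.maxDepth);
  if (!resolved.envelope) return { allowed: false, reason: resolved.reason };
  const e = resolved.envelope;
  if (input.timestamp < e.notBefore || input.timestamp >= e.notAfter) return { allowed: false, reason: "outside delegation window" };
  if (!(input.amount > 0)) return { allowed: false, reason: "amount must be positive" };
  if (input.amount > e.perTxLimit) return { allowed: false, reason: `amount ${input.amount} exceeds per-tx limit ${e.perTxLimit}` };
  if (input.spentToday + input.amount > e.dailyCap) return { allowed: false, reason: "daily cap exceeded" };
  if (e.counterparties !== "any" && !e.counterparties.some(c => eq(c, input.target))) return { allowed: false, reason: "counterparty not permitted" };
  if (!e.categories.includes(input.category)) return { allowed: false, reason: `category ${input.category} not permitted` };
  return { allowed: true };
}

// Constructed fixture: org treasury (principal) -> procurement agent -> per-task session key.
export const PRINCIPAL = "0x0000000000000000000000000000000000000001";
export const PROCUREMENT = "0x0000000000000000000000000000000000000002";
export const SESSION_KEY = "0x0000000000000000000000000000000000000003";
export const MERCHANT = "0x00000000000000000000000000000000000000fe";
export const T0 = 1_800_000_000;
export function demoChain(taskPerTxLimit = 500): Delegation[] {
  const org: Envelope = { perTxLimit: 5000, dailyCap: 20000, counterparties: "any", categories: ["5734", "7372"], notBefore: T0 - 86400, notAfter: T0 + 30 * 86400 };
  const task: Envelope = { perTxLimit: taskPerTxLimit, dailyCap: 2000, counterparties: [MERCHANT], categories: ["7372"], notBefore: T0, notAfter: T0 + 3600 };
  return [
    { issuer: PRINCIPAL, subject: PROCUREMENT, envelope: org },
    { issuer: PROCUREMENT, subject: SESSION_KEY, envelope: task },
  ];
}
```

The narrowing rule is the security property worth noticing: a task-level delegation that claims a higher per-transaction limit than the procurement agent's own grant is rejected at chain resolution, before any envelope bound is consulted, so a compromised intermediate cannot mint itself a wider scope than it was given.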
"The beneficiary's credit-to-account event — authorization obtained, list checks passed, funds credit irrevocably to the merchant inside the settlement window."
The x402 payment fires atomically on Base. The agent signs an EIP-3009 `transferWithAuthorization` typed-data message committing to the payer, the merchant address, the amount, a validity window and a single-use nonce (USDC records each spent (payer, nonce) pair, so the same authorization cannot be replayed); the merchant relays the signed message to the USDC contract, which checks the signature and the nonce and transfers the funds in a single settlement call. The full stack below the enforcement line (L1 Network, L2 Consensus, L3 Execution) processes the transfer in one Base block (~2s).
Builder: the Worker returns the signed authorization in the `X-Payment` HTTP header; the merchant's resource server calls `ERC20.transferWithAuthorization(from, to, value, validAfter, validBefore, nonce, v, r, s)` and serves the paid resource once the transfer mines and the emitted Transfer event matches the quoted recipient and amount. Base settlement finality is strong at one block for amounts under institutional thresholds; Coinbase recommends two-block confirmation for x402 flows above $10K.
Compliance officer: GENIUS §4 reserve-backing obligations apply to the USDC in transit — Circle must maintain 1:1 reserves in USD or short-term Treasuries for every token transferred. Recordkeeping (C11) attaches to the block's transaction hash, which becomes the anchoring reference for the downstream receipt.
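What the merchant's resource server should check in the `X-Payment` authorization before spending gas on the relay, as an added example that is not Coinbase's, Circle's or the page's code. It assumes the header carries base64 JSON with the EIP-3009 fields and signature parts, uses a constructed quote and a placeholder token address, and reproduces the `TransferWithAuthorization` typed-data layout with the domain name and version USDC v2 uses (confirm them against the contract's `DOMAIN_SEPARATOR` before relying on them).

```typescript
// Added example, not Coinbase's, Circle's or the page's code: the checks the merchant's resource
// server runs on the X-Payment authorization before relaying it to USDC. Assumed: the header is
// base64 JSON with the EIP-3009 fields and signature parts; the quote and token address are
// placeholders; domain name/version are USDC v2's (verify against the contract's DOMAIN_SEPARATOR).

export interface Quote { merchant: string; priceUsdc: string; token: string; chainId: number; } // terms from the 402
export interface Authorization {
  from: string; to: string; value: string;        // value in USDC atomic units (6 decimals) as a decimal string
  validAfter: number; validBefore: number;        // unix seconds
  nonce: string; v: number; r: string; s: string; // 32-byte hex nonce and secp256k1 signature parts
}

const USDC_DECIMALS = 6;
const RELAY_MARGIN_SEC = 60;   // the relay transaction still has to mine after the header is accepted
const HEX32 = /^0x[0-9a-fA-F]{64}$/;
const eq = (a: string, b: string) => a.toLowerCase() === b.toLowerCase();

/** "3.50" -> 3500000 atomic units. Rejects more than six fractional digits rather than rounding. */
export function toAtomic(amount: string): bigint {
  const m = /^(\d+)(?:\.(\d{0,6}))?$/.exec(amount);
  if (!m) throw new Error(`bad USDC amount: ${amount}`);
  return BigInt(m[1] + (m[2] ?? "").padEnd(USDC_DECIMALS, "0"));
}

export function decodePaymentHeader(header: string): Authorization {
  return JSON.parse(Buffer.from(header, "base64").toString("utf8")) as Authorization;
}

/** The EIP-712 payload the agent signed; a server can re-derive it to recover the signer and compare with `from`. */
export function typedData(auth: Authorization, quote: Quote) {
  return {
    domain: { name: "USD Coin", version: "2", chainId: quote.chainId, verifyingContract: quote.token },
    primaryType: "TransferWithAuthorization",
    types: { TransferWithAuthorization: [
      { name: "from", type: "address" }, { name: "to", type: "address" }, { name: "value", type: "uint256" },
      { name: "validAfter", type: "uint256" }, { name: "validBefore", type: "uint256" }, { name: "nonce", type: "bytes32" },
    ] },
    message: { from: auth.from, to: auth.to, value: auth.value, validAfter: auth.validAfter, validBefore: auth.validBefore, nonce: auth.nonce },
  };
}

/** Every field the contract will act on is checked against the quote and the screened agent first.
 *  `seenNonces` is a local replay pre-check; USDC itself rejects a reused (from, nonce) on-chain. */
export function validateAuthorization(auth: Authorization, quote: Quote, screenedAgent: string, now: number, seenNonces: Set<string>): { ok: boolean; reason?: string } {
  if (!eq(auth.from, screenedAgent)) return { ok: false, reason: "payer is not the screened agent" }; // Steps 2-3 ran on another account
  if (!eq(auth.to, quote.merchant)) return { ok: false, reason: "payee is not the quoted merchant" };
  if (BigInt(auth.value) !== toAtomic(quote.priceUsdc)) return { ok: false, reason: "value differs from quoted price" };
  if (!(now > auth.validAfter)) return { ok: false, reason: "authorization not yet valid" };          // contract requires now > validAfter
  if (!(now + RELAY_MARGIN_SEC < auth.validBefore)) return { ok: false, reason: "authorization would expire before relay" };
  if (!HEX32.test(auth.nonce) || !HEX32.test(auth.r) || !HEX32.test(auth.s)) return { ok: false, reason: "malformed nonce or signature" };
  if (auth.v !== 27 && auth.v !== 28) return { ok: false, reason: "bad recovery id" };
  const key = `${auth.from.toLowerCase()}:${auth.nonce.toLowerCase()}`;
  if (seenNonces.has(key)) return { ok: false, reason: "nonce already relayed" };
  seenNonces.add(key);
  return { ok: true };
}

/** Positional arguments for ERC20.transferWithAuthorization(from,to,value,validAfter,validBefore,nonce,v,r,s). */
export function relayArgs(a: Authorization) {
  return [a.from, a.to, a.value, a.validAfter, a.validBefore, a.nonce, a.v, a.r, a.s] as const;
}

// Constructed fixture: a 3.50 USDC quote and a matching authorization (signature parts are dummies).
export const NOW = 1_800_000_000;
export const AGENT = "0x00000000000000000000000000000000000a9e47";
export const QUOTE: Quote = {
  merchant: "0x000000000000000000000000000000000000feed",
  priceUsdc: "3.50",
  token: "0x00000000000000000000000000000000000000a0",  // placeholder, not USDC's real address
  chainId: 8453,
};
export function demoHeader(overrides: Partial<Authorization> = {}): string {
  const auth: Authorization = {
    from: AGENT, to: QUOTE.merchant, value: "3500000",
    validAfter: NOW - 30, validBefore: NOW + 600,
    nonce: "0x" + "11".repeat(32), v: 27, r: "0x" + "22".repeat(32), s: "0x" + "33".repeat(32),
    ...overrides,
  };
  return Buffer.from(JSON.stringify(auth)).toString("base64");
}
```

The first check is the one most often missing: the address that passed Steps 2 and 3 must be the `from` of the authorization, otherwise the screening and the capability envelope were evaluated for an account that is not the one paying. The contract will still reject a bad signature or a reused nonce, but only after the merchant has paid for the failed transaction.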
"The merchant's daily settlement file plus the bank's Reg E recordkeeping bundle — one artifact for the counterparty, one for the examiner, cryptographically linked to the underlying transfer."
The Cloudflare Worker issues a W3C Verifiable Credential receipt (type `X402Receipt` or `ACKReceipt`) binding the agent's DID, the merchant's DID, the amount, the Base transaction hash, and the compliance screening results from Step 2. The VC is signed with the Worker's receipt-signing key (held as a Cloudflare Secret binding), written to Cloudflare R2 under a key derived from the transaction hash, and the R2 object key is indexed in Workers KV as the audit-log entry.
Builder: a public `GET /receipts/:id` endpoint returns the VC for independent verification. A third party needs only the receipt itself, the issuer's DID document (did:web resolves to a JSON document served over HTTPS from the issuer's domain) and the revocation status list to check the issuer, non-revocation and claims; no access to the Cloudflare account is involved. Receipts are indexed by tx-hash and queryable via the public verifier endpoint; see `src/workers/x402-middleware.ts` for the canonical schema and the KV/D1/R2 binding declarations.
Compliance officer: satisfies C7 (Travel Rule originator/beneficiary data if the transfer crossed $3,000), C11 (recordkeeping under GENIUS §6 and §4(c) books-and-records), and C12 (independent audit trail for the monthly reserve attestation under §4(b)). The verifiable receipt is the artifact an examiner subpoenas — cryptographically linked to the on-chain transfer, independently verifiable, stored in durable object storage.
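Issuing a Step 5 receipt and verifying it as an outside party, as an added example that is not the page's Worker. It signs a sorted-key JSON serialization with Ed25519 from `node:crypto` in place of a full Data Integrity cryptosuite; the did:web resolver, the revocation list, the R2 key scheme and all the data are stand-ins constructed for the example.

```typescript
// Added example, not the page's Worker: issuing a Step 5 receipt and verifying it independently.
// Signs a canonical JSON serialization with Ed25519 (node:crypto) instead of a full Data Integrity
// cryptosuite; the did:web resolver, revocation list, R2 key scheme and all data are constructed stand-ins.
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

export interface Receipt {
  "@context": string[];
  type: string[];
  issuer: string;                               // did:web of the receipt service
  issuanceDate: string;
  credentialSubject: Record<string, unknown>;   // payer, payee, amount, txHash, screening result
  proof?: { type: string; verificationMethod: string; created: string; proofPurpose: string; proofValue: string };
}
export interface Resolver {
  publicKey(verificationMethod: string): KeyObject | undefined;  // stands in for did:web resolution over HTTPS
  revoked(receiptKey: string): boolean;                          // stands in for a status list
}

/** Sorted-key serialization so issuer and verifier sign and check identical bytes. */
export function canonicalize(v: unknown): string {
  if (Array.isArray(v)) return "[" + v.map(canonicalize).join(",") + "]";
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    return "{" + Object.keys(o).sort().filter(k => o[k] !== undefined)
      .map(k => JSON.stringify(k) + ":" + canonicalize(o[k])).join(",") + "}";
  }
  return JSON.stringify(v);
}

/** R2 object key derived from the Base transaction hash, so the receipt is addressable from the transfer. */
export function receiptKey(txHash: string): string {
  return "receipts/" + createHash("sha256").update(txHash.toLowerCase()).digest("hex");
}

function unsignedPart(r: Receipt): Omit<Receipt, "proof"> {
  return { "@context": r["@context"], type: r.type, issuer: r.issuer, issuanceDate: r.issuanceDate, credentialSubject: r.credentialSubject };
}

export function issueReceipt(unsigned: Omit<Receipt, "proof">, key: KeyObject, verificationMethod: string, created: string): Receipt {
  const proofValue = sign(null, Buffer.from(canonicalize(unsigned)), key).toString("base64url");
  return { ...unsigned, proof: { type: "Ed25519Signature2020", verificationMethod, created, proofPurpose: "assertionMethod", proofValue } };
}

/** Issuer binding, signature, revocation, then the claim an examiner cares about: the tx hash. */
export function verifyReceipt(r: Receipt, resolver: Resolver, expectedTxHash?: string): { valid: boolean; reason?: string } {
  const proof = r.proof;
  if (!proof) return { valid: false, reason: "unsigned" };
  if (proof.verificationMethod.split("#")[0] !== r.issuer) return { valid: false, reason: "key not under issuer's DID" };
  const pk = resolver.publicKey(proof.verificationMethod);
  if (!pk) return { valid: false, reason: "verification method does not resolve" };
  const ok = verify(null, Buffer.from(canonicalize(unsignedPart(r))), pk, Buffer.from(proof.proofValue, "base64url"));
  if (!ok) return { valid: false, reason: "bad signature" };
  const tx = String(r.credentialSubject.txHash ?? "");
  if (resolver.revoked(receiptKey(tx))) return { valid: false, reason: "revoked" };
  if (expectedTxHash !== undefined && tx.toLowerCase() !== expectedTxHash.toLowerCase()) return { valid: false, reason: "txHash does not match settlement" };
  return { valid: true };
}

// Constructed fixture: one issuer key, a resolver that knows it, and a receipt for a 3500 USDC transfer.
export const ISSUER = "did:web:receipts.example";
export const TX_HASH = "0x" + "ab".repeat(32);
export function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const revokedKeys = new Set<string>();
  const resolver: Resolver = {
    publicKey: vm => (vm === `${ISSUER}#key-1` ? publicKey : undefined),
    revoked: k => revokedKeys.has(k),
  };
  const receipt = issueReceipt({
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    type: ["VerifiableCredential", "ACKReceipt"],
    issuer: ISSUER,
    issuanceDate: "2026-04-01T14:32:18Z",
    credentialSubject: { payer: "did:web:agent.example", payee: "did:web:vendor.example", amount: "3500.00", currency: "USDC", settlementNetwork: "Base", txHash: TX_HASH, sanctions: "pass" },
  }, privateKey, `${ISSUER}#key-1`, "2026-04-01T14:32:19Z");
  const tampered: Receipt = { ...receipt, credentialSubject: { ...receipt.credentialSubject, amount: "35.00" } };
  return { receipt, tampered, resolver, revoke: () => revokedKeys.add(receiptKey(TX_HASH)) };
}
```

Two checks carry the weight here. The verification method must sit under the issuer's own DID, otherwise anyone with a resolvable key could sign a receipt naming the real receipt service as issuer; and the verifier compares the receipt's `txHash` with the settlement it is auditing, since a validly signed receipt for a different transfer is still the wrong artifact.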
Interactive 8-stage STP visualization showing the x402 HTTP payment lifecycle from wallet connection through atomic settlement on Base — the signature view of the Coinbase × Cloudflare pipeline.
Compare smart wallet compliance depth across Coinbase Smart Wallet, MetaMask, Rabby, Safe, and Ledger — the Step 1 artifact showing which wallets can hold an ACK-ID-attested session key and carry a delegated spending envelope to the edge.
Query the Chainalysis OFAC sanctions oracle at 0x40C5...8fb — the code-enforced gate the Cloudflare Worker runs at Step 2, cached in Workers KV with 1h TTL to keep the hot path under 100ms.
Evaluate the Step 3 capability envelope: per-transaction limits, daily caps, permitted merchant categories, temporal bounds, and delegation depth — the code-enforced KYA-2 (Authorization) gate that blocks out-of-scope agent payments.
Step 4 settlement-side compliance depth across off-chain ledger, Base L2, and Ethereum L1 — showing where value crosses the enforcement line and why Base is the canonical x402 settlement target.
Verify the Step 5 Verifiable Credential receipt issued by the Cloudflare Worker — signature check, issuer validation, revocation check, and claims evaluation. The audit artifact an examiner can subpoena and verify independently.
```json
{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "type": ["VerifiableCredential", "ACKReceipt"],
  "issuer": "did:web:receipts.acme-psp.com",
  "issuanceDate": "2026-04-01T14:32:18Z",
  "credentialSubject": {
    "payer": "did:web:agent.acme-corp.com",
    "payee": "did:web:vendor.eu-payments.fr",
    "amount": "3500.00",
    "currency": "USDC",
    "settlementNetwork": "Base",
    "requestToken": "req_7f3a8b2c"
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "verificationMethod": "did:web:receipts.acme-psp.com#key-1",
    "signatureValue": "eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDp3ZWI6cmVjZWlwdHMuYWNtZS1wc3AuY29tI2tleS0xIn0"
  }
}
```