x402 HTTP Purchase
Machine-to-machine payments via HTTP 402 status code. Agent discovers price, pays in USDC, receives resource — no human in the loop. Coinbase Smart Wallet on Base; Cloudflare Worker compliance middleware at the edge.
Thresholds triggered: CTR (USD 10,000+) · Travel Rule (USD 3,000+) · Enhanced Due Diligence (USD 50,000+)
Step 1 · Agent Wallet (Coinbase Smart Wallet on Base) · Policy-Enforced · Blockchain-Native
The authenticated bank-app login — identity established, spending authority scoped by delegation token before any transaction instruction is composed.
A Coinbase Smart Wallet (ERC-4337) on Base, provisioned via the Coinbase CDP SDK or AgentKit, with session keys scoped to the current agent task. L4 Account and L5 Application are lit — both above the enforcement line, policy-enforced. The agent's identity is bound to a resolvable DID (did:pkh:eip155:8453 for self-custody agents, did:web for ACK-ID-attested agents) and the spending envelope is encoded in the session key itself — a typed ERC-4337 UserOperation signer whose scope is enforced by the account contract.

Builder: `createSmartWallet({ delegation, spendLimit, allowedTargets })` through AgentKit; pair with Cloudflare Worker session-key issuance if you want the delegation signed at the edge rather than by a centralized key service.

Compliance officer: KYA checkpoint KYA-1 (Resolve Principal) fires here — the agent's DID must resolve to an identifiable human or organizational principal before any HTTP 402 response is honored. GENIUS §6 AML/BSA obligations attach to the principal, not the agent itself; the principal's BSA program is inherited by the agent for the duration of the delegation. Where the agent operates on behalf of a US financial institution, the wallet-provisioning step is the attachment point for that institution's customer identification program and transaction-monitoring obligations.
Step 2 · Compliance Middleware — Sanctions + AML · Code-Enforced · Blockchain-Native
The SWIFT gpi sanctions-screening leg — no value moves until the list check returns pass — plus the card-network fraud engine's velocity and structuring heuristics running in parallel on the same authorization.
A Cloudflare Worker intercepts the HTTP 402 response before the payment fires and runs the compliance pipeline at the edge. The OFAC gate fires against the Chainalysis sanctions oracle at 0x40C5...8fb on Base — results are cached in Workers KV with a 1-hour TTL to avoid rate-limiting the oracle and to keep the hot path under 100ms. In parallel, a transaction pattern analyzer queries the agent's transaction history from D1 and checks for structuring, round-tripping, and smurfing patterns against GENIUS §104(d) monitoring heuristics. L3 Execution lit, code-enforced: the Worker responds with HTTP 451 Unavailable For Legal Reasons if the OFAC gate fails, and logs a monitor event (non-halting) if AML patterns trip a soft threshold.

Builder: `await middleware.screen(agentAddress, merchantAddress, amount)` returns a `ComplianceResult` with pass/fail flags for sanctions (hard gate) and a pattern score (soft monitor); the pipeline halts on the first hard-gate failure. The reference middleware implementation is live at `/integrations/x402` and deployable as a Worker at $0–5/mo on Cloudflare's free tier — KV + D1 + R2 + Secrets, no servers.

Compliance officer: this step satisfies GENIUS §6 (AML/BSA) and §8 (sanctioned-counterparty screening for cross-jurisdictional flows).

Honesty marker: the Chainalysis oracle returns a boolean on-chain, not attestation detail — dispute resolution requires off-chain escalation. AML pattern detection is heuristic, not definitive; monitor events become SAR candidates only after human review.
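The hard-gate / soft-monitor split described above, as an added example that is not the page's reference middleware. The deny list, the in-memory KV stand-in, the history format and the structuring heuristic (several sub-threshold payments to one payee in 24h) are assumptions; only the 1-hour TTL and the 451 behaviour come from the page.

```typescript
type ComplianceResult = {
  sanctions: "pass" | "fail";   // hard gate: a fail halts the pipeline (HTTP 451)
  patternScore: number;         // soft monitor: 0..1, never blocks on its own
  monitorEvents: string[];
  httpStatus: 200 | 451;
};
type Tx = { to: string; amount: number; ts: number }; // USDC amount, ms timestamp

const KV_TTL_MS = 60 * 60 * 1000;    // page: 1-hour Workers KV TTL on oracle results
const TRAVEL_RULE = 3000, CTR = 10000;
// Constructed deny list standing in for the on-chain sanctions oracle.
const ORACLE_DENY = new Set(["0xbad" + "0".repeat(34) + "bad"]);
const kv = new Map<string, { hit: boolean; exp: number }>(); // Workers KV stand-in

function isSanctioned(addr: string, now: number): boolean {
  const key = addr.toLowerCase();
  const cached = kv.get(key);
  if (cached && cached.exp > now) return cached.hit;  // cache hit: skip the oracle
  const hit = ORACLE_DENY.has(key);                   // the "oracle" call
  kv.set(key, { hit, exp: now + KV_TTL_MS });
  return hit;
}

// Structuring heuristic (assumed, not the page's): three or more sub-threshold
// payments to one payee inside 24h whose total crosses a reporting threshold.
function patternScore(history: Tx[], cand: Tx, events: string[]): number {
  const dayAgo = cand.ts - 24 * 60 * 60 * 1000;
  const same = history.filter(t => t.to.toLowerCase() === cand.to.toLowerCase() && t.ts >= dayAgo);
  const total = same.reduce((s, t) => s + t.amount, cand.amount);
  const allBelow = [...same, cand].every(t => t.amount < TRAVEL_RULE);
  if (!(allBelow && same.length >= 2 && total >= TRAVEL_RULE)) return 0;
  events.push(`structuring: ${same.length + 1} sub-threshold payments total ${total}`);
  return total >= CTR ? 0.9 : 0.6;
}

function screen(agent: string, merchant: string, amount: number,
                history: Tx[], now: number): ComplianceResult {
  const events: string[] = [];
  // Hard gate first: halt before any pattern work if either party is listed.
  if (isSanctioned(agent, now) || isSanctioned(merchant, now))
    return { sanctions: "fail", patternScore: 0, monitorEvents: events, httpStatus: 451 };
  const score = patternScore(history, { to: merchant, amount, ts: now }, events);
  if (score > 0) events.push("monitor: SAR candidate, pending human review");
  return { sanctions: "pass", patternScore: score, monitorEvents: events, httpStatus: 200 };
}
```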
Step 3 · Capability Envelope + ACK-ID Delegation · Code-Enforced · Blockchain-Native
The corporate authorization matrix check — the purchasing agent proves it holds the delegated authority, within category and amount and window, to commit the principal's funds to this specific counterparty.
Before the USDC transfer fires, the Cloudflare Worker verifies that the agent is operating within its capability envelope. The ACK-ID delegation chain is resolved — the agent's session key must derive from a valid principal credential, and the target merchant must be within the delegation's permitted-counterparty set. The capability envelope (KYA-3) enforces per-transaction limits, daily caps, permitted merchant categories (encoded as MCCs or ACK Rulebook category hashes), and temporal bounds. L3 Execution and L4 Account lit: execution runs the envelope check against on-chain delegation state, and the agent's session key is verified to match the scope.

Builder: `capabilityCheck({ agent, target, amount, timestamp })` returns `{ allowed: bool, reason?: string }` — the Worker responds with 403 Forbidden if the agent is out of scope. The envelope is also evaluable off-chain in the Worker itself for latency-sensitive paths; the on-chain check remains the authoritative gate.

Compliance officer: this is the code-enforced KYA-2 (Verify Delegation) and KYA-3 (Evaluate Capability Envelope) checkpoint pair. GENIUS §6 attribution to the principal depends on this step passing — a payment that bypasses the capability envelope cannot be cleanly attributed to the principal's BSA program. C5 Licensing attaches where the agent operates on behalf of a licensed entity (MTL, NYDFS BitLicense, OCC National Trust charter); the envelope must encode the licensee's permitted product scope and geographic restrictions.
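The off-chain evaluation of the envelope, as an added example (not the page's Worker code). The envelope shape, the in-memory delegation chain and the "spent today" ledger are assumptions; the page's own design resolves delegation from on-chain ACK-ID state, which remains the authoritative gate.

```typescript
type Envelope = {
  principal: string;               // DID the session key must derive from (KYA-2)
  sessionKey: string;              // agent key issued under that principal
  allowedTargets: Set<string>;     // permitted-counterparty set (lowercase addresses)
  allowedCategories: Set<string>;  // MCCs or ACK Rulebook category hashes
  perTxLimit: number;              // USDC
  dailyCap: number;                // USDC, rolling 24h
  notBefore: number;               // temporal bounds, ms since epoch
  notAfter: number;
};
type Req = { agent: string; target: string; category: string; amount: number; timestamp: number };
type Verdict = { allowed: boolean; reason?: string };

// Constructed delegation chain: session key -> principal credential.
// Stand-in for resolving the ACK-ID chain; the DID is the page's sample payer.
const delegationChain = new Map<string, string>([["key:agent-7", "did:web:agent.acme-corp.com"]]);

function capabilityCheck(req: Req, env: Envelope, spentToday: number): Verdict {
  // KYA-2: the presented key must be the envelope's key and chain to its principal.
  if (req.agent !== env.sessionKey || delegationChain.get(req.agent) !== env.principal)
    return { allowed: false, reason: "delegation chain does not resolve to principal" };
  // KYA-3: temporal bounds first, then counterparty, category, and amounts.
  if (req.timestamp < env.notBefore || req.timestamp > env.notAfter)
    return { allowed: false, reason: "outside delegation window" };
  if (!env.allowedTargets.has(req.target.toLowerCase()))
    return { allowed: false, reason: "counterparty not in permitted set" };
  if (!env.allowedCategories.has(req.category))
    return { allowed: false, reason: "merchant category not permitted" };
  if (req.amount > env.perTxLimit)
    return { allowed: false, reason: `amount exceeds per-transaction limit ${env.perTxLimit}` };
  if (spentToday + req.amount > env.dailyCap)
    return { allowed: false, reason: `daily cap ${env.dailyCap} would be exceeded` };
  return { allowed: true };
}
```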
Step 4 · Atomic x402 Settlement on Base · Code-Enforced · Blockchain-Native
The beneficiary's credit-to-account event — authorization obtained, list checks passed, funds credit irrevocably to the merchant inside the settlement window.
The x402 payment fires atomically on Base. The agent signs an EIP-3009 `transferWithAuthorization` typed-data message committing to the amount, merchant address, and a single-use nonce; the merchant's contract relays the signed message to USDC's ERC-20 contract, which transfers the funds in a single settlement call. L1 Network, L2 Consensus, and L3 Execution are all lit: the full stack below the enforcement line processes the transfer in one Base block (~2s).

Builder: the Worker returns the signed authorization in the `X-Payment` HTTP header; the merchant's resource server calls `ERC20.transferWithAuthorization(from, to, value, validAfter, validBefore, nonce, v, r, s)` and serves the paid resource once the transfer mines. Base settlement finality is strong at one block for amounts under institutional thresholds; for larger x402 flows (>$10K), Coinbase recommends two-block confirmation.

Compliance officer: GENIUS §4 reserve-backing obligations apply to the USDC in transit — Circle must maintain 1:1 reserves in USD or short-term Treasuries for every token transferred. Recordkeeping (C11) attaches to the block's transaction hash, which becomes the anchoring reference for the downstream receipt. No account relationship is created between agent and merchant — the HTTP 402 flow is intentionally headless, which simplifies the merchant's compliance footprint (no customer data to protect under C14) but also means no relationship-based continuity for repeat Travel Rule screening.
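The resource server's checks on the `X-Payment` authorization before it relays `transferWithAuthorization`, as an added example (not Coinbase's x402 facilitator or the page's Worker). The base64-JSON header payload and the in-memory used-nonce set are assumptions; secp256k1 signer recovery is injected as a callback because Node's crypto module does not provide it. The validity-window rule follows EIP-3009 (`validAfter < now < validBefore`).

```typescript
type Authorization = {
  from: string; to: string; value: string;      // value in USDC base units (6 decimals)
  validAfter: number; validBefore: number;      // unix seconds, as in EIP-3009
  nonce: string;                                // bytes32 hex, single-use per `from`
  signature: string;                            // 65-byte hex (r, s, v)
};
type Challenge = { status: 402; payTo: string; maxAmountRequired: string; asset: string };
type Recover = (auth: Authorization) => string; // assumed external secp256k1 recovery

const usedNonces = new Set<string>();           // stand-in for on-chain authorizationState()

// The 402 response body the agent discovers the price from (shape assumed).
function challenge(merchant: string, priceBaseUnits: string): Challenge {
  return { status: 402, payTo: merchant, maxAmountRequired: priceBaseUnits, asset: "USDC" };
}

function parsePaymentHeader(header: string): Authorization | null {
  try {
    const a = JSON.parse(Buffer.from(header, "base64").toString("utf8"));
    return a && typeof a.to === "string" && typeof a.nonce === "string" ? (a as Authorization) : null;
  } catch { return null; }
}

function acceptPayment(header: string, c: Challenge, now: number, recover: Recover)
  : { ok: boolean; reason?: string } {
  const a = parsePaymentHeader(header);
  if (!a) return { ok: false, reason: "malformed X-Payment header" };
  if (a.to.toLowerCase() !== c.payTo.toLowerCase()) return { ok: false, reason: "wrong payee" };
  if (BigInt(a.value) < BigInt(c.maxAmountRequired)) return { ok: false, reason: "underpaid" };
  if (now <= a.validAfter || now >= a.validBefore) return { ok: false, reason: "outside validity window" };
  const nonceKey = `${a.from.toLowerCase()}:${a.nonce.toLowerCase()}`;
  if (usedNonces.has(nonceKey)) return { ok: false, reason: "nonce replayed" };
  if (recover(a).toLowerCase() !== a.from.toLowerCase()) return { ok: false, reason: "signer is not `from`" };
  usedNonces.add(nonceKey);  // the chain enforces single use too; mark before relaying the call
  return { ok: true };
}
```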
Step 5 · Verifiable Receipt + Audit Trail (Cloudflare R2) · Code-Enforced · Blockchain-Native
The merchant's daily settlement file plus the bank's Reg E recordkeeping bundle — one artifact for the counterparty, one for the examiner, cryptographically linked to the underlying transfer.
The Cloudflare Worker issues a W3C Verifiable Credential receipt (type `X402Receipt` or `ACKReceipt`) binding the agent's DID, the merchant's DID, the amount, the Base transaction hash, and the compliance screening results from Step 2. The VC is signed with the Worker's receipt-signing key (held as a Cloudflare Secret binding), written to Cloudflare R2 under a key derived from the transaction hash, and the R2 object key is indexed in Workers KV as the audit-log entry. A public `GET /receipts/:id` endpoint returns the VC for independent verification — any third party can cryptographically verify the receipt's issuer, non-revocation, and claims without access to Cloudflare infrastructure. L4 Account and L5 Application lit: receipt issuance is off-chain, policy-enforced by the Worker's signing policy, but the binding to the on-chain transaction hash is cryptographic.

Builder: receipts are indexed by tx-hash and queryable via the public verifier endpoint; see `src/workers/x402-middleware.ts` for the canonical schema and the KV/D1/R2 binding declarations.

Compliance officer: satisfies C7 (Travel Rule originator/beneficiary data if the transfer crossed $3,000), C11 (recordkeeping under GENIUS §6 and §4(c) books-and-records), and C12 (independent audit trail for the monthly reserve attestation under §4(b)). The verifiable receipt is the artifact an examiner subpoenas — cryptographically linked to the on-chain transfer, independently verifiable, stored in durable object storage.

Honesty marker: R2 is durable object storage, not a regulated recordkeeping service — jurisdictions with WORM-storage requirements (FINRA Rule 4511, SEC 17a-4(f)) require additional compliance-grade storage layered on top.
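Issuing and verifying a receipt bound to the Base transaction hash, as an added example that is not the page's Worker code. The issuer DID is taken from the page's sample receipt, but the Ed25519 key pair is generated locally, the key directory and revocation set are in-memory stand-ins for DID resolution, and the sorted-key JSON canonicalization is a simplification of the Ed25519Signature2020 suite (not spec-conformant).

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

type Receipt = {
  "@context": string[]; type: string[]; issuer: string; issuanceDate: string;
  credentialSubject: Record<string, string>;
  proof?: { type: string; verificationMethod: string; signatureValue: string };
};

const ISSUER = "did:web:receipts.acme-psp.com";        // DID from the page's sample
const { publicKey, privateKey } = generateKeyPairSync("ed25519"); // generated here, not the Worker's
const keyDirectory = new Map<string, KeyObject>([[`${ISSUER}#key-1`, publicKey]]); // DID doc stand-in
const revoked = new Set<string>();                     // revoked verificationMethod ids

// Deterministic signing input: proof stripped, keys sorted recursively.
// Simplified canonicalization (assumption), not the suite's RDF dataset form.
function canonical(obj: unknown): string {
  if (Array.isArray(obj)) return `[${obj.map(canonical).join(",")}]`;
  if (obj && typeof obj === "object") {
    const o = obj as Record<string, unknown>;
    return `{${Object.keys(o).filter(k => k !== "proof").sort()
      .map(k => `${JSON.stringify(k)}:${canonical(o[k])}`).join(",")}}`;
  }
  return JSON.stringify(obj);
}

function issueReceipt(subject: Record<string, string>): Receipt {
  const vc: Receipt = {
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    type: ["VerifiableCredential", "X402Receipt"], issuer: ISSUER,
    issuanceDate: new Date().toISOString(), credentialSubject: subject,
  };
  const sig = sign(null, Buffer.from(canonical(vc)), privateKey).toString("base64url");
  vc.proof = { type: "Ed25519Signature2020", verificationMethod: `${ISSUER}#key-1`, signatureValue: sig };
  return vc;
}

// Examiner-side verification: issuer/key match, revocation, signature, tx binding.
function verifyReceipt(vc: Receipt, expectedTxHash: string): { ok: boolean; reason?: string } {
  const p = vc.proof;
  if (!p || !p.verificationMethod.startsWith(`${vc.issuer}#`)) return { ok: false, reason: "issuer mismatch" };
  const key = keyDirectory.get(p.verificationMethod);
  if (!key) return { ok: false, reason: "unknown key" };
  if (revoked.has(p.verificationMethod)) return { ok: false, reason: "key revoked" };
  if (!verify(null, Buffer.from(canonical(vc)), key, Buffer.from(p.signatureValue, "base64url")))
    return { ok: false, reason: "signature invalid" };
  if (vc.credentialSubject.txHash !== expectedTxHash) return { ok: false, reason: "tx hash mismatch" };
  return { ok: true };
}
```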
Resolved 5 steps across 1 chain. 3 thresholds triggered. Frameworks: Bank Secrecy Act, GENIUS Act, OFAC Sanctions Program, FATF Recommendation 16 (Travel Rule), Common Reporting Standard / FATCA.
x402 Payment Journey
Interactive 8-stage STP visualization showing the x402 HTTP payment lifecycle from wallet connection through atomic settlement on Base — the signature view of the Coinbase × Cloudflare pipeline.
Wallet Compliance Depth (Coinbase Smart Wallet focus)
Compare smart wallet compliance depth across Coinbase Smart Wallet, MetaMask, Rabby, Safe, and Ledger — the Step 1 artifact showing which wallets can hold an ACK-ID-attested session key and carry a delegated spending envelope to the edge.
Chainalysis Sanctions Oracle (Cloudflare Worker call)
Query the Chainalysis OFAC sanctions oracle at 0x40C5...8fb — the code-enforced gate the Cloudflare Worker runs at Step 2, cached in Workers KV with 1h TTL to keep the hot path under 100ms.
ACK-ID Capability Envelope
Evaluate the Step 3 capability envelope: per-transaction limits, daily caps, permitted merchant categories, temporal bounds, and delegation depth — the code-enforced KYA-3 gate that blocks out-of-scope agent payments.
Settlement Stack (Base L2 vs Ethereum L1)
Step 4 settlement-side compliance depth across off-chain ledger, Base L2, and Ethereum L1 — showing where value crosses the enforcement line and why Base is the canonical x402 settlement target.
VC Receipt Verifier (R2-backed)
Verify the Step 5 Verifiable Credential receipt issued by the Cloudflare Worker — signature check, issuer validation, revocation check, and claims evaluation. The audit artifact an examiner can subpoena and verify independently.
Sample ACK Receipt (VC Format)
{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "type": ["VerifiableCredential", "ACKReceipt"],
  "issuer": "did:web:receipts.acme-psp.com",
  "issuanceDate": "2026-04-01T14:32:18Z",
  "credentialSubject": {
    "payer": "did:web:agent.acme-corp.com",
    "payee": "did:web:vendor.eu-payments.fr",
    "amount": "3500.00",
    "currency": "USDC",
    "settlementNetwork": "Base",
    "requestToken": "req_7f3a8b2c"
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "verificationMethod": "did:web:receipts.acme-psp.com#key-1",
    "signatureValue": "eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDp3ZWI6cmVjZWlwdHMuYWNtZS1wc3AuY29tI2tleS0xIn0"
  }
}