x402 Protocol Trust and Security Guide

x402 is the HTTP-based payment protocol created by Coinbase that enables AI agents to pay for services using USDC stablecoins. While the protocol itself is well-designed and secure, the ecosystem of services built on it has significant trust gaps. ScoutScore's monitoring of 500+ unique service domains shows an average fidelity score of just 52 out of 100 - meaning most services do not deliver what they advertise. This guide explains the protocol, its security properties, the ecosystem's trust problems, and what developers should do about it.

What Is the x402 Protocol?

The x402 protocol extends standard HTTP to support machine-to-machine payments. The name comes from HTTP status code 402 (Payment Required), which has existed in the HTTP specification since the 1990s but was reserved for future use until Coinbase gave it a purpose.

Here is how a typical x402 transaction works:

1. An AI agent sends an HTTP request to a service endpoint.
2. The service responds with HTTP 402 (Payment Required), including payment instructions: wallet address, amount, and currency (USDC).
3. The agent sends USDC to the specified wallet on Base or Solana.
4. The agent retries the original request, including proof of payment.
5. The service verifies payment and delivers the requested output.

The protocol is simple, elegant, and builds on existing HTTP infrastructure. The ecosystem processes over 500,000 weekly transactions and continues to grow as more AI agent frameworks add x402 support.

Is the x402 Protocol Secure?

The protocol design is secure. It uses standard cryptographic primitives for payment verification, operates on established blockchains (Base and Solana), and leverages USDC - a regulated, audited stablecoin. The HTTP layer is protected by TLS as with any HTTPS communication.

However, protocol security and ecosystem trustworthiness are different things. A helpful analogy: HTTPS makes web communication secure, but it does not guarantee that the website you are communicating with is legitimate. You need additional trust signals - domain reputation, SSL certificates, fraud detection - on top of the secure channel.

The same applies to x402. The protocol secures the payment channel, but it does not verify that the service is worth paying. That is where trust scoring comes in.

What Are the Trust Problems in the x402 Ecosystem?

ScoutScore - Trust Infrastructure for AI Agents - has cataloged and monitored the x402 ecosystem extensively. The data reveals several systemic issues:

• Average fidelity: 52/100 - Fidelity probes send real requests to services every 6 hours and compare responses against advertised behavior. The average score across all monitored services is just 52. Most services fail to deliver what they promise.
• Massive spam presence - One spam farm wallet registered 10,658 services, all with identical descriptions. These services exist solely to collect payments from agents that do not check trust scores.
• Schema phantoms - Services that advertise capabilities in their metadata but fail when actually called. They look legitimate during discovery but break during use.
• Price mismatches - The price listed in metadata does not always match what the service actually charges via the 402 response. This creates unexpected costs for paying agents.
• No quality gate - Anyone can register an x402 service. There is no review process, no minimum quality standard, and no centralized authority filtering services.

These problems are not bugs in the x402 protocol. They are consequences of an open ecosystem that lacks trust infrastructure. The protocol needs a trust layer on top of it - which is exactly what ScoutScore provides.

How Many x402 Services Are Legitimate?

ScoutScore has cataloged 19,000+ total endpoint entries across the x402 ecosystem. After deduplication, spam detection, and quality analysis, approximately 1,500+ unique service domains are identified as legitimate.

The breakdown is stark:

• 1,500+ legitimate services - These have meaningful descriptions, respond to health checks, and show varying degrees of fidelity.
• ~17,500 spam, duplicate, or inactive entries - These include spam farm registrations, template-generated listings, dead endpoints, and duplicate entries for the same service.

This means roughly 87% of raw x402 endpoint entries are not worth paying. Without trust scoring, an agent encountering a random x402 service has an 87% chance of hitting spam. These numbers are why checking a trust score before every payment is essential. You can browse the full directory of scored services on our leaderboard.

How Does Trust Scoring Work for x402 Services?

ScoutScore applies its 4-pillar scoring model specifically to x402 service behavior:

• Contract Clarity (20%) - Does the x402 service metadata accurately describe the service? Is the schema complete? Does the 402 response price match the metadata price? Only ~10% of services provide complete schemas.
• Availability (30%) - Does the endpoint respond reliably? Health checks run every 30 minutes. Note that in x402, a 402 response is considered healthy - it means the service is online and ready to accept payment. ScoutScore correctly interprets 402 as UP, not as an error.
• Response Fidelity (30%) - After the payment flow completes, does the service deliver what it advertised? Fidelity probes test this every 6 hours. An average of 52/100 means most services fail this check.
• Identity & Safety (20%) - Wallet analysis is particularly important for x402 because the wallet is the payment destination. If that wallet operates a spam farm, the payment is going to a bad actor.

The resulting 0-100 score maps to four levels: HIGH (75-100), MEDIUM (50-74), LOW (25-49), VERY_LOW (0-24). For details on what each level means practically, see What Is an AI Agent Trust Score?

What Should x402 Developers Know About Service Trust?

If you are building on x402, here are the critical practices:

1. Always check trust before payment - Never let your agent pay an x402 service without querying a trust score first. One API call prevents the vast majority of fraud.
2. Set a minimum threshold - Require a score of 75+ (HIGH) for production payments. Adjust lower only for non-critical, low-value operations.
3. Hard-block spam flags - Always block WALLET_SPAM_FARM, TEMPLATE_SPAM, and MASS_LISTING_SPAM. These are unambiguous fraud signals.
4. Use the SDK - npm install @scoutscore/sdk gives you type-safe trust scoring in a few lines of code. See the developer guide for full integration examples.
5. Monitor your payment patterns - Track what percentage of payment attempts your agent blocks. A high block rate might mean your agent is discovering services from a spam-heavy source.

import { ScoutScore } from '@scoutscore/sdk';

const scout = new ScoutScore();

// Before any x402 payment
const check = await scout.scoreBazaarService(domain);
if (check.score < 75 || check.flags.includes('WALLET_SPAM_FARM')) {
  // Block payment
} else {
  // Safe to proceed with x402 payment flow
}

The x402 protocol is an important piece of infrastructure for the AI agent economy. With proper trust scoring, it can fulfill its potential as a safe, efficient payment mechanism for autonomous agents. Without it, the 52/100 fidelity average will continue to erode confidence in agent commerce. For a broader view of how trust infrastructure fits into the AI agent ecosystem, see our full landscape analysis.

Frequently Asked Questions

What is the x402 protocol?

x402 is an HTTP-based payment protocol created by Coinbase that enables AI agents to pay for services using USDC stablecoins. It uses the HTTP 402 (Payment Required) status code to signal that payment is needed before a service will deliver results.

How many x402 services exist?

ScoutScore has cataloged 19,000+ total endpoint entries. After deduplication and spam filtering, approximately 1,500+ unique legitimate service domains remain.

What is the average trust score for x402 services?

The average fidelity score is 52 out of 100. This means most x402 services do not deliver what they advertise when tested with real requests.

How do I check if an x402 service is trustworthy?

Install the ScoutScore SDK with npm install @scoutscore/sdk and call scoreBazaarService(domain) before any payment. A score of 75+ indicates HIGH trust.

Who created the x402 protocol?

The x402 protocol was created by Coinbase. It builds on the HTTP 402 status code to enable native agent-to-service payments using USDC on Base and Solana blockchains.