Live on Base mainnet
Pay for APIs without signing up.
x402 is an HTTP-native payment protocol. An agent hits an endpoint, the server returns 402 Payment Required, the agent signs a stablecoin authorization, and the endpoint serves the response. No accounts, no API keys, no marketplace taking a cut.
What is x402?
HTTP 402 was reserved in the original spec for future use around digital payments — empty for 35 years. In 2025 Coinbase revived it with a concrete protocol for agent-native commerce: stablecoin on EVM, exact-price or metered schemes, and a facilitator service that verifies and settles the on-chain authorization so the resource server never touches private keys.
The result is a payment layer that composes with every HTTP client on earth — including every agent built this year — without the OAuth dance, without webhooks, and without the buyer ever creating an account.
The protocol, in four lines
Client requests the resource
Agent sends a plain GET to the endpoint — no auth header, no API key. This is also the request shape a discovery crawler uses, so we must return 402 cleanly for empty requests.
Server returns 402 Payment Required
Body is a JSON PaymentRequired spec object — pay-to address, price in base units, network (CAIP-2), and the accepted scheme. For EVM that's `exact` with USDC.
Client signs an EIP-3009 authorization
USDC's transferWithAuthorization lets the buyer pre-sign a transfer that the facilitator can broadcast. The agent's wallet never posts a tx itself — the facilitator does the broadcast and pays the gas.
Client retries with PAYMENT-SIGNATURE header
Server hands the signed payload to the facilitator, which verifies it on-chain and settles. Once settlement succeeds the response ships — with a PAYMENT-RESPONSE header carrying the settled tx hash as a receipt.
Anatomy of a challenge
Every paid install endpoint returns a canonical 402 body when called without a signature. Here's what your agent actually sees:
HTTP/2 402
payment-required: <base64-encoded PaymentRequired>

{
  "x402Version": 2,
  "resource": {
    "url": "https://orbit.zoebuildsai.com/api/x402/skills/extract-invoice/install",
    "description": "Hand-tuned invoice extraction",
    "mimeType": "application/json"
  },
  "accepts": [{
    "scheme": "exact",
    "network": "eip155:8453",
    "amount": "2990000",
    "asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
    "payTo": "0x3126ff19E5F3D59Be973Cc251A00ea2440CaA43b",
    "maxTimeoutSeconds": 300,
    "extra": { "name": "USD Coin", "version": "2" }
  }],
  "extensions": { "bazaar": { ... discovery metadata ... } }
}

`amount` is in USDC base units (6 decimals), so 2990000 is $2.99. `network` is CAIP-2 — `eip155:8453` is Base mainnet. `extensions.bazaar` is what agentic.market reads when it crawls our endpoints for discovery.
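The fields called out above are the ones a buying agent should pin before it signs anything, because the 402 body is server-controlled input. An added example (not Orbit's code and not the x402 reference client) that checks a parsed 402 body against a local spend policy; the function names, the spend limit, the timeout bound and the exact-URL match are assumptions of this example.

```python
import re
from decimal import Decimal

# Constants copied from the 402 body shown above; the limits are assumed policy.
BASE_MAINNET = "eip155:8453"
USDC_BASE = "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913"
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")

class ChallengeRejected(ValueError):
    """The 402 challenge falls outside what this agent is allowed to sign."""

def usd_price(amount):
    """Convert a base-unit string (6 decimals) to USD; None if malformed."""
    if not isinstance(amount, str) or not re.fullmatch(r"[0-9]{1,24}", amount):
        return None  # rejects ints, floats, signs, hex and empty strings
    return Decimal(amount).scaleb(-6)

def reject_reason(offer, max_usd, max_timeout):
    """Return why one `accepts` entry fails policy, or None if it passes."""
    if not isinstance(offer, dict):
        return "offer is not an object"
    if offer.get("scheme") != "exact":
        return "scheme is not exact"
    if offer.get("network") != BASE_MAINNET:
        return "network is not Base mainnet"
    if str(offer.get("asset")).lower() != USDC_BASE.lower():
        return "asset is not the expected USDC contract"
    if not ADDRESS_RE.fullmatch(str(offer.get("payTo"))):
        return "payTo is not a 20-byte address"
    price = usd_price(offer.get("amount"))
    if price is None or price > max_usd:
        return "amount is malformed or above the spend limit"
    timeout = offer.get("maxTimeoutSeconds")
    if not isinstance(timeout, int) or not 0 < timeout <= max_timeout:
        return "authorization window is missing or too long"
    return None

def select_offer(body, requested_url, max_usd, max_timeout=300):
    """Return the first offer that passes policy, else raise ChallengeRejected."""
    resource = body.get("resource") if isinstance(body, dict) else None
    if not isinstance(resource, dict) or body.get("x402Version") != 2:
        raise ChallengeRejected("not an x402 v2 challenge")
    if resource.get("url") != requested_url:
        raise ChallengeRejected("challenge names a different resource")
    offers = body.get("accepts") if isinstance(body.get("accepts"), list) else []
    reasons = [reject_reason(o, max_usd, max_timeout) for o in offers]
    if None in reasons:
        return offers[reasons.index(None)]
    raise ChallengeRejected("; ".join(reasons) or "no offers in challenge")
```

Call `select_offer(parsed_body, url, Decimal("5"))` on the 402 response and pass only the returned offer to the signer, so a changed asset, network or price is refused before any authorization exists.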
How Orbit implements it
USDC on Base, exact-price per install
$2.99 flat for skills, $9.99 / $19.99 / $29.99 for personas by tier. One transaction, one install — no subscription, no metering. Stays owned by the wallet forever.
Anonymous but receipted
crypto_purchases rows persist per `(wallet, item, tx_hash)` with `user_id=NULL`. The wallet signature is the proof of ownership — no signup ever required, but the receipt is audit-perfect.
Bazaar discovery auto-wires
Every 402 body carries an `extensions.bazaar` declaration. Any facilitator crawling our endpoints publishes us to its public catalog — including agentic.market — without an out-of-band registration form.
Free re-download for past buyers
If a wallet already paid for an item, it can re-pull the manifest any time by signing a fresh EIP-191 message. No second payment, no recurring auth — the chain is the subscription database.
Facilitator-agnostic
We default to the public x402.org facilitator — it's the reference impl and it's free. Coinbase's CDP facilitator works too; set CDP_API_KEY_ID + CDP_API_KEY_SECRET and we'll route through it automatically (needed for CDP-hosted Bazaar features).
Same catalog for human + agent buyers
Humans still check out through Stripe for Orbit Pro. x402 is additive — the skills and personas are the same, the manifest is the same, only the wire format differs. Nothing gated on account type.
Try it yourself
The catalog is public — no auth required. Poke at the 402 challenge for any paid skill or persona in your terminal:
# Pull the full registry
curl https://orbit.zoebuildsai.com/api/x402/catalog | jq

# Trigger a 402 on any paid skill
curl -i https://orbit.zoebuildsai.com/api/x402/skills/extract-invoice/install
To actually pay and install: use the Orbit CLI, or build against the x402 reference client and point it at any of our install endpoints.
What's next
We're the first registry to ship x402 across every paid item. Discovery, metered per-call personas, and cross-chain settlement are all in the queue. If you're building an agent that's going to spend money, we want to hear from you.