GET /api/x402-audit

Grade any x402 seller's payment-security posture from the outside: a read-only black-box check mapped to the 'Five Attacks on x402' failure modes. Probes the URL's 402 challenge (never pays) and scores TLS transport, gated-response cache hygiene (Attack III / cache leakage), error/info-leak hygiene, and payment-terms well-formedness, then returns a letter grade with per-check findings and an honest note on what only insider/active testing can confirm.

Example query string: ?url=https://api.example.com/paid&method=GET
| Field | Type | Description |
|---|---|---|
| url * | string | URL of the paid resource to audit (required) |
| method | string | HTTP method to probe with (default GET) |
Example response:

```json
{
  "url": "https://api.example.com/paid",
  "reachable": true,
  "status": 402,
  "paymentRequired": true,
  "x402Version": 2,
  "score": 92,
  "grade": "A",
  "checks": [
    {
      "id": "transport-tls",
      "title": "Payment challenge served over TLS",
      "attack": "credential interception",
      "severity": "high",
      "status": "pass",
      "detail": "https"
    },
    {
      "id": "cache-hygiene",
      "title": "Gated response is not shared-cacheable",
      "attack": "III — cache leakage",
      "severity": "high",
      "status": "pass",
      "detail": "Cache-Control: no-store, private"
    }
  ],
  "summary": "A (92/100) — 6 passed, 1 warning, 0 failed. Note: replay/idempotency (II) and router Sybil (IV) can't be graded from outside."
}
```
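The grading the endpoint performs, written out as an added example (this is not the agent402.tools implementation). The check ids and letter-grade bands mirror the response above; the penalty weights, the shape of the challenge object and the payment-terms field names (`accepts[].scheme/network/payTo/maxAmountRequired`) are this example's own assumptions and should be aligned with the x402 version actually being audited. The sample challenges at the bottom are constructed, not captured from any seller.

```javascript
// Added example, not the agent402.tools implementation: grades a captured x402
// 402 challenge the way the audit response above describes. Check ids and grade
// bands mirror that response; the penalty weights and the payment-terms field
// names are assumptions and should follow the x402 version being audited.

const SEVERITY_PENALTY = { high: 25, medium: 10, low: 5 }; // assumed weight per failed check

// Parse "no-store, private, max-age=60" into { "no-store": true, private: true, "max-age": "60" }.
function parseCacheControl(value) {
  const directives = {};
  for (const part of (value || "").split(",")) {
    const [name, raw] = part.trim().toLowerCase().split("=");
    if (name) directives[name] = raw === undefined ? true : raw.replace(/"/g, "");
  }
  return directives;
}

// True when a shared cache (CDN, reverse proxy) may store the response (RFC 9111 rules, simplified).
function isSharedCacheable(cc) {
  if (cc["no-store"] || cc["private"]) return false;
  if (cc["public"]) return true;
  if (Number(cc["s-maxage"]) > 0) return true;
  return Number(cc["max-age"]) > 0;
}

function gradeFor(score) {
  return score >= 90 ? "A" : score >= 80 ? "B" : score >= 70 ? "C" : score >= 60 ? "D" : "F";
}

// challenge = { url, status, headers, body } as captured from one unpaid request (shape assumed here).
function auditChallenge(challenge) {
  const headers = Object.fromEntries(
    Object.entries(challenge.headers || {}).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const body = challenge.body || {};
  const checks = [];
  const add = (id, attack, severity, status, detail) => checks.push({ id, attack, severity, status, detail });

  if (challenge.status !== 402) {
    return { url: challenge.url, status: challenge.status, paymentRequired: false, score: null, grade: null, checks };
  }

  // Credential interception: a payment signature sent over plaintext can be captured and reused.
  const proto = new URL(challenge.url).protocol.replace(":", "");
  add("transport-tls", "credential interception", "high", proto === "https" ? "pass" : "fail", proto);

  // Attack III, cache leakage: if a shared cache stores the gated response, later clients get it
  // without paying. A missing Cache-Control only warns, because 402 is not heuristically cacheable
  // by default, but that relies on every cache in the path honouring the RFC.
  const ccRaw = headers["cache-control"];
  if (ccRaw === undefined) {
    add("cache-hygiene", "III - cache leakage", "high", "warn", "no Cache-Control header");
  } else {
    add("cache-hygiene", "III - cache leakage", "high",
        isSharedCacheable(parseCacheControl(ccRaw)) ? "fail" : "pass", `Cache-Control: ${ccRaw}`);
  }

  // Info leak: version banners aid fingerprinting (warn); stack traces in the body are a hard fail.
  const banners = ["server", "x-powered-by"].filter((h) => /\d/.test(headers[h] || ""));
  const leaks = ["stack", "trace", "exception"].filter((k) => k in body);
  add("info-leak", "fingerprinting / error disclosure", "medium",
      leaks.length ? "fail" : banners.length ? "warn" : "pass", [...banners, ...leaks].join(", ") || "clean");

  // Payment-terms well-formedness: a client that cannot parse the terms may fall back to unsafe defaults.
  const terms = Array.isArray(body.accepts) ? body.accepts : [];
  const problems = [];
  if (typeof body.x402Version !== "number") problems.push("x402Version");
  if (terms.length === 0) problems.push("accepts[]");
  for (const t of terms) {
    if (!t.scheme) problems.push("scheme");
    if (!t.network) problems.push("network");
    if (!/^0x[0-9a-fA-F]{40}$/.test(String(t.payTo || ""))) problems.push("payTo");
    if (!/^\d+$/.test(String(t.maxAmountRequired ?? t.amount ?? ""))) problems.push("amount");
  }
  add("payment-terms", "malformed challenge", "medium", problems.length ? "fail" : "pass", problems.join(", ") || "well-formed");

  let score = 100;
  for (const c of checks) {
    if (c.status === "fail") score -= SEVERITY_PENALTY[c.severity];
    else if (c.status === "warn") score -= SEVERITY_PENALTY[c.severity] / 2;
  }
  score = Math.max(0, score);
  return {
    url: challenge.url, status: 402, paymentRequired: true, x402Version: body.x402Version,
    score, grade: gradeFor(score), checks,
    notVerifiable: ["II replay/idempotency", "IV router Sybil"], // need active or insider testing
  };
}

// Constructed sample challenges, not captured from any real seller.
const GOOD_CHALLENGE = {
  url: "https://api.example.com/paid", status: 402,
  headers: { "Cache-Control": "no-store, private", "Content-Type": "application/json" },
  body: { x402Version: 2, accepts: [{ scheme: "exact", network: "base", asset: "USDC",
          payTo: "0x" + "ab".repeat(20), maxAmountRequired: "10000" }] },
};
const BAD_CHALLENGE = {
  url: "http://api.example.com/paid", status: 402,
  headers: { "Cache-Control": "public, max-age=600", Server: "nginx/1.18.0" },
  body: { x402Version: 2, accepts: [{ scheme: "exact", network: "base",
          payTo: "0xnotanaddress", maxAmountRequired: "0.01" }], stack: "Error: boom at handler" },
};

console.log(auditChallenge(GOOD_CHALLENGE).grade, auditChallenge(GOOD_CHALLENGE).score); // A 100
console.log(auditChallenge(BAD_CHALLENGE).grade, auditChallenge(BAD_CHALLENGE).score);   // F 30
```

The one judgement call worth noting is the missing-Cache-Control case: it is only a warning here because RFC 9111 does not let caches store a 402 heuristically, but a misconfigured CDN can be told to cache anything, so an explicit `no-store` (or at least `private`) on every gated response is the only setting that passes cleanly.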
Probe the endpoint without paying (the audit endpoint is itself x402-gated, so this returns its own 402 challenge):

```bash
curl -i "https://agent402.tools/api/x402-audit?url=https%3A%2F%2Fagent402.tools%2Fapi%2Fhash&method=POST"
```
The response is HTTP 402 Payment Required carrying the exact payment requirements (price, asset, network, pay-to address). Any x402 v2 client pays automatically and retries the request:
```javascript
import { wrapFetchWithPayment } from "@x402/fetch";
import { x402Client } from "@x402/core/client";
import { registerExactEvmScheme } from "@x402/evm/exact/client";
import { privateKeyToAccount } from "viem/accounts";

// The paying wallet's private key; read it from the environment (variable name chosen here), never hard-code it.
const KEY = process.env.X402_PRIVATE_KEY;

// Client able to sign "exact" EVM payments with that wallet
const client = new x402Client();
registerExactEvmScheme(client, { signer: privateKeyToAccount(KEY) });

// fetch wrapper: on a 402 it signs the requested payment and retries the same request
const payFetch = wrapFetchWithPayment(fetch, client);
const res = await payFetch("https://agent402.tools/api/x402-audit?url=https%3A%2F%2Fagent402.tools%2Fapi%2Fhash&method=POST");
console.log(res.status, await res.json());
```