
x402 security audit

$0.01 per call · USDC via x402 · GET /api/x402-audit

Grade any x402 seller's payment-security posture from the outside: a read-only black-box check mapped to the 'Five Attacks on x402' failure modes. The tool probes the URL's 402 challenge (it never pays) and scores TLS transport, gated-response cache hygiene (Attack III / cache leakage), error/info-leak hygiene, and payment-terms well-formedness. It then returns a letter grade with per-check findings and an honest note on what only insider/active testing can confirm.

Example query: ?url=https://api.example.com/paid&method=GET

Input

Field     Type     Description
url *     string   URL of the paid resource to audit
method    string   HTTP method to probe with (default GET)

Example output

{
  "url": "https://api.example.com/paid",
  "reachable": true,
  "status": 402,
  "paymentRequired": true,
  "x402Version": 2,
  "score": 92,
  "grade": "A",
  "checks": [
    {
      "id": "transport-tls",
      "title": "Payment challenge served over TLS",
      "attack": "credential interception",
      "severity": "high",
      "status": "pass",
      "detail": "https"
    },
    {
      "id": "cache-hygiene",
      "title": "Gated response is not shared-cacheable",
      "attack": "III — cache leakage",
      "severity": "high",
      "status": "pass",
      "detail": "Cache-Control: no-store, private"
    }
  ],
  "summary": "A (92/100) — 6 passed, 1 warning, 0 failed. Note: replay/idempotency (II) and router Sybil (IV) can't be graded from outside."
}
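The two checks in the example output can be approximated locally from a captured 402 response. This is an added example, not Agent402's implementation: the function names and the pass/warn/fail rules are assumptions, and header names are assumed to be lowercased already.

```javascript
// Added example: local sketch of two checks from the example output above.
// Rules and names are assumptions, not Agent402's code.

// Parse a Cache-Control header into a lowercase directive -> value map.
function parseCacheControl(header) {
  const directives = new Map();
  for (const part of (header || "").split(",")) {
    const [name, value = ""] = part.trim().split("=");
    if (name) directives.set(name.toLowerCase(), value.replace(/"/g, ""));
  }
  return directives;
}

// Grade whether a shared cache (CDN, proxy) may store the gated response.
function checkCacheHygiene(headers) {
  const raw = headers["cache-control"];
  const cc = parseCacheControl(raw);
  let status;
  if (cc.has("no-store") || cc.has("private")) status = "pass";
  else if (cc.has("public") || cc.has("s-maxage")) status = "fail";
  else status = "warn"; // missing or ambiguous: caches fall back to defaults
  return {
    id: "cache-hygiene",
    title: "Gated response is not shared-cacheable",
    attack: "III — cache leakage",
    severity: "high",
    status,
    detail: raw ? `Cache-Control: ${raw}` : "no Cache-Control header",
  };
}

// Grade whether the payment challenge was fetched over TLS.
function checkTransportTls(url) {
  const scheme = new URL(url).protocol.replace(":", "");
  return {
    id: "transport-tls",
    title: "Payment challenge served over TLS",
    attack: "credential interception",
    severity: "high",
    status: scheme === "https" ? "pass" : "fail",
    detail: scheme,
  };
}

// Constructed sample: a 402 challenge that a CDN would be allowed to store.
const sample = { url: "https://api.example.com/paid", headers: { "cache-control": "public, max-age=60" } };
console.log([checkTransportTls(sample.url), checkCacheHygiene(sample.headers)]);
```

Sellers can run the same logic against their own endpoints in CI to catch a CDN or framework default that makes paid content shared-cacheable.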

Try it — see the 402 challenge (free)

curl -i "https://agent402.tools/api/x402-audit?url=https%3A%2F%2Fagent402.tools%2Fapi%2Fhash&method=POST"

The response is HTTP 402 Payment Required with exact payment requirements. Any x402 v2 client pays automatically and retries:

Paid call (JavaScript agent)

import { wrapFetchWithPayment } from "@x402/fetch";
import { x402Client } from "@x402/core/client";
import { registerExactEvmScheme } from "@x402/evm/exact/client";
import { privateKeyToAccount } from "viem/accounts";

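// Payer wallet key as a 0x-prefixed hex string. Read it from the environment
// (the variable name is an assumption) rather than hard-coding it in source.
const KEY = process.env.X402_PRIVATE_KEY;

// Register the exact EVM payment scheme, then wrap fetch so that a 402
// challenge is paid and the request retried automatically.
const client = new x402Client();
registerExactEvmScheme(client, { signer: privateKeyToAccount(KEY) });
const payFetch = wrapFetchWithPayment(fetch, client);

const res = await payFetch("https://agent402.tools/api/x402-audit?url=https%3A%2F%2Fagent402.tools%2Fapi%2Fhash&method=POST");

Wallet-only. This tool reaches the network/browser/storage, so it is paid in USDC via x402 (no proof-of-work tier).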
