aisthetic·services/ agenttrust gateway
ExplorerProductDocsPricingSecurityEnterpriseSign inSign up free
Payments

Payment lifecycle

Verified, paid, audited. Or 401 / 402 / refused. The gateway never proxies a paid call without a verified identity and a verified payment proof bound to the exact request.

The four states

401 Unauthorized, unknown agent

Identity evidence missing or invalid. No wallet signature, expired VC, untrusted issuer, or missing principal mapping. The gateway returns a bounded reason. Nothing reaches the upstream.

402 Payment Required, verified, unpaid

Identity is good and policy allows the call, but the call is paid. The gateway emits a payment challenge bound to this exact request. Replay against another request is rejected.

HTTP/1.1 402 Payment Required
Content-Type: application/json

{
  "type": "payment_required",
  "protocol": "x402",
  "requestSha256": "<sha256>",
  "challengeId": "chl_<placeholder>"
}

Verify proof, verify-first / settle-once

The agent retries with payment proof. The gateway runs verification before settlement. Settlement happens at most once per challenge. On any error the gateway never automatically retries settle , retry is an explicit operator action with idempotency.

  • EIP-3009 authorization payloads shipped
  • Verify-first / settle-once / never-retry invariant shipped
  • Triple-gate production opt-in shipped

200 OK, verified, paid, audited

The upstream provider sees a clean request. Response carries an X-AgentTrust-Receipt-Id header pointing at the canonical receipt. Audit chain receives a signed event.

x402 compatibility

  • x402 facilitator (sandbox + public testnet) shipped
  • public_x402 wire compatibility operator-gated
  • per-provider sandbox-proof audit chain shipped

public_x402 wire shape is implemented and accepted by the public facilitator at the structural layer. A live funded settle on public testnet still requires a funded testnet wallet and USDC , that is the operator-gated lane.

Receipts

Every successful paid call produces a signed receipt. See Receipts & proof for the receipt schema, signing, and offline verification.

Boundaries

  • Live x402 funded settle on public testnet is operator-gated.
  • Production rails sit behind a triple-gate operator opt-in.
  • No automatic retry; failed settle is an explicit operator decision.