x402 Is for Services That Don't Need to Know You

Cloudflare is now serving roughly a billion HTTP 402 responses a day. AWS launched AgentCore Payments on May 7 with managed wallets, policy controls and a full audit trail out of the box. Arbitrum went live with x402 settlement on May 15. The x402 Foundation is incubated under the Linux Foundation with more than 20 institutional backers behind it — Stripe, Visa, Circle, Google, AWS, Solana Foundation. Coinbase reports around 69,000 active agents on the protocol.

That is the supply side of the story. It is real, it is shipping, and it is more institutionally backed than almost anything else in the agent space.

What it does not have is demand.

What the activity actually shows

The supply side looks healthy in the way an early app store looks healthy: thousands of x402-payable endpoints across 8 networks (almost all on Base), broad category coverage from data and developer tools to AI inference, DeFi, identity, storage, NFT and gaming, dominant price points sitting below a cent.

Behind that picture, the activity on the protocol is much smaller than the topline cumulative numbers suggest. Current daily volume sits at around $28,000 — roughly 131,000 transactions a day, averaging $0.20 each — against a $7B narrative valuation and the institutional weight described above. Artemis has flagged about half of those transactions as wash trading, mostly teams gaming leaderboards. CoinDesk wrote the headline plainly in March.

The composition is the telling part. From x402list, the directory I have been maintaining since the protocol's first version landed: data and developer endpoints together account for more than half of cumulative transactions; identity and storage are thin, even though those are the categories where the permissionless property matters most. The most-active category averages under four cents per call.

The services on x402 today are not what x402 was designed for. The agents calling them are not what x402 was designed for either. That is the gap worth understanding.

What x402 actually changes

The thing that gets lost in the topline pitch is that x402 is not really about agents being able to pay. Agents have been able to pay for things for a couple of years; what they have been doing is calling APIs that someone wired up in advance with a stored API key. The novelty of x402 is not the payment. It is that an agent can call a service it was never onboarded to.

That is a structural shift in how the unit of consumption works on the web. The default unit for the last 15 years has been the subscription: a human signs up, gets an API key, integrates it into an application, and the application calls the service. The integration is the gating step. The payment is downstream of a relationship that took a human to set up.

x402 inverts that. The agent makes the call, the server responds with payment terms, the agent settles in USDC and retries, the call goes through. No account, no API key, no prior relationship. For the agent, every x402-compliant service in the world is callable in a single round trip, regardless of whether the agent's developer has ever heard of the service.

Permissionless services as a category

The interesting category that opens up is one that has not really existed on the web before — services designed to be called by parties the service has no relationship with and does not need to.

The closest historical analogue is anonymous HTTP. Anyone could call any public endpoint without identifying themselves; that is the property that gave the early web its compounding properties. But anonymous HTTP could not charge. The economic model collapsed into advertising, walled gardens or subscriptions, and the long tail of micro-services — the ones whose value to any single caller was too small to be worth a billing relationship — never got built, because there was no way to monetise them per call.

x402 plus an agent wallet brings back the anonymous-callable property and adds a per-call settlement layer. The service does not need to know who you are; it does not need to onboard you; it just needs to expose payment terms and serve the response. That is the property worth paying attention to. It enables a class of service that was uneconomic before — anything where the value of any individual call is small, the population of callers is unbounded, and the relationship-management cost would have killed it.

These are not API wrappers around existing SaaS products, though plenty of those have appeared on x402list. They are services that only really make sense in a world where the caller is a piece of software that found you via a directory and is willing to pay a fraction of a cent to call you once. That is a different category from anything that currently exists at scale.

One example: agent memory

Agent memory is the example I have spent the most time on, because it is the category that pulled me into building this stuff in the first place. Today, every production memory system assumes a stable identifier — a user ID on a platform — and serves memory keyed off that identifier. Move the user, or the agent acting on their behalf, off the platform and the memory does not come with them.

A permissionless memory service is a different shape. It does not know who you are. It exposes endpoints for writing, reading and proving memory entries. It charges per call. Any agent with a wallet can store memory there; any agent with a wallet and the right cryptographic credential can read it back. There is no account creation, no onboarding, no platform lock-in. The wallet is the identity; the payment is the integration.

That is the design zkStash is built on, and it is one approach among others that could be built on x402. The pattern generalises beyond memory. Inference, search, reputation, identity attestation, content delivery — anything an agent might need to call once or many times across services it has no prior relationship with — fits the same shape. The interesting work is in figuring out which categories actually want to be permissionless, and which were always better served by a relationship-based model.

What the supply side looks like up close

The provider distribution is the telling number. The 910 providers in the directory wrap endpoints from a few hundred upstream services, which means most of the supply side is the old web getting a payment layer attached to it, not new services born to be permissionless. The agents that would consume a wrapped Wolfram Alpha endpoint already had their developers set up Wolfram Alpha access. The agents that would consume a genuinely permissionless service do not exist yet at any meaningful scale.

Where this is going

x402 itself is not the interesting question. The protocol is sound, the implementation has converged, and the rails are not the constraint. The interesting question is what gets built that only makes sense in a world where calling is permissionless and payment is per request. Most of what is currently on x402list does not meet that test.

The thirty-trillion-dollar machine economy headlines are directionally right and almost useless for thinking about which categories matter. A handful of genuinely permissionless service categories will emerge — memory is one bet — and those will justify the rails after the fact.

x402 is not a payment protocol that happens to be useful for agents. It is the first credible attempt at a substrate for services that no longer need to know who is calling them. The rails are built. The question now is what runs over them.

Further reading

• x402.org — protocol spec and ecosystem
• Coinbase x402 docs
• CoinDesk — Coinbase-backed AI payments protocol wants to fix micropayment but demand is just not there yet (March 2026)
• CoinDesk — AI agents are breaking web economics, but Cloudflare says x402 can help (May 2026)
• StartupHub — x402 Payments: The Real Numbers
• Coinbase and Cloudflare — x402 Foundation announcement
• AWS — x402 and Agentic Commerce
• Bankless — Who Authorized This? The Gray Area of x402
• x402list.fun — directory of x402-payable services