The Forgotten Status Code#

HTTP status code 402, Payment Required, has been marked "reserved for future use" since HTTP/1.1 was first published as RFC 2068 in 1997. For nearly three decades it sat dormant, a placeholder that each later revision of the spec carried forward but never defined.

That future arrived with autonomous AI agents.

Why Now#

Agents need to transact autonomously: pay for API calls, purchase compute, settle micro-transactions, all without a human approval loop. The x402 protocol gives them a standardized way to do that over plain HTTP: a server answers an unpaid request with a 402 carrying its payment terms, the client retries with a payment attached, and the server verifies that payment before serving the resource.

Which means every agent that speaks x402, and every server that accepts it, is now a financial endpoint.

The Attack Surface#

When money moves through HTTP, the threat model changes: a bug that used to cost availability or data now costs funds.

  • Payment interception — a man-in-the-middle on the 402 challenge/response flow can rewrite the payment terms (amount, payee) before the agent signs them
  • Replay attacks — presenting a valid payment payload a second time, or to a different endpoint than the one it was issued for
  • Agent impersonation — spoofing an agent's identity to spend from its wallet
  • Malformed challenge responses — fuzzing payment servers and clients for parsing bugs in the challenge and payment payloads
  • Race conditions — double-spend by presenting one payment concurrently so that verification and settlement interleave
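To make the challenge/response flow from "Why Now" and the replay, impersonation, malformed-input and race items above concrete, here is an added example (not code from the original post, and not the x402 project's own implementation or wire format). It models a payment server that issues a 402 challenge with a single-use nonce bound to the resource and price, and a settle step that consumes that nonce under a lock. The payer's authorization is an HMAC over a shared secret, a stand-in for the wallet signature a real deployment would verify through its settlement layer; the agent names, prices and secrets are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed demo data. In a real deployment the payer's authorization is a wallet
# signature checked by the settlement layer; HMAC over a shared secret is a stand-in
# so the example runs offline. Transport security (TLS) is assumed and not modelled:
# without it a MITM can rewrite the challenge before the agent signs it.
AGENT_KEYS = {"agent-alpha": b"alpha-secret", "agent-beta": b"beta-secret"}
PRICES = {"/v1/summarize": 1000, "/v1/translate": 2500}  # hypothetical prices, base units
CHALLENGE_TTL = 60  # seconds a challenge nonce stays valid


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so client and server sign exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class PaymentServer:
    def __init__(self, prices, agent_keys, now=time.time):
        self.prices = prices
        self.agent_keys = agent_keys
        self.now = now
        self._lock = threading.Lock()
        self._open = {}        # nonce -> (resource, amount, expires)
        self._settled = set()  # nonces that have already been spent

    def challenge(self, resource):
        """Build the 402 body: price plus a single-use nonce bound to this resource."""
        if resource not in self.prices:
            return 404, {"error": "no such resource"}
        nonce, amount = secrets.token_hex(16), self.prices[resource]
        with self._lock:
            self._open[nonce] = (resource, amount, self.now() + CHALLENGE_TTL)
        return 402, {"resource": resource, "amount": amount, "nonce": nonce}

    def settle(self, resource, payment):
        """Verify a payment presented for `resource`; return (status, body)."""
        # Malformed input gets a 400, never a traceback (the fuzzing item above).
        if not isinstance(payment, dict):
            return 400, {"error": "payment must be an object"}
        try:
            agent, nonce = str(payment["agent"]), str(payment["nonce"])
            amount, sig = int(payment["amount"]), bytes.fromhex(payment["sig"])
        except (KeyError, TypeError, ValueError):
            return 400, {"error": "malformed payment"}
        # Signature must verify under the key of the agent the payment claims to be from.
        key = self.agent_keys.get(agent)
        if key is None:
            return 401, {"error": "unknown agent"}
        msg = canonical({"resource": resource, "amount": amount, "nonce": nonce})
        if not hmac.compare_digest(sig, hmac.new(key, msg, hashlib.sha256).digest()):
            return 401, {"error": "bad signature"}
        # Consume the nonce atomically so concurrent presentations cannot both succeed,
        # and check it was issued for this resource at this price (cross-endpoint replay).
        with self._lock:
            if nonce in self._settled:
                return 409, {"error": "payment already settled"}
            issued = self._open.pop(nonce, None)
            if issued is None:
                return 402, {"error": "unknown or expired challenge"}
            c_resource, c_amount, expires = issued
            if self.now() > expires:
                return 402, {"error": "challenge expired"}
            if c_resource != resource or c_amount != amount:
                return 402, {"error": "payment not bound to this resource and price"}
            self._settled.add(nonce)
        return 200, {"result": f"served {resource} to {agent}"}


def agent_pay(agent, key, resource, body):
    """Client side: sign (resource, amount, nonce) taken from the 402 body."""
    payload = {"resource": resource, "amount": body["amount"], "nonce": body["nonce"]}
    sig = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"agent": agent, "amount": body["amount"], "nonce": body["nonce"], "sig": sig}


def demo():
    """Happy path, then replay, cross-endpoint, underpayment, impersonation, fuzz and race."""
    server, alpha, out = PaymentServer(PRICES, AGENT_KEYS), AGENT_KEYS["agent-alpha"], {}
    _, body = server.challenge("/v1/summarize")
    pay = agent_pay("agent-alpha", alpha, "/v1/summarize", body)
    out["first"] = server.settle("/v1/summarize", pay)[0]
    out["replay"] = server.settle("/v1/summarize", pay)[0]
    _, body = server.challenge("/v1/summarize")  # challenge for one endpoint, spent on another
    pay = agent_pay("agent-alpha", alpha, "/v1/translate", body)
    out["wrong_endpoint"] = server.settle("/v1/translate", pay)[0]
    _, body = server.challenge("/v1/summarize")  # agent signs for less than was asked
    pay = agent_pay("agent-alpha", alpha, "/v1/summarize", dict(body, amount=1))
    out["underpaid"] = server.settle("/v1/summarize", pay)[0]
    _, body = server.challenge("/v1/summarize")  # beta's key, alpha's identity
    pay = agent_pay("agent-alpha", AGENT_KEYS["agent-beta"], "/v1/summarize", body)
    out["impersonation"] = server.settle("/v1/summarize", pay)[0]
    out["malformed"] = server.settle("/v1/summarize", {"agent": "agent-alpha", "sig": "zz"})[0]
    _, body = server.challenge("/v1/summarize")  # eight threads present one payment at once
    pay = agent_pay("agent-alpha", alpha, "/v1/summarize", body)
    with ThreadPoolExecutor(max_workers=8) as pool:
        codes = list(pool.map(lambda _: server.settle("/v1/summarize", pay)[0], range(8)))
    out["race"] = (codes.count(200), codes.count(409))
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that the nonce, not the signature alone, carries the replay and double-spend protection: the signature proves who authorized the payment, the server-side record of which nonces are open and which are settled proves it is being honoured exactly once, and binding the nonce to the resource and amount at issue time is what stops a challenge for a cheap endpoint being spent on an expensive one. Every check that rejects a payment returns a status rather than raising, so a fuzzed payload cannot turn into a crash or a skipped check.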

What’s Next#

This is the first in a series mapping the x402 attack surface. The warden is watching.


More to come. Stay tuned.