CodcompassCodcompass
← Back to Blog
AI/ML2026-05-14·79 min read

I built a pay-per-use web scraping API using x402 — here's how it works

By artespraticas

Stateless API Commerce: Implementing x402 Pay-Per-Use Endpoints for AI Agents

Current Situation Analysis

Traditional API monetization relies on a rigid architecture: API keys, subscription tiers, and centralized billing portals. This model was designed for human developers and enterprise SaaS contracts, not for the bursty, machine-driven workloads that dominate modern AI infrastructure. When AI agents or automated pipelines require data, they generate intermittent, high-frequency requests that don't align with monthly billing cycles. Paying for idle capacity or managing dozens of API keys across autonomous agents creates operational friction and capital inefficiency.

The industry has largely overlooked a dormant HTTP specification: status code 402 (Payment Required). Originally defined in RFC 7231 but never widely adopted due to the lack of a standardized, low-latency payment rail, 402 has been resurrected by the x402 protocol. x402 v2 transforms the HTTP layer into a settlement network, enabling pay-per-use commerce without accounts, subscriptions, or third-party payment processors. By leveraging USDC on Base, developers can execute micro-transactions with sub-cent fees and ~2-second finality, making machine-to-machine commerce economically viable for the first time.

This approach is frequently misunderstood as a niche crypto experiment. In reality, it addresses a fundamental architectural gap: how do you monetize compute or data access when the consumer is an autonomous agent that cannot fill out a checkout form, manage a credit card, or wait for invoice reconciliation? x402 removes the billing layer entirely, embedding payment directly into the HTTP request lifecycle. The result is a stateless, frictionless commerce model that aligns cost precisely with utility.

WOW Moment: Key Findings

The shift from subscription-based API gateways to x402 micro-payments fundamentally changes how infrastructure costs are modeled for AI workloads. The following comparison highlights the operational and economic divergence between traditional monetization and the x402 protocol:

Approach Authentication Overhead Cost Model for Bursty Workloads Agent Compatibility Settlement Finality
Traditional API Gateway High (Keys, OAuth, Billing Portals) Fixed monthly/annual, wastes capital on idle capacity Low (Requires human setup or complex key rotation) N/A (Billing is delayed, reconciliation is manual)
x402 Micro-Payment Flow Zero (No accounts, no keys) Pay-per-request ($0.01 USDC), scales linearly with usage High (Native HTTP 402 challenge-response) ~2 seconds (Base mainnet USDC transfer)

This finding matters because it decouples API access from identity management. AI agents can request data, receive a cryptographic payment challenge, settle it on-chain, and retry with proof—all within a single automated loop. The economic implication is profound: infrastructure providers can monetize low-volume, high-value endpoints without building billing infrastructure, while consumers only pay for successful data retrieval. This enables a true machine economy where data, compute, and model inference can be traded atomically.

Core Solution

Implementing an x402-enabled endpoint requires rethinking the request lifecycle. Instead of authenticating a bearer token, the server validates a cryptographic payment proof. The architecture leverages Vercel Edge Functions for low-latency execution, Zod for strict request validation, and a zero-dependency extraction pipeline to keep the runtime footprint minimal.

Step 1: Define the Request Schema

Strict validation prevents malformed requests from consuming compute resources. Zod enforces type safety and provides clear error boundaries.

import { z } from 'zod';

export const HarvestRequestSchema = z.object({
  targetUrl: z.string().url(),
  extractionMode: z.enum(['text', 'links', 'html']).default('text'),
  idempotencyKey: z.string().uuid().optional(),
});

export type HarvestRequest = z.infer<typeof HarvestRequestSchema>;

Step 2: Implement the Edge Handler

The handler follows a strict state machine: validate input → check for payment proof → generate 402 challenge if missing → verify proof → execute extraction → return payload.

import { NextRequest, NextResponse } from 'next/server';
import { HarvestRequestSchema } from './schema';
import { PaymentVerifier } from './verifier';
import { ContentExtractor } from './extractor';

export const runtime = 'edge';

export async function POST(req: NextRequest) {
  const body = await req.json();
  const validation = HarvestRequestSchema.safeParse(body);

  if (!validation.success) {
    return NextResponse.json(
      { error: 'Invalid payload', details: validation.error.flatten() },
      { status: 400 }
    );
  }

  const { targetUrl, extractionMode, idempotencyKey } = validation.data;

  // Check for existing payment proof in headers
  const paymentProof = req.headers.get('x-payment-proof');
  const requestId = req.headers.get('x-request-id');

  if (!paymentProof || !requestId) {
    return generatePaymentChallenge(targetUrl, extractionMode);
  }

  // Verify payment before executing expensive logic
  const isValid = await PaymentVerifier.validate(paymentProof, requestId);
  if (!isValid) {
    return NextResponse.json({ error: 'Invalid or expired payment proof' }, { status: 402 });
  }

  // Execute extraction
  const result = await ContentExtractor.run(targetUrl, extractionMode);
  
  return NextResponse.json({
    protocol: 'x402',
    version: 2,
    priceUSD: '0.01',
    url: targetUrl,
    status: 'ok',
    ...result,
  });
}

Step 3: Generate the 402 Payment Challenge

When no proof is present, the server returns a structured 402 response containing payment instructions. The client must pay exactly $0.01 USDC on Base to the designated address.

function generatePaymentChallenge(url: string, mode: string) {
  const challengeId = crypto.randomUUID();
  const paymentAddress = '0xYourMerchantWalletAddress';
  const amountUSDC = '10000'; // 0.01 USDC (6 decimals)

  return NextResponse.json(
    {
      protocol: 'x402',
      version: 2,
      priceUSD: '0.01',
      paymentInstructions: {
        network: 'base',
        token: 'USDC',
        recipient: paymentAddress,
        amount: amountUSDC,
        challengeId,
        metadata: { targetUrl: url, extractionMode: mode },
      },
    },
    { status: 402 }
  );
}

Step 4: Verify Payment Proof

The client retries with a signed transaction hash or proof. The verifier checks the transaction on Base, confirms the amount, recipient, and challenge ID, and marks the request as settled.

export class PaymentVerifier {
  static async validate(proof: string, requestId: string): Promise<boolean> {
    // In production, decode proof, query Base RPC, verify:
    // 1. Transaction succeeded
    // 2. Amount matches 0.01 USDC
    // 3. Recipient matches merchant wallet
    // 4. Challenge ID matches requestId
    // 5. Proof hasn't been replayed (check short-lived cache)
    const isVerified = await this.queryBaseChain(proof);
    return isVerified && !this.isReplayed(requestId);
  }

  private static async queryBaseChain(proof: string): Promise<boolean> {
    // RPC call to Base mainnet
    return true; // Placeholder for actual chain verification
  }

  private static isReplayed(requestId: string): boolean {
    // Check against in-memory or edge KV store
    return false;
  }
}

Step 5: Zero-Dependency Extraction

Heavy DOM parsers bloat Edge bundles. A lightweight approach uses native fetch and regex/text processing to extract content without external dependencies.

export class ContentExtractor {
  static async run(url: string, mode: 'text' | 'links' | 'html') {
    const response = await fetch(url, { 
      headers: { 'User-Agent': 'MicroHarvestAgent/1.0' } 
    });
    const html = await response.text();
    const startTime = performance.now();

    let content = '';
    let wordCount = 0;

    if (mode === 'text') {
      content = html.replace(/<[^>]*>/g, ' ').replace(/\s+/g, ' ').trim();
      wordCount = content.split(/\s+/).length;
    } else if (mode === 'links') {
      const linkRegex = /href="([^"]+)"/g;
      const matches = [...html.matchAll(linkRegex)].map(m => m[1]);
      content = JSON.stringify(matches);
      wordCount = matches.length;
    } else {
      content = html;
      wordCount = content.length;
    }

    const elapsed = Math.round(performance.now() - startTime);

    return {
      title: this.extractTitle(html),
      content,
      wordCount,
      elapsed,
    };
  }

  private static extractTitle(html: string): string {
    const match = html.match(/<title[^>]*>(.*?)<\/title>/i);
    return match ? match[1].trim() : 'Untitled';
  }
}

Architecture Rationale

  • Vercel Edge Functions: Cold starts are minimized, and global distribution reduces latency for international agents. The Edge runtime enforces strict bundle size limits, which aligns with the zero-dependency extraction strategy.
  • x402 v2 Protocol: Embeds commerce into HTTP semantics. The 402 challenge-response pattern is stateless, meaning no session storage or user accounts are required.
  • USDC on Base: Stablecoin eliminates volatility risk. Base provides fast finality and negligible gas fees, making $0.01 transactions economically viable.
  • Zod Validation: Fails fast on malformed payloads, protecting compute resources from abuse.
  • Idempotency & Replay Protection: Critical for production. Each challenge ID is cached briefly to prevent double-spending or retry attacks.

Pitfall Guide

1. Replay Attack Vulnerability

Explanation: Payment proofs can be captured and reused by malicious clients to access endpoints without paying. Fix: Bind each payment proof to a unique challengeId or requestId. Store settled IDs in a short-lived Edge KV cache with TTL matching your retry window. Reject any proof that references an already-settled ID.

2. Chain Reorg & Finality Assumptions

Explanation: Assuming instant finality on Base can lead to processing payments that later revert during chain reorganizations. Fix: Query the RPC with finalized block tags or wait for 1-2 block confirmations before marking a payment as valid. Use a reliable RPC provider that supports finality guarantees.

3. Header Misconfiguration in 402 Responses

Explanation: Returning a bare 402 status without structured payment instructions breaks client compatibility. Fix: Strictly adhere to the x402 v2 specification. Include protocol, version, priceUSD, and a paymentInstructions object with network, token, recipient, amount, and challenge metadata. Clients like agentcash expect this exact shape.

4. Compute Waste on Invalid Proofs

Explanation: Running extraction logic before verifying payment proof wastes Edge compute cycles and increases costs. Fix: Always verify the payment proof first. Fail fast with a 402 response if verification fails. Only proceed to fetch and parse the target URL after cryptographic settlement is confirmed.

5. Over-Engineering the Extraction Pipeline

Explanation: Importing heavy DOM parsers (like Cheerio or JSDOM) exceeds Edge runtime limits and increases cold start times. Fix: Use native fetch with regex or lightweight string manipulation for simple extraction. If complex parsing is required, offload to a dedicated worker pool or containerized service, and keep the Edge function strictly as a payment gateway and router.

6. Ignoring Idempotency on Retries

Explanation: Network instability causes clients to retry requests. Without idempotency, the same payment might be processed multiple times, or the same extraction might run repeatedly. Fix: Require an idempotencyKey in the request schema. Cache successful responses keyed by this ID. Return the cached result on duplicate requests instead of re-executing the pipeline.

7. Hardcoding Pricing Without Gas/Slippage Considerations

Explanation: While USDC is stable, bridge costs or network congestion can affect the effective cost of micro-transactions. Fix: Implement dynamic pricing logic that adjusts based on network conditions, or maintain a buffer in your merchant wallet to cover occasional gas spikes. Monitor Base network fees and adjust your $0.01 baseline if necessary.

Production Bundle

Action Checklist

  • Define strict Zod schemas for all incoming payloads to prevent compute waste
  • Implement a short-lived Edge KV cache for challenge ID tracking and replay protection
  • Configure Base RPC endpoints with finalized block tags for payment verification
  • Structure 402 responses exactly per x402 v2 spec to ensure client compatibility
  • Add idempotency keys to prevent duplicate processing on network retries
  • Keep extraction logic dependency-free to stay within Edge runtime limits
  • Set up monitoring for payment verification latency and failed challenge responses
  • Test with agentcash or a custom x402 client to validate the full challenge-response loop

Decision Matrix

Scenario Recommended Approach Why Cost Impact
AI Agent Data Retrieval x402 Pay-Per-Use Agents cannot manage API keys or subscriptions; atomic payments align with bursty usage Low (pay only for successful requests)
Internal Enterprise Tools Traditional API Keys + OAuth Requires audit trails, role-based access, and centralized billing Medium (subscription overhead)
High-Volume SaaS Backend Stripe/Billing Portal Predictable revenue, invoicing, and compliance requirements High (payment processor fees + billing infra)
Experimental Micro-Endpoints x402 Micro-Payment Zero setup friction, instant monetization, no user onboarding Minimal (Base gas fees only)

Configuration Template

// x402-edge-config.ts
import { z } from 'zod';

export const X402_CONFIG = {
  protocol: 'x402',
  version: 2,
  network: 'base',
  token: 'USDC',
  priceUSD: '0.01',
  amountUSDC: '10000', // 6 decimals
  merchantWallet: process.env.MERCHANT_WALLET_ADDRESS!,
  rpcEndpoint: process.env.BASE_RPC_URL!,
  challengeTTL: 300, // 5 minutes
  idempotencyTTL: 86400, // 24 hours
};

export const RequestSchema = z.object({
  targetUrl: z.string().url(),
  extractionMode: z.enum(['text', 'links', 'html']).default('text'),
  idempotencyKey: z.string().uuid().optional(),
});

export type HarvestPayload = z.infer<typeof RequestSchema>;

Quick Start Guide

  1. Initialize Project: Create a Next.js app with Edge runtime support. Install zod and configure environment variables for your Base RPC and merchant wallet.
  2. Deploy Payment Gateway: Implement the 402 challenge generator and proof verifier using the configuration template. Ensure your merchant wallet holds sufficient USDC for testing.
  3. Add Extraction Logic: Build a lightweight content extractor using native fetch and regex. Keep dependencies minimal to comply with Edge runtime constraints.
  4. Test with Client: Use agentcash or a custom script to send a POST request. Verify that the server returns a 402 challenge, process the payment, retry with proof, and receive the extracted payload.
  5. Monitor & Iterate: Track payment verification latency, replay attempts, and extraction success rates. Adjust challenge TTL and idempotency windows based on real-world agent behavior.