Foreword
This week, I went through the entire X402 process, from demo to application.
I've been following this protocol since Coinbase first released X402 in May 2025. Since then, Coinbase has launched a complete payment infrastructure and partnered with several leading companies exploring the AI+payments track, including Google, Visa and Cloudflare; on the proposer side of ERC-8004, the Ethereum Foundation and MetaMask (a wallet) are also involved. Through ERC-3009 (an extension to the ERC-20 token standard, used by USDC) and ERC-8004 (an on-chain identity and reputation registry for agents), Coinbase has developed a fairly clear strategy for the AI+payments sub-sector.
It can certainly be said that Coinbase's exploration of the payment sector this time is comprehensive, determined, and shows skillful marketing.
However, the Web3 world is never short of sensationalism, nor of imagination; yet many outlandish imaginings confuse the public and impair judgment.
This article systematically analyzes the chaotic hype, separating what is noise from the shortcomings that genuinely need to be addressed.
What is X402?
First of all, X402 is very simple: it is a set of process specifications for handling payment inside HTTP API interactions.
X402 uses the HTTP 402 status code and is a stateless on-chain payment protocol. The server answers an unpaid request with 402 and a description of the payment it accepts; the client retries with an "X-PAYMENT" request header carrying a signed payment payload; a newly added role, the Facilitator, verifies the payment and settles it on-chain; and once the service provider has been told the payment succeeded, a one-time payment task is complete.
In fact, HTTP defined 402 (Payment Required) as a payment-related status code early in its development, but for decades it went unused.
The specific content of X-PAYMENT can be customized. As long as the service provider is satisfied that the parameters complete the user's payment, it provides the subsequent service.
The system itself has a generic structure, so it could be integrated with any payment system. But since the protocol was released by Coinbase, a US-listed exchange, it is naturally coupled most tightly to the blockchain model.
In theory the protocol has a revolutionary advantage. Coinbase compares it with traditional payment platforms on four points: average transaction fee, settlement time, refund capability, and TPS (transactions per second).
Numerically, it has significant advantages in transaction fees and settlement time, both stemming from the inherent properties of a blockchain as a payment rail.
On the downside, it lacks refund capability, since transactions cannot easily be reversed on the blockchain; and the TPS of a traditional platform such as PayPal scales dynamically with load, whereas blockchain throughput is hard to scale.
Details are as follows (Coinbase's comparison table; image not reproduced on this page):

Therefore, when discussing X402, it's crucial to understand that it is ultimately a payment system, not an asset issuance platform. The current hype around "X402 assets" is purely meme-driven; it may provide short-term entertainment, but it shouldn't be taken seriously in the long run.
How does it work?
Mechanically, X402 adds one role, the Facilitator, to the traditional Client (the user, AI agent or application that triggers the payment) and Server (the merchant or seller). The Facilitator acts as the hub that tells the merchant whether a payment succeeded or failed. In practice this is the same role that individual payment platforms have traditionally played in finance.

The core point is that the user authorizes the on-chain payment, while the Facilitator is responsible for verifying it, submitting it, and determining whether it succeeded.
Coinbase's payment strategy
ERC-3009 Enhanced Token Standard
Payment is inherently a sector where the consumer side is hard to change; it depends on adoption at both ends, that is, sellers able to accept the method and buyers willing to use it. Coinbase's approach is to leverage Shopify (one of the world's largest e-commerce SaaS platforms), integrating through a one-click Shopify plugin and SDK so that merchants can accept USDC payments globally without having to understand the underlying cryptographic processes.
Many people wonder why it is USDC rather than USDT. The reason is simple: USDC is currently the only mainstream stablecoin that supports ERC-3009.
ERC-3009 (EIP-3009, "Transfer With Authorization") is an extension of the ERC-20 token standard proposed in September 2020. In the payment sector it has become the key asset type for a gas-free experience, and the operation is simple.
Gas-free operation process
1. The user signs a message off-chain
Using a wallet such as MetaMask, the user signs a TransferWithAuthorization message off-chain, specifying the recipient, the amount, the validity window, and a random nonce.
2. Any third party submits the transaction
Any address (typically the merchant, a platform, or a relayer) can submit this signature by calling a token contract that supports EIP-3009, triggering transferWithAuthorization() or receiveWithAuthorization() to perform the actual on-chain transfer. The difference between the two is that receiveWithAuthorization() also requires the caller to be the recipient, which stops a third party from submitting the authorization ahead of the intended recipient.
3. The contract verifies the signature and executes the transfer
The contract verifies the EIP-712-formatted signature, checks that the nonce has not been used and that the block time lies within the validAfter/validBefore window, then marks the nonce as used and completes the token transfer from -> to. The signer can also void an unused nonce with cancelAuthorization().
This mechanism is implemented in Circle's official USDC contract on Ethereum mainnet; my own testing shows roughly 77,000 gas per call. By contrast, a plain transfer costs around 45,000 to 50,000 gas, so the authorized transfer consumes more than 50% more gas.
It can be called one of the most cost-effective gas-free solutions.
A typical counterexample is MetaMask's earlier official gas-free transaction service, which required two additional transactions and so roughly tripled the cost.
Compared with the account-abstraction model of ERC-4337, there is no up-front cost for deploying a user contract and no overhead from cross-contract calls. The end cost is also slightly lower than gas-free implementations based on EIP-7702.
Refundable payment process
Once gas is eliminated, users no longer need to hold the chain's native coin in order to pay, but this still falls short of traditional payment refund logic, since on-chain payment is by nature a KYC-free model.
Therefore, Coinbase designed an additional payment intermediary process, as shown in the following diagram:

The payment process has been revamped with a new escrow module.
- First, the user authorizes a payment by signing it;
- Funds are transferred from the user's wallet into an escrow smart contract;
- The merchant captures the payment through the Operator's service and eventually withdraws the funds;
- If the authorization expires without being captured, the user can cancel it and retrieve the funds.

This mechanism combines on-chain payment control with "delayed execution + mandatory authorization + revocability", giving merchants financial certainty while keeping the user's funds safe.
The Operator is an intermediary service provider in the payment process. Its job is to pay gas on the user's behalf and to capture the transaction the user signed, but it cannot modify the original intent: the payee, the amount limit, the authorization validity period and so on are bound by the user's signature over the hash of those fields.
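As an added example of the escrow lifecycle just described, not Coinbase's escrow contract and not its ABI, here is a state-machine model of the four steps. The signed authorization and the EIP-3009 pull are assumed to have already happened (a balance map stands in for the token), so the example concentrates on what the escrow itself enforces afterwards: only the named Operator can capture, never more than was authorized, never after expiry, and after expiry only the payer can reclaim what is left. The method names authorize/capture/reclaim and the sample participants are assumptions of this example.

```javascript
// Added example: escrow state machine for the authorize -> capture -> reclaim flow.
// The payer's signed authorization is assumed to have been verified already; a
// balance map stands in for the token contract. Method names are this example's own.
class Escrow {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances));
    this.payments = new Map();
  }
  _move(from, to, amount) {
    const bal = this.balances.get(from) || 0;
    if (bal < amount) throw new Error('insufficient balance');
    this.balances.set(from, bal - amount);
    this.balances.set(to, (this.balances.get(to) || 0) + amount);
  }
  _live(id) {
    const p = this.payments.get(id);
    if (!p) throw new Error('unknown payment');
    if (p.state !== 'authorized') throw new Error('payment is already ' + p.state);
    return p;
  }
  // Steps 1-2: the authorized amount is pulled into escrow and the intent is frozen.
  authorize(id, intent, now) {
    if (this.payments.has(id)) throw new Error('payment id already used');
    if (now >= intent.expiry) throw new Error('authorization already expired');
    this._move(intent.payer, 'escrow', intent.maxAmount);
    this.payments.set(id, { ...intent, captured: 0, state: 'authorized' });
  }
  // Step 3: only the named operator may capture, never above the limit, never after expiry.
  capture(id, amount, caller, now) {
    const p = this._live(id);
    if (caller !== p.operator) throw new Error('only the operator may capture');
    if (now >= p.expiry) throw new Error('authorization expired');
    if (amount <= 0 || p.captured + amount > p.maxAmount) throw new Error('capture exceeds authorization');
    this._move('escrow', p.merchant, amount);
    p.captured += amount;
    if (p.captured === p.maxAmount) p.state = 'captured';
  }
  // Step 4: after expiry the payer, and only the payer, takes back whatever was not captured.
  reclaim(id, caller, now) {
    const p = this._live(id);
    if (caller !== p.payer) throw new Error('only the payer may reclaim');
    if (now < p.expiry) throw new Error('authorization still live');
    const remaining = p.maxAmount - p.captured;
    this._move('escrow', p.payer, remaining);
    p.state = 'reclaimed';
    return remaining;
  }
}

// Walk a constructed payment through the lifecycle, including the attempts that must fail.
function runEscrowDemo() {
  const escrow = new Escrow({ alice: 100, shop: 0 });
  const intent = { payer: 'alice', merchant: 'shop', operator: 'op', maxAmount: 40, expiry: 2000 };
  escrow.authorize('p1', intent, 1000);
  const rejected = [];
  for (const [caller, amount] of [['mallory', 40], ['op', 50]]) {
    try { escrow.capture('p1', amount, caller, 1500); } catch (e) { rejected.push(e.message); }
  }
  escrow.capture('p1', 25, 'op', 1500);            // partial capture by the legitimate operator
  let early;
  try { escrow.reclaim('p1', 'alice', 1500); } catch (e) { early = e.message; }
  const refunded = escrow.reclaim('p1', 'alice', 2000);
  return { rejected, early, refunded, alice: escrow.balances.get('alice'),
    shop: escrow.balances.get('shop'), escrow: escrow.balances.get('escrow') };
}
```

The intent fields are copied into the escrow record at authorize time and never read from the caller again, which is what "the Operator cannot modify the original intent" has to mean in code: every later capture is checked against the frozen payee, limit and expiry, not against whatever the Operator sends.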
Private key escrow issues
The underlying technology here is the TEE (Trusted Execution Environment), which has become very popular in recent years; almost every exchange platform has launched its own TEE wallet.
Coinbase's TEE Wallet structure is as follows:

The technology is complex, but its core principle is simple: memory inside a TEE cannot be read from outside, and the code running inside it can be attested, so a verifier can check exactly which code version is running. Running deterministic code in an isolated memory space that cannot be interfered with therefore gives a new security model for private-key custody.
The reason custodial private keys were so hard to adopt before is that it was hard for the platform to prove its innocence. Once a transaction from that key was recorded on the blockchain, there was no further evidence (such as who actually initiated it) to show whether a leak came from the platform holding the key or from the user.
With a TEE, however, the enclave code can be open-sourced, audited and matched against the attestation measurement, much like an on-chain contract, to show that no backdoor could leak private keys. The caveat is that attestation proves which code is running, not that the code, the hardware, or the vendor's attestation root of trust is free of flaws.
In the payment sector, Coinbase offers two integration options for merchants:
- Managed access (CDP SDK): assets are managed and transactions generated through the backend of a Coinbase Commerce account, which is built on TEE wallet technology.
- Self-hosted access (Wallet API v2): merchants build their own account system, manage keys themselves, and integrate payment notifications; suited to merchants with intermediate to advanced technical capability.
 
In summary, Coinbase has indeed thought things through and is well-prepared, providing a complete one-stop service for both buyers and sellers.
How to understand
From its release in May to the end of October, X402 suddenly became a hit. Objectively, this was driven by the attention a previously obscure meme token attracted when its price rose dozens of times.
To gauge its market popularity, first look at the statistics from the explorer platform:

The chart shows data from October 17th to November 1st, 15 days, covering transaction count, total transaction value, number of buyers and number of sellers.
The data clearly show a surge followed by a decline. Faced with the continuing fall in buyers, many believe this is simply the early phase after everyone's first taste, and that the next surge is yet to come.
But is that really the case? We need to systematically consider its advantages and disadvantages.
Shortcomings
First, the X402 system is not complicated, which shows that the key factors driving payment adoption in the past were never at the technical level.
The current buzz comes more from the imagination stirred by the future narrative (staking out an early position in the most certain long-term narrative, the integration of AI and crypto).
The token issuance models currently fashionable in some circles are reminiscent of the bustling inscription era. After all, once a payment is recorded on the blockchain, the user receives a response; what that response is depends on what the service provider wants to give you (a token, paid content, VIP service and so on), but these flourishes are not X402's responsibility.
This means the essence of payment has not changed. Although the 402 status code sounds impressive, what is actually returned is unimportant: it can be a 402, a 200 with JSON, or anything else with a pile of data. Essentially, it is just an engineering wrapper that adds a payment step.
Secondly, the current hot topic, the AI agent payment experience, has exceeded Coinbase's expectations. Its earlier strategy focused on cross-border e-commerce payments, which I believe was the more correct approach, including the ability to pay on-chain at Token2049.
This is a drawback because the actual need for AI agents to integrate payment flows hasn't materialized. An AI agent may call an API to retrieve data or other information, but adding payment logic lengthens the process considerably. Having developed MCPs myself and using agents mainly for daily tasks, I ask actual users: is AI truly reliable across such lengthy processes?
Therefore, in a scenario where data genuinely has to be purchased, I would rather fold it into a low-frequency operation and reduce it to an extremely simple process.
Moreover, the X402 payment process is far from perfect. We now understand why many cross-border payments take 1-2 days to settle: those poor experiences are not without reason, and many underlying issues ultimately shape the upstream structure. As a payment-oriented protocol, X402 completely lacks the rigor expected of a financial intermediary.
At the user level, there is no way to know how the system handles a network failure between the payment and the actual request, and there is no link between the API request and the transaction record. Currently, a payment is valid only for that single request; all other context is lost.
The reason Web2 payment flows don't use 402 is that there are many special cases to handle. Payment has not only a callback (redirecting to the merchant's specified page once payment completes) but also periodic re-notification: if the callback is not acknowledged, it is retried at increasing intervals (3 seconds, 5 seconds, 1 minute, and so on) until it succeeds, so that no transaction is lost.
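As an added example, not taken from any payment provider, here is the Web2 pattern just described written out: a settlement ledger that keeps the link between the request and the transaction record, a notifier that redelivers on a retry schedule until the merchant acknowledges, and a merchant endpoint that is idempotent on the transaction id so redelivery can never fulfil the same payment twice. The clock is simulated (the schedule entries are offsets, not real sleeps), and the retry offsets, request ids, transaction id and the endpoint's failures are all constructed for the example.

```javascript
// Added example: durable request<->settlement link plus retried, idempotent callbacks.
// Assumed retry offsets (seconds between attempts), mirroring the 3s / 5s / 1min pattern.
const RETRY_OFFSETS_SECONDS = [3, 5, 60, 300, 1800];

// Merchant-side callback endpoint. Fulfilment is keyed by the settlement's transaction id,
// so a redelivered notification cannot fulfil the same paid request twice.
class MerchantEndpoint {
  constructor(failFirst) { this.failuresLeft = failFirst; this.fulfilled = new Map(); this.deliveries = 0; }
  receive(note) {
    this.deliveries += 1;
    if (this.failuresLeft > 0) { this.failuresLeft -= 1; throw new Error('simulated network failure'); }
    if (!this.fulfilled.has(note.transaction)) {
      this.fulfilled.set(note.transaction, { requestId: note.requestId, settledAt: note.settledAt });
    }
    return 'ack';
  }
}

// Payment-side notifier. Every settlement is recorded together with the request it paid
// for, and redelivered on the schedule until the merchant acknowledges it.
class Notifier {
  constructor(endpoint) { this.endpoint = endpoint; this.ledger = new Map(); }
  recordSettlement(requestId, transaction, settledAt) {
    this.ledger.set(transaction, { requestId, settledAt, acked: false, attempts: [] });
  }
  // Returns the simulated times at which delivery was attempted during this run.
  deliver(transaction) {
    const rec = this.ledger.get(transaction);
    const attempts = [];
    let t = rec.settledAt;
    for (const offset of [0, ...RETRY_OFFSETS_SECONDS]) {
      t += offset;
      attempts.push(t);
      try {
        this.endpoint.receive({ transaction, requestId: rec.requestId, settledAt: rec.settledAt });
        rec.acked = true;
        break;                      // acknowledged: stop retrying
      } catch (e) { /* transient failure: wait for the next slot */ }
    }
    rec.attempts.push(...attempts);
    return attempts;                // still unacked after the last slot: manual reconciliation
  }
  // The link the text says X402 lacks: from an API request id back to its settlement.
  lookupByRequest(requestId) {
    for (const [transaction, rec] of this.ledger) if (rec.requestId === requestId) return { transaction, ...rec };
    return null;
  }
}

function runCallbackDemo() {
  const endpoint = new MerchantEndpoint(2);        // constructed: the first two deliveries fail
  const notifier = new Notifier(endpoint);
  notifier.recordSettlement('req-42', '0xabc', 1000);
  const attempts = notifier.deliver('0xabc');
  notifier.deliver('0xabc');                       // duplicate redelivery, e.g. after a notifier restart
  return { attempts, acked: notifier.ledger.get('0xabc').acked, deliveries: endpoint.deliveries,
    fulfilled: endpoint.fulfilled.size, linked: notifier.lookupByRequest('req-42').transaction };
}
```

Two properties matter here. The callback is acknowledged on the third attempt, at the 3 s and then 5 s offsets, without losing the transaction; and the deliberate fourth delivery is absorbed by the idempotency check, so the merchant fulfils the order exactly once. In a bare X402 flow the client has neither: a lost response after settlement leaves a burned nonce and no record the client can present to claim what it paid for.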
Furthermore, while the Web3 world prizes efficiency and decentralization, this system by its nature lacks KYC and oversight, which seems to fit the principle of decentralization. But merchants aren't after decentralization; they simply want a more convenient payment experience that makes things easier for users. Aren't they afraid of being held accountable by local regulators?
The result is this: if you actually used X402 for payments, would you dare use it for large amounts? Would merchants dare offer it? Would you dare hand private-key custody to an AI?
X402 is therefore more like QR-code payment: one-way and simple, but needing other components before it is commercially viable. That is the direction builders are now working on. Cloudflare's solution, for example, adds a deferred payment mechanism and then drops blockchain payment in favour of traditional credit cards; Coinbase, for another, integrates refundable escrow contracts to address these issues.
Advantages
Objectively, the payment sector is truly hard to expand into, because user habits and trust are extremely hard to move; every shift in payment platforms has come from a large-scale technological change. Right now, however, AI payments are in their infancy and cross-border payments have the opportunity opened by stablecoin regulation. Against that backdrop, a major storm may be brewing from the smallest ripples.
Furthermore, Coinbase has brought in a number of excellent allies this time. Within the X402 stack there is also ERC-8004, the on-chain agent reputation registry, whose authors include one representative each from Google, the Ethereum Foundation, MetaMask and Coinbase itself, forming a significant strategic alliance.
In addition, there are fewer and fewer sectors that VC firms can understand these days (laughs), and payment is one of them.
As a typical winner-takes-all sector with huge future profits, it is relatively easy to secure VC support here as long as you have a decent product and a decent background. So we saw many institutions publish research reports on X402 immediately, presenting a compelling narrative for limited partners (LPs) and highlighting the inherent advantages of blockchain as a payment rail.
Coinbase CEO Brian Armstrong has just endorsed X402 again on Twitter, and almost all the major exchanges have joined the fray. Many of the disadvantages will be resolved gradually as the established players build their own systems.
It is at this moment that the X402 Builders need to remain calm.
This is a rare new wave of consensus, and not every resource should be thrown at the token launch platforms.
In the Web3 market, a launch is the final act, a stage for profit distribution and a hook for early attention; but a launch is only a means, not an end.
Finally
Objectively speaking, it has both advantages and disadvantages. Judging from the trend, I believe that the X402 will enter a period of silence and needs to wait for a better opportunity.
Payment is a craft that requires a great deal of finesse: recall how Alipay grew in the merchant scenario and was then ambushed by WeChat Pay's Chinese New Year red-envelope campaign. Currently, X402's strongest area is cross-border payment, given that countless people have already experienced how hard it is to pay for OpenAI.
By combining the new payment system with the global payment needs of a blockbuster product, more people can experience blockchain payment for the first time.
And once a leading platform launches another TGE airdrop, the hype can be reignited through transaction mining, continuously expanding its reach beyond the core audience.
- Core point: X402 is an AI payment protocol driven by Coinbase.
- Key elements:
  - A stateless payment protocol based on the HTTP 402 status code.
  - Introduces the Facilitator role to verify on-chain payments.
  - Combines with ERC-3009 for a gas-free payment experience.
- Market impact: drives adoption of blockchain payments in cross-border and AI scenarios.
- Timeliness: long-term impact