HTTP 402 + Grantex

Grantex × x402

Agent Spend Authorization for HTTP 402 Payment Flows

The x402 protocol enables AI agents to pay for APIs with USDC on Base L2. Grantex adds the missing layer: proving the agent was authorized to spend. No compromised agents draining wallets. No unauthorized payments.

npm install @grantex/x402

The Gap in x402

x402 solves payments. Grantex solves authorization.

Without Grantex

x402 proves a payment was made, but not that the paying agent was authorized. A compromised agent can drain a wallet by invoking x402-gated APIs with no scope, no limit, no audit trail, and no kill switch.

With Grantex

Every x402 payment carries a Grantex Delegation Token (GDT) — a W3C Verifiable Credential that encodes who authorized the spend, what scope it covers, the maximum spend limit, the expiry, and the full delegation chain.

How It Works

Four steps from delegation to data.

Issue GDT

Principal issues a scoped delegation token: weather:read, $10/day, 24h expiry.

Attach to Request

Agent sends the request with X-Grantex-GDT header containing the signed JWT.

Pay + Verify

API returns 402, agent pays with USDC, API verifies both payment and GDT.

Audit Trail

Every authorization event is logged: who, what, when, how much.

Developer Experience

Three APIs cover the entire flow.

Issue a GDT

import { generateKeyPair, issueGDT } from '@grantex/x402';

const principal = generateKeyPair();
const agent = generateKeyPair();

const gdt = await issueGDT({
  agentDID: agent.did,
  scope: ['weather:read'],
  spendLimit: { amount: 10, currency: 'USDC', period: '24h' },
  expiry: '24h',
  signingKey: principal.privateKey,
});

Agent Fetch

import { createX402Agent } from '@grantex/x402';

const x402 = createX402Agent({
  gdt: gdtToken, // the signed JWT returned by issueGDT()
  paymentHandler: async (details) => {
    // Sign USDC transfer on Base L2 (payOnBase is the app's own wallet integration)
    return await payOnBase(details);
  },
});

// Automatic: 402 -> pay -> retry with GDT
const res = await x402.fetch('https://api.weather.xyz/forecast');

Protect API

import express from 'express';
import { x402Middleware } from '@grantex/x402';

const app = express();

// Every request under /api/weather must carry a valid payment and a GDT with weather:read
app.use('/api/weather', x402Middleware({
  requiredScopes: ['weather:read'],
  currency: 'USDC',
}));

app.get('/api/weather/forecast', (req, res) => {
  res.json({
    forecast: 'sunny',
    authorizedBy: req.gdt.principalDID, // populated by the middleware from the verified GDT
  });
});

GDT Token Structure

W3C Verifiable Credential 2.0 encoded as a JWT, signed with Ed25519.

{
  "iss": "did:key:z6Mk...principal...",
  "sub": "did:key:z6Mk...agent...",
  "vc": {
    "@context": ["https://www.w3.org/ns/credentials/v2"],
    "type": ["VerifiableCredential", "GrantexDelegationToken"],
    "credentialSubject": {
      "scope": ["weather:read"],
      "spendLimit": { "amount": 10, "currency": "USDC", "period": "24h" },
      "paymentChain": "base",
      "delegationChain": ["did:key:...principal..."]
    }
  },
  "exp": 1711123200,
  "jti": "550e8400-e29b-..."
}

scope

What APIs the agent can access: weather:read, news:*, etc.

spendLimit

Maximum spend per period: $10 USDC per 24 hours.

delegationChain

Full chain from organization to principal to agent.

paymentChain

Target blockchain for payments: Base L2.

Features

W3C VC 2.0

Standards-compliant Verifiable Credentials for interoperability.

Ed25519 Signatures

Fast, secure EdDSA cryptographic signatures. Offline verification.

Spend Limits

Per-period caps prevent wallet drain. $10/day, $100/week, etc.

Instant Revocation

Revoke a compromised agent's token immediately. Sub-second enforcement.

Full Audit Trail

Every issuance, verification, and rejection is logged. Exportable for compliance.

Base L2 Native

Built for USDC on Base L2. Pluggable payment handlers for any chain.

Architecture

Principal ──── issueGDT() ───── GDT (W3C VC 2.0 JWT)
 (Human)                              |
                                      v
  Agent ──── x402Agent.fetch() ──── x402 API
                  |                     |
             402 Payment            GDT Verify
                  |                     |
             Base L2 Pay             Audit Log
               (USDC)              (append-only)
                                        |
                                Revocation Registry