x402 Security Self-Scan

Twenty-five checks across six areas, scored live in your browser. Self-review your x402 integration before you ship to mainnet or book a paid audit.

01 · The Self-Scan

Score Your Integration In Minutes

This is the same control set we run against agent-payment rails in a paid audit, opened up so you can grade yourself first. Tap the controls you already have in place and a live security score builds as you go. Nothing is sent anywhere; it runs entirely in your browser.

  • 25 controls spanning challenge-and-verify, settlement, contract surface, keys, tenancy, and resilience.
  • 6 areas where an agent-payment integration most often leaks money or exposes a wallet.
  • 0–100 instant score with a letter grade and a plain reading of where your real exposure sits.

02 · The Twenty-Five Checks

Tap Through Your Controls

Work down the six sections and mark every control your integration already has in place. Your live score appears in the corner. Want the full checklist with implementation pointers and reference code in your inbox? Use the panel on the left.


Challenge and Verify Flow

  • Nonce replay protection. Every payment header carries a unique nonce that is rejected if seen within the payment window. Backed by a TTL-bounded store, not in-memory only.
  • Idempotency keys honored. Repeat requests with the same Idempotency-Key return the cached response instead of re-charging the agent.
  • Payment-window enforcement. Payments older than the configured window are rejected before adapter verification runs.
  • Schema validation hard-fails. Malformed payment headers return a 4xx, never reach adapter verification, and never log secrets.
  • Accepts array correctness. The 402 challenge lists every supported network, asset, amount, and payTo with the correct CAIP-2 identifiers.
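The first four controls above are ordering rules as much as individual checks: a cached idempotent response short-circuits everything, schema validation fails before any adapter work, the window check runs before the nonce is even stored, and only a fresh, in-window, well-formed payment reaches settlement. The following Python is an added example, not code from this page or from HSS or BitBooth; the JSON header shape and its field names, the window length, and the `fake_settle` adapter are assumptions made for the example, and the in-process TTL nonce store stands in for a shared store with TTL.

```python
import json
import time
from typing import Callable, Optional

# Constructed header shape for this example; the real x402 wire encoding is not
# reproduced and these field names are assumptions.
REQUIRED_FIELDS = {"nonce": str, "timestamp": int, "network": str,
                   "asset": str, "amount": str, "payTo": str}
PAYMENT_WINDOW_SECONDS = 300   # illustrative
CLOCK_SKEW_SECONDS = 30        # tolerate slightly-future timestamps


class PaymentRejected(Exception):
    """An HTTP status plus a reason that never echoes the raw header or any secret."""
    def __init__(self, status: int, reason: str):
        super().__init__(f"{status} {reason}")
        self.status, self.reason = status, reason


class NonceStore:
    """TTL-bounded seen-nonce store. Stands in for Redis or DynamoDB with a TTL so the
    example runs offline; expiry keeps it bounded, and in production it must be shared
    across instances, never a per-process dict."""
    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self._expiry: dict[str, float] = {}

    def check_and_insert(self, nonce: str, now: float) -> bool:
        self._expiry = {n: exp for n, exp in self._expiry.items() if exp > now}
        if nonce in self._expiry:
            return False                # replay inside the window
        self._expiry[nonce] = now + self.ttl
        return True


def validate_schema(raw_header: str) -> dict:
    """Hard-fail on anything that is not exactly the expected shape."""
    try:
        payload = json.loads(raw_header)
    except (json.JSONDecodeError, TypeError):
        raise PaymentRejected(400, "malformed payment header")
    if not isinstance(payload, dict):
        raise PaymentRejected(400, "malformed payment header")
    for name, typ in REQUIRED_FIELDS.items():
        value = payload.get(name)
        # bool is a subclass of int, so it must be excluded explicitly for timestamp
        if value is None or isinstance(value, bool) or not isinstance(value, typ):
            raise PaymentRejected(400, f"missing or invalid field: {name}")
    return payload


def handle_payment(raw_header: str, idempotency_key: Optional[str], nonces: NonceStore,
                   idem_cache: dict, settle: Callable[[dict], dict],
                   now: Optional[float] = None) -> dict:
    """Order matters: cached response, schema, window, nonce, and only then the
    network-bound adapter verification. Returns the HTTP-level response dict."""
    now = time.time() if now is None else now
    try:
        if idempotency_key is not None and idempotency_key in idem_cache:
            return idem_cache[idempotency_key]   # completed request replayed: no re-charge
        payload = validate_schema(raw_header)
        age = now - payload["timestamp"]
        if age > PAYMENT_WINDOW_SECONDS or age < -CLOCK_SKEW_SECONDS:
            raise PaymentRejected(402, "payment outside window")
        if not nonces.check_and_insert(payload["nonce"], now):
            raise PaymentRejected(402, "nonce already used")
        response = settle(payload)               # adapter verification runs last
    except PaymentRejected as err:
        return {"status": err.status, "error": err.reason}
    if idempotency_key is not None:
        idem_cache[idempotency_key] = response   # scope the key per tenant in production
    return response


SETTLED: list[str] = []   # records which nonces reached the adapter (for the demo)


def fake_settle(payload: dict) -> dict:
    """Constructed stand-in for the chain adapter; a real one verifies on-chain."""
    SETTLED.append(payload["nonce"])
    return {"status": 200, "charged": payload["amount"]}
```

Two details worth copying: the window check runs before the nonce is inserted, so stale replays never fill the nonce store, and the rejection reason is a fixed string rather than anything derived from the header, so a malformed header cannot smuggle secrets into logs.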

On-Chain Settlement Verification

  • Confirmation depth tuned per chain. Base, XRPL, Solana, and Stellar each have different finality assumptions. Each adapter enforces its own minimum.
  • PayTo address validation. The on-chain transaction settles to your configured payTo, not an attacker-controlled address.
  • Amount in canonical base units. USDC at 6 decimals, XRP in drops (6 decimals), every chain handled in its own smallest unit. No floating-point math anywhere in the verify path.
  • Network mismatch detection. A payment claiming Base but settling on Polygon is rejected. CAIP-2 parsed before any RPC call.
  • RPC failure does not silently pass. A timeout or 5xx from the chain RPC fails closed, never open.
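The five settlement checks above reduce to one function with an ordered set of reject paths, and the important property is that every path, including an RPC outage, rejects. The Python below is an added example, not HSS or BitBooth code. The CAIP-2 identifiers eip155:8453 (Base) and eip155:137 (Polygon) are the real ones; "xrpl:0" as the XRPL mainnet identifier, the confirmation floors, the `Expected` and `ChainTx` shapes, and the `LEDGER` and `fake_fetch_tx` stand-ins are assumptions constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Callable, Optional

# Per-chain finality floors. The numbers are illustrative assumptions, not tuned
# values; the point is that the floor is looked up by chain, never shared.
MIN_CONFIRMATIONS = {"eip155:8453": 12, "eip155:137": 64, "xrpl:0": 1}
# Base-unit exponents per (network, asset). eip155:8453 is Base and eip155:137
# is Polygon; "xrpl:0" is assumed here as the XRPL mainnet identifier.
DECIMALS = {("eip155:8453", "USDC"): 6, ("eip155:137", "USDC"): 6, ("xrpl:0", "XRP"): 6}


@dataclass(frozen=True)
class Expected:            # what the 402 challenge advertised (constructed shape)
    network: str
    asset: str
    amount_base_units: int
    pay_to: str


@dataclass(frozen=True)
class ChainTx:             # what the chain adapter returns (constructed shape)
    network: str
    asset: str
    to: str
    amount_base_units: int
    confirmations: int


class RpcError(Exception):
    """Timeout, 5xx or transport failure from the chain RPC."""


def parse_caip2(identifier: str) -> tuple[str, str]:
    """CAIP-2 is namespace:reference, e.g. eip155:8453; anything else is rejected."""
    namespace, sep, reference = identifier.partition(":")
    if not sep or not namespace or not reference or ":" in reference:
        raise ValueError(f"not a CAIP-2 identifier: {identifier!r}")
    return namespace, reference


def to_base_units(amount: str, decimals: int) -> int:
    """Decimal string to integer base units; float never enters the path."""
    try:
        scaled = Decimal(amount).scaleb(decimals)
    except InvalidOperation:
        raise ValueError(f"not a decimal amount: {amount!r}")
    if not scaled.is_finite() or scaled != scaled.to_integral_value() or scaled < 0:
        raise ValueError("amount is negative or finer than the asset allows")
    return int(scaled)


def same_address(namespace: str, a: str, b: str) -> bool:
    """EVM hex addresses are case-insensitive; XRPL, Solana and Stellar addresses are not."""
    return a.lower() == b.lower() if namespace == "eip155" else a == b


def verify_settlement(claimed_network: str, tx_ref: str, expected: Expected,
                      fetch_tx: Callable[[str, str], Optional[ChainTx]]) -> tuple[bool, str]:
    """Returns (settled, reason). Every failure path, including an RPC outage, rejects."""
    try:
        namespace, _ = parse_caip2(claimed_network)      # parse before any RPC call
    except ValueError as err:
        return False, str(err)
    if claimed_network != expected.network:
        return False, "network mismatch"
    try:
        tx = fetch_tx(claimed_network, tx_ref)
    except (RpcError, TimeoutError) as err:
        return False, f"rpc failure, failing closed: {err}"
    if tx is None:
        return False, "transaction not found"
    if tx.network != expected.network or tx.asset != expected.asset:
        return False, "network or asset mismatch"
    if not same_address(namespace, tx.to, expected.pay_to):
        return False, "payTo mismatch"
    if tx.amount_base_units < expected.amount_base_units:
        return False, "underpaid"
    floor = MIN_CONFIRMATIONS.get(claimed_network)
    if floor is None:
        return False, "no confirmation policy for this chain"
    if tx.confirmations < floor:
        return False, f"only {tx.confirmations} of {floor} confirmations"
    return True, "settled"


# Constructed ledger and RPC stand-in so the example runs offline.
EXPECTED = Expected("eip155:8453", "USDC", to_base_units("1.5", 6), "0xAbC123")
LEDGER = {
    "good": ChainTx("eip155:8453", "USDC", "0xabc123", 1_500_000, 20),
    "wrong_to": ChainTx("eip155:8453", "USDC", "0xdead", 1_500_000, 20),
    "shallow": ChainTx("eip155:8453", "USDC", "0xabc123", 1_500_000, 3),
    "short": ChainTx("eip155:8453", "USDC", "0xabc123", 1_499_999, 20),
}


def fake_fetch_tx(network: str, tx_ref: str) -> Optional[ChainTx]:
    if tx_ref == "timeout":
        raise TimeoutError("rpc timed out")
    return LEDGER.get(tx_ref)
```

Note the address comparison: lower-casing is only correct for EVM hex addresses, so the normalisation is keyed on the CAIP-2 namespace rather than applied blindly, which is exactly the kind of per-chain assumption the confirmation-depth check is also making explicit.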

Smart Contract Surface

  • Reentrancy guard on every external call path. Checks-effects-interactions (CEI) ordering or a ReentrancyGuard modifier. No exceptions.
  • Access control reviewed. Every privileged function requires a verified role. No tx.origin checks anywhere.
  • Signature replay defenses. EIP-712 domain binding, chain-id binding, expiry, and seen-signatures store.
  • Oracle manipulation tested. If the contract reads a price feed, the audit covers single-block manipulation and TWAP defenses.
  • First-depositor share inflation. Vault contracts mint a minimum-liquidity dust amount on first deposit so share-price manipulation is not free.

Wallet and Key Management

  • Hot wallet exposure bounded. The agent wallet holds only the minimum runway, with a documented top-up policy and an alarm on balance drops.
  • Keys in KMS or Secrets Manager. No environment-variable-baked private keys, no plaintext in CI.
  • Multi-sig required for high-value routes. Routes priced above a configurable threshold require multi-sig approval before settlement counts as final.
  • Key rotation runbook documented. A written procedure exists, has been tested, and the engineering team has rehearsed it.

Tenant Isolation and Abuse

  • Per-tenant rate limiting tiered by plan. A free-tier tenant cannot exhaust the same Lambda concurrency a paid-tier tenant relies on.
  • Fraud event tracking on agent identity. Velocity rules across tenant + agent + IP, with a configurable suspension policy.
  • Route configuration injection blocked. Tenant-supplied route metadata cannot escape its sandbox into other tenants' settings.
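The first two controls in this section are easy to state and easy to get subtly wrong: a single global limiter lets a free tenant's burst consume capacity a paid tenant is paying for, and velocity rules keyed on one dimension miss an agent that rotates IPs. The Python below is an added example, not HSS or BitBooth code; the plan tiers, the per-dimension thresholds, the suspension scope (the agent identity) and the in-process state are assumptions made for the example, and a real deployment would keep this state in a shared store.

```python
from collections import defaultdict, deque

# Illustrative plan tiers: (requests per window, window seconds, reserved concurrency).
TIERS = {"free": (5, 60, 2), "pro": (100, 60, 20)}


class TenantRateLimiter:
    """Sliding-window limiter keyed by tenant; the limit comes from the tenant's plan."""
    def __init__(self):
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, tenant: str, tier: str, now: float) -> bool:
        limit, window, _ = TIERS[tier]
        hits = self._hits[tenant]
        while hits and hits[0] <= now - window:
            hits.popleft()              # drop timestamps outside the window
        if len(hits) >= limit:
            return False
        hits.append(now)
        return True


class ConcurrencyBudget:
    """Partitions worker concurrency per tier so a free-tier burst cannot starve paid tenants."""
    def __init__(self):
        self._in_use: dict[str, int] = defaultdict(int)

    def acquire(self, tier: str) -> bool:
        _, _, reserved = TIERS[tier]
        if self._in_use[tier] >= reserved:
            return False                # this tier's slots are gone; other tiers unaffected
        self._in_use[tier] += 1
        return True

    def release(self, tier: str) -> None:
        self._in_use[tier] = max(0, self._in_use[tier] - 1)


class VelocityGuard:
    """Counts fraud signals (failed verifications, replayed nonces, ...) on several
    dimensions with their own thresholds and suspends the agent when any one trips."""
    def __init__(self, thresholds: dict[str, int], window: float, suspend_for: float):
        self.thresholds, self.window, self.suspend_for = thresholds, window, suspend_for
        self._events: dict[tuple, deque] = defaultdict(deque)
        self._suspended_until: dict[str, float] = {}

    def is_suspended(self, agent: str, now: float) -> bool:
        return self._suspended_until.get(agent, 0.0) > now

    def record(self, tenant: str, agent: str, ip: str, now: float) -> bool:
        """Record one fraud event; return True if the agent is now suspended."""
        keys = {"agent": (agent,), "ip": (ip,), "tenant+agent+ip": (tenant, agent, ip)}
        tripped = False
        for dimension, key in keys.items():
            events = self._events[(dimension,) + key]
            while events and events[0] <= now - self.window:
                events.popleft()
            events.append(now)
            if len(events) > self.thresholds[dimension]:
                tripped = True
        if tripped:
            self._suspended_until[agent] = now + self.suspend_for
        return tripped
```

The composite tenant+agent+ip key carries the tightest threshold because it is the most specific signal; the agent-only key is looser but still catches an agent that spreads the same abuse across many source addresses, which a per-IP rule alone never sees.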

Operational Resilience

  • Webhook delivery uses a DLQ. Failed webhooks land in a dead-letter queue with exponential backoff and a sweeper, not retried in the request hot-path.
  • Facilitator failover documented. If your facilitator (CDP or other) goes down, you have a documented degraded-mode path.
  • Incident response readiness. A written runbook for "wallet compromised", "facilitator down", and "RPC misconfigured" exists. The team has rehearsed at least one.
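The webhook control above is about where retries happen: the request path makes exactly one delivery attempt and parks any failure in a dead-letter queue, and a separate scheduled sweeper retries with exponential backoff and retires entries that exhaust their attempts. The Python below is an added example, not HSS or BitBooth code; the backoff parameters, the `Webhook` shape and the `FlakyEndpoint` stand-in are assumptions, and the in-memory list stands in for a durable queue.

```python
from dataclasses import dataclass
from typing import Callable, Optional

BASE_DELAY_SECONDS = 2.0     # illustrative backoff parameters
MAX_DELAY_SECONDS = 300.0
MAX_ATTEMPTS = 4


@dataclass
class Webhook:
    id: str
    url: str
    payload: dict
    attempts: int = 0
    next_attempt_at: float = 0.0
    last_error: Optional[str] = None


def backoff_delay(attempt: int) -> float:
    """2s, 4s, 8s, ... capped. Production would add jitter so retries do not align."""
    return min(BASE_DELAY_SECONDS * 2 ** (attempt - 1), MAX_DELAY_SECONDS)


class WebhookDispatcher:
    def __init__(self, deliver: Callable[[Webhook], None]):
        self.deliver = deliver          # performs one HTTP POST and raises on failure
        self.dlq: list[Webhook] = []    # dead-letter queue (a durable queue in production)
        self.dead: list[Webhook] = []   # exhausted retries: surface to an operator

    def send(self, hook: Webhook, now: float) -> bool:
        """Hot path: exactly one attempt. A failure is parked in the DLQ, never retried inline."""
        try:
            self.deliver(hook)
            return True
        except Exception as err:
            hook.attempts += 1
            hook.last_error = str(err)
            hook.next_attempt_at = now + backoff_delay(hook.attempts)
            self.dlq.append(hook)
            return False

    def sweep(self, now: float) -> int:
        """Scheduled sweeper: retries due entries and retires exhausted ones.
        Returns the number of entries it processed."""
        due = [h for h in self.dlq if h.next_attempt_at <= now]
        for hook in due:
            self.dlq.remove(hook)
            if hook.attempts >= MAX_ATTEMPTS:
                self.dead.append(hook)  # stop retrying; keep the record for the runbook
                continue
            self.send(hook, now)        # a failure re-enters the DLQ with a longer delay
        return len(due)


class FlakyEndpoint:
    """Constructed stand-in for a customer endpoint that fails its first N calls."""
    def __init__(self, failures_before_success: int):
        self.remaining_failures = failures_before_success
        self.received: list[str] = []

    def __call__(self, hook: Webhook) -> None:
        if self.remaining_failures > 0:
            self.remaining_failures -= 1
            raise ConnectionError("503 from endpoint")
        self.received.append(hook.id)
```

Because `send` never loops, a slow or down customer endpoint costs the request path one timeout at most; the sweeper absorbs the rest, and the `dead` list is what the "facilitator down" style runbooks in the next control would have an operator drain.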

If your integration cannot tick all twenty-five boxes, an HSS x402 audit closes the gaps for a flat fee, with Quick Scan, Full Audit, and Hardened tiers starting at three thousand dollars.


Turn Your Score Into A Hardened Integration

The self-scan tells you where the gaps are. An HSS x402 audit closes them. We review your agent-payment surface against the same control set you just graded yourself on. The audit is backed by BitBooth, our multi-chain payment gateway, which runs in production on Base mainnet settling real USDC, with its source public and MIT licensed. Bring us your score and we will tell you straight which tier fits.
