
Tavily's One Cent: Is Agent Payments Another Overhyped Concept

If someone wants to convince you that agent payments are actually happening, the best evidence isn’t a protocol whitepaper, a demo video, or a Twitter screenshot. It’s a shell command that actually ran.

npx awal@latest x402 pay https://x402.tavily.com/search \
  -X POST -h '{"Content-Type":"application/json"}' \
  -d '{"query":"Who is Lionel Messi?","search_depth":"advanced","max_results":5}' \
  --max-amount 10000

--max-amount 10000. In USDC’s smallest unit, 10000 equals $0.01. The entire chain runs on the Base blockchain: an agent signed an on-chain transaction with its own wallet, paid one cent, and received search results. Real money moved to Tavily’s account. Not a simulator, not a testnet, not “coming soon.”

This happened on May 27, 2026. Tavily connected its search API to a new protocol called x402. x402 finally put the 402 Payment Required HTTP status code — dormant in the standard for 30 years — to actual use. An agent requests a resource, receives a 402 response, pays automatically, and gets the result. Coinbase led the effort. Cloudflare, Google, Stripe, Visa, and Mastercard all followed.

Compare this with the “agentic commerce” buzz of 2024-2025. The biggest difference isn’t that protocols are more standardized. It’s that the amount dropped. Stripe charges range from ten to hundreds of dollars per credit card transaction, designed for human spending habits. One cent per search is designed for agent spending habits.

Tavily’s one cent is the smallest unit that’s actually engineering-viable. An agent spent real money and bought a real service. Following this case reveals which agent scenarios genuinely need machine payments and which are just rebranding old problems. It also clarifies whether to add this layer to your own agent product.


It Actually Shipped

The announcement blog from May 27 states: Tavily Search is now available to agents via the x402 protocol. No API key needed, no account required, no prepayment.

From the Tavily x402 docs:

amount: "10000" is USDC’s six-decimal unit, equal to $0.01. --max-amount 10000 is a hard cap the user sets for the agent. Tavily shipped agent self-payment as a product, not a slide deck.

Two differences matter most.

First, it’s for production agents, not demos. Tavily’s docs confirm all standard search parameters (query, max_results, time_range, etc.) work as usual, running advanced search. For a real research agent or coding agent, this paid call is a priced, auditable event.

Second, it doesn’t bypass the existing agent tooling stack. Coinbase’s Agentic Wallet MCP already works inside Claude Code, Cursor, and Codex. The agent auto-pays when it receives a 402 response. Cloudflare’s Agents SDK offers native support. Tavily connecting to this chain means an agent can decide “I need to look up X right now,” pay, get results, and continue reasoning, all within the same runtime. The task flow continues uninterrupted.

You can try it.

How It Works

The HTTP protocol reserved status code 402 in 1996 with the note “reserved for future payment systems.” It sat unused for 30 years because the payment infrastructure couldn’t support it. Credit card per-swipe fees made no sense at this granularity, and PayPal couldn’t process machine-initiated payments. In May 2025, Coinbase picked this up and built x402. The logic runs in four steps:

  1. A client (agent or script) requests a URL.
  2. The server returns 402 Payment Required, with the response header specifying the price, accepted asset, network, and payment address. In Tavily’s response, accepts[0].amount is "10000", network is "eip155:8453" (Base mainnet), and asset is "0x8335...", USDC.
  3. The client signs the payment using its wallet via EIP-3009 USDC transfer authorization, places the signature in the PAYMENT-SIGNATURE header, and retries the request.
  4. The server verifies the signature, settles on-chain, returns HTTP 200 with the results, and attaches the on-chain transaction hash in the PAYMENT-RESPONSE header as a receipt.

EIP-3009 is the key piece. It’s an off-chain signing standard supported by the USDC contract: the agent signs locally and broadcasts the transaction with no private key exposure to any intermediary. This is why x402 can complete the full cycle (agent initiates, on-chain settlement, results returned) in seconds.

There’s an additional role in the chain called the facilitator, which verifies signatures and broadcasts transactions on behalf of the server. Coinbase runs a public facilitator. Other chains and wallet providers run their own. Tavily’s docs recommend Coinbase’s. The facilitator holds no funds. It’s a pure technical intermediary, which means servers don’t need to interact with the blockchain directly, lowering the integration barrier.

Mapping these to familiar concepts:

$0.01 + near-zero on-chain overhead + settlement in seconds. This combination supports per-use pricing at agent scale. Stripe’s per-transaction fee model simply cannot reach this granularity.

Why Tavily

Using search as the x402 proving ground wasn’t arbitrary. Tavily already had two product lines: the API key path, traditional SaaS where a human registers, gets a key, embeds it in the agent, and pays monthly; and the Keyless path, where you send an X-Tavily-Access-Mode: keyless header and call directly, free, mainly for local developer testing.

x402 is the third line. The docs state:

“Pay per request for Advanced Search in USDC on Base — no API key, no account, no human in the loop.”

Search works particularly well for agent self-payment because it’s the most frequently invoked tool. A long-running research agent doesn’t know in advance whether it will need to query a specific API, database, or vertical data source next. It only knows “I need X information now.” If every potential search and data service requires a human to pre-register, insert a key, and bind a card, the agent cannot operate independently.

Tavily’s move carries strategic weight far beyond that $0.01/search line. First, it positions itself at the entry point of the agent tool marketplace. Tavily is already listed on agentic.market (an agent app store) and x402scan (an x402 resource explorer). An agent that starts up and needs a search service can search “web search” and find Tavily, paying per call. Second, once the agent self-payment line is operational, Tavily’s higher-value capabilities like /crawl, /map, and /research can commercialize down the same path without depending on human subscriptions. Third, it moved first in the search API industry. Parallel, Exa, and Brave largely remain on API key models. A few have started integrating x402, but Tavily is the first to make agent self-payment an explicit product line, listed in the bazaar, with complete documentation.

Search offers a less obvious advantage: the cost of mistakes is low. Wrong result, one cent wasted. Agent tricked into paying, one cent times a few thousand is still only a few hundred dollars. That’s at least an order of magnitude lower than letting an agent swipe Stripe for SaaS subscriptions, KYC, and contract agreements.

Who’s Competing for This Layer

x402 isn’t Tavily’s solo effort. It belongs to a rapidly forming stack. Zooming out avoids the question of “am I being led by Tavily’s PR?”

At least three players are active at the payment settlement layer.

x402, led by Coinbase with deep support from Cloudflare, does per-use settlement via stablecoins on HTTP 402. Solana alone has processed over 35M transactions, and the total annualized stablecoin settlement volume is roughly $1 billion. Cloudflare data shows their edge network processes approximately 1 billion 402 responses daily. Most are legacy error responses, but the status code is now genuinely in use.

Opposite x402 is MPP from Stripe and Tempo. MPP is compatible with x402’s exact charge flow but adds several things: multi-payment-method support (cards, wallets, stablecoins, Lightning), IETF standardization (Internet-Draft submitted), and a streaming session mechanism where an agent deposits funds upfront and subsequent calls use off-chain vouchers without hitting the chain each time. Stripe joined the x402 Foundation while also pushing MPP. The stance is clear: x402 is an open protocol, no harm joining; MPP is Stripe-led and represents the future they’re betting on.

Above both sits Google’s AP2. AP2 doesn’t solve “how to pay.” It solves “who authorized the agent to pay.” Using mandates (cryptographically signed authorization contracts), it answers three questions: did the user authorize this agent to perform this action, does the agent’s request genuinely reflect the user’s intent, and who bears responsibility when something goes wrong. x402 has been integrated into AP2 as a crypto payment extension. Google donated AP2 to the FIDO Alliance in April 2026, acknowledging this layer as public infrastructure.

Beyond these three layers, the full chain clarifies where x402 actually sits. A previous analysis of the agent payments trust chain mapped the full lifecycle: user intent to authorization boundaries, credential issuance, merchant acceptance, network risk controls, audit and disputes, and finally the question “an agent might be authorized and auditable but still buy the wrong thing.” x402 fills the payment credential and settlement link in that chain, the segment between AP2’s authorization and merchant acceptance. Tavily’s one cent isn’t valuable because it filled the entire chain. It’s valuable because it shows one link running in a real environment.

In the short term, x402 is seizing first-mover advantage. CryptoSlate industry data shows x402 adjusted monthly volume dropped 77% from its November 2025 peak of $5.15M to $1.19M by May 2026. Over the same period, raw transaction counts rebounded to 2.89M. First mover doesn’t mean final winner.

In the medium term, the next 6 to 18 months, whoever solves high-frequency, low-value transactions wins. MPP’s streaming sessions use a prepay-plus-off-chain-voucher approach. x402’s upto scheme settles based on actual consumption. These details determine which protocol can sustain thousands of agent calls per second.

In the long term, 18 months out, the key factor is no longer the payment layer but authorization and risk controls. AP2 plus a policy engine plus an identity layer together determine whether this stack reaches production grade. x402 is necessary, but far from sufficient.

Real Concerns

If you think “the agent has USDC in its wallet, so it can pay” is good enough, Tavily’s implementation will be misused. Reading the Tavily docs alongside Halborn’s x402 security analysis reveals six risks that are either already occurring or highly likely.

First, prompt injection tricking the agent into paying. This is the most realistic one. An agent reads a webpage that contains a hidden instruction to call an API for weather data. The agent executes, and the payment address has already been swapped to the attacker’s wallet. Halborn’s analysis states directly: “A malicious 402 page could be used to trick an autonomous agent into paying more than intended for a particular resource.”

Second, payment replay. The same signature gets copied and reused. Tavily uses EIP-3009 nonces to block some of this, but it requires the server to maintain a nonce database. If the implementation cuts corners, an attacker can use one payment for unlimited calls.

Third, man-in-the-middle tampering with 402 responses. An attacker swaps the payTo address for their own. The agent signs and pays as usual, unaware. HTTPS/TLS plus payload signing within the header are both required.

Fourth, wallet theft. The machine running the agent gets compromised, and the wallet’s USDC gets drained in one shot. This isn’t a protocol vulnerability. It’s an engineering problem: the agent needs a separate small wallet with a balance small enough that theft remains manageable.

Fifth, on-chain privacy leakage. All 402 payments are publicly visible on Base. Who paid how much to which service provider for what query can be correlated to build a behavioral profile of the agent’s activity. Halborn recommends single-use addresses or similar tools to break this linkability.

Sixth, facilitator centralization. If a facilitator goes down or faces censorship, the entire x402 flow may fail. Production systems need multiple facilitator support or direct on-chain verification by the server itself.
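For the second risk above (payment replay), here is a sketch of the server-side nonce ledger, added as an illustration and not taken from Tavily's or Coinbase's code. It assumes the signature has already been verified (the facilitator's job) and that the authorization carries the EIP-3009 fields from, nonce, validAfter and validBefore; the table and function names are hypothetical.

```python
import sqlite3


def open_ledger(path=":memory:"):
    """Create the nonce ledger; the primary key is what makes a replay fail."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS used_nonces (
                      payer TEXT NOT NULL,
                      nonce TEXT NOT NULL,
                      valid_before INTEGER NOT NULL,
                      PRIMARY KEY (payer, nonce))""")
    return db


def redeem(db, auth, now):
    """Consume an already-verified payment authorization exactly once."""
    # EIP-3009 authorizations are only valid strictly inside this window.
    if not (auth["validAfter"] < now < auth["validBefore"]):
        return "rejected: outside validity window"
    try:
        # One atomic insert-or-fail: a separate "SELECT then INSERT" would let
        # two concurrent requests both pass the check with the same signature.
        with db:
            db.execute("INSERT INTO used_nonces VALUES (?, ?, ?)",
                       (auth["from"].lower(), auth["nonce"].lower(),
                        auth["validBefore"]))
    except sqlite3.IntegrityError:
        return "rejected: nonce already used"
    return "accepted"


def prune(db, now):
    """Drop rows whose window has closed; the window check now rejects them."""
    with db:
        cur = db.execute("DELETE FROM used_nonces WHERE valid_before <= ?",
                         (now,))
    return cur.rowcount
```

Serving the search result only after `redeem` returns "accepted" is what ties one payment to one call.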

For your own product, here’s what needs to happen. Give the agent a separate wallet. The main wallet should never touch the agent’s call flow. The agent’s wallet should hold only enough USDC for one or two sessions (Tavily’s docs directly mention this). Enforce hard caps. --max-amount 10000 isn’t optional, it’s required. Whitelist recipient addresses. Validate accepts.payTo fields through a policy engine. New addresses require human-in-the-loop approval. Tiered approvals: small amounts auto-approve, medium amounts require confirmation, large amounts use a separate approval flow. AWS’s sample architecture provides an engineering template: the agent proposes payment, the Spend Governor checks policy before releasing it. Finally, every 402 challenge, every payment, every failure goes into logs. On-chain transactions should be retroactively verifiable.
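A minimal spend-governor check for the controls listed above, run on the parsed 402 challenge before the agent signs anything (step 3 of the flow). It is an added example, not AWS's, Coinbase's or Tavily's code. The tier thresholds, session budget and function names are assumptions, and both addresses are labelled placeholders because the page truncates the real asset address.

```python
import json
import time

# Constructed policy; addresses are labelled placeholders, not real wallets.
POLICY = {
    "network": "eip155:8453",             # Base mainnet, as quoted on this page
    "asset": "0xUSDC_ASSET_PLACEHOLDER",  # the page elides the real address
    "known_pay_to": {"0xknown_payee_placeholder"},
    "auto_max": 10_000,         # <= $0.01 (6-decimal USDC units): auto-approve
    "confirm_max": 100_000,     # <= $0.10: confirmation; above: escalate
    "session_budget": 500_000,  # most the agent wallet may spend per session
}
AUDIT_LOG = []  # stand-in for an append-only log sink


def parse_amount(raw):
    """Amounts are decimal strings of smallest units; reject anything else."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        raise ValueError(f"non-integer amount: {raw!r}")
    return int(raw)


def decide(challenge, spent, policy):
    """Apply the policy to accepts[0]; returns (decision, reason)."""
    try:
        offer = challenge["accepts"][0]
        amount = parse_amount(offer["amount"])
        network, asset, pay_to = offer["network"], offer["asset"], offer["payTo"]
        if not all(isinstance(v, str) for v in (network, asset, pay_to)):
            raise TypeError("non-string field")
    except (KeyError, IndexError, TypeError, ValueError) as exc:
        return "deny", f"malformed challenge: {exc}"
    if network != policy["network"] or asset.lower() != policy["asset"].lower():
        return "deny", "unexpected network or asset"
    if pay_to.lower() not in {a.lower() for a in policy["known_pay_to"]}:
        return "needs_human", "payTo not on allowlist"
    if spent + amount > policy["session_budget"]:
        return "deny", "session budget exceeded"
    if amount <= policy["auto_max"]:
        return "auto_approve", "within per-call cap"
    if amount <= policy["confirm_max"]:
        return "needs_confirmation", "above auto-approve tier"
    return "escalate", "large amount: separate approval flow"


def evaluate(challenge, spent, policy=POLICY, log=AUDIT_LOG):
    """Gate a parsed 402 challenge before signing; every outcome is logged."""
    decision, reason = decide(challenge, spent, policy)
    log.append(json.dumps({"ts": time.time(), "decision": decision,
                           "reason": reason, "challenge": challenge},
                          default=str))
    return decision, reason
```

The wallet signs only on `auto_approve`; a swapped payTo address, as in the prompt-injection and tampering cases above, comes back as `needs_human` instead of being paid.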

These shouldn’t be called recommendations. They should be called “don’t go to production without this.”

What This Means for You

Whether an agent product builder should integrate a payment layer like x402 depends on what the agent looks like.

In the short term, within 6 months, you probably don’t need it. Tavily’s agent self-payment search offers demo-level value to your users, not production value. Production agents with API keys are still cheaper, more controllable, and more auditable. $0.01/call sounds cheap, but an agent might make dozens of calls per task. Add chain overhead and prompt injection risk, and the total cost and management burden exceed the convenience of skipping key management.

But x402 has a non-technical, independently valuable use case in the short term: explaining to non-technical people what the agent era looks like. A PM or CEO watching Claude Code use its own wallet to call Tavily is more effective than any pitch deck.

This is worth comparing with the trust chain analysis. That piece concluded the two most realistic near-term paths are human-present checkout going mainstream first and enterprise automated spending landing second. Tavily’s x402 represents a third emerging path beyond those two: not consumer-side purchase delegation, not enterprise virtual card procurement, but machine-to-machine API-level micropayments. This path currently has the smallest volume, but its fit with agent builders may be the strongest. You build agents. Your agents make dozens of API calls daily, and some of those APIs aren’t ones you manage yourself. x402 addresses exactly this.

In the medium term, 6 to 18 months, three scenarios will force you to adopt x402 or similar solutions. First, multi-agent collaboration systems where a primary agent needs to temporarily call a tool it hasn’t seen before, like a vertical data source, a fine-tuned model API, or a specific scraper. Paying per call is an order of magnitude cleaner than pre-registering fifty API keys. Second, once agent marketplaces launch, directories like x402scan and agentic.market become the real app stores for agents. If your tool isn’t there, you’re absent from a distribution channel. Third, enterprise agent deployments replacing internal API gateway plus key management with lightweight procurement via x402, with per-use settlement naturally aligning with P&L.

In the long term, 18 months out, don’t fixate on the payment layer. Fixate on authorization and risk controls. AP2 plus a policy engine plus an identity layer together determine whether this stack reaches production grade. Your agent wallet strategy, budget caps, and allowlist mechanisms matter at least an order of magnitude more than “which payment protocol to support.”

How to Tell the Difference

How to distinguish real progress from PR in agent payment news: look at three things.

First, did it actually spend real money? A demo video and “$0.01 actually settled on-chain” are different things. Tavily shipped a real product, a real endpoint, a real transaction on real Base mainnet.

Second, does it solve a problem unique to the agent era, rather than rebranding an existing problem? “Cross-border stablecoin transfers” don’t count. PayPal has been doing that. “An agent autonomously discovers an unknown API at runtime and pays to call it” counts.

Third, does the amount and frequency match the shape of a real agent workflow? A $50 monthly subscription isn’t designed for agent consumption patterns. An agent burns through that in thirty minutes. $0.01/call is. A single research task might involve 50 to 200 searches, one cent each, totaling one to two dollars. The agent’s own budget can cover it.

All three present: worth a serious look. Only one present: probably PR.

Tavily’s one cent is the smallest engineering-viable unit. It clarifies one thing: in the agent era, spending is tiny, fast, human-free, and auditable. This combination had never genuinely appeared in production before. It has now.