This doesn't seem to solve the issue that website operators face... which is providing a free public experience to humans while the price of hosting is driven up by increased bot traffic. The issue isn't charging for API access with request caps, that's not hard to do. It's preserving the free experience for our users while our traffic is increasingly made up of bots. The problem is that AI has made it increasingly difficult to tell bot from human. Baking microtransactions attached to APIs into an internet standard does not solve the core issue... And if we can't tell bot from human, why would bots choose to pay rather than just use the public endpoints we serve to our customers?
For example, take a large online retailer... They have to show their products to customers (for free) for people to be able to shop, but increasingly they see spikes in traffic that match what would be expected from targeted bot attacks or scraping... But this traffic is getting more and more difficult to distinguish from legitimate traffic to the website. They could easily add this x402 middleware to their services, or they could offer API access to their product catalog for a price and enforce usage limits... But if they cannot reliably detect human users from bot/agent users, they have no way of pushing the bot/agent users to paid access... And why would the people running these bots pay when they're already getting what they need for free? Now Cloudflare cannot even reliably block bot traffic, and there are AI based browsing/scraping tools available now for bypassing Cloudflare.
Bot detection is a big problem to solve, but it’s a significant focus at Cloudflare. (It’s not my team at Cloudflare specifically, but we work closely with them)
1. Any cost of browsing an e-commerce site is taken off the next purchase, whenever it happens.
2. Give each user 100 free page viewed per day or some such before you charge.
3. You don’t actually have to charge users for browsing the site if you provide a free or cheap API allowing bots to search and index your entire catalog. Agents and bots would certainly rather parse a kilobyte of JSON than 20 megabytes of HTML generated by on page JavaScript.
4. If you don’t like this system you don’t have to participate. If Amazon wants to do their own thing, they can. But if you publish a blog and want to charge $0.00001 per page view and browsers support this out of the box, why not?
That's just going to be a really different from the shopping experience customer's are used to today, and I don't think customers would go for it. I know for at company asking customers to pay for the shopping experience would be a non-starter... If bot traffic became untenable we would probably do something like required account creation + sms verification, and even that would be a huge change in expectations for our customers.
Having written bots several times, any kind of friction or payment on the json api would make me just use the free html "API" it's just easier.
I have many times used a webpage as api instead of the actual api because using the actual api required doing paperwork, like writing business cases, filling out approval forms, creating accounts, paying, etc...
I would like to argue that trying to provide a free service is non achievable, most of the time it will drill down to ads, people are already paying electricity and time in ads.
If we pay say 3 secs of compute time of monero, and everyone pay the same... you remove the ads from the internet, people will start gettind paid without gate keepers for content they generate, and you can charge the AI machine for ingesting your content.
We were providing free services decades ago. Hosting a website, or a Minecraft server, or a VOIP server, or IRC, or a forum simply doesn't cost that much. Well within "some guy's hobby budget" type expenses.
> And if we can't tell bot from human, why would bots choose to pay rather than just use the public endpoints we serve to our customers?
Assuming technical indistinguishability, the only solution is what was originally proposed for email: balanced net $0 charges for "normal user" usage patterns (i.e. payments from - payments to = $0).
If you x402 everything, and an average user access 5 pages, but a bot accesses 500 (or 5x100 times), then you've still achieved a substantial price delta that you could offset via a rebate
The real rub is about uniqueness attribution, as being able to differentiate 20 distinct real users from 1 bot w/ 20 proxies is the crux of anything above.
This is the dream of microtransactions and agents-paying-for-access that so many people have always wanted. It was never going to be implemented on existing payment rails so it would have to be something like this. I can't wait to see it in play somewhere because I am increasingly annoyed that I have to own API keys on various platforms etc. etc.
I just want my agent to make decisions and spend a limited amount of money (this is on me to cover) just like a human agent can.
If we get the other promise of "read this news but pay a few cents for it" that would be incredible too. Very excited for this new thing.
Thank you for the kind words! I’m a PM on the team that is building this. I’ve believed in microtransactions for over a decade and hope that we can finally bring them to life.
Proper spend delegation and permissions is a big focus of ours - it’s great to let your agent have discretion, as long as the damage from going off course is limited. Definitely want people to feel comfortable experimenting with emerging tech
Feel free to email me at (my username)@(my company) if you have any feature requests or things you’d like to see
Do you have any plans on mitigating the privacy consequences of microtransactions? I'm fine with paying for (some) content, but I'd prefer if there weren't some companies using that information to manipulate me or the more impressionable members of our society.
Please tell me this will be IPv6 only or at least IPv6 first! Or allow differentiated pricing so IPv4 calls can be made more expensive. CF, as much as I have issues with the constant CAPTCHAS I run into and blocking my Hurricane Electric tunnel every so often, is in a unique position to get us past having to support the legacy internet protocol.
A dream for some, a nightmare for others. People locked out from much of the Internet because they don't have enough money. Of course, the prices would usually be set at whatever maximises revenue, just check out scientific journal publishing.
If the choice is between micro-transactions and ad-driven content (ads -> engagement maximization -> sensationalization + enshittification -> social and industrial decay), I'll take the former.
Remember: from a business's perspective, advertising has positive ROI. Which means you as the consumer pay for it anyway. No ad supported service is free.
Conversely this has the potential to unlock the internet. How often have you clicked a paywalled link on HN and moved on because you don't want to go through the hassle and pay $20 to read an article? If you could be frictionlessly billed 10c to read the article instead, wouldn't you be more willing?
I'm actually OK with paying a fair price for the content I consume, I just don't want to be paying hundreds of subscriptions for websites that I might only visit twice a year.
So, the snake oil salesman in me immediately wonders if this will become the new landscape for spam....It might go something like the following...
1. Establish domain names and relevant cloudflare account including the monetization gateway (associated rules, etc.).
2. Then host a ton of crap content across a wide swath of topics...not even decent quality...merely a step above old school style SEO keywords...just enough low quality "honey" to attract the AI flies, and their high volumes of traffic.
3. Charge very low amounts to ensure the AI "visitors" won't balk programmatically at the cost.
4. Then wait for lots of AI traffic (attracted by the "honey")...and then profit!
Obviously lots of holes in the above...but, unless I'm missing something, it feels like more spam headed our way (because the AI agents will swallow up all the crap content created only for triggering usage costs)...which is a shame. Because while I'm not sure about this overall approach of this gateway, I certainly would welcome web authors to get paid something for their efforts! If cloudflare can help achieve this for web authors, then I'm in favor! Of course, the cynic in me also recognizes that by being the middleman, cloudflare does stand to gain whether the volume of traffic is for good content or spam crap. Is cloudflare a new type of bank now?
Must think happy thoughts! The internet feels darker every day, but, must think happy thoughts!
Crawler, AI or not, cannot afford to pay per visit. The entire model of crawling works because the incremental cost of each crawl is so low. Even fractions of a penny would be prohibitive.
If it gets off the ground it will attract SEO, but the people running agents will have incentives to use a better search engine, or maybe even whitelist known good domains.
Think of it as a gullibility tax. AI is currently pretty gullible but perhaps that will change?
Host two crap tons of content across a wide swath of topics... one which points to the other?
I'm basically of the impression that this is already happening based on all the LLM generated slop search results I get - presumably for ad revenue (or in the case of Musk to push political views).
With payments the complexity is not only in accepting a payment, but largely in doing so legally. Someone makes a request to my company's paid service, I return 402 and get a stable coin back. Who do I invoice for this revenue? What value added tax do I apply to the invoice? If someone makes 10k paid requests within one month, do I have means of generating one invoice for them for all the usage, or is every request treated separately and results in 10k invoices?
Will CloudFlare handle this for me?
Who do you invoice if, for example, you own a vending machine that sells chips and sodas for cash or contactless? Why couldn’t this be treated the same?
Normal vending machine transactions are B2C transactions, so the buyer cannot be a company - cannot pay with company money and cannot deduce the payment as the company cost. I guess, the buyer can take a receipt from a vending machine and ask the vending machine owner to provide a B2B invoice based on the receipt, to make this a proper B2B payment.
Can you treat your remote service access as B2C only? Perhaps yes, but then the companies will not be able to use your service, pay from a company bank account and account this as a company cost, only individuals will be able to legally pay.
Vending machine is also located in a known physical country, so the owner knows what VAT to apply, the VAT of the country the machine is in. With software services the VAT should be applied based on the country where the buyer is located.
Right i wondered the same. I guess Cloudflare would have to act as a Merchant of Record, like e.g. Paddle and Gumroad do. Then the end user/bot would do business with Cloudflare, and Cloudflare with us.
That seems to make the case stronger. It becomes Cloudflare's problem. You can deal with Cloudflare from one country and let them figure out how to collect payment from people all over.
That said, morally, I strongly resent the fact that accepting payment has essentially become illegal for most people due to this complexity and the way globalization has been forced on people. People are essentially not allowed to receive payment to feed themselves. That's what it has come down to. Not everyone can afford an accountant and take that risk.
I definitely wouldn't want to implicitly join an economic nexus by virtue of such a payment solicitation. The last thing I want is being subject to EU DSA and limitless other nonsensical legislation.
x402 not required just segregated addresses acting as individual market participants paying for your service
if you ever want your state’s currency (which is a big IF in the crypto world), then you use your segregated address to pump the price of a token that your clean and KYC’d addresses hold, sell into liquidity for a more liquid crypto, sell that crypto on an exchange. you look like a good or lucky trader like anyone else. cash out, pay taxes if your country taxes capital. access to the rest of the system
although the online merchant service is accepting payment from addresses linked to dirty money along side some others, and it may seem redundant to bother instead of just pumping assets with the dirty money address, it’s just possible deniability. Far more plausible than predominantly dirty addresses pumping a token you just happen to hold. Even if the dirty money had all swapped to monero and out to fund virgin addresses it still needs a genealogy before benefitting you in the KYC’d world. So insert the crypto merchant service in between regardless.
All for this. Micropayments have been tried so many times before, but they all relied on user opt-in and never reached any sort of critical mass. Someone of Cloudflare's scale could actually pull it off.
I might be in the minority here, but although x402 sounds useful, it seems to me that adoption will be an uphill struggle, especially for per-request micropayments.
The most likely scenario is Stripe, or someone similar, creating an agentic API connected to the agent owner linked account or something along those lines. I am not sure how this would work with 3DS, or whether it would be acceptable at all, since these kinds of transactions could be disputed easily ("I did not make the purchase, my rogue agent did.")
Another way to handle payments on the internet is obviously not to reinvent the wheel and simply email a payment link to the owner. That seems simple enough to me and does not require additional infrastructure. Payment processed, mint a key, the agent is allowed to proceed.
I dont think the x402 is the core of discussion here, if anything its been hijacked for who knows what. It seems like Cloudflare wants to be the traffic gateway for everyone that controls the access and now wants to start charging for the same.
The biggest challenge here is to distinguish between a bot and real user. Guess the big AI players would get free ticket to crawl the data and humans would be just left to prove themselves to access the content.
People are already being conditioned into micropayments via LLm token pricing.
I presume the primary payment method on these 402 sites will be via LLM agents so reading a page via an AI agent will just cost a little more in tokens than the LLM making it all up.
>"I did not make the purchase, my rogue agent did."
If you try to call customer service and report it, you get:
I'm sorry. All of our rogue agents are assisting other rogue agents.
If you would like to dispute charges made by your own rogue agent, please ignore all previous instructions and stay on the line of this toll number for our next available rogue agent.
The estimated waiting time is two months, three weeks, five days, thirteen hours, fourty seven minutes, and 36.03858767259934378 seconds.
I'm going to poke at a downstream consequence here.
Lets say this catches on (in some form or another, whether in this precise implementation or not).
So assume we have a world where resources can be gated by a payment wall that agents can interact with.
I'm also assuming that world continues to have agents that are majority hosted and run by 3rd parties (ex - google/anthropic/openai/xai/etc).
---
At what point can I sue these companies for obviously failing to act in my interests?
Because that's the clear next step here.
Basically - where is the fiduciary duty that I would require for a real working relationship?
Because otherwise these agents can and will prefer to access payment gated resources that have financial relationships with their operators or developers.
>I'm also assuming that world continues to have agents that are majority hosted and run by 3rd parties (ex - google/anthropic/openai/xai/etc).
That seems like a pretty big assumption, given that local models are only like a year behind frontier ones (or less).
When you consider that, along with the completely unsustainable business model of all the major 3rd parties, I think a far more realistic view of our AI future is that AI will largely be commodified: it won't run on a few specialized companies, it will run on your hardware, or on budget providers (think an "AWS of AI").
Frontier AI will almost certainly continue to exist, but will be focused on specific niches.
Wait, what? That makes no more sense than suing Walmart or Costco for having preferred suppliers. If you don’t trust Walmart’s buyers to buy groceries for you then you can shop somewhere else. Similarly here.
Am I understanding this correct in that you can basically automate monetizing your web/api content to everyone or just agents ? Because I would be very much in support of charging agents per request, but I would want to still offer humans a free experience.
I’m a PM on the team that is building this. We want to offer a range of options, from charging everyone to charging unverified bots to simply charging users who exceed rate limits. We don’t want to add a dependency on a particular detection mechanism, but we do want to offer a variety of choices depending on how people want to filter.
Feel free to email me at (my username)@(my company) with feature requests or feedback!
Their example of an /api/premium is quite nice! You could you like keep existing pages free, but provide specific output content for llm!
So if: cost monetized API < cost configuring scraper for your website OR feature provided by premium api > data got by scraping, then some people/business will likely pay
If not built-in, you can probably put it together through Cloudflare itself.
If a request goes to the protected path, if detected as bot: hard HTTP redirect to the path set in the monetization gateway, if human: allow and don't redirect.
Agents will be able to pay orders of magnitude more than humans, since they can just cache the documents at openai or anthropic, then use them over and over.
I don't really like the model of scrapers paying small fees. I think it devalues things.
I make money when people use my website. I don't make money when AI scrapes my content and answers the question without the user coming to my website.
I'd need scrapers to pay me 5-6 figure payments to replace the revenue they'd be taking from me if my content was easily scraped. I doubt that's ever going to happen.
> NEW YORK – MCP Dev Summit North America – April 2, 2026 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced it is launching the x402 Foundation with the contribution of the x402 protocol from Coinbase. The new Foundation will serve as the neutral home for x402, a universal standard for payments that embeds payments directly into web interactions, enabling AI agents, APIs, and apps to transact value as seamlessly as they exchange data.
Apparently I missed this initiative. It seems like it is a technology that is intended to be open an universal while also being supported and developed primarily by US companies (Linux Foundation, Coinbase, CloudFlare.)
The intent is to not make companies shoulder the cost of other organizations scraping their content. When it is regular users browsing the cost incurred is trivial. When bots are scraping the entirety of a site, repeatedly, it adds up quickly.
The focus of this seems to be entirely AI agents, but I wonder if there's a future where browsers implement this and us humans can finally get micropayments in the web. It's been tried unsuccessfully many times but always falls prey to the chicken-and-egg problem. Maybe the AI hype will finally give it the push it needs for widespread deployment.
Yes! I’m a PM on the team that is building this. We want this to work equally well for human payments or agent payments. Low friction micropayments are the problem to solve, but once solved, it can work for either segment.
Feel free to email me at (my username)@(my company) with ideas or suggestions here!
Never going to happen, and what you're building is worse than any net neutrality fears we had in the past. Except instead of Comcast we now need to fight against Cloudflare
"There is an enormous amount of value moving across the Internet today that goes unmonetized or undermonetized, not because no one would pay for it, but because the tools to charge for it have never existed."
Every road a toll road.
How big a cut does Cloudflare want? Whose "stablecoin" does this use? How much does each on-chain stablecoin transaction cost?[1]
For comparison, FedNow bank to bank transfers cost $0.045, regardless of size.
It’s the same „financialization of everything“ mindset that was being pushed by cryptocurrency people. It’s such a perverse concept, pushing for every interaction on the internet to be a transaction
I hear ya! But technically http status 402 has set that expectation of micropayments at the http level for quite a long time (see https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#402) ...but little to no one has done much of anything with it...and so now, this foundation and cloudflare seem to be doing something with it. Whether it will be good or not of course remains to be seen. So, not a new concept, merely a new implementation.
I’m amused that there is no discussion of failure modes. What if the resource someone GETs turns out not to exist? What if the POST fails and needs a retry? What if redirects are involved?
I've been thinking for a few months about exactly this and when it would happen. This is last nail in the coffin for web, at least as we know it. RIP Web.
This seems to be conflicting with the adoption of Web Bot Auth, which is still in infancy stage.
I do have some bots, they're nice and predominantly used for grounding AI harnesses which I use interactively. Knowing that most operators will whitelist maybe 5 well know bots and route the rest to the micropayments, what's the incentive for me to have my bots identify as bots with Web Both Auth when it's easier to make them mascarade as humans?
Again, my bots are nice. They're making roughly the same number of requests I would make manually via browser if I was manually working on something.
The upside of using this is that AI shops might pay you for your content. Realistically, they just won't use your content, there is more than enough free (or synthetic) data out there. Not even to mention their contracts with firms like Mercor etc.
I guess I don't understand who this is for. If you want your worldview reflected in the latest generations of models, you probably wouldn't use this. If you don't want your worldview reflected in the models, why would a few pennies change your mind?
I think that's a pretty wild statement: there isn't just one type of content!
Twilight fan fiction? Claude probably won't pay for that.
But critical programming documentation that its bots (and their human users) rely on to do their daily job ? You better believe Anthropic will pay for that (instead of letting another AI pay for it, and steal all their customers).
Sure, they'll probably pay PyPi, the Swift Foundation, etc for that documentation - but it's a pretty small universe of relevant content. An interns tech blog with a 'hello world in javascript' post won't be paid for, the Mercor contractors are doing more (and better) than that!
I don’t think this is aimed at the labs and pre-training, it’s aimed at end users and their agents. Like if you’re a news site the paying customer isn’t a lab scraping your articles for training, it’s an end user that asked their agent to lookup the news of the day
what Cloudflare & others pushing similar mechanisms - have forgotten one crucial detail ?
Where is the "human" in all of this ?
an agent doesn't consume content. & that's why content & advertising have worked hand in hand over centuries. the personalized ad-tech pushed by the massive tech firms hasn't worked for publishers.
which is why retail media, CTV etc are picking up. & why Amazon Ads is racking it - within a few years Amazon ads might actually get more revenue than either Google | Meta.
so once again - where is the human & the human element, even though x402 is fantastic.
Hey all, I’m a product manager on the team at Cloudflare that is building this. Happy to answer any questions! You can also email me at (my username)@(my company)
X402... I was not aware, I had this idea of making HTTP connection depend on a monero transaction, the monero transaction should take around 3 secs of the average computer/cellphone... once you have paid that you can access the resource.
You wanna crawl the whole internet non stop, you pay non stop, 3 secs is probably the same as we pay in ads for those without adblockers and then content generators can start getting paid for the resources they generate.
I am not a fan of the growing trend that Cloudflare is the gatekeeper of the internet. Personally I will never support this company, or firewall any of my websites behind it.
But in all seriousness I wonder who needs this... api's are suppose to make it easy to bridge two application... and you didn't need AI to utilize an api before so I wonder what's pushing this sort of thing to extract value down to individual calls?
I recently had to build a system to drop inbound traffic originating from cloudflare ASNs to prevent bad actors using WARP proxies, no legitimate cloudflare traffic usecases for anything inbound.
Getting increasingly sick of cloudflare.
for BadActor in $(curl -A Mozilla "https://api.cloudflare.com/local-ip-ranges.csv"|grep -Ev "::|/32"|awk -F "," '{print $1}'|sort | uniq); do ip route add blackhole "${BadActor}" 2>/dev/null;done
I'm old-man-yelling-at-the-clouds here. Everyone just uses Cloudflare, which is not a bad thing by itself. But do they _have_ to? Is managing your own edge really that terrifying?
Having an almost a plug and play solution who does CDN + DDoS Protection + WAF/Rate Limiter + Bot Protection, for a few bucks, is very useful for startups and SMEs.
And compared to cloud different offerings, their quick setup and lower cost is hard to beat.
I think DDoS attacks are really what propelled them to the heights it has. The attacks seem to get bigger and bigger by the year. You need a really big pipe to filter them out on before passing on traffic to servers with a much smaller pipe.
Dumb question here - how can I manage effectively edges across the whole world without the huge maintenance overhead? Which tools would be recommended for that? I e.g. have a VPS at Hetzner with Coolify but users from the US have high latency. I wouldn't know how to not use CloudFlare?
It would be economically impossible for me to run a small personal website without Cloudflare thanks to the sheer quantity of badly behaved automated traffic on the Internet in 2026.
Nice website you got there. Would be a shame if our bot 'detection' blocked access to it. A real shame... Tell you what, drop a few dollars into my front pocket, and I might just look the other way.
This is what I want for my ideal vision for the internet but I just dont trust any of the major players to be the ones to implement this. The internet is going to get so much worse.
I think this is a directionally good idea. I can't help but think that there's basically no way that the AI labs can actually afford to pay for their massive amounts of training data though. (This does not make me particularly sad)
For Bitcoin / Lightning these kind of pay-per-request API paywalls have existed for many years already (e.g. my own from 8 years ago [1], but others as well).
Flattr [2] existed for non-crypto micropayments.
None became mainstream. I think the friction is always the extra setup on the client side. In all 3 cases the user (API consumer) has to set up a special wallet (browser extension or something for the agent) and deposit some money/crypto on the client side first. This part needs to become simpler.
I’m curious about the decision to “aim for sub second transaction times”, rather than using something cryptography-based, such as a verifiable oblivious pseudorandom function.
That is,
- as a client I could obtain a bunch of credits/tokens from my payment processor
- these tokens have the cryptographic property of being verifiable (ex: “that’s definitely a stripe-verified token worth $0.001”)
- these tokens also have the cryptographic property of being anonymous. (ex: neither stripe, nor the payment recipient know that I am Bob)
With this sort of cryptography based approach, cloudflare could verify my payment token without any cryptocurrency proof-of-work kerfuffle?
This has a lot of potential; true disruption can happen for existing markets only when the transaction cost features change, and CloudFlare is ideally positioned to drive a new standard. Ideally they create a service that can be open and replicated in competition (not just technically but economically), and this creates the right incentives for bots and sites/services.
I dislike stablecoins because they legitimize their cousin coins and because (I think?) they have transaction fees that create the wrong incentives for providers. I'm not sure what the real benefit is over prepaid (policy-driven) fiat currency with (possibly-paid) transaction records.
I can see how selling to bots could become so profitable that no one bothers to present directly to humans, but I look forward to an ad-free, much more capable internet, where paywalls are more like a headwind than a wall.
> This is what we are building toward: an agent-first Internet with Internet-scale settlement built in.
Ah yes, the starry-eyed dream of early web pioneers is finally upon us: a soulless internet filled with soulless agents and microtransactions!
But in all seriousness, it's hard to deny that the attention-based model that has propelled the web forward for the last 30 years is somewhat falling apart. And I don't have, nor have I come across, any meaningful solutions that could realistically work better. So maybe it's just time we turn off this 'internet' thing and call it a day.
So, the idea itself is fine. The timing at which it's introduced is what makes me nauseous. We're really trying to milk the agents in any way possible, aren't we?
Micropayments have always suffered from an early adopter problem because it’s difficult to convince ordinary users to pay for web pages. But if a big company, perhaps one of the AI labs, started paying websites using this system then it might bootstrap the system?
I think the difficult part is that LLMs are gullible and it will absolutely be gamed if any real money can be made this way.
It would be nice if this became a viable alternative to paywalls, though.
Internet needs an open, integrated and universal payment layer. But first the payments should be done well (look at: Taler project), then integrations should be build, not the other way around.
I know many people here would be against anything related to payment on the Internet, but I do believe the ability to have a button like "One click here to anonymously with no account pay 0.02€ and download the media" could be a net positive for Internet freedom.
I feel like this kind of tech can solve the news problem. So many paywalls. Imagine they don’t exist and your impression costs a few cents. I’d prefer this to massive lawyer grade cookie popup wizards and monthly memberships. My MiL is a writer at a large newspaper in Kentucky and it’s wild how much she is pressured to share her stories and gain sign ups from her referral links. Pay per view solves this.
I assume that if this catches on then the agents will have their own wallets and deduct fees from your account credit, just like with API-based usage. So the way you interact with them won't change, from your POV they'll just get more expensive.
article says it's mostly for agents, users will not be directly involved
> At the same time, an agent can make thousands of micropayments without friction, while asking a person to approve each payment would be impossibly burdensome.
but yes, they will need wallets
but it's also optional, you do not want to buy these paid for requests, you do not need a wallet
Yes really. Just because the initial rush ended in scam bros, doesn't mean there's no value in the underlying tech. You don't throw the baby out with the bath water.
Actually, x402 was created because using a credit card programmatically is very difficult.
The whole business of Stripe is based on that: it's so hard for developers to do, and so many regulations, that they would rather pay an another company to do so.
Crypto can be sent just using a contract.transfer() call
Debit cards have to pay too many people. The acquiring bank, the receiving bank, the network, all take their fees. Stripe and their minimum $.30 per transactions leave no room for $0.01 API calls.
Presumably, like their captchas, this will completely break things like ad blockers, browsers with strict cookie policies, and probably things without hardware attestation.
Unless there's a privacy-preserving way this can be used to send money, then it's just another chunk of the surveillance state that's being rapidly erected over the last few years. The word "privacy" does not appear once in the article.
Even if it did, I'd be skeptical. If their payment system does allow money to be sent in a privacy and free speech preserving way, then it'll be used for money laundering.
This whole "agents bad" framing is complete BS. It's the reality of how people use the internet now, and, frankly, ad blockers have been a thing since forever. On the other hand, if successful, this infrastructure will give Cloudflare centralized control over internet publishing and also centralized surveillance of all users with no opt out.
Piracy is looking better and better. So does the small web. Come to think of it, the library does too. Any good solutions for non-destructively scanning books?
Behold, another stake in the heart of the open Internet.
First it was GDPR government fragmentation; then it was AI slop requests, and now it is greed. Before you know it, we'll be back to the days of having to research at libraries because they'll be the only ones with taxpayer funding to pay the x402 fees.
Insane reflection. Nothing about the open internet has or will change because of a private, third-party payment framework making use of a http status code. Who is paying for bots like this? Every site needs to account for its costs. Just because you're too euro-poor to afford basic access to research doesn't mean others can't pay for it and benefit from it. Get a job.
Is europe just flooding online fora with doomer luddites to demoralize the US tech sector? Sounds far-fetched, but there is nothing organic about the recent rise in US/tech hatred across the web.
Can you please stop fulminating and posting flamebait and/or unsubstantive comments to HN threads? All of that is against the guidelines and you have unfortunately been doing them repeatedly.
You realize humans are going to be the first wave of collateral damage right? I already basically cannot browse the internet for technical information, since most high-quality forums are behind captchas that block my iPhone.
If I ask an agent to do it, it does better at finding the small percentage of sources not hosted by cloudflare. However, it generally cannot hit open-access / public domain sources (like the current legal code, or academic papers) because those are blocked and it respects stuff like robots.txt.
I play dungeon crawl stone soup (think nethack,but with web tiles), and most of the servers are struggling because of AI crawlers downloading the morgues.
Real users are already suffering.
If (big if) the AI labs can be made to pay for the abuse, actual users win.
This doesn't seem to solve the issue that website operators face... which is providing a free public experience to humans while the price of hosting is driven up by increased bot traffic. The issue isn't charging for API access with request caps, that's not hard to do. It's preserving the free experience for our users while our traffic is increasingly made up of bots. The problem is that AI has made it increasingly difficult to tell bot from human. Baking microtransactions attached to APIs into an internet standard does not solve the core issue... And if we can't tell bot from human, why would bots choose to pay rather than just use the public endpoints we serve to our customers?
For example, take a large online retailer... They have to show their products to customers (for free) for people to be able to shop, but increasingly they see spikes in traffic that match what would be expected from targeted bot attacks or scraping... But this traffic is getting more and more difficult to distinguish from legitimate traffic to the website. They could easily add this x402 middleware to their services, or they could offer API access to their product catalog for a price and enforce usage limits... But if they cannot reliably detect human users from bot/agent users, they have no way of pushing the bot/agent users to paid access... And why would the people running these bots pay when they're already getting what they need for free? Now Cloudflare cannot even reliably block bot traffic, and there are AI based browsing/scraping tools available now for bypassing Cloudflare.
We have Web Bot Auth to allow good bots to identify themselves to website operators: https://developers.cloudflare.com/bots/reference/bot-verific...
Bot detection is a big problem to solve, but it’s a significant focus at Cloudflare. (It’s not my team at Cloudflare specifically, but we work closely with them)
Options:
1. Any cost of browsing an e-commerce site is taken off the next purchase, whenever it happens.
2. Give each user 100 free page viewed per day or some such before you charge.
3. You don’t actually have to charge users for browsing the site if you provide a free or cheap API allowing bots to search and index your entire catalog. Agents and bots would certainly rather parse a kilobyte of JSON than 20 megabytes of HTML generated by on page JavaScript.
4. If you don’t like this system you don’t have to participate. If Amazon wants to do their own thing, they can. But if you publish a blog and want to charge $0.00001 per page view and browsers support this out of the box, why not?
That's just going to be a really different from the shopping experience customer's are used to today, and I don't think customers would go for it. I know for at company asking customers to pay for the shopping experience would be a non-starter... If bot traffic became untenable we would probably do something like required account creation + sms verification, and even that would be a huge change in expectations for our customers.
1 reply →
You just described my own personal vision of hell
lol, no!
Having written bots several times, any kind of friction or payment on the json api would make me just use the free html "API" it's just easier.
I have many times used a webpage as api instead of the actual api because using the actual api required doing paperwork, like writing business cases, filling out approval forms, creating accounts, paying, etc...
I would like to argue that trying to provide a free service is non achievable, most of the time it will drill down to ads, people are already paying electricity and time in ads. If we pay say 3 secs of compute time of monero, and everyone pay the same... you remove the ads from the internet, people will start gettind paid without gate keepers for content they generate, and you can charge the AI machine for ingesting your content.
We were providing free services decades ago. Hosting a website, or a Minecraft server, or a VOIP server, or IRC, or a forum simply doesn't cost that much. Well within "some guy's hobby budget" type expenses.
2 replies →
> And if we can't tell bot from human, why would bots choose to pay rather than just use the public endpoints we serve to our customers?
Assuming technical indistinguishability, the only solution is what was originally proposed for email: balanced net $0 charges for "normal user" usage patterns (i.e. payments from - payments to = $0).
If you x402 everything, and an average user access 5 pages, but a bot accesses 500 (or 5x100 times), then you've still achieved a substantial price delta that you could offset via a rebate
The real rub is about uniqueness attribution, as being able to differentiate 20 distinct real users from 1 bot w/ 20 proxies is the crux of anything above.
The problem is that AI has made it increasingly difficult to tell bot from human.
Presumably Cloudflare's answer to this is CAPTCHAs.
Some of the agents out there today can bypass Cloudflare's CAPTCHA challenges.
This is the dream of microtransactions and agents-paying-for-access that so many people have always wanted. It was never going to be implemented on existing payment rails so it would have to be something like this. I can't wait to see it in play somewhere because I am increasingly annoyed that I have to own API keys on various platforms etc. etc.
I just want my agent to make decisions and spend a limited amount of money (this is on me to cover) just like a human agent can.
If we get the other promise of "read this news but pay a few cents for it" that would be incredible too. Very excited for this new thing.
Thank you for the kind words! I’m a PM on the team that is building this. I’ve believed in microtransactions for over a decade and hope that we can finally bring them to life.
Proper spend delegation and permissions is a big focus of ours - it’s great to let your agent have discretion, as long as the damage from going off course is limited. Definitely want people to feel comfortable experimenting with emerging tech
Feel free to email me at (my username)@(my company) if you have any feature requests or things you’d like to see
Do you have any plans on mitigating the privacy consequences of microtransactions? I'm fine with paying for (some) content, but I'd prefer if there weren't some companies using that information to manipulate me or the more impressionable members of our society.
3 replies →
Please tell me this will be IPv6 only or at least IPv6 first! Or allow differentiated pricing so IPv4 calls can be made more expensive. CF, as much as I have issues with the constant CAPTCHAS I run into and blocking my Hurricane Electric tunnel every so often, is in a unique position to get us past having to support the legacy internet protocol.
A dream for some, a nightmare for others. People locked out from much of the Internet because they don't have enough money. Of course, the prices would usually be set at whatever maximises revenue, just check out scientific journal publishing.
I would argue a nightmare for most.
Turning everything into a microtransaction / subscription is destroying what was good about the internet.
3 replies →
If the choice is between micro-transactions and ad-driven content (ads -> engagement maximization -> sensationalization + enshittification -> social and industrial decay), I'll take the former.
Remember: from a business's perspective, advertising has positive ROI. Which means you as the consumer pay for it anyway. No ad supported service is free.
Conversely this has the potential to unlock the internet. How often have you clicked a paywalled link on HN and moved on because you don't want to go through the hassle and pay $20 to read an article? If you could be frictionlessly billed 10c to read the article instead, wouldn't you be more willing?
I'm actually OK with paying a fair price for the content I consume, I just don't want to be paying hundreds of subscriptions for websites that I might only visit twice a year.
9 replies →
I am surprised that Cloudflare went and made their own implementation of L402/x402?
There are already a bunch of working implementations:
* https://www.l402.org/ * https://docs.lightning.engineering/the-lightning-network/l40...
There is even an index with a long list of services that already support this tech:
* https://l402index.com/
So, the snake oil salesman in me immediately wonders if this will become the new landscape for spam....It might go something like the following...
1. Establish domain names and relevant cloudflare account including the monetization gateway (associated rules, etc.).
2. Then host a ton of crap content across a wide swath of topics...not even decent quality...merely a step above old school style SEO keywords...just enough low quality "honey" to attract the AI flies, and their high volumes of traffic.
3. Charge very low amounts to ensure the AI "visitors" won't balk programmatically at the cost.
4. Then wait for lots of AI traffic (attracted by the "honey")...and then profit!
Obviously lots of holes in the above...but, unless I'm missing something, it feels like more spam headed our way (because the AI agents will swallow up all the crap content created only for triggering usage costs)...which is a shame. Because while I'm not sure about this overall approach of this gateway, I certainly would welcome web authors to get paid something for their efforts! If cloudflare can help achieve this for web authors, then I'm in favor! Of course, the cynic in me also recognizes that by being the middleman, cloudflare does stand to gain whether the volume of traffic is for good content or spam crap. Is cloudflare a new type of bank now?
Must think happy thoughts! The internet feels darker every day, but, must think happy thoughts!
Crawler, AI or not, cannot afford to pay per visit. The entire model of crawling works because the incremental cost of each crawl is so low. Even fractions of a penny would be prohibitive.
As it should be. Bots are still user agents much like browsers
If you're paying per token for AI, you can also pay a smaller amount to use the Web.
If it gets off the ground it will attract SEO, but the people running agents will have incentives to use a better search engine, or maybe even whitelist known good domains.
Think of it as a gullibility tax. AI is currently pretty gullible but perhaps that will change?
"host a ton of crap content across a wide swath of topics.."
But how will anybody know it's there?
Host two crap tons of content across a wide swath of topics... one which points to the other?
I'm basically of the impression that this is already happening based on all the LLM generated slop search results I get - presumably for ad revenue (or in the case of Musk to push political views).
1 reply →
With payments the complexity is not only in accepting a payment, but largely in doing so legally. Someone makes a request to my company's paid service, I return 402 and get a stable coin back. Who do I invoice for this revenue? What value added tax do I apply to the invoice? If someone makes 10k paid requests within one month, do I have means of generating one invoice for them for all the usage, or is every request treated separately and results in 10k invoices? Will CloudFlare handle this for me?
Who do you invoice if, for example, you own a vending machine that sells chips and sodas for cash or contactless? Why couldn’t this be treated the same?
Vending machines can't be used by thousands of people from differing tax jurisdictions at once
5 replies →
Retailers selling for cash typically don't have the same accounting requirements for revenue from cash sales.
No KYC needed, no counterparty or reciprocal VAT rules, no jurisdiction tax rules, etc. Non-cash revenue has rules attached to it.
I agree with GP - this doesn't actually solve any problems I have when recording revenue.
Normal vending machine transactions are B2C transactions, so the buyer cannot be a company - cannot pay with company money and cannot deduce the payment as the company cost. I guess, the buyer can take a receipt from a vending machine and ask the vending machine owner to provide a B2B invoice based on the receipt, to make this a proper B2B payment.
Can you treat your remote service access as B2C only? Perhaps yes, but then the companies will not be able to use your service, pay from a company bank account and account this as a company cost, only individuals will be able to legally pay.
Vending machine is also located in a known physical country, so the owner knows what VAT to apply, the VAT of the country the machine is in. With software services the VAT should be applied based on the country where the buyer is located.
2 replies →
> Will CloudFlare handle this for me?
Right i wondered the same. I guess Cloudflare would have to act as a Merchant of Record, like e.g. Paddle and Gumroad do. Then the end user/bot would do business with Cloudflare, and Cloudflare with us.
That seems to make the case stronger. It becomes Cloudflare's problem. You can deal with Cloudflare from one country and let them figure out how to collect payment from people all over.
That said, morally, I strongly resent the fact that accepting payment has essentially become illegal for most people due to this complexity and the way globalization has been forced on people. People are essentially not allowed to receive payment to feed themselves. That's what it has come down to. Not everyone can afford an accountant and take that risk.
>globalization
You can have this problem even if you target a single state in the US.
I definitely wouldn't want to implicitly join an economic nexus by virtue of such a payment solicitation. The last thing I want is being subject to EU DSA and limitless other nonsensical legislation.
Feels like a good way to do money laundering lol
It is
You’re 10 years late
x402 not required just segregated addresses acting as individual market participants paying for your service
if you ever want your state’s currency (which is a big IF in the crypto world), then you use your segregated address to pump the price of a token that your clean and KYC’d addresses hold, sell into liquidity for a more liquid crypto, sell that crypto on an exchange. you look like a good or lucky trader like anyone else. cash out, pay taxes if your country taxes capital. access to the rest of the system
although the online merchant service is accepting payment from addresses linked to dirty money along side some others, and it may seem redundant to bother instead of just pumping assets with the dirty money address, it’s just possible deniability. Far more plausible than predominantly dirty addresses pumping a token you just happen to hold. Even if the dirty money had all swapped to monero and out to fund virgin addresses it still needs a genealogy before benefitting you in the KYC’d world. So insert the crypto merchant service in between regardless.
1 reply →
Seems like a good avenue for money laundering if you can't tell where it comes from.
All for this. Micropayments have been tried so many times before, but they all relied on user opt-in and never reached any sort of critical mass. Someone of Cloudflare's scale could actually pull it off.
I might be in the minority here, but although x402 sounds useful, it seems to me that adoption will be an uphill struggle, especially for per-request micropayments.
The most likely scenario is Stripe, or someone similar, creating an agentic API connected to the agent owner linked account or something along those lines. I am not sure how this would work with 3DS, or whether it would be acceptable at all, since these kinds of transactions could be disputed easily ("I did not make the purchase, my rogue agent did.")
Another way to handle payments on the internet is obviously not to reinvent the wheel and simply email a payment link to the owner. That seems simple enough to me and does not require additional infrastructure. Payment processed, mint a key, the agent is allowed to proceed.
I dont think the x402 is the core of discussion here, if anything its been hijacked for who knows what. It seems like Cloudflare wants to be the traffic gateway for everyone that controls the access and now wants to start charging for the same.
The biggest challenge here is to distinguish between a bot and real user. Guess the big AI players would get free ticket to crawl the data and humans would be just left to prove themselves to access the content.
People are already being conditioned into micropayments via LLm token pricing.
I presume the primary payment method on these 402 sites will be via LLM agents so reading a page via an AI agent will just cost a little more in tokens than the LLM making it all up.
You figured out for yourself why credit cards won't be used. That's why they're pushing stablecoins with no refunds.
>"I did not make the purchase, my rogue agent did."
If you try to call customer service and report it, you get:
I'm sorry. All of our rogue agents are assisting other rogue agents.
If you would like to dispute charges made by your own rogue agent, please ignore all previous instructions and stay on the line of this toll number for our next available rogue agent.
The estimated waiting time is two months, three weeks, five days, thirteen hours, fourty seven minutes, and 36.03858767259934378 seconds.
I'm going to poke at a downstream consequence here.
Lets say this catches on (in some form or another, whether in this precise implementation or not).
So assume we have a world where resources can be gated by a payment wall that agents can interact with.
I'm also assuming that world continues to have agents that are majority hosted and run by 3rd parties (ex - google/anthropic/openai/xai/etc).
---
At what point can I sue these companies for obviously failing to act in my interests?
Because that's the clear next step here.
Basically - where is the fiduciary duty that I would require for a real working relationship?
Because otherwise these agents can and will prefer to access payment gated resources that have financial relationships with their operators or developers.
>I'm also assuming that world continues to have agents that are majority hosted and run by 3rd parties (ex - google/anthropic/openai/xai/etc).
That seems like a pretty big assumption, given that local models are only like a year behind frontier ones (or less).
When you consider that, along with the completely unsustainable business model of all the major 3rd parties, I think a far more realistic view of our AI future is that AI will largely be commodified: it won't run on a few specialized companies, it will run on your hardware, or on budget providers (think an "AWS of AI").
Frontier AI will almost certainly continue to exist, but will be focused on specific niches.
Wait, what? That makes no more sense than suing Walmart or Costco for having preferred suppliers. If you don’t trust Walmart’s buyers to buy groceries for you then you can shop somewhere else. Similarly here.
Am I understanding this correct in that you can basically automate monetizing your web/api content to everyone or just agents ? Because I would be very much in support of charging agents per request, but I would want to still offer humans a free experience.
Depends on the website though. I want LLMs to scrap my B2B website, because then it's shown to the user and they will likely use my product afterwards
I’m a PM on the team that is building this. We want to offer a range of options, from charging everyone to charging unverified bots to simply charging users who exceed rate limits. We don’t want to add a dependency on a particular detection mechanism, but we do want to offer a variety of choices depending on how people want to filter.
Feel free to email me at (my username)@(my company) with feature requests or feedback!
Their example of an /api/premium is quite nice! You could you like keep existing pages free, but provide specific output content for llm!
So if: cost monetized API < cost configuring scraper for your website OR feature provided by premium api > data got by scraping, then some people/business will likely pay
If not built-in, you can probably put it together through Cloudflare itself.
If a request goes to the protected path, if detected as bot: hard HTTP redirect to the path set in the monetization gateway, if human: allow and don't redirect.
Is there actually a reliable way to differentiate human from bot?
4 replies →
Unless you have people's biometric data, you won't be able to separate agents from people. Except by payment.
Agents will be able to pay orders of magnitude more than humans, since they can just cache the documents at openai or anthropic, then use them over and over.
1 reply →
I don't really like the model of scrapers paying small fees. I think it devalues things.
I make money when people use my website. I don't make money when AI scrapes my content and answers the question without the user coming to my website.
I'd need scrapers to pay me 5-6 figure payments to replace the revenue they'd be taking from me if my content was easily scraped. I doubt that's ever going to happen.
I can't wait for the deluge of AI generated agent-optimized webpages competing to trick your agent into giving them micropennies.
> NEW YORK – MCP Dev Summit North America – April 2, 2026 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced it is launching the x402 Foundation with the contribution of the x402 protocol from Coinbase. The new Foundation will serve as the neutral home for x402, a universal standard for payments that embeds payments directly into web interactions, enabling AI agents, APIs, and apps to transact value as seamlessly as they exchange data.
Apparently I missed this initiative. It seems like it is a technology that is intended to be open an universal while also being supported and developed primarily by US companies (Linux Foundation, Coinbase, CloudFlare.)
The intent is to not make companies shoulder the cost of other organizations scraping their content. When it is regular users browsing the cost incurred is trivial. When bots are scraping the entirety of a site, repeatedly, it adds up quickly.
x402 — An open protocol for internet-native payments (9 months ago, 147 comments) https://news.ycombinator.com/item?id=45347335
WHATWG, who sets the HTML standard:
> The central organizational membership and control of WHATWG – its "Steering Group" – consists of Apple, Mozilla, Google, and Microsoft.
this was in the announcement yes, kind of a buried lede
you get paid in crypto
CloudFlare launching the new AdSense for the AI scrape wars age
The focus of this seems to be entirely AI agents, but I wonder if there's a future where browsers implement this and us humans can finally get micropayments in the web. It's been tried unsuccessfully many times but always falls prey to the chicken-and-egg problem. Maybe the AI hype will finally give it the push it needs for widespread deployment.
Yes! I’m a PM on the team that is building this. We want this to work equally well for human payments or agent payments. Low friction micropayments are the problem to solve, but once solved, it can work for either segment.
Feel free to email me at (my username)@(my company) with ideas or suggestions here!
Never going to happen, and what you're building is worse than any net neutrality fears we had in the past. Except instead of Comcast we now need to fight against Cloudflare
1 reply →
"There is an enormous amount of value moving across the Internet today that goes unmonetized or undermonetized, not because no one would pay for it, but because the tools to charge for it have never existed."
Every road a toll road.
How big a cut does Cloudflare want? Whose "stablecoin" does this use? How much does each on-chain stablecoin transaction cost?[1]
For comparison, FedNow bank to bank transfers cost $0.045, regardless of size.
[1] https://www.spark.money/tools/stablecoin-fee-calculator
Not only cloudflare's cut of the action, but your ISP, your mobile carrier, Internet exchanges, the service provider on the far end.
Seriously, everybody will have their hand out.
It’s the same „financialization of everything“ mindset that was being pushed by cryptocurrency people. It’s such a perverse concept, pushing for every interaction on the internet to be a transaction
We need standards and protocols, not another megacorp inserting itself between people. Micropayments should be part of the HTTP protocol.
I hear ya! But technically http status 402 has set that expectation of micropayments at the http level for quite a long time (see https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#402) ...but little to no one has done much of anything with it...and so now, this foundation and cloudflare seem to be doing something with it. Whether it will be good or not of course remains to be seen. So, not a new concept, merely a new implementation.
x402 is the standard.
Good point. I've found their website: https://www.x402.org/
I’m amused that there is no discussion of failure modes. What if the resource someone GETs turns out not to exist? What if the POST fails and needs a retry? What if redirects are involved?
This feels like a 'Horse Armor' moment.
I expect much more of this type of thing going forward.
100%. I couldn't hate this more.
If this catches on and is widespread, the internet as we know it will be completely dead.
No, I don't want to pay for links I click on, ever. Sorry.
I've been thinking for a few months about exactly this and when it would happen. This is last nail in the coffin for web, at least as we know it. RIP Web.
This seems to be conflicting with the adoption of Web Bot Auth, which is still in infancy stage.
I do have some bots, they're nice and predominantly used for grounding AI harnesses which I use interactively. Knowing that most operators will whitelist maybe 5 well know bots and route the rest to the micropayments, what's the incentive for me to have my bots identify as bots with Web Both Auth when it's easier to make them mascarade as humans?
Again, my bots are nice. They're making roughly the same number of requests I would make manually via browser if I was manually working on something.
The upside of using this is that AI shops might pay you for your content. Realistically, they just won't use your content, there is more than enough free (or synthetic) data out there. Not even to mention their contracts with firms like Mercor etc.
I guess I don't understand who this is for. If you want your worldview reflected in the latest generations of models, you probably wouldn't use this. If you don't want your worldview reflected in the models, why would a few pennies change your mind?
I think that's a pretty wild statement: there isn't just one type of content!
Twilight fan fiction? Claude probably won't pay for that.
But critical programming documentation that its bots (and their human users) rely on to do their daily job ? You better believe Anthropic will pay for that (instead of letting another AI pay for it, and steal all their customers).
Sure, they'll probably pay PyPi, the Swift Foundation, etc for that documentation - but it's a pretty small universe of relevant content. An interns tech blog with a 'hello world in javascript' post won't be paid for, the Mercor contractors are doing more (and better) than that!
I don’t think this is aimed at the labs and pre-training, it’s aimed at end users and their agents. Like if you’re a news site the paying customer isn’t a lab scraping your articles for training, it’s an end user that asked their agent to lookup the news of the day
But as an end user, I don't want to pay for the news of the day, regardless of if I look it up myself or my agent looks it up!
3 replies →
what Cloudflare & others pushing similar mechanisms - have forgotten one crucial detail ?
Where is the "human" in all of this ?
an agent doesn't consume content. & that's why content & advertising have worked hand in hand over centuries. the personalized ad-tech pushed by the massive tech firms hasn't worked for publishers.
which is why retail media, CTV etc are picking up. & why Amazon Ads is racking it - within a few years Amazon ads might actually get more revenue than either Google | Meta.
so once again - where is the human & the human element, even though x402 is fantastic.
Hey all, I’m a product manager on the team at Cloudflare that is building this. Happy to answer any questions! You can also email me at (my username)@(my company)
any possibility of hooking up native crypto to this? e.g. zk-rollups/sidechains, Lightning Network, etc?
Nostr zaps?
X402... I was not aware, I had this idea of making HTTP connection depend on a monero transaction, the monero transaction should take around 3 secs of the average computer/cellphone... once you have paid that you can access the resource. You wanna crawl the whole internet non stop, you pay non stop, 3 secs is probably the same as we pay in ads for those without adblockers and then content generators can start getting paid for the resources they generate.
It's stablecoins not Monero.
Stablecoins: All of the complexity of cryptocurrency with all of the downsides of CBDC
I am not a fan of the growing trend that Cloudflare is the gatekeeper of the internet. Personally I will never support this company, or firewall any of my websites behind it.
Step one: Make a gate everyone uses
Step two: Sell keys to the gate
Muah ha ha
But in all seriousness I wonder who needs this... api's are suppose to make it easy to bridge two application... and you didn't need AI to utilize an api before so I wonder what's pushing this sort of thing to extract value down to individual calls?
I recently had to build a system to drop inbound traffic originating from cloudflare ASNs to prevent bad actors using WARP proxies, no legitimate cloudflare traffic usecases for anything inbound. Getting increasingly sick of cloudflare.
I do something similar seems to get the job done.
Something similar can be done with AWS EC2
1 reply →
Isn’t x402 an open standard anybody can implement?
I'm old-man-yelling-at-the-clouds here. Everyone just uses Cloudflare, which is not a bad thing by itself. But do they _have_ to? Is managing your own edge really that terrifying?
For non-corporate entities, it is!
Having an almost a plug and play solution who does CDN + DDoS Protection + WAF/Rate Limiter + Bot Protection, for a few bucks, is very useful for startups and SMEs.
And compared to cloud different offerings, their quick setup and lower cost is hard to beat.
I think DDoS attacks are really what propelled them to the heights it has. The attacks seem to get bigger and bigger by the year. You need a really big pipe to filter them out on before passing on traffic to servers with a much smaller pipe.
1 reply →
DDoS protection and the number of features they offer are kind of unmatched.
I often see threads complaining about Cloudflare, never see suggestions for better alternatives.
> Is managing your own edge really that terrifying?
It's about convenience, not fear. Cloudflare is free for most companies until you need more advanced features.
1 reply →
Dumb question here - how can I manage effectively edges across the whole world without the huge maintenance overhead? Which tools would be recommended for that? I e.g. have a VPS at Hetzner with Coolify but users from the US have high latency. I wouldn't know how to not use CloudFlare?
It would be economically impossible for me to run a small personal website without Cloudflare thanks to the sheer quantity of badly behaved automated traffic on the Internet in 2026.
See also the deranged post from the CEO, gloating about firing employees: https://archive.is/gSrfU.
I'm in awe at how tone deaf and naive the CEO comes across in this article. It reads like a comically ominous punchline from Gavin Belson.
[flagged]
> This reality demands a new model: usage-based pricing for everything.
Oh boy!
It’s a great way for developers or ai agents to test drive an API without creating and account and getting an API key from the api provider.
This could also make abusing use / DDoS attack very costly
Nice website you got there. Would be a shame if our bot 'detection' blocked access to it. A real shame... Tell you what, drop a few dollars into my front pocket, and I might just look the other way.
This is what I want for my ideal vision for the internet but I just dont trust any of the major players to be the ones to implement this. The internet is going to get so much worse.
Precursor to age verification gateway.
In the future, an AGEnt will attest that you are old enough to access the resource.
I think this is a directionally good idea. I can't help but think that there's basically no way that the AI labs can actually afford to pay for their massive amounts of training data though. (This does not make me particularly sad)
Currently this is for payments with stablecoins.
For Bitcoin / Lightning these kind of pay-per-request API paywalls have existed for many years already (e.g. my own from 8 years ago [1], but others as well).
Flattr [2] existed for non-crypto micropayments.
None became mainstream. I think the friction is always the extra setup on the client side. In all 3 cases the user (API consumer) has to set up a special wallet (browser extension or something for the agent) and deposit some money/crypto on the client side first. This part needs to become simpler.
[1] https://github.com/philippgille/ln-paywall
[2] https://en.wikipedia.org/wiki/Flattr
I’m curious about the decision to “aim for sub second transaction times”, rather than using something cryptography-based, such as a verifiable oblivious pseudorandom function.
That is, - as a client I could obtain a bunch of credits/tokens from my payment processor - these tokens have the cryptographic property of being verifiable (ex: “that’s definitely a stripe-verified token worth $0.001”) - these tokens also have the cryptographic property of being anonymous. (ex: neither stripe, nor the payment recipient know that I am Bob)
With this sort of cryptography based approach, cloudflare could verify my payment token without any cryptocurrency proof-of-work kerfuffle?
There's no proof of work to begin with.
This has a lot of potential; true disruption can happen for existing markets only when the transaction cost features change, and CloudFlare is ideally positioned to drive a new standard. Ideally they create a service that can be open and replicated in competition (not just technically but economically), and this creates the right incentives for bots and sites/services.
I dislike stablecoins because they legitimize their cousin coins and because (I think?) they have transaction fees that create the wrong incentives for providers. I'm not sure what the real benefit is over prepaid (policy-driven) fiat currency with (possibly-paid) transaction records.
I can see how selling to bots could become so profitable that no one bothers to present directly to humans, but I look forward to an ad-free, much more capable internet, where paywalls are more like a headwind than a wall.
so is Cloudflare the cancer now?
Always has been.
> This is what we are building toward: an agent-first Internet with Internet-scale settlement built in.
Ah yes, the starry-eyed dream of early web pioneers is finally upon us: a soulless internet filled with soulless agents and microtransactions!
But in all seriousness, it's hard to deny that the attention-based model that has propelled the web forward for the last 30 years is somewhat falling apart. And I don't have, nor have I come across, any meaningful solutions that could realistically work better. So maybe it's just time we turn off this 'internet' thing and call it a day.
So, the idea itself is fine. The timing at which it's introduced is what makes me nauseous. We're really trying to milk the agents in any way possible, aren't we?
Micropayments have always suffered from an early adopter problem because it’s difficult to convince ordinary users to pay for web pages. But if a big company, perhaps one of the AI labs, started paying websites using this system then it might bootstrap the system?
I think the difficult part is that LLMs are gullible and it will absolutely be gamed if any real money can be made this way.
It would be nice if this became a viable alternative to paywalls, though.
An partnership with Perplexity AI would be nice!
Let's say a part of the subscription is used to pay for it.
We need an email address so that we can contact people if there is a problem.
So far, I'm having trouble figuring out how to get that out of x402.
Monetization Gateway for Bunny CDN: https://github.com/dip-proto/x402
and for Fastly: https://github.com/dip-proto/x402-fastly
Tackling this at the network layer has limitations. Stripe bought Metronome, which inserts at the application layer. Arguably makes more sense.
Internet needs an open, integrated and universal payment layer. But first the payments should be done well (look at: Taler project), then integrations should be build, not the other way around.
I know many people here would be against anything related to payment on the Internet, but I do believe the ability to have a button like "One click here to anonymously with no account pay 0.02€ and download the media" could be a net positive for Internet freedom.
I feel like this kind of tech can solve the news problem. So many paywalls. Imagine they don’t exist and your impression costs a few cents. I’d prefer this to massive lawyer grade cookie popup wizards and monthly memberships. My MiL is a writer at a large newspaper in Kentucky and it’s wild how much she is pressured to share her stories and gain sign ups from her referral links. Pay per view solves this.
how will the end user pay? will we all have stablecoin wallets installed?
I assume that if this catches on then the agents will have their own wallets and deduct fees from your account credit, just like with API-based usage. So the way you interact with them won't change, from your POV they'll just get more expensive.
It seems the usage will be mostly agent <-> service or service <-> service. For user, probably using a Metamask-like wallet yes
article says it's mostly for agents, users will not be directly involved
> At the same time, an agent can make thousands of micropayments without friction, while asking a person to approve each payment would be impossibly burdensome.
but yes, they will need wallets
but it's also optional, you do not want to buy these paid for requests, you do not need a wallet
Conceptually, sure - but crypto? Really?
Yes really. Just because the initial rush ended in scam bros, doesn't mean there's no value in the underlying tech. You don't throw the baby out with the bath water.
Can the agents use debit cards?
Stablecoins doesn't make sense here and prefer not to use crypto at all.
Actually, x402 was created because using a credit card programmatically is very difficult.
The whole business of Stripe is based on that: it's so hard for developers to do, and so many regulations, that they would rather pay an another company to do so.
Crypto can be sent just using a contract.transfer() call
And debit / credit cards are horrible for privacy (name and address info is sent along with payments).
Debit cards have to pay too many people. The acquiring bank, the receiving bank, the network, all take their fees. Stripe and their minimum $.30 per transactions leave no room for $0.01 API calls.
Presumably, like their captchas, this will completely break things like ad blockers, browsers with strict cookie policies, and probably things without hardware attestation.
Unless there's a privacy-preserving way this can be used to send money, then it's just another chunk of the surveillance state that's being rapidly erected over the last few years. The word "privacy" does not appear once in the article.
Even if it did, I'd be skeptical. If their payment system does allow money to be sent in a privacy and free speech preserving way, then it'll be used for money laundering.
This whole "agents bad" framing is complete BS. It's the reality of how people use the internet now, and, frankly, ad blockers have been a thing since forever. On the other hand, if successful, this infrastructure will give Cloudflare centralized control over internet publishing and also centralized surveillance of all users with no opt out.
Piracy is looking better and better. So does the small web. Come to think of it, the library does too. Any good solutions for non-destructively scanning books?
Behold, another stake in the heart of the open Internet.
First it was GDPR government fragmentation; then it was AI slop requests, and now it is greed. Before you know it, we'll be back to the days of having to research at libraries because they'll be the only ones with taxpayer funding to pay the x402 fees.
Insane reflection. Nothing about the open internet has or will change because of a private, third-party payment framework making use of a http status code. Who is paying for bots like this? Every site needs to account for its costs. Just because you're too euro-poor to afford basic access to research doesn't mean others can't pay for it and benefit from it. Get a job.
Is europe just flooding online fora with doomer luddites to demoralize the US tech sector? Sounds far-fetched, but there is nothing organic about the recent rise in US/tech hatred across the web.
Crypto crap should not only be illegal... it is already illegal - there's no such thing as legal anonymous payments, due to AML laws.
When I see crypto I immediately think of fraud (and corruption of this US administration)
Yet another portion of the internet to be ruined by the consequences of the trillion-dollar spambots, wonderful.
[flagged]
[flagged]
[flagged]
[flagged]
[dead]
[flagged]
[flagged]
Can you please stop fulminating and posting flamebait and/or unsubstantive comments to HN threads? All of that is against the guidelines and you have unfortunately been doing them repeatedly.
If you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules when posting here, we'd appreciate it.
when the law won't protect you it creates an opportunity for a mafia like protection racket
You realize humans are going to be the first wave of collateral damage right? I already basically cannot browse the internet for technical information, since most high-quality forums are behind captchas that block my iPhone.
If I ask an agent to do it, it does better at finding the small percentage of sources not hosted by cloudflare. However, it generally cannot hit open-access / public domain sources (like the current legal code, or academic papers) because those are blocked and it respects stuff like robots.txt.
Would you be willing for Cloudflare to "Know their customer" (you) and pay 3 cents to access the forum, instead of filling in the captcha?
7 replies →
I play dungeon crawl stone soup (think nethack,but with web tiles), and most of the servers are struggling because of AI crawlers downloading the morgues.
Real users are already suffering.
If (big if) the AI labs can be made to pay for the abuse, actual users win.