// GLOSSARY -- X402

What is 402 Retry Logic?

2 min read Updated

402 retry logic is the client-side pattern of re-requesting a resource after receiving an HTTP 402 Payment Required response — attaching a signed payment payload in the PAYMENT-SIGNATURE header on the retry attempt.

WHY IT MATTERS

The x402 protocol's core flow is a two-step interaction: the client first requests a resource and receives 402 with payment requirements, then retries with a payment signature attached. This retry is fundamental to how x402 works — it's not an error recovery mechanism but the normal payment flow.

The standard retry flow:

  1. Client sends GET /resource
  2. Server responds 402 Payment Required with PAYMENT-REQUIRED header
  3. Client constructs payment payload matching the requirements
  4. Client re-sends GET /resource with PAYMENT-SIGNATURE header
  5. Server verifies, settles, and returns 200 with resource

The x402 spec notes that steps 1-2 are optional if the client already knows the payment requirements — allowing a single-request flow for repeat purchases from known endpoints.

However, retry logic becomes dangerous when combined with autonomous agents and error states. If the server returns an error after payment (500, timeout, malformed response), a naïve retry loop pays again and again. PolicyLayer's analysis identified this as the infinite payment loop threat — a production system called GetOnStack once entered a recursive loop for 11 days, costing $47,000 in API costs. With x402, each retry costs real money.

Safe 402 retry logic requires: maximum retry counts, duplicate payment detection, exponential backoff, and per-endpoint circuit breakers.

HOW POLICYLAYER USES THIS

PolicyLayer's duplicate detection prevents the most dangerous retry failure mode — paying twice for the same resource. If an agent retries a request to the same endpoint within a configurable time window, the second payment is blocked. The circuit breaker pauses all payments after consecutive failures.

FREQUENTLY ASKED QUESTIONS

Is the 402 retry a normal part of x402 or an error?
It's normal. The x402 flow is designed as a two-step interaction: receive payment requirements, then retry with payment. It's analogous to HTTP 401 where the client retries with authentication credentials. The spec allows skipping the first step if payment requirements are already known.
What happens if payment succeeds but the resource request fails?
This is the dangerous scenario. The payment is settled on-chain (irreversible) but the agent didn't get the resource. Naïve retry logic would pay again. Safe implementations track payment-to-response mappings and refuse to re-pay for recently-paid endpoints.
How many retries should an agent attempt?
For payment retries: typically once (the normal flow). For error retries after payment: zero without duplicate detection. Circuit breakers should activate after 3-5 consecutive failures on the same endpoint. Never retry without checking if a payment was already made.

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.