What is x402 Auto-Policy?


x402 auto-policy is the automatic creation of spending policies when an agent encounters a new x402-enabled endpoint for the first time — applying configured default limits (spending caps, rate limits, recipient pins) without requiring manual configuration for each new API.

WHY IT MATTERS

In an agent economy where agents autonomously discover and consume APIs, pre-configuring a policy for every possible endpoint is impossible. But having no policy means agents spend freely on any endpoint they encounter — an unacceptable risk.

Auto-policy solves this with a 'secure by default' approach:

  1. Agent encounters a new x402 endpoint that has no existing policy
  2. The policy engine automatically creates a policy using the operator's configured defaults
  3. The defaults typically include: per-request maximum, daily spending cap, requests-per-minute limit, and automatic recipient pinning
  4. The operator receives a webhook notification about the new endpoint
  5. The agent can immediately transact within the default limits
  6. The operator can later tighten or loosen the policy based on the endpoint's value

Typical default configurations (amounts are strings in USDC base units, 6 decimals, so "1000000" is 1 USDC):

{
  maxAmountPerRequest: "1000000",    // 1 USDC max per request
  maxAmountPerDay: "10000000",       // 10 USDC max per day
  maxRequestsPerMinute: 10,
  notifyOnDiscovery: true,
  autoCreatePolicies: true
}

This balances agent autonomy with financial safety. Agents can explore freely, but every new endpoint is immediately governed. Over time, operators build up a portfolio of endpoint-specific policies tuned to actual usage patterns.
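The six-step flow and the default configuration above, worked through as an added example. This is illustration code, not PolicyLayer's implementation: the class and field names, the webhook payload shape, the 60-second sliding window for the rate limit, the UTC-day bucket for the daily cap, and the sample endpoint and agent IDs are all assumptions. Amounts are integers in USDC base units, as in the configuration above.

```python
"""Added example, not PolicyLayer's code: a minimal x402 auto-policy engine.

A payment attempt against an unknown endpoint creates a policy from the
operator defaults, records the discovery (timestamp, agent ID), pins the
recipient, queues a webhook, and only then enforces the limits. Names, the
webhook payload shape and the sample values are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Operator defaults, mirroring the typical configuration shown above.
DEFAULTS = {
    "maxAmountPerRequest": 1_000_000,   # 1 USDC in base units
    "maxAmountPerDay": 10_000_000,      # 10 USDC per endpoint per day
    "maxRequestsPerMinute": 10,
    "notifyOnDiscovery": True,
    "autoCreatePolicies": True,
}


@dataclass
class Policy:
    endpoint: str            # URL the 402 challenge was received from
    recipient: str           # pay-to address pinned from the first 402 response
    max_per_request: int
    max_per_day: int
    max_per_minute: int
    discovered_at: float     # unix time of first observation
    discovered_by: str       # agent ID that triggered auto-creation
    day_bucket: int = 0      # UTC day that spent_today refers to
    spent_today: int = 0
    recent: list[float] = field(default_factory=list)  # times of allowed payments


class PolicyEngine:
    def __init__(self, defaults: dict = DEFAULTS) -> None:
        self.defaults = dict(defaults)
        self.policies: dict[str, Policy] = {}
        self.webhooks: list[dict] = []   # stand-in for an HTTP webhook sink

    def authorize(self, agent_id: str, endpoint: str, recipient: str,
                  amount: int, now: float) -> tuple[bool, str]:
        """Decide one payment. Returns (allowed, reason); allowed payments are recorded."""
        policy = self.policies.get(endpoint)
        if policy is None:
            if not self.defaults["autoCreatePolicies"]:
                # Strict mode: unknown vendors are blocked until an operator adds a policy.
                return False, "no policy for endpoint and auto-create is disabled"
            policy = self._create_policy(agent_id, endpoint, recipient, amount, now)

        # Recipient pin: a changed pay-to address is never silently paid;
        # the operator has to re-pin it explicitly.
        if recipient != policy.recipient:
            return False, "recipient differs from pinned address"
        if amount > policy.max_per_request:
            return False, "amount exceeds per-request maximum"

        # Daily cap, reset when the UTC day changes (86400 s buckets).
        bucket = int(now // 86400)
        if bucket != policy.day_bucket:
            policy.day_bucket, policy.spent_today = bucket, 0
        if policy.spent_today + amount > policy.max_per_day:
            return False, "daily cap exceeded"

        # Rate limit over a sliding 60 s window of previously allowed payments.
        policy.recent = [t for t in policy.recent if now - t < 60]
        if len(policy.recent) >= policy.max_per_minute:
            return False, "rate limit exceeded"

        policy.spent_today += amount
        policy.recent.append(now)
        return True, "ok"

    def _create_policy(self, agent_id, endpoint, recipient, first_price, now) -> Policy:
        d = self.defaults
        policy = Policy(endpoint, recipient, d["maxAmountPerRequest"], d["maxAmountPerDay"],
                        d["maxRequestsPerMinute"], now, agent_id, day_bucket=int(now // 86400))
        self.policies[endpoint] = policy
        if d["notifyOnDiscovery"]:
            # Assumed payload shape, carrying the fields the FAQ says the webhook includes.
            self.webhooks.append({
                "event": "endpoint.discovered",
                "endpoint": endpoint,
                "first_observed_price": first_price,
                "agent_id": agent_id,
                "policy": {"recipient": recipient, "max_per_request": policy.max_per_request,
                           "max_per_day": policy.max_per_day, "max_per_minute": policy.max_per_minute},
            })
        return policy

    def max_daily_exposure(self) -> int:
        """Worst-case daily spend: per-endpoint caps add up across every discovered endpoint."""
        return sum(p.max_per_day for p in self.policies.values())


if __name__ == "__main__":
    engine = PolicyEngine()
    ep = "https://api.example.com/v1/weather"   # constructed sample endpoint
    print(engine.authorize("agent-1", ep, "0xabc", 500_000, 1_700_000_000.0))
    print(engine.authorize("agent-1", ep, "0xdef", 500_000, 1_700_000_001.0))
    print(engine.webhooks[0]["event"], engine.max_daily_exposure())
```

Denied requests are not counted toward the rate limit or the daily total, so a misbehaving agent cannot lock itself out of an endpoint by hammering it with over-limit requests. The `max_daily_exposure` helper makes the per-endpoint nature of the defaults visible: the real ceiling is the daily cap multiplied by however many endpoints the agent discovers.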

HOW POLICYLAYER USES THIS

Auto-policy is a core PolicyLayer feature for x402. When an agent discovers a new x402 endpoint, PolicyLayer creates a policy from your defaults, records the discovery with timestamp and agent ID, pins the recipient address, and sends a webhook notification — all before the first payment is processed.

FREQUENTLY ASKED QUESTIONS

What defaults should I set for auto-policies?
Start conservative: 1 USDC max per request, 10 USDC per day per endpoint, 10 requests per minute. These limits let agents explore with bounded risk. Note that the defaults are applied per endpoint, so the aggregate ceiling is the daily cap multiplied by the number of endpoints an agent discovers; the discovery webhooks are how you notice an agent fanning out across many new APIs. Increase limits for specific high-value endpoints after review. You can always loosen later; tightening after a loss is too late.
Can I disable auto-policy and require manual approval?
Yes. Setting autoCreatePolicies to false means agents can't pay any endpoint without a pre-configured policy. This is the strictest mode — suitable for production environments where every vendor must be pre-approved.
How do I get notified about new endpoints?
Configure webhook URLs in your policy settings. When an agent discovers a new endpoint, you receive a webhook with the domain, first-observed pricing, agent ID, and the auto-created policy details. You can integrate this with Slack, email, or your operations dashboard.

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →