What is x402 Payment Verification?


x402 payment verification is the process by which a resource server (or its facilitator) confirms that a client's signed payment payload is valid — checking cryptographic signatures, sufficient token balances, correct amounts, nonce freshness, and authorisation expiry — before serving the requested resource.

WHY IT MATTERS

Verification is the critical security step in the x402 flow. When a client sends a request with a PAYMENT-SIGNATURE header, the resource server needs to confirm the payment is legitimate before doing any work.

For the exact scheme on EVM chains, verification includes:

  • Signature validity — the EIP-3009 transferWithAuthorization signature recovers to the from address named in the authorisation; because the EIP-712 domain binds the signature to one token contract on one chain, a signature produced for a different asset or network does not verify
  • Amount match — the authorised value matches the amount the payment requirement asked for
  • Recipient match — the authorised to address matches the server's specified payment address
  • Nonce freshness — the 32-byte nonce chosen by the client has not already been used or cancelled by this signer (the token contract exposes this as authorizationState(authorizer, nonce)); this is the replay defence
  • Expiry check — the current time falls inside the authorisation's validAfter/validBefore window, with enough headroom for settlement to land before validBefore passes
  • Balance check — the signer's token balance covers the authorised value

Resource servers can verify locally (if they have chain access) or delegate to a facilitator's /verify endpoint. The facilitator returns a structured VerificationResponse indicating whether the payment is valid.

This verify-first approach means the server never does expensive work (API calls, inference, data retrieval) for invalid payments. It also makes later on-chain settlement very likely to succeed, but verification is a point-in-time snapshot, not a guarantee: between verify and settle the signer can spend the balance elsewhere, let the validBefore deadline pass, or cancel the nonce (EIP-3009 provides cancelAuthorization for exactly this). Settle promptly after verifying, and treat a failed settlement as a real outcome rather than an impossibility.

HOW POLICYLAYER USES THIS

PolicyLayer adds a policy verification layer on top of the protocol's payment verification. Even if a payment payload is cryptographically valid, PolicyLayer checks whether the payment should be made — enforcing budgets, recipient allowlists, rate limits, and domain pinning rules that the protocol itself doesn't enforce.

FREQUENTLY ASKED QUESTIONS

Is verification the same as settlement?
No. Verification confirms the payment CAN be executed — valid signature, sufficient balance, correct amounts. Settlement actually moves the funds on-chain. x402 deliberately separates these steps so servers can verify cheaply and settle later.
Can verification be done without a facilitator?
Yes. A resource server with blockchain access can verify locally by recovering the EIP-3009 signature, querying the token balance, and reading authorizationState for the nonce directly from the token contract. Delegating to a facilitator is simpler and avoids maintaining RPC connections, at the cost of trusting the facilitator's answer.
What prevents replay attacks?
Each payment payload includes a unique nonce chosen by the client. Under EIP-3009 the token contract records used nonces per authorizer, so a given signer can execute each nonce only once: a used or cancelled nonce makes transferWithAuthorization revert, and verification checks authorizationState up front so that a previously used nonce fails at /verify. This prevents clients from reusing a single payment signature for multiple requests. One caveat for facilitators that verify now and settle later: the on-chain state only changes at settlement, so two copies of the same payload can both pass /verify if nothing tracks in-flight nonces between the two steps.
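The checks listed under WHY IT MATTERS, the verify-then-settle separation and the replay behaviour described in this FAQ, as an added example that is not PolicyLayer or x402 project code. It runs the verification pipeline against an in-process model of an EIP-3009 token (balances plus per-authorizer nonce state) and then shows settlement succeeding once, failing on replay, and failing after the payer cancels a nonce that had already passed verification. Everything here is constructed: the addresses, the amounts, the SETTLE_MARGIN_SECS headroom, and in particular the signature step, where a lookup table keyed on (signature, signed fields) stands in for EIP-712 ECDSA recovery so that tampering with any field still invalidates the signature. In production that step is real typed-data recovery.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


# --- x402 'exact' scheme types; field names follow EIP-3009, values are constructed ---
@dataclass(frozen=True)
class Authorization:
    """EIP-3009 TransferWithAuthorization message fields."""
    from_: str
    to: str
    value: int          # atomic units (USDC has 6 decimals: 10_000 == 0.01 USDC)
    valid_after: int    # unix seconds
    valid_before: int   # unix seconds
    nonce: bytes        # 32 random bytes chosen by the client, unique per signer


@dataclass(frozen=True)
class PaymentPayload:
    asset: str
    authorization: Authorization
    signature: bytes


@dataclass(frozen=True)
class PaymentRequirements:
    asset: str
    pay_to: str
    max_amount_required: int


@dataclass(frozen=True)
class VerificationResponse:
    is_valid: bool
    invalid_reason: Optional[str] = None
    payer: Optional[str] = None


Recover = Callable[[Authorization, bytes], Optional[str]]

# --- Constructed stand-in for EIP-712 recovery (NOT real ECDSA). A real recover() hashes
# the typed data under a domain bound to chainId + token contract and recovers the signer;
# a table keyed on (signature, signed fields) reproduces "any changed field breaks it".
_DEMO_SIGS: dict = {}


def _fields(a: Authorization) -> tuple:
    return (a.from_, a.to, a.value, a.valid_after, a.valid_before, a.nonce)


def demo_sign(signer: str, a: Authorization) -> bytes:
    sig = b"demo-sig-%d" % len(_DEMO_SIGS)
    _DEMO_SIGS[(sig, _fields(a))] = signer
    return sig


def demo_recover(a: Authorization, sig: bytes) -> Optional[str]:
    return _DEMO_SIGS.get((sig, _fields(a)))


class SimulatedEip3009Token:
    """In-process model of an EIP-3009 token: balances plus per-authorizer nonce state."""

    def __init__(self, address: str, balances: dict, recover: Recover):
        self.address, self.balances, self._recover = address, dict(balances), recover
        self._used = set()  # (authorizer, nonce) pairs, i.e. authorizationState == true

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def authorization_state(self, authorizer: str, nonce: bytes) -> bool:
        return (authorizer, nonce) in self._used

    def cancel_authorization(self, authorizer: str, nonce: bytes) -> None:
        self._used.add((authorizer, nonce))  # EIP-3009 lets the signer burn an unused nonce

    def transfer_with_authorization(self, a: Authorization, sig: bytes, now: int) -> None:
        # Same revert conditions the contract enforces at settlement time.
        if not (a.valid_after < now < a.valid_before):
            raise ValueError("authorization not yet valid or expired")
        if self.authorization_state(a.from_, a.nonce):
            raise ValueError("authorization used or canceled")
        if self._recover(a, sig) != a.from_:
            raise ValueError("invalid signature")
        if self.balance_of(a.from_) < a.value:
            raise ValueError("insufficient balance")
        self._used.add((a.from_, a.nonce))
        self.balances[a.from_] -= a.value
        self.balances[a.to] = self.balances.get(a.to, 0) + a.value


SETTLE_MARGIN_SECS = 6  # assumed headroom so validBefore is not hit while settling


def verify(p: PaymentPayload, r: PaymentRequirements, token: SimulatedEip3009Token,
           recover: Recover, now: int) -> VerificationResponse:
    """The verification checks, in order; fails closed on the first problem found."""
    a = p.authorization
    if p.asset.lower() != r.asset.lower() or token.address.lower() != r.asset.lower():
        return VerificationResponse(False, "asset_mismatch")
    if recover(a, p.signature) != a.from_:
        return VerificationResponse(False, "invalid_signature")
    if a.value != r.max_amount_required:            # exact match, as the 'exact' scheme asks
        return VerificationResponse(False, "amount_mismatch")
    if a.to.lower() != r.pay_to.lower():
        return VerificationResponse(False, "recipient_mismatch")
    if token.authorization_state(a.from_, a.nonce):
        return VerificationResponse(False, "nonce_used")
    if not (a.valid_after < now and now + SETTLE_MARGIN_SECS < a.valid_before):
        return VerificationResponse(False, "authorization_expired")
    if token.balance_of(a.from_) < a.value:
        return VerificationResponse(False, "insufficient_balance")
    return VerificationResponse(True, payer=a.from_)


def settle(p: PaymentPayload, token: SimulatedEip3009Token, now: int) -> tuple:
    """Settlement moves funds; it can still fail after a successful verify."""
    try:
        token.transfer_with_authorization(p.authorization, p.signature, now)
        return (True, None)
    except ValueError as e:
        return (False, str(e))


def demo() -> dict:
    """Constructed scenario: good payment, tampered payload, replay, cancel-before-settle."""
    payer, server, usdc, now = "0xPAYER", "0xSERVER", "0xUSDC", 1_700_000_000
    token = SimulatedEip3009Token(usdc, {payer: 50_000}, demo_recover)
    reqs = PaymentRequirements(asset=usdc, pay_to=server, max_amount_required=10_000)
    auth1 = Authorization(payer, server, 10_000, now - 60, now + 600, b"\x01" * 32)
    p1 = PaymentPayload(usdc, auth1, demo_sign(payer, auth1))
    out = {"verify": verify(p1, reqs, token, demo_recover, now).is_valid}
    # Reuse a valid signature over an edited authorisation: recovery no longer yields payer.
    tampered = PaymentPayload(usdc, Authorization(payer, server, 1, now - 60, now + 600,
                                                  b"\x01" * 32), p1.signature)
    out["tampered"] = verify(tampered, reqs, token, demo_recover, now).invalid_reason
    auth2 = Authorization(payer, server, 10_000, now - 60, now + 600, b"\x02" * 32)
    p2 = PaymentPayload(usdc, auth2, demo_sign(payer, auth2))
    out["settle"] = settle(p2, token, now)          # first settlement consumes the nonce
    out["replay"] = settle(p2, token, now)          # same payload again: reverts
    token.cancel_authorization(payer, auth1.nonce)  # payer acts between verify and settle
    out["settle_after_cancel"] = settle(p1, token, now)
    out["reverify"] = verify(p1, reqs, token, demo_recover, now).invalid_reason
    return out


if __name__ == "__main__":
    print(demo())
```

The order of checks in verify matters: the signature is recovered before the amount and recipient are compared, so a payload whose fields were edited after signing is reported as invalid_signature rather than as an amount problem, which is the honest diagnosis. The cancel-before-settle branch is the reason a server should not treat a passing /verify as a completed payment.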
