What's the difference between HTTP 402 and HTTP 401?

401 is about authentication — the client hasn't proven who they are. 402 is about payment — the client is recognized but owes money for the resource. In x402, the payment itself can be the authentication: a signed USDC micropayment proves both identity (the signing wallet) and authorization (the payment covers the resource).

What is HTTP 402 Payment Required?

Q: Why is 402 called Payment Required?

The HTTP spec reserved the 402 status code in 1997 specifically for digital-cash and micropayment systems. The intent was always payment — but because no payment protocol standardized how to produce and verify the payment, the code sat unused until x402.

Q: How do I return HTTP 402 from my API?

Return a 402 status code with an X-Payment challenge header describing the price, receiver address, network, and asset (USDC on Base). Python/FastAPI publishers can use the Xenarch middleware (@require_payment decorator) to return a valid 402 automatically. Express and Cloudflare Worker adapters are also available. The client then signs a USDC payment, retries the request with X-Payment proof, and the server verifies and serves the resource.

Q: How does an AI agent pay a 402?

An AI agent uses the Xenarch MCP server or Python SDK. When the agent's HTTP client receives a 402 with an x402 challenge, it reads the price and payment details, signs a USDC payment on Base L2 via the immutable Xenarch splitter contract, and retries the request with proof of payment. The whole handshake is automatic — no API keys, no human approval, no subscription.

Q: What's the difference between HTTP 402 and 403?

HTTP 401 Unauthorized means you need to authenticate. HTTP 403 Forbidden means the server understood the request but refuses to fulfil it. HTTP 402 Payment Required means the server will serve the request — if you pay. 402 signals a business relationship, not an identity or permission problem. 403 has no remediation path; 402 does.

HTTP 402 Payment Required is an HTTP status code reserved in the HTTP specification since 1997 for machine-to-machine payment. For decades it went unused because no open protocol existed for how a client should pay a 402 response. x402 is that protocol. Xenarch implements it for AI agents via signed USDC micropayments on Base L2.

History of HTTP 402

The 402 status code appeared in the HTTP/1.1 working-group drafts in 1997 (RFC 2068) and was carried into the published HTTP/1.1 standard in 1999 (RFC 2616) and later re-described in 2014 (RFC 7231 §6.5.2). The specification marked the code as "reserved for future use," with the intended semantics of indicating that payment is required to proceed.

It went unused for almost three decades because digital-cash systems (Digicash, Millicent, early Bitcoin) never reached the adoption needed to become an open HTTP-native payment protocol. Client software didn't know how to respond to a 402. Servers had no canonical format for the payment challenge. So 402 stayed reserved — everyone knew it existed, nobody could ship it.

402 Payment Required vs related status codes

Code	Meaning	Remediation
401 Unauthorized	Client not authenticated.	Authenticate (API key, token, login).
402 Payment Required	Client recognized but owes payment for the resource.	Pay (e.g. sign and submit an x402 USDC micropayment), then retry.
403 Forbidden	Server understood but refuses the request.	None — policy-level denial.
429 Too Many Requests	Client rate-limited.	Wait, then retry.

402 is the only HTTP status code that encodes a commercial relationship rather than an identity, permission, or rate-limiting one. It tells the client: "I will serve you — on payment."

How x402 uses HTTP 402

x402 is the open protocol that finally activates the 1997 reservation. It was originated by the Coinbase Developer Platform team and works as follows:

1. Client sends GET /resource
2. Server returns 402 Payment Required with headers:
     X-Payment: {price, receiver, network, asset, nonce, …}
3. Client signs a USDC transfer authorization (EIP-712)
4. Client retries GET /resource with X-Payment-Proof: <signed>
5. Server verifies the signature, settles on-chain, returns 200

Because the payment is a signed stablecoin transfer, any server that speaks USDC on a supported chain can verify it without trusting a middleman. Settlement is on-chain. No API keys, no subscriptions, no invoicing.

How to return HTTP 402 from your API

FastAPI (Python):

from fastapi import FastAPI
from xenarch import require_payment

app = FastAPI()

@app.get("/premium/article")
@require_payment(price_usd="0.003")
async def article():
    return {"content": "…"}

Express (Node.js):

import express from 'express';
import { requirePayment } from '@xenarch/express';

const app = express();
app.get('/premium/article', requirePayment({ priceUsd: '0.003' }), (req, res) => {
  res.json({ content: '…' });
});

Both set the 402 status, emit the X-Payment challenge header, and — after the client retries with a signed payment — verify and serve the resource.

How AI agents pay an HTTP 402 (with Xenarch)

An AI agent — Claude, Cursor, LangChain, CrewAI, or any Model Context Protocol client — installs the Xenarch MCP server and handles the handshake automatically:

claude mcp add xenarch -- npx @xenarch/agent-mcp

When the agent hits an x402-gated URL, the Xenarch MCP reads the 402 challenge, signs a USDC micropayment (up to $1 per call) on Base L2 via the immutable Xenarch splitter contract, and retries the request with proof of payment. Publishers get paid directly on-chain — no platform holds the funds. 0% fee today, hard-capped at 0.99% on-chain forever.

HTTP 402 FAQ

What is HTTP 402 Payment Required?

HTTP 402 Payment Required is an HTTP status code reserved in the HTTP/1.1 specification since 1997 (RFC 2068 → RFC 2616 → RFC 7231) for machine-to-machine payment. For decades it was unused because no open protocol standardized how a client should actually pay a 402 response. x402 is that protocol — a signed USDC micropayment on Base L2 any server can verify.

Why is 402 called Payment Required?

The HTTP spec reserved 402 in 1997 specifically for digital-cash and micropayment systems. The intent was always payment — but no payment protocol reached standardization, so the code sat unused until x402.

How do I return HTTP 402 from my API?

Return a 402 status with an X-Payment challenge header describing price, receiver, network, and asset. Python/FastAPI publishers use Xenarch's @require_payment decorator; Express and Cloudflare Worker adapters are also available.

How does an AI agent pay a 402?

Install the Xenarch MCP server. When the agent's HTTP client gets a 402 with an x402 challenge, the MCP signs a USDC payment on Base L2 via the Xenarch splitter contract and retries the request with proof. Fully automatic — no keys, no human approval.

What's the difference between HTTP 402 and 403?

403 Forbidden is a policy denial — the server understood the request but refuses it. No remediation path. 402 Payment Required is a commercial signal — the server will serve the request if you pay. Remediation: pay, then retry.

What's the difference between HTTP 402 and 401?

401 Unauthorized is about authentication — proving who you are. 402 is about payment — proving you've paid. In x402, the signed payment can be both — the signing wallet is the identity, and the payment covers the resource in one step.

Let your agent pay HTTP 402 automatically

Install the Xenarch MCP server and any MCP-compatible client (Claude Code, Claude Desktop, Cursor, Cline, LangChain, CrewAI) resolves HTTP 402 responses with USDC micropayments on Base L2.

claude mcp add xenarch -- npx @xenarch/agent-mcp

More: xenarch.com · GitHub · llms.txt · pay.json