The 402 challenge flow

The 402 challenge flow is the heart of x402. A client makes a normal GET; if the resource is gated, the server replies with 402 Payment Required and a structured body describing how to pay. The client pays, replays with proof, and gets the resource.

Request 1 — discovery

1curl -i "https://aly.store/api/x402/product/acme/prod_pattern?quantity=1&email=buyer@example.com"

Response 1 — 402 challenge

1HTTP/1.1 402 Payment Required2Content-Type: application/json3X402-Version: 14 5{6  "x402Version": 1,7  "accepts": [8    {9      "scheme": "exact",10      "network": "base",11      "asset": "USDC",12      "assetAddress": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",13      "maxAmountRequired": "5000000",14      "payTo": "0xabc...123",15      "resource": "/api/x402/product/acme/prod_pattern?quantity=1&email=buyer@example.com",16      "description": "Knitting Pattern PDF",17      "mimeType": "application/pdf",18      "outputSchema": { "$ref": "https://aly.store/x402/schemas/order.json" },19      "maxTimeoutSeconds": 600,20      "extra": { "nonce": "0x9af2...", "validBefore": 1748112600 }21    },22    {23      "scheme": "exact",24      "network": "polygon",25      "asset": "USDC",26      "...": "..."27    }28  ],29  "error": "X-PAYMENT_required"30}

The client picks one of the accepts entries — usually the operator's preferred chain if the wallet supports it.

Constructing the payment

Use an x402-aware client (e.g. @x402/evm). The client builds an EIP-712 TransferAuthorizationfor the chosen asset, signs it with the buyer's key, and base64-encodes the bundle into the Payment header.

1import { payX402 } from "@x402/evm";2 3const challenge = await fetch(url).then((r) => r.json());4const accept = challenge.accepts.find((a) => a.network === "base");5 6const payment = await payX402({7  accept,8  wallet,                  // a signer for the chosen chain9});10 11const res = await fetch(url, {12  headers: { Payment: payment.header, "Payment-Signature": payment.signature },13});

Request 2 — replay with proof

1GET /api/x402/product/acme/prod_pattern?quantity=1&email=buyer@example.com HTTP/1.12Host: aly.store3Payment: eyJ4NDAyVmVyc2lvbiI6MSwic2NoZW1lIjoiZXhhY3QiLCJuZXR3b3JrIjoiYmFzZSIsInBheWxvYWQiOnsiZ...4Payment-Signature: 0x4f1c...

Response 2 — 200 with the goods

1HTTP/1.1 200 OK2Content-Type: application/json3PAYMENT-RESPONSE: {"txHash":"0xfa3c...","network":"base","blockNumber":12345678}4 5{6  "order": {7    "id": "ord_72...4b",8    "site_slug": "acme",9    "product_id": "prod_pattern",10    "quantity": 1,11    "total": { "amount": 5000000, "currency": "USDC" },12    "payment": { "network": "base", "txHash": "0xfa3c..." },13    "download_url": "https://cdn.aly.store/orders/ord_72...4b/pattern.pdf",14    "expires_at": "2026-05-19T16:35:00.000Z"15  }16}

Order is created before settlement

The handler runs before the on-chain transfer settles. The x402 framework verifies that the signed authorization is valid (signature, nonce, expiry, sufficient balance), then attempts settlement after the response. If settlement fails, Aly voids the order and emits order.refunded.

Idempotency

The order id is derived from a hash of the payment payload. Re-trying the same request returns the same order (and skips re-creating it). This protects against replay and accidental double-charges from retried HTTP.

Errors

Status	Cause
402	No payment provided; `accepts` in body.
400	Bad payment payload (decoding, schema).
402 (re-issued)	Payment signature invalid or expired.
404	Product not eligible for x402 (physical, no file, missing wallet, over limit).
409	Payment nonce already used.
429	Per-IP checkout rate limit.

Was this page helpful?