RQ-014 — x402-K: Credential Challenges for Agents


Abstract

x402-K pairs with x402 by turning 401 Unauthorized into a machine-readable credential challenge. Servers publish the predicates (age, residency, sanctions), accepted schemas, nonce, verifier endpoint, and grant TTL; clients collect SD-JWTs, verifiable credentials, or zk proofs and retry with a cryptographic presentation. This paper defines the protocol, threat model, facilitator roles, and governance hooks needed to make agent-native compliance flows trustworthy and privacy-preserving.

Research Notes

  • Details the HTTP headers/bodies for challenges and presentations, including grant semantics and media types.
  • Maps the trust stack across issuers, facilitators, verifiers, and agents; documents attacks (replay, phishing, compromised facilitators) with mitigations.
  • Introduces the “cross-KYC package” and suggests pairwise DIDs, nonce stores, revocation lists, and hashed pseudonyms to minimize linkability.
  • Provides an implementation roadmap spanning spec v0.1, middleware/SDKs, facilitator kits, and an interoperability sandbox that already returns 200 OK after automated retries.
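
The replay and phishing mitigations listed above depend on the verifier tracking the nonce it put in each challenge. The sketch below is an added example, not code from the paper or its SDKs: all class, function and field names are hypothetical, and an HMAC over the nonce and audience stands in for the holder signature that a real SD-JWT or verifiable-credential presentation would carry.

```python
import hashlib
import hmac
import secrets
import time


def bind(holder_key, nonce, audience):
    """Stand-in for the holder's signature over (nonce, audience)."""
    msg = f"{nonce}\n{audience}".encode()
    return hmac.new(holder_key, msg, hashlib.sha256).hexdigest()


def present(challenge, holder_key):
    """Client side: answer a challenge with a presentation bound to it."""
    nonce, audience = challenge["nonce"], challenge["audience"]
    return {"nonce": nonce, "audience": audience,
            "binding": bind(holder_key, nonce, audience)}


class ChallengeVerifier:
    """Server side: issues challenges and accepts each nonce at most once."""

    def __init__(self, audience, ttl=60, clock=time.monotonic):
        self.audience, self.ttl, self.clock = audience, ttl, clock
        self._pending = {}  # nonce -> expiry time (in-memory store, assumption)

    def challenge(self, predicates):
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = self.clock() + self.ttl
        return {"predicates": predicates, "nonce": nonce,
                "audience": self.audience}

    def check(self, presentation, holder_key):
        # pop() removes the nonce on first use, so a replay finds nothing.
        # A failed attempt also burns the nonce (fail closed).
        expiry = self._pending.pop(presentation.get("nonce"), None)
        if expiry is None:
            return "replayed_or_unknown_nonce"
        if self.clock() > expiry:
            return "expired_nonce"
        # A presentation made out to another verifier is rejected here.
        if presentation.get("audience") != self.audience:
            return "wrong_audience"
        expected = bind(holder_key, presentation["nonce"], self.audience)
        if not hmac.compare_digest(expected, presentation.get("binding", "")):
            return "bad_binding"
        return "ok"
```

In a multi-instance deployment the pending-nonce map would need to live in a shared store with an atomic delete-and-return operation, otherwise two instances could each accept the same presentation once.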
