server-express

Overview

The x402 Payment Protocol Server is an SOC2-compliant Express.js server that implements the x402 HTTP payment protocol for AI agents and applications to request payments in exchange for resources or services. Built specifically for the Owl Smart Wallet ecosystem, it enables autonomous agents to:

• Request payments for API access, data, or services via standard HTTP 402 responses

• Accept USDC payments on multiple EVM chains (Sepolia, Base, Arbitrum testnets and mainnets)

• Issue USDL tokens as settlement currency for cross-chain transactions

• Verify payments on-chain before granting access to protected resources

This server serves as a reference implementation for building x402-compatible payment endpoints that AI agents can interact with autonomously using the Owl Smart Wallet.

Architecture Role

The x402 server fits into the Owl Smart Wallet ecosystem as follows:

AI Agent (OpenClaw) 
  ↓
MCP Server (owl-wallet)
  ↓
Owl Smart Wallet (ERC-4337)
  ↓
x402 Client (payment request)
  ↓
x402 Server (this component)
  ↓
Facilitator (payment verification)
  ↓
On-chain Settlement (USDC → USDL)

Key Integration Points:

• AI Agent Layer: Agents use MCP tools to automatically detect 402 responses and initiate payments

• Smart Wallet Layer: The Owl Smart Wallet signs and submits payment transactions via session keys

• Protocol Layer: x402 client/server negotiate payment terms and verify settlement on-chain

• Settlement Layer: USDC payments are converted to USDL tokens for the resource provider

Key Features

SOC2 Compliance

Enterprise-grade security and auditing for production deployments:

• Rate Limiting: 100 requests/minute per IP to prevent DDoS attacks

• Structured Audit Logging: JSON logs with correlation IDs for compliance tracking

• Request Validation: Input sanitization and 100KB size limits

• Security Headers: Helmet.js with HSTS, CSP, and X-Frame-Options

• Graceful Shutdown: Clean resource cleanup on process termination

• Health Monitoring: Memory and uptime checks with structured responses

Multi-Chain Support

Accepts payments on six EVM networks:

Clients automatically select the optimal network based on available funds.

Payment Flow

1. Client requests resource → Server responds with HTTP 402 Payment Required

2. Client reviews payment terms → Selects network and asset to pay with

3. Client submits payment → Smart wallet transfers USDC on-chain

4. Server verifies payment → Facilitator confirms transaction settlement

5. Server grants access → Returns requested resource with HTTP 200

Setup

Prerequisites

• Node.js v20+ (install via nvm)

• pnpm v10 (install via pnpm.io/installation)

• Facilitator URL (deployed x402 facilitator service)

• EVM Address to receive USDL payments

• USDC Tokens on supported networks for testing

Installation

1. Install dependencies:

1. Copy environment template:

1. Configure environment variables in .env:

Running the Server

Development Mode (hot reload):

Production Mode:

On startup, the server performs a health check on the facilitator service and logs the connection status.

API Reference

GET /buy

Purchase USDL tokens by paying USDC on any supported chain.

Query Parameters:

Example Request:

Response: 402 Payment Required (no prior payment):

Response Fields:

• x402Version: Protocol version (always 2)

• resource: Details about the protected resource

• accepts: Array of payment options (one per enabled chain)

  • scheme: Payment scheme (exact = exact amount required)

  • network: CAIP-2 chain identifier (eip155:<chainId>)

  • amount: Payment amount in token's smallest unit (e.g., USDC has 6 decimals)

  • asset: ERC-20 token contract address

  • payTo: Recipient address for payment

  • maxTimeoutSeconds: Payment validity window

Response: 200 OK (payment verified):

AI Agent Integration:

The OpenClaw agent automatically:

1. Detects the 402 response via MCP tools

2. Selects a payment option matching available wallet funds

3. Uses owl_executeUserOperation to transfer USDC

4. Retries the original request with payment proof headers

GET /health

Health check endpoint for monitoring and load balancer probes.

Example Request:

Response: 200 OK

Response Fields:

• status: Overall health (healthy | unhealthy)

• timestamp: ISO 8601 timestamp of check

• version: Server version string

• checks.memory: Memory usage health indicator

• uptime: Server uptime in seconds

• environment: Deployment environment

Configuration

Environment Variables

Enabling Mainnet Networks

By default, only testnets are enabled (11155111,84532,421614). To accept mainnet payments:

1. Update ENABLED_CHAINS to include mainnet chain IDs:

1. Ensure your facilitator deployment supports the requested mainnets

2. Verify USDC contract addresses in src/config.ts for each mainnet

3. Test with small amounts before production deployment

Security Architecture

Rate Limiting

Protects against abuse and DDoS attacks:

• Default: 100 requests per minute per IP address

• Algorithm: Token bucket with configurable window

• Response: HTTP 429 Too Many Requests when exceeded

Input Validation

All inputs are sanitized before processing:

• Amount validation: Regex pattern matching for numeric strings

• Request size limits: 100KB maximum body size

• Header validation: Strict x402 header parsing

• Type checking: Runtime validation of query parameters

Audit Logging

Every request is logged with structured JSON:

Correlation IDs allow tracing a request across services for compliance audits.

Security Headers

Helmet.js provides production-grade HTTP headers:

• HSTS: Force HTTPS connections

• CSP: Content Security Policy to prevent XSS

• X-Frame-Options: Prevent clickjacking

• X-Content-Type-Options: Prevent MIME sniffing

• Referrer-Policy: Control referrer information leakage

Testing with AI Agents

Using the OpenClaw Agent

The OpenClaw agent has built-in x402 support via MCP tools:

Manual Testing with x402 Client

Testing Payment Flow

1. Deploy the server:

1. Request a resource (triggers 402):

1. Review payment options in the 402 response JSON

2. Submit payment using your Smart Wallet (via MCP or directly):

1. Retry request with payment proof headers (automatically added by client)

2. Receive 200 response with USDL token confirmation

Production Deployment

Pre-Deployment Checklist

• Configure production FACILITATOR_URL

• Set secure EVM_ADDRESS with cold wallet backup

• Enable only required chains in ENABLED_CHAINS

• Set NODE_ENV=production

• Configure reverse proxy (nginx/Caddy) with HTTPS

• Set up monitoring for /health endpoint

• Configure log aggregation (CloudWatch, Datadog, etc.)

• Test rate limiting under load

• Verify USDC contract addresses for each mainnet

Recommended Architecture

Monitoring

Key metrics to track:

• Request rate: Requests per second by endpoint

• Payment success rate: Percentage of 402 → 200 conversions

• Response latency: p50, p95, p99 latencies

• Error rate: 4xx and 5xx responses

• Memory usage: Heap size and garbage collection

• Facilitator health: Upstream availability

Next Steps

• Deploy a facilitator for payment verification (see Facilitator Documentation)

• Integrate with AI agents using the MCP x402 tools

• Add custom endpoints with payment requirements for your services

• Configure mainnet chains for production token sales

• Set up monitoring and alerting for payment success rates

• Implement webhook notifications for payment events

Additional Resources

• x402 Protocol Specification

• Owl Smart Wallet Documentation

• MCP Server Integration Guide

• OpenClaw Agent Documentation