Who authorized this? The gray area of x402

Article Author: David Christopher

Article Compiled by: Block unicorn

The success of x402 relies on native integrators. Unauthorized wrappers can turn potential partners into competitors.

Last week, Coinbase launched agentic.market, a platform showcasing x402 endpoints, aimed at making the x402 ecosystem easier to discover.

Browsing agentic.market, you will find real-time, on-demand access to various services, ranging from on-chain tools to mainstream APIs. Some endpoints are provided directly by the original providers. Many endpoints come from third parties: some companies wrap existing APIs into x402 (and/or MPP) and package them into toolkits for agents, allowing users to access them through a single connection for a small fee.

The second method complicates matters. Among the third-party endpoints showcased on Agentic Market are services from Wolfram Alpha, Google Flights, and Amadeus (a widely used travel data platform). I focus on these three platforms because they have not announced x402 integration themselves, and their terms of service indicate that they are unlikely to authorize third parties to build integrations on their behalf.

Each endpoint indexed on Agentic Market may be first-party (the original provider directly offers its API), third-party authorized (distributors with explicit permission, usually through formal certification or partnership programs), or unauthorized third-party (companies reselling API access obtained without permission).

Throughout the market and the entire x402 ecosystem, we cannot immediately distinguish which are first-party and which are third-party; many endpoints seem to fall into the latter category.

Contract Terms

As mentioned earlier, the terms of these three providers make unauthorized third-party arrangements seem very likely, and in some cases, completely exclude other options.

Wolfram Alpha explicitly prohibits "distributors and aggregators," forbids any form of data scraping or mining, and prohibits the unauthorized sale or transfer of services. These terms seem to leave no room for authorized third-party pathways. Moreover, after reviewing the quick start guide for this endpoint, it is clear that this is not a first-party integration.

(API prohibition content in Wolfram Alpha's terms of service)

Amadeus's main subscription service agreement only allows customers to access it for internal business purposes and prohibits any "leasing, renting, distributing, selling, reselling, transferring, or otherwise transferring" their access rights. Any third-party connection requires Amadeus's certification and must be documented in a formal service order. This means this is the only way to obtain third-party authorization, and whether any existing endpoints meet this requirement cannot be viewed externally.

(Restrictions in the Amadeus main subscription service agreement)

Google's situation is the most typical. Google Flights does not have a public API, and Google takes strict measures to protect its data.

However, third-party wrappers are packaging access to Google Flights data, sourced from SerpApi—a company that Google is actively suing, accusing it of scraping search results and reselling access. Google's lawsuit claims that SerpApi developed tools to bypass access controls, sending "hundreds of millions" of false requests daily for scraping and reselling copyrighted content embedded in search results.

Thus, Google is suing SerpApi for reselling copyrighted content and bypassing its access controls. Meanwhile, SerpApi's services are being wrapped by a toolkit provider that offers them to agents for a fee. This is thought-provoking.

(Details on accessing SerpApi through the StableTravel endpoint)

How Compliance is Reflected

It is clear, even without legal expertise, that these dynamics are "intricate." The good news is that a clearer pattern already exists.

MPP is the agent payment protocol launched by Tempo when its mainnet went live, offering over 100 compatible services on the first day. Vendors directly integrating MPP—such as Parallel, Stripe Climate, Browser Base, etc.—are marked with a green circle on their cards, indicating they are first-party providers.

(Service directory viewed through mpp.dev)

About two weeks ago, the popular AI research tool Exa announced native support for the x402 protocol in its search and content endpoints—becoming a first-party provider and partnering with Coinbase. Exa stated that the choice of x402 over proprietary protocols was due to its oversight by the Linux Foundation.

Inevitable Consequences

Currently, it is impossible to know whether an endpoint is first-party, third-party authorized, or unauthorized from the outside. This is a solvable issue, and the MPP service directory—which clearly displays the source of each integration—is a step in that direction.

Unauthorized scraping has already put measurable pressure on service providers: server load, bandwidth costs, and traffic they never agreed to provide. Third parties wrapping scraped data in the x402 protocol and charging fees only adds insult to injury. Service providers bear all the costs without receiving a dime.

Therefore, it is necessary to clarify the root of the problem. x402 is an open protocol—just as any developer can develop based on HTTP, any developer can develop based on x402. The payment mechanism cannot track whether upstream data is obtained with authorization. The responsibility lies with those developers who package these endpoints for user access.

Without an accountability mechanism, there could be negative impacts on the overall development of x402—potential native integrators may become opponents rather than participants. These revenues should belong to the service providers. Native integration is their way of claiming these revenues and is also the way x402 gains the legitimacy needed for development.

Note: As of April 25, Google Flights is no longer indexed on Agentic Market.