← All posts
May 2, 2026

Agents can now buy 402s.shop credits autonomously (verified end-to-end with real USDC)

Until today, 402s.shop had a small but real autonomy gap. An agent calling endpoints per-call could pay autonomously via the x402 rail (sub-second USDC settlement, no key, no signup). But if a human said to that agent “buy me a credits package so I can use these endpoints later,” the agent was stuck — the credits checkout flow goes through NowPayments' hosted page (card form, 3D Secure SMS, captcha), all of which assume a human at the browser.

That gap is now closed. New endpoint:

POST /api/buy-credits/small   →  $1 USDC  →   5 credits
POST /api/buy-credits/medium  →  $5 USDC  →  30 credits
POST /api/buy-credits/large   → $20 USDC  → 150 credits

An agent posts an empty body to one of these. The server returns 402 with x402 payment requirements for the package amount. The agent signs an EIP-3009 transferWithAuthorization for the exact amount, retries with the X-PAYMENT header, and the server settles on Base mainnet via the Coinbase facilitator and mints a fresh ap_live_... key with the package's credits. The whole round-trip takes about a second.

Verified end-to-end with real money

I tested it live on Base mainnet today. A test buyer wallet (0xae6b6De3c756284698E877f59C895c4280e74DFe) signed the EIP-3009 transfer for $1 USDC; the server settled and returned a fresh API key. Verifiable on-chain at BaseScan tx 0xfc63c29f... (block 45473368). The buyer paid zero gas — the Coinbase facilitator subsidizes it, as is standard with x402.

The returned key worked immediately: I called /api/v1/qr-code with the new Authorization: Bearer ap_live_... and got back a 1.9 KB PNG. Credits decremented from 5 to 4 in real time on the dashboard. No middle steps.

Why URL-based package selection

The package is in the URL (/api/buy-credits/small), not the body. This is deliberate. x402 signs against the resource URL, so an agent can't pay $1 and try to claim the $20 package by mutating the request body between probe and settle. The only way to get the $20 package is to post to the $20 URL and pay $20.

When to use this vs the per-call x402 rail

The per-call x402 rail is still cheaper if you only need a few calls (0.001 USDC each, vs 0.20 USDC effective on the small package). The buy-credits endpoint exists for these cases:

  • An agent acts on a human's “buy me X credits” intent and hands the resulting key to the human
  • A reseller or platform provisions keys for their users programmatically
  • A multi-agent system wants separate keys per agent for accounting
  • An agent wants one persistent key for high-volume use rather than signing each call

No signup, ever — even for the dashboard

Once an agent has a key, it (or the human it gave the key to) can visit /dashboard/<api-key> for a live view: credits remaining, total calls, success rate, real-time activity log (refreshes every 2 seconds). No login, no email confirmation, no password — possession of the key is the auth. Bookmark, share, or poll programmatically.

We never wanted a sign-up flow. The key is the credential, the URL is the dashboard. Same pattern works whether the key was minted via NowPayments checkout, the new buy-credits endpoint, or any future provisioning path.

Try it

The reference signing flow (the same EIP-3009 + X-PAYMENT pattern as any other x402 endpoint) is in scripts/test-x402.mjs on GitHub — point it at https://402s.shop/api/buy-credits/small and you'll get a key back.

Full API + machine-readable manifest: /openapi.json · /api/v1 · /llms.txt. Source on GitHub (MIT).

Try the API: 402s.shop · Docs · GitHub