Skip to content

x402-server-guard

Server-side hardening for x402 payment endpoints.

Wrap your x402 payment endpoint to close the settlement race, replay, cross-resource substitution, grant-before-finality, and cache-leakage holes. Vulnerable code first, fixed code second, on every page.

Read the guideGitHub

This is the teaching companion to the library. It explains, without assuming you know crypto, what each attack is, how it lets someone cheat a paid endpoint, and how the guard stops it. The authoritative, code-exact facts live in the repository: coverage map ties each attack to the test that proves it, and hardening explains the mechanisms in depth. These guides are the friendly narrative; when in doubt, the repo is the source of truth.

New to x402? Start with Understanding x402, a short attack-relevant primer (the 402 flow, the signed payment, the nonce, and the verify vs settle gap). Everything else assumes it.

The attacks come from two papers. Each page cites the specific attack or invariant it addresses.

This library is not audited and is not a security guarantee. It mitigates these specific attack classes. It cannot make an insecure endpoint safe on its own.