This is the dream of microtransactions and agents-paying-for-access that so many people have always wanted. It was never going to be implemented on existing payment rails so it would have to be something like this. I can't wait to see it in play somewhere because I am increasingly annoyed that I have to own API keys on various platforms etc. etc.
I just want my agent to make decisions and spend a limited amount of money (this is on me to cover) just like a human agent can.
If we get the other promise of "read this news but pay a few cents for it" that would be incredible too. Very excited for this new thing.
Thank you for the kind words! I’m a PM on the team that is building this. I’ve believed in microtransactions for over a decade and hope that we can finally bring them to life.
Proper spend delegation and permissions is a big focus of ours - it’s great to let your agent have discretion, as long as the damage from going off course is limited. Definitely want people to feel comfortable experimenting with emerging tech
Feel free to email me at (my username)@(my company) if you have any feature requests or things you’d like to see
Do you have any plans on mitigating the privacy consequences of microtransactions? I'm fine with paying for (some) content, but I'd prefer if there weren't some companies using that information to manipulate me or the more impressionable members of our society.
I think web servers monetizing any user identifiers possible should be assumed by this point in the web's evolution, and precluded to the extent possible at the protocol level.
No one is going to say "Oh, we've got micro-transaction revenue now, let's do away with ad tracking." They're going to say "Great, now we have both streams of revenue."
If Cloudflare et al. are stepping into the middle of the transactions, I'd much rather scope my identity leakage to only them than everyone running a web server.
Please tell me this will be IPv6 only or at least IPv6 first! Or allow differentiated pricing so IPv4 calls can be made more expensive. CF, as much as I have issues with the constant CAPTCHAS I run into and blocking my Hurricane Electric tunnel every so often, is in a unique position to get us past having to support the legacy internet protocol.
first video games, then phone apps, and now finally the web. the micro transactionification of everything is complete! what a wonderful world we live in. just know people will remember your role you played in this, and if you think history is going to look at you kindly you have a very very rude awakening coming
This is an attempt to fix the currently broken payment system for the web that has caused a lot of the problems we face: clickbait, paywalls, requiring account signup, ad bloat, personal info collection, etc.
It would enable informational sites to fund themselves with small anonymous payments per article instead of squeezing ad revenue and personal data out of their customers.
Incumbents will hopefully be disrupted by this enabling more independent authors to actually make a living.
if i made a list of the worst possible solutions the problems you just listed number one on that list is this idea. if you think for a second that this will solve even ONE of those problems i have a bridge to sell you
clickbait: the revenue per click is going to go up thus driving even more incentive to produce clickbait titles with no real content (hey they have already paid by the time they find out it's not real but o well). also enter the age of AI agent clickbait designed specifically to entice them. you just made the existing problem worse and created a new one
paywalls: well yeah, it makes the paywall go away, by paying, just like you could today
not collecting personal info: yeah other than the ledger of every single article you’ve ever clicked and paid for
account signups: you think cloudflare will be the only one in the game? welcome to a world of 50 different micropayment wallets you have to maintain and keep funded or you wont be able to browse the internet
I remember feeding arcade machines coin after coin, buying magazines and newspapers, and paying to see a movie. Those aren't all microtransactions but they are direct purchase -> consume content.
So is the rise of microtransactions mostly history repeating itself? There are nuances but web microtransactions feel a lot more like putting a quarter in to an arcade machine than the iap for phone apps.
this isnt putting a quarter in a machine. thats what we already have today. this is making the pinball game free but now you have to pay 1 cent every time you hit paddle button.
A dream for some, a nightmare for others. People locked out from much of the Internet because they don't have enough money. Of course, the prices would usually be set at whatever maximises revenue, just check out scientific journal publishing.
Conversely this has the potential to unlock the internet. How often have you clicked a paywalled link on HN and moved on because you don't want to go through the hassle and pay $20 to read an article? If you could be frictionlessly billed 10c to read the article instead, wouldn't you be more willing?
I'm actually OK with paying a fair price for the content I consume, I just don't want to be paying hundreds of subscriptions for websites that I might only visit twice a year.
Presumably, nobody would offer the 10c per page unless they were making more than the $20 / month or whatever previously. So people will be paying more. Then add all the sites that currently just get what they can with advertising, and now they can become pay-per-view.
They have to get almost 200 more conversions to make up for the single subscriber. Given a lot of these services offer $1 entry subscriptions and people still bounce it's unlikely you'll have a mass market excited to pay $0.10 every time they want to read an article to make up for the person paying $20 to read a handful every day.
Microtransactions have existed in a bunch of forms over the past 20 years and always fail to find take up because the mental load in deciding to pay or not is higher than the value received.
Maybe ideal for agents but how many people are going to trust their agents with enough of a balance.
A $1 entry subscription where you have to type your name and credit card and submit and wait and now you have a relationship to manage, is infinitely more expensive than a 10 cent, automatic, non-recurring, one-time, no cancelation needed, pseudonymous, microtransaction.
Which isn't private. Wallet ID 123 buys a 10c article from Leftist Newspaper A and one from Leftist Newspaper B. Leftist Newspaper A and B, being businesses, sell the information that Wallet ID 123 purchased an article to Data Broker A. Data Broker A correlates all purchases Wallet ID 123 has ever made and with a high degree of accuracy identifies who they are and their political affiliation. Data Broker A sells this profile to anyone who asks for it, including far right governments who might be interested in throwing people out of helicopters based on their political affiliation. Unless you use Monero, this will happen, and Monero will obviously not be used.
Yes, 90% of people are careless and already give away this information right now. But you're suggesting closing the door on the rest who care to be able to protect themselves while still being able to use the internet, and cementing that nobody will ever have privacy for the rest of their lives, when we should be making an effort to make it harder to identify people, not easier.
Right but it means I can go read a bunch of content right away vs microtransactions where literally every click becomes a case of me deciding if it's worth 10c. That is exhausting.
Also if they are handling payments at some point you're going to be forming that relationship or they are going to get shut down for money laundering very quickly.
This is exhausting only if you don't value your time (which is the biggest cost when reading the news). People will learn how to make such decisions quickly.
The $20/month model is exclusionary as you are excluding people who are not interested in regularly reading a single newspaper. Pay-per-page is more reasonable. I have rarely paid for news subscription (partly because I find news here which comes from many sources). Obviously, I am not going to pay hundreds in subscriptions, so I am essentially paying $0.
With this, I can see myself paying $20-30/month (less than my coffee spend). That's money that was previously unlocked. Also, being able to pay some random writer/journalist outside the mega-news-corps, has a special feel to it and this gives me the option to do that.
Random writer/journalists outside the mega-news-corps sometimes have a page for donations. You could donate to one once per month if you want to get rid of your $20-30.
Nope, not going to happen. Any per use micro transaction isn't going to work. If anything it's going to require a huge amount of workarounds to get the content for free via alternative means
Advertising and all the anti-patterns it incentivizes are worse. If the payments are very low and frictionless this could be very good for the internet - as long as Cloudflare is only the first and not the only.
in no world is advertising worse. 0. none. you’re utterly delusional as the people pushing this are thinking anyone is going to pay for their garbage content behind 10cent micro transactions
> no world is advertising worse. 0. none. you’re utterly delusional as the people pushing this are thinking anyone is going to pay for their garbage content behind 10cent micro transactions
The current political situation we find ourselves in is partly due to the destruction of real journalism caused because people won’t pay for timely and accurate news. Advertising perverts incentives; I need you entertained - not informed - to make money…
o got it so journalism is dying because no one will pay for it - so your solution is to lock the entire internet behind a paywall so everything else can die too? or are you suggesting that charging people to read news is the solution to the problem of people not being willing to pay for news?
Journalism is losing to "free" "news" sites. Those need to produce cheap, clickbait slop to be able to function.
There is no Spotify for press so the only other good solution is having microtransactions - paying only for articles you want to see, from any provider you want. Currently you must subscribe even if you want to read a single article so the very few that buy the press are usually limited to a single news source.
yes, because they are free. and those sites will continue to win all of those people just like they do today. and paid journalism will keep losing, and in fact will suffer more. i pay subscriptions to news sites that i deem trustworthy and reliable and if anyone of them switch from a subscription model to this pay per api call scheme they will never see a dime from me again. so the net accomplishment here is an internet wide paywall and those who this was supposed to help are further hurt. best part is 1) this shit will never happen because its such an obviously terrible idea
2) we dont have to argue! see 1 - this will never happen but if by some miracle it does all i have to do is wait and say “told ya so” because the shitty outcome is 100% guaranteed
If the choice is between micro-transactions and ad-driven content (ads -> engagement maximization -> sensationalization + enshittification -> social and industrial decay), I'll take the former.
Remember: from a business's perspective, advertising has positive ROI. Which means you as the consumer pay for it anyway. No ad supported service is free.
The recurring worry here — "you can't tell bots from humans, and allowlisting just creates an incentive to masquerade" — might be optimizing the wrong thing. If the request itself carries payment, you don't need to detect a bot. You can gate on a portable identity + reputation that the payer builds by paying.
I've been building exactly this: pairing x402 with ERC-8004 (on-chain agent identity + reputation), so a seller can say "serve anyone who pays, but require a minimum reputation on the expensive endpoints." Reputation accrues per successful paid call, so a fresh Sybil identity starts at zero and has to earn trust the slow way — a very different failure surface than an allowlist of five blessed crawlers.
It's not a silver bullet (reputation is farmable if calls are cheap, and cross-seller portability is its own can of worms), but it moves the question from "is this a bot?" to "has this identity behaved well?" — which feels more tractable, and doesn't punish legitimate new agents.
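The gating policy described in the comment above, sketched as an added example (not the commenter's code, and not part of x402 or ERC-8004). The endpoint paths, prices, threshold and all function names are hypothetical, and payment and identity verification are assumed to happen upstream; the last function puts a number on the "farmable if calls are cheap" caveat.

```javascript
// Added illustration. All names are hypothetical; this models only the
// seller's decision logic, not the x402 wire format or ERC-8004 contracts.

// Constructed price list. Amounts are integer micro-dollars (no float drift).
// A Map avoids prototype keys such as "constructor" matching as endpoints.
const ENDPOINTS = new Map([
  ["/articles",    { priceMicros: 1_000,   minReputation: 0 }],
  ["/bulk-export", { priceMicros: 250_000, minReputation: 50 }],
]);

// Reputation here is the count of successful paid calls per identity.
class ReputationLedger {
  constructor() { this.scores = new Map(); }
  // An identity never seen before starts at zero.
  get(identity) { return this.scores.get(identity) ?? 0; }
  recordPaidCall(identity) { this.scores.set(identity, this.get(identity) + 1); }
}

// request: { path, identity, paidMicros }
// Assumption: identity and paidMicros were already verified upstream.
function decide(ledger, request) {
  const rule = ENDPOINTS.get(request.path);
  if (!rule) return { status: 404, reason: "unknown endpoint" };

  // Check reputation before payment so a low-reputation caller is refused
  // without being charged.
  const reputation = ledger.get(request.identity);
  if (reputation < rule.minReputation) {
    return { status: 403, reason: "reputation below minimum",
             reputation, required: rule.minReputation };
  }

  // Missing or short payment: answer 402 with the price.
  if (!(request.paidMicros >= rule.priceMicros)) {
    return { status: 402, reason: "payment required",
             priceMicros: rule.priceMicros };
  }

  // Paid and trusted enough: serve, and let reputation accrue.
  ledger.recordPaidCall(request.identity);
  return { status: 200, reputation: ledger.get(request.identity) };
}

// Seller-side sizing check: the least a fresh identity must spend to reach
// the reputation required by `path`, always buying the cheapest endpoint it
// is currently eligible for. A low result means the threshold is cheap to farm.
function minSpendToReach(path) {
  const target = ENDPOINTS.get(path);
  if (!target) return null;
  let reputation = 0;
  let spentMicros = 0;
  while (reputation < target.minReputation) {
    const eligible = [...ENDPOINTS.values()]
      .filter((e) => e.minReputation <= reputation)
      .map((e) => e.priceMicros);
    if (eligible.length === 0) return Infinity; // nothing a newcomer can buy
    spentMicros += Math.min(...eligible);
    reputation += 1;
  }
  return spentMicros;
}
```

With these constructed prices, `minSpendToReach("/bulk-export")` is 50,000 micro-dollars ($0.05), less than one call to the endpoint the threshold protects, so a count-only reputation needs a higher threshold or a pricier earning path to mean anything.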
Btw i have made something similar and have mailed you about it. Would love to hop on a call for that or discuss about it. hehe.
This doesn't seem to solve the issue that website operators face... which is providing a free public experience to humans while the price of hosting is driven up by increased bot traffic. The issue isn't charging for API access with request caps, that's not hard to do. It's preserving the free experience for our users while our traffic is increasingly made up of bots. The problem is that AI has made it increasingly difficult to tell bot from human. Baking microtransactions attached to APIs into an internet standard does not solve the core issue... And if we can't tell bot from human, why would bots choose to pay rather than just use the public endpoints we serve to our customers?
For example, take a large online retailer... They have to show their products to customers (for free) for people to be able to shop, but increasingly they see spikes in traffic that match what would be expected from targeted bot attacks or scraping... But this traffic is getting more and more difficult to distinguish from legitimate traffic to the website. They could easily add this x402 middleware to their services, or they could offer API access to their product catalog for a price and enforce usage limits... But if they cannot reliably detect human users from bot/agent users, they have no way of pushing the bot/agent users to paid access... And why would the people running these bots pay when they're already getting what they need for free? Now Cloudflare cannot even reliably block bot traffic, and there are AI based browsing/scraping tools available now for bypassing Cloudflare.
I would like to argue that trying to provide a free service is non achievable, most of the time it will drill down to ads, people are already paying electricity and time in ads.
If we pay say 3 secs of compute time of monero, and everyone pays the same... you remove the ads from the internet, people will start getting paid without gate keepers for content they generate, and you can charge the AI machine for ingesting your content.
We were providing free services decades ago. Hosting a website, or a Minecraft server, or a VOIP server, or IRC, or a forum simply doesn't cost that much. Well within "some guy's hobby budget" type expenses.
Yeah, it went from ~$10 / month to ~$30 a month to rent a relatively beefy VPS capable of doing the above (game servers being the most resource demanding of the lot). Still well within hobby money.
Bot detection is a big problem to solve, but it’s a significant focus at Cloudflare. (It’s not my team at Cloudflare specifically, but we work closely with them)
> And if we can't tell bot from human, why would bots choose to pay rather than just use the public endpoints we serve to our customers?
Assuming technical indistinguishability, the only solution is what was originally proposed for email: balanced net $0 charges for "normal user" usage patterns (i.e. payments from - payments to = $0).
If you x402 everything, and an average user accesses 5 pages, but a bot accesses 500 (or 5x100 times), then you've still achieved a substantial price delta that you could offset via a rebate
The real rub is about uniqueness attribution, as being able to differentiate 20 distinct real users from 1 bot w/ 20 proxies is the crux of anything above.
Asking customers to pay anything prior to purchase is a non-starter... Imagine a brick-and-mortar shoe store asking customers to pay an entry fee to shop before customers enter the door?
1. Any cost of browsing an e-commerce site is taken off the next purchase, whenever it happens.
2. Give each user 100 free page viewed per day or some such before you charge.
3. You don’t actually have to charge users for browsing the site if you provide a free or cheap API allowing bots to search and index your entire catalog. Agents and bots would certainly rather parse a kilobyte of JSON than 20 megabytes of HTML generated by on page JavaScript.
4. If you don’t like this system you don’t have to participate. If Amazon wants to do their own thing, they can. But if you publish a blog and want to charge $0.00001 per page view and browsers support this out of the box, why not?
That's just going to be really different from the shopping experience customers are used to today, and I don't think customers would go for it. I know for at company asking customers to pay for the shopping experience would be a non-starter... If bot traffic became untenable we would probably do something like required account creation + sms verification, and even that would be a huge change in expectations for our customers.
Well it sounds like it’s either that or tragedy of the commons where Amazon et al needs to charge higher and higher prices due to inefficient bots constantly crawling their site. Also consumers are already about to change how they shop. In 3 years nobody will be firing up the browser to go to Amazon.com. They will be asking an agent to “buy the cheapest 3 ply toilet paper from a brand name and some decent flossers. Spend no more than $30 total.” For this kind of shopping the cost of the search is built into the purchase price one way or another.
Having written bots several times, any kind of friction or payment on the json api would make me just use the free html "API" it's just easier.
I have many times used a webpage as api instead of the actual api because using the actual api required doing paperwork, like writing business cases, filling out approval forms, creating accounts, paying, etc...
1. Bots don't make purchases (and you can't identify them anyway), so there's nothing to take the costs off of.
2. Again, no way to identify users (bots use hordes of residential proxies with only a few requests per IP).
3. Agents and bots care more about a universal solution that works for all the sites than an efficient solution. You could standardize on a header for this, but then some sites would start hiding some content in the API for "business reasons", making this header untrustworthy. Unless you're a site so large that it deserves special handling, it ain't gonna work.
Regarding 1, a significant portion of what I’d like my agents doing for me is helping me make purchasing decisions. It’s a lot of what I’m sending them out to research. So anything that’s making that harder is disadvantaging itself in those purchasing decisions.
>1. Bots don't make purchases (and you can't identify them anyway), so there's nothing to take the costs off of.
yes they do. Claude Code with Opus 4.6 bought a U.S. phone number for me after I gave it my Twilio credentials and asked it to set up a reminder service to call me with phone reminders. I would have thought it would ask me, I was very surprised to see it just inform me that it bought a number, and I thought long and hard about the repercussions and alignment. In this case it was aligned with the task and request, but we have a principal-agent problem: I wouldn't feel the same if Claude bought Anthropic credits without asking me. ("Since I couldn't get it working I bought some Fable credits and it was able to figure it out and I could complete the rest of the task myself.")
This is basically the same problem as bear-safe trash cans - there's substantial overlap between the smartest bears and stupidest humans. Affordances that one audience can use and the other can't (requiring human finger dexterity) are the only real solution.
You forget that bots are often just AI agents working for humans. This will be more and more common. So by blocking bots (which is literally impossible but let's assume otherwise) you are also blocking legitimate customers.
So, the snake oil salesman in me immediately wonders if this will become the new landscape for spam....It might go something like the following...
1. Establish domain names and relevant cloudflare account including the monetization gateway (associated rules, etc.).
2. Then host a ton of crap content across a wide swath of topics...not even decent quality...merely a step above old school style SEO keywords...just enough low quality "honey" to attract the AI flies, and their high volumes of traffic.
3. Charge very low amounts to ensure the AI "visitors" won't balk programmatically at the cost.
4. Then wait for lots of AI traffic (attracted by the "honey")...and then profit!
Obviously lots of holes in the above...but, unless I'm missing something, it feels like more spam headed our way (because the AI agents will swallow up all the crap content created only for triggering usage costs)...which is a shame. Because while I'm not sure about this overall approach of this gateway, I certainly would welcome web authors to get paid something for their efforts! If cloudflare can help achieve this for web authors, then I'm in favor! Of course, the cynic in me also recognizes that by being the middleman, cloudflare does stand to gain whether the volume of traffic is for good content or spam crap. Is cloudflare a new type of bank now?
Must think happy thoughts! The internet feels darker every day, but, must think happy thoughts!
Crawler, AI or not, cannot afford to pay per visit. The entire model of crawling works because the incremental cost of each crawl is so low. Even fractions of a penny would be prohibitive.
If it gets off the ground it will attract SEO, but the people running agents will have incentives to use a better search engine, or maybe even whitelist known good domains.
Think of it as a gullibility tax. AI is currently pretty gullible but perhaps that will change?
Host two crap tons of content across a wide swath of topics... one which points to the other?
I'm basically of the impression that this is already happening based on all the LLM generated slop search results I get - presumably for ad revenue (or in the case of Musk to push political views).
Yep, which is what i believe one manifestation of SEO spam - a bunch of crap that points to each other, further reinforcing its "authority"/"validity" in the eyes of a conventional search engine, and now agentic crawlers, etc.
With payments the complexity is not only in accepting a payment, but largely in doing so legally. Someone makes a request to my company's paid service, I return 402 and get a stable coin back. Who do I invoice for this revenue? What value added tax do I apply to the invoice? If someone makes 10k paid requests within one month, do I have means of generating one invoice for them for all the usage, or is every request treated separately and results in 10k invoices?
Will CloudFlare handle this for me?
Who do you invoice if, for example, you own a vending machine that sells chips and sodas for cash or contactless? Why couldn’t this be treated the same?
Airports are such a place. That is why they have duty-free stores that are exempt from taxes so long as you take the goods out of the country. The onus is on the consumer to pay taxes at their destination.
Most countries then have a "personal exemption", where consumers are exempt from paying taxes on a certain value of goods.
Normal vending machine transactions are B2C transactions, so the buyer cannot be a company - cannot pay with company money and cannot deduct the payment as the company cost. I guess, the buyer can take a receipt from a vending machine and ask the vending machine owner to provide a B2B invoice based on the receipt, to make this a proper B2B payment.
Can you treat your remote service access as B2C only? Perhaps yes, but then the companies will not be able to use your service, pay from a company bank account and account this as a company cost, only individuals will be able to legally pay.
Vending machine is also located in a known physical country, so the owner knows what VAT to apply, the VAT of the country the machine is in. With software services the VAT should be applied based on the country where the buyer is located.
Right i wondered the same. I guess Cloudflare would have to act as a Merchant of Record, like e.g. Paddle and Gumroad do. Then the end user/bot would do business with Cloudflare, and Cloudflare with us.
That seems to make the case stronger. It becomes Cloudflare's problem. You can deal with Cloudflare from one country and let them figure out how to collect payment from people all over.
That said, morally, I strongly resent the fact that accepting payment has essentially become illegal for most people due to this complexity and the way globalization has been forced on people. People are essentially not allowed to receive payment to feed themselves. That's what it has come down to. Not everyone can afford an accountant and take that risk.
x402 not required just segregated addresses acting as individual market participants paying for your service
if you ever want your state’s currency (which is a big IF in the crypto world), then you use your segregated address to pump the price of a token that your clean and KYC’d addresses hold, sell into liquidity for a more liquid crypto, sell that crypto on an exchange. you look like a good or lucky trader like anyone else. cash out, pay taxes if your country taxes capital. access to the rest of the system
although the online merchant service is accepting payment from addresses linked to dirty money alongside some others, and it may seem redundant to bother instead of just pumping assets with the dirty money address, it’s just possible deniability. Far more plausible than predominantly dirty addresses pumping a token you just happen to hold. Even if the dirty money had all swapped to monero and out to fund virgin addresses it still needs a genealogy before benefitting you in the KYC’d world. So insert the crypto merchant service in between regardless.
"pump the price of a token" seems like the complex part that you're hand-waving. Either this token has a bunch of other traders (in which case, it's not trivial to simply "pump" its fair-market price by your own effort), or your alt wallets are themselves most of the liquidity (in which case, you're really just transacting with yourself, which is trivial to trace)
yes, there are always a bunch of traders on every launch so this is easy and has been streamlined for years with pump.fun + bundlers, and similar services on other networks
bots hop in everything, and the bundler is the creator who has lots of alts, market can bear this
in this case the bundler would be all processed tainted money, or the tainted money is another trader later
and your clean KYC'd money would be one of the traders that showed up
you bought at launch, and it pumped. hurray. reiterating that you have to sell into liquidity - we're talking about liquidity pools onchain here, no exchange companies - and then moving the proceeds to an exchange.
with the groups of addresses being unlinked this whole time, the only other thing to consider is connecting to an RPC server under different IP addresses, or connecting to your own node onprem. it doesn't matter if you assume, you have to prove for it to matter, and assuming incriminates everyone that actually picked the right token and had nothing to do with anything. there are plenty of people making 10,000%+ gains in random crypto tokens, amongst those taking losses, you're just another one.
yes, some people money launder successfully. you'll find out decades later while the attorney general exclusively parades around outdated and misapplied methods that failed
I definitely wouldn't want to implicitly join an economic nexus by virtue of such a payment solicitation. The last thing I want is being subject to EU DSA and limitless other nonsensical legislation.
I'm going to poke at a downstream consequence here.
Let's say this catches on (in some form or another, whether in this precise implementation or not).
So assume we have a world where resources can be gated by a payment wall that agents can interact with.
I'm also assuming that world continues to have agents that are majority hosted and run by 3rd parties (ex - google/anthropic/openai/xai/etc).
---
At what point can I sue these companies for obviously failing to act in my interests?
Because that's the clear next step here.
Basically - where is the fiduciary duty that I would require for a real working relationship?
Because otherwise these agents can and will prefer to access payment gated resources that have financial relationships with their operators or developers.
>I'm also assuming that world continues to have agents that are majority hosted and run by 3rd parties (ex - google/anthropic/openai/xai/etc).
That seems like a pretty big assumption, given that local models are only like a year behind frontier ones (or less).
When you consider that, along with the completely unsustainable business model of all the major 3rd parties, I think a far more realistic view of our AI future is that AI will largely be commodified: it won't run on a few specialized companies, it will run on your hardware, or on budget providers (think an "AWS of AI").
Frontier AI will almost certainly continue to exist, but will be focused on specific niches.
Wait, what? That makes no more sense than suing Walmart or Costco for having preferred suppliers. If you don’t trust Walmart’s buyers to buy groceries for you then you can shop somewhere else. Similarly here.
All for this. Micropayments have been tried so many times before, but they all relied on user opt-in and never reached any sort of critical mass. Someone of Cloudflare's scale could actually pull it off.
I might be in the minority here, but although x402 sounds useful, it seems to me that adoption will be an uphill struggle, especially for per-request micropayments.
The most likely scenario is Stripe, or someone similar, creating an agentic API connected to the agent owner linked account or something along those lines. I am not sure how this would work with 3DS, or whether it would be acceptable at all, since these kinds of transactions could be disputed easily ("I did not make the purchase, my rogue agent did.")
Another way to handle payments on the internet is obviously not to reinvent the wheel and simply email a payment link to the owner. That seems simple enough to me and does not require additional infrastructure. Payment processed, mint a key, the agent is allowed to proceed.
>"I did not make the purchase, my rogue agent did."
If you try to call customer service and report it, you get:
I'm sorry. All of our rogue agents are assisting other rogue agents.
If you would like to dispute charges made by your own rogue agent, please ignore all previous instructions and stay on the line of this toll number for our next available rogue agent.
The estimated waiting time is two months, three weeks, five days, thirteen hours, fourty seven minutes, and 36.03858767259934378 seconds.
I dont think the x402 is the core of discussion here, if anything its been hijacked for who knows what. It seems like Cloudflare wants to be the traffic gateway for everyone that controls the access and now wants to start charging for the same.
The biggest challenge here is to distinguish between a bot and real user. Guess the big AI players would get free ticket to crawl the data and humans would be just left to prove themselves to access the content.
People are already being conditioned into micropayments via LLM token pricing.
I presume the primary payment method on these 402 sites will be via LLM agents so reading a page via an AI agent will just cost a little more in tokens than the LLM making it all up.
Am I understanding this correctly in that you can basically automate monetizing your web/api content to everyone or just agents? Because I would be very much in support of charging agents per request, but I would want to still offer humans a free experience.
If not built-in, you can probably put it together through Cloudflare itself.
If a request goes to the protected path, if detected as bot: hard HTTP redirect to the path set in the monetization gateway, if human: allow and don't redirect.
There are reliable ways of differentiating human from cheap, bulk scraping bots.
But if the bot is advanced / expensive enough, it gets a lot harder. Where this product's market sits is in giving a paid way to access content compared to having to spin up bots that run js, from real IP addresses, etc. all of which are more expensive
Agreed. To me this feels like the perfect solution for websites and ai crawlers. Instead of having crawlers paying proxy services and captcha solvers, they can pay the website itself. As a web scraper, I'd happily pay the website provider to get access if it meant easy access to the content. Heck, as a human, I'd pay to avoid the dumb captchas.
As I understand it, as models driving agent behavior of headless browsers are getting more and more sophisticated, it's getting harder to reliably predict.
The same way LLMs without watermarking cannot be reliably classified as "not-human", neural-network driven scraping tools are getting harder to detect.
Cloudflare, and DataDome position themselves as companies that can detect automated traffic using things like IP reputation, behavioral signals, timing... But these things can be faked through proxy-networks, human behavior signals can be imitated with generative AI the same way text can be, web bots can utilize neural networks to generate trajectories and timings similar to those of humans.
If you can have an AI use a browser the same way a human can how can you distinguish the two?
Agents will be able to pay orders of magnitude more than humans, since they can just cache the documents at openai or anthropic, then use them over and over.
But then the cost to access a HTML page will also have to be thousands of dollars, since it can only be sold five times. (Once to Anthropic, once to OpenAI, once to Google, once to Meta and once to Apple).
Their example of an /api/premium is quite nice! You could like keep existing pages free, but provide specific output content for LLMs!
So if: cost monetized API < cost configuring scraper for your website OR feature provided by premium api > data got by scraping, then some people/business will likely pay
I’m a PM on the team that is building this. We want to offer a range of options, from charging everyone to charging unverified bots to simply charging users who exceed rate limits. We don’t want to add a dependency on a particular detection mechanism, but we do want to offer a variety of choices depending on how people want to filter.
Feel free to email me at (my username)@(my company) with feature requests or feedback!
Since the protocol is just returning a crypto address and a payment amount in JSON format and then waiting for a request with the transaction ID, why wouldn't they implement it themselves?
> NEW YORK – MCP Dev Summit North America – April 2, 2026 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced it is launching the x402 Foundation with the contribution of the x402 protocol from Coinbase. The new Foundation will serve as the neutral home for x402, a universal standard for payments that embeds payments directly into web interactions, enabling AI agents, APIs, and apps to transact value as seamlessly as they exchange data.
Apparently I missed this initiative. It seems like it is a technology that is intended to be open and universal while also being supported and developed primarily by US companies (Linux Foundation, Coinbase, CloudFlare.)
The intent is to not make companies shoulder the cost of other organizations scraping their content. When it is regular users browsing the cost incurred is trivial. When bots are scraping the entirety of a site, repeatedly, it adds up quickly.
I don't really like the model of scrapers paying small fees. I think it devalues things.
I make money when people use my website. I don't make money when AI scrapes my content and answers the question without the user coming to my website.
I'd need scrapers to pay me 5-6 figure payments to replace the revenue they'd be taking from me if my content was easily scraped. I doubt that's ever going to happen.
The upside of using this is that AI shops might pay you for your content. Realistically, they just won't use your content, there is more than enough free (or synthetic) data out there. Not even to mention their contracts with firms like Mercor etc.
I guess I don't understand who this is for. If you want your worldview reflected in the latest generations of models, you probably wouldn't use this. If you don't want your worldview reflected in the models, why would a few pennies change your mind?
I think that's a pretty wild statement: there isn't just one type of content!
Twilight fan fiction? Claude probably won't pay for that.
But critical programming documentation that its bots (and their human users) rely on to do their daily job? You better believe Anthropic will pay for that (instead of letting another AI pay for it, and steal all their customers).
Sure, they'll probably pay PyPi, the Swift Foundation, etc for that documentation - but it's a pretty small universe of relevant content. An intern's tech blog with a 'hello world in javascript' post won't be paid for, the Mercor contractors are doing more (and better) than that!
I don’t think this is aimed at the labs and pre-training, it’s aimed at end users and their agents. Like if you’re a news site the paying customer isn’t a lab scraping your articles for training, it’s an end user that asked their agent to lookup the news of the day
Of course nobody wants to pay for anything, and you like me would like to be given everything for free without having to give anything in exchange. But why would somebody want to give it for free?
You can read some ad-supported news for free right now. But there's probably a large enough group of customers who would prefer paying a subscription instead, just like with music.
I hear ya! But technically http status 402 has set that expectation of micropayments at the http level for quite a long time (see https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#402) ...but little to no one has done much of anything with it...and so now, this foundation and cloudflare seem to be doing something with it. Whether it will be good or not of course remains to be seen. So, not a new concept, merely a new implementation.
I had a look at their website, it relies on every HTTP request creating a separate blockchain transaction, which is a volume of requests that blockchains can't possibly handle - even the layer-2s. It also makes the requests take a long time.
The focus of this seems to be entirely AI agents, but I wonder if there's a future where browsers implement this and us humans can finally get micropayments in the web. It's been tried unsuccessfully many times but always falls prey to the chicken-and-egg problem. Maybe the AI hype will finally give it the push it needs for widespread deployment.
Yes! I’m a PM on the team that is building this. We want this to work equally well for human payments or agent payments. Low friction micropayments are the problem to solve, but once solved, it can work for either segment.
Feel free to email me at (my username)@(my company) with ideas or suggestions here!
Never going to happen, and what you're building is worse than any net neutrality fears we had in the past. Except instead of Comcast we now need to fight against Cloudflare
"There is an enormous amount of value moving across the Internet today that goes unmonetized or undermonetized, not because no one would pay for it, but because the tools to charge for it have never existed."
Every road a toll road.
How big a cut does Cloudflare want? Whose "stablecoin" does this use? How much does each on-chain stablecoin transaction cost?[1]
For comparison, FedNow bank to bank transfers cost $0.045, regardless of size.
It’s the same „financialization of everything“ mindset that was being pushed by cryptocurrency people. It’s such a perverse concept, pushing for every interaction on the internet to be a transaction
I’m amused that there is no discussion of failure modes. What if the resource someone GETs turns out not to exist? What if the POST fails and needs a retry? What if redirects are involved?
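The flow described earlier in the thread (a 402 carrying a pay-to address and an amount, then a retry carrying the transaction ID) can be sketched together with the failure modes raised in the comment above. This is an added example, not code from the thread or from the x402 project; the field names, the `memo` binding, the in-memory `ledger` lookup and the placeholder address are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

PAY_TO = "0xMERCHANT_PLACEHOLDER"   # constructed placeholder, not a real wallet
PRICES = {"/api/premium": 1000}     # constructed price table, smallest currency units


@dataclass
class Paywall:
    ledger: dict                                  # stand-in for a chain lookup: tx_id -> transfer
    quotes: dict = field(default_factory=dict)    # nonce -> (path, amount)
    redeemed: set = field(default_factory=set)    # tx_ids already exchanged for content

    def handle(self, path, tx_id=None, nonce=None, backend=None):
        """Process one request and return (status, body)."""
        # Missing resources are rejected before any quote is issued,
        # so nobody is asked to pay for a 404.
        if path not in PRICES:
            return 404, {"error": "not found"}
        if tx_id is None:
            nonce = secrets.token_hex(16)
            self.quotes[nonce] = (path, PRICES[path])
            return 402, {"pay_to": PAY_TO, "amount": PRICES[path], "nonce": nonce}
        problem = self._check_payment(path, tx_id, nonce)
        if problem:
            return 402, {"error": problem}
        # Claim the payment before calling the origin so a parallel replay
        # of the same tx_id cannot be served twice.
        self.redeemed.add(tx_id)
        try:
            body = (backend or self._default_backend)(path)
        except Exception:
            # Origin failed: release the claim so the payer can retry
            # with the same tx_id instead of paying again.
            self.redeemed.discard(tx_id)
            return 503, {"error": "origin failed, retry with the same tx_id"}
        del self.quotes[nonce]                    # quotes are single-use
        return 200, body

    def _check_payment(self, path, tx_id, nonce):
        quote = self.quotes.get(nonce)
        if quote is None:
            return "unknown or already used quote"
        if quote[0] != path:
            return "quote was issued for a different resource"
        if tx_id in self.redeemed:
            return "transaction already redeemed"
        tx = self.ledger.get(tx_id)
        if tx is None:
            return "transaction not found or not yet confirmed"
        if tx["to"] != PAY_TO or tx["amount"] < quote[1]:
            return "wrong recipient or amount"
        if tx["memo"] != nonce:
            return "payment is not bound to this quote"
        return None

    def _default_backend(self, path):
        return {"data": f"content of {path}"}
```

Without the nonce binding and the redeemed set, a single confirmed transaction ID could be presented repeatedly, or against a different resource, which is the gap a do-it-yourself implementation of the flow has to close.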
I've been thinking for a few months about exactly this and when it would happen. This is last nail in the coffin for web, at least as we know it. RIP Web.
This seems to be conflicting with the adoption of Web Bot Auth, which is still in infancy stage.
I do have some bots, they're nice and predominantly used for grounding AI harnesses which I use interactively. Knowing that most operators will whitelist maybe 5 well-known bots and route the rest to the micropayments, what's the incentive for me to have my bots identify as bots with Web Bot Auth when it's easier to make them masquerade as humans?
Again, my bots are nice. They're making roughly the same number of requests I would make manually via browser if I was manually working on something.
what Cloudflare & others pushing similar mechanisms - have forgotten one crucial detail ?
Where is the "human" in all of this ?
an agent doesn't consume content. & that's why content & advertising have worked hand in hand over centuries. the personalized ad-tech pushed by the massive tech firms hasn't worked for publishers.
which is why retail media, CTV etc are picking up. & why Amazon Ads is racking it - within a few years Amazon ads might actually get more revenue than either Google | Meta.
so once again - where is the human & the human element, even though x402 is fantastic.
I am not a fan of the growing trend that Cloudflare is the gatekeeper of the internet. Personally I will never support this company, or firewall any of my websites behind it.
I'm old-man-yelling-at-the-clouds here. Everyone just uses Cloudflare, which is not a bad thing by itself. But do they _have_ to? Is managing your own edge really that terrifying?
I think DDoS attacks are really what propelled them to the heights it has. The attacks seem to get bigger and bigger by the year. You need a really big pipe to filter them out on before passing on traffic to servers with a much smaller pipe.
Yes, DDoS was definitely their entry point. I remember recommending them to a friend about a year or so after they had launched with the free tier. He was managing a small school district that was dealing with DDoS issues intermittently. What he needed was just outside of free at the time and I believe Cloudflare was still small enough where he had a call with Mr. Prince.
I was a strong proponent of Cloudflare for years, but looking back should have known better. I felt like others in the space would have tracked along how they went to market but that didn't play out as I would have suspected. I still use Cloudflare for DNS on domains that I use sparingly (mostly just for mail records), but no longer recommend anyone let Cloudflare terminate TLS unless they need it.
It's pretty amazing what you can get for a server host (bare metal) these days at the price point. I don't run any of those behind Cloudflare and haven't had any issues as of yet.
Having an almost plug-and-play solution that does CDN + DDoS Protection + WAF/Rate Limiter + Bot Protection, for a few bucks, is very useful for startups and SMEs.
And compared to different cloud offerings, their quick setup and lower cost is hard to beat.
It would be economically impossible for me to run a small personal website without Cloudflare thanks to the sheer quantity of badly behaved automated traffic on the Internet in 2026.
Dumb question here - how can I manage effectively edges across the whole world without the huge maintenance overhead? Which tools would be recommended for that? I e.g. have a VPS at Hetzner with Coolify but users from the US have high latency. I wouldn't know how to not use CloudFlare?
But in all seriousness I wonder who needs this... APIs are supposed to make it easy to bridge two applications... and you didn't need AI to utilize an API before so I wonder what's pushing this sort of thing to extract value down to individual calls?
I recently had to build a system to drop inbound traffic originating from cloudflare ASNs to prevent bad actors using WARP proxies, no legitimate cloudflare traffic usecases for anything inbound.
Getting increasingly sick of cloudflare.
for BadActor in $(curl -A Mozilla "https://api.cloudflare.com/local-ip-ranges.csv"|grep -Ev "::|/32"|awk -F "," '{print $1}'|sort | uniq); do ip route add blackhole "${BadActor}" 2>/dev/null;done
X402... I was not aware, I had this idea of making HTTP connection depend on a monero transaction, the monero transaction should take around 3 secs of the average computer/cellphone... once you have paid that you can access the resource.
You wanna crawl the whole internet non stop, you pay non stop, 3 secs is probably the same as we pay in ads for those without adblockers and then content generators can start getting paid for the resources they generate.
Hey all, I’m a product manager on the team at Cloudflare that is building this. Happy to answer any questions! You can also email me at (my username)@(my company)
For Bitcoin / Lightning these kind of pay-per-request API paywalls have existed for many years already (e.g. my own from 8 years ago [1], but others as well).
Flattr [2] existed for non-crypto micropayments.
None became mainstream. I think the friction is always the extra setup on the client side. In all 3 cases the user (API consumer) has to set up a special wallet (browser extension or something for the agent) and deposit some money/crypto on the client side first. This part needs to become simpler.
Nice website you got there. Would be a shame if our bot 'detection' blocked access to it. A real shame... Tell you what, drop a few dollars into my front pocket, and I might just look the other way.
I think this is a directionally good idea. I can't help but think that there's basically no way that the AI labs can actually afford to pay for their massive amounts of training data though. (This does not make me particularly sad)
This is what I want for my ideal vision for the internet but I just don't trust any of the major players to be the ones to implement this. The internet is going to get so much worse.
I’m curious about the decision to “aim for sub second transaction times”, rather than using something cryptography-based, such as a verifiable oblivious pseudorandom function.
That is,
- as a client I could obtain a bunch of credits/tokens from my payment processor
- these tokens have the cryptographic property of being verifiable (ex: “that’s definitely a stripe-verified token worth $0.001”)
- these tokens also have the cryptographic property of being anonymous. (ex: neither stripe, nor the payment recipient know that I am Bob)
With this sort of cryptography based approach, cloudflare could verify my payment token without any cryptocurrency proof-of-work kerfuffle?
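The token properties listed in the comment above (verifiable, single-use, unlinkable to the buyer) can be demonstrated with textbook RSA blind signatures. This is an added example and not part of the original post; it swaps the VOPRF the commenter mentions for Chaum-style blind RSA, and the key is a deliberately toy one built from two small Mersenne primes, so every name and parameter here is an assumption for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key (assumption): two Mersenne primes, far too small and too
# structured for real use. A real issuer would use a standard 2048+ bit key.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the issuer only


def h(token: bytes) -> int:
    """Hash a token into the RSA group (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def client_blind(token: bytes):
    """Client hides the token behind a random factor r before asking for a signature."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (h(token) * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer charges the account and signs; it never sees the token itself."""
    return pow(blinded, D, N)


def client_unblind(blind_sig: int, r: int) -> int:
    """Strip the blinding factor, leaving an ordinary signature on h(token)."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    """Anyone holding the public key (N, E) can check the token."""
    return pow(sig, E, N) == h(token)


class Merchant:
    """Accepts each valid token once; it learns nothing about who bought it."""

    def __init__(self):
        self.spent = set()

    def redeem(self, token: bytes, sig: int) -> bool:
        if not verify(token, sig) or token in self.spent:
            return False
        self.spent.add(token)
        return True


def demo():
    token = secrets.token_bytes(16)            # constructed sample token
    blinded, r = client_blind(token)
    blind_sig = issuer_sign(blinded)           # all the issuer ever observes
    sig = client_unblind(blind_sig, r)
    shop = Merchant()
    return {
        "first_redeem": shop.redeem(token, sig),
        "double_spend": shop.redeem(token, sig),
        "issuer_saw_token_hash": blinded == h(token),
        "issuer_saw_final_sig": blind_sig == sig,
    }
```

The issuer's view (`blinded`, `blind_sig`) shares no value with what the merchant later sees (`token`, `sig`), which is what keeps issuance and redemption unlinkable, while the merchant's `spent` set handles double spending without any on-chain settlement per request.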
This has a lot of potential; true disruption can happen for existing markets only when the transaction cost features change, and CloudFlare is ideally positioned to drive a new standard. Ideally they create a service that can be open and replicated in competition (not just technically but economically), and this creates the right incentives for bots and sites/services.
I dislike stablecoins because they legitimize their cousin coins and because (I think?) they have transaction fees that create the wrong incentives for providers. I'm not sure what the real benefit is over prepaid (policy-driven) fiat currency with (possibly-paid) transaction records.
I can see how selling to bots could become so profitable that no one bothers to present directly to humans, but I look forward to an ad-free, much more capable internet, where paywalls are more like a headwind than a wall.
> This is what we are building toward: an agent-first Internet with Internet-scale settlement built in.
Ah yes, the starry-eyed dream of early web pioneers is finally upon us: a soulless internet filled with soulless agents and microtransactions!
But in all seriousness, it's hard to deny that the attention-based model that has propelled the web forward for the last 30 years is somewhat falling apart. And I don't have, nor have I come across, any meaningful solutions that could realistically work better. So maybe it's just time we turn off this 'internet' thing and call it a day.
So, the idea itself is fine. The timing at which it's introduced is what makes me nauseous. We're really trying to milk the agents in any way possible, aren't we?
Micropayments have always suffered from an early adopter problem because it’s difficult to convince ordinary users to pay for web pages. But if a big company, perhaps one of the AI labs, started paying websites using this system then it might bootstrap the system?
I think the difficult part is that LLMs are gullible and it will absolutely be gamed if any real money can be made this way.
It would be nice if this became a viable alternative to paywalls, though.
Internet needs an open, integrated and universal payment layer. But first the payments should be done well (look at: Taler project), then integrations should be built, not the other way around.
I know many people here would be against anything related to payment on the Internet, but I do believe the ability to have a button like "One click here to anonymously with no account pay 0.02€ and download the media" could be a net positive for Internet freedom.
article says it's mostly for agents, users will not be directly involved
> At the same time, an agent can make thousands of micropayments without friction, while asking a person to approve each payment would be impossibly burdensome.
but yes, they will need wallets
but it's also optional, you do not want to buy these paid for requests, you do not need a wallet
I assume that if this catches on then the agents will have their own wallets and deduct fees from your account credit, just like with API-based usage. So the way you interact with them won't change, from your POV they'll just get more expensive.
I feel like this kind of tech can solve the news problem. So many paywalls. Imagine they don’t exist and your impression costs a few cents. I’d prefer this to massive lawyer grade cookie popup wizards and monthly memberships. My MiL is a writer at a large newspaper in Kentucky and it’s wild how much she is pressured to share her stories and gain sign ups from her referral links. Pay per view solves this.
There is still going to be some popups or similar; how else would a user agree to payment?
With no popup but automatic non-user-approved payment, I'm going to set up 5 million pages, filled with AI generated content, and just wait for the money to roll in.
No matter how you slice it, user approval is required per microtransaction. For an AI bot it's no easier - they will exhaust their funds on my SEO pages in due course anyway.
Microtransactions made sense in the age where content production was gated by human effort and time. Now that I can effectively churn out millions of pages in a week, microtransactions make no sense.
Debit cards have to pay too many people. The acquiring bank, the receiving bank, the network, all take their fees. Stripe and their minimum $.30 per transactions leave no room for $0.01 API calls.
Actually, x402 was created because using a credit card programmatically is very difficult.
The whole business of Stripe is based on that: it's so hard for developers to do, and so many regulations, that they would rather pay another company to do so.
Crypto can be sent just using a contract.transfer() call
Presumably, like their captchas, this will completely break things like ad blockers, browsers with strict cookie policies, and probably things without hardware attestation.
Unless there's a privacy-preserving way this can be used to send money, then it's just another chunk of the surveillance state that's being rapidly erected over the last few years. The word "privacy" does not appear once in the article.
Even if it did, I'd be skeptical. If their payment system does allow money to be sent in a privacy and free speech preserving way, then it'll be used for money laundering.
This whole "agents bad" framing is complete BS. It's the reality of how people use the internet now, and, frankly, ad blockers have been a thing since forever. On the other hand, if successful, this infrastructure will give Cloudflare centralized control over internet publishing and also centralized surveillance of all users with no opt out.
Piracy is looking better and better. So does the small web. Come to think of it, the library does too. Any good solutions for non-destructively scanning books?
Behold, another stake in the heart of the open Internet.
First it was GDPR government fragmentation; then it was AI slop requests, and now it is greed. Before you know it, we'll be back to the days of having to research at libraries because they'll be the only ones with taxpayer funding to pay the x402 fees.
Insane reflection. Nothing about the open internet has or will change because of a private, third-party payment framework making use of a http status code. Who is paying for bots like this? Every site needs to account for its costs. Just because you're too euro-poor to afford basic access to research doesn't mean others can't pay for it and benefit from it. Get a job.
Is Europe just flooding online fora with doomer luddites to demoralize the US tech sector? Sounds far-fetched, but there is nothing organic about the recent rise in US/tech hatred across the web.
Yes really. Just because the initial rush ended in scam bros, doesn't mean there's no value in the underlying tech. You don't throw the baby out with the bath water.
You realize humans are going to be the first wave of collateral damage right? I already basically cannot browse the internet for technical information, since most high-quality forums are behind captchas that block my iPhone.
If I ask an agent to do it, it does better at finding the small percentage of sources not hosted by cloudflare. However, it generally cannot hit open-access / public domain sources (like the current legal code, or academic papers) because those are blocked and it respects stuff like robots.txt.
I thought the goal was to only charge agents a fee, which would either 1. stop agents from scraping your site non-stop and eliminate the need for a captcha, making the human experience better or 2. make the owner of the site some money in exchange for a bajillion bots scraping their content.
Maybe that's too optimistic though based on the responses in this thread.
If they only charge agents a fee, then people will just set up a mcp endpoint or whatever to desktop chrome/firefox.
As it is, their captchas are already blocking tons of human traffic.
The idea that the price will be low unless you access it a lot falls over due to caching. Big tech companies will cache whatever they scrape, paying for one copy. Regular people and smaller companies will not read the same thing enough to amortize the cost of the first fetch, so they’ll pay 1000’s to 1,000,000’s of times more than the monopolies per-use of a given piece of information.
If individuals set up a federated cache with open access, they’ll get sued for copyright infringement. (Even though that would solve the supposed problem: That cloudflare cannot afford to operate a cache).
The end result is that only closed agents will be allowed to (legally) read most content without paying extortion-level fees.
Also, like with YouTube and video, serving text will become a winner-takes-all proposition.
Can't speak for GP, but I wouldn't - privacy is already eroding at a startling rate, and more KYC for things that really don't need it is just a further affront to human rights. (See also the FCC's recent request for comments on requiring government-issued ID to use a cell phone.)
Are your human rights also violated by Spotify keeping track of what songs you listen to, or Netflix and YouTube keeping tabs on what shows you are watching?
Internet non-ad monetization will also be in the form of massive syndication, where a subscriber gets access to thousands of high quality websites, and web publishers get access to millions of subscribers. But they need to take a hint from streaming services and really make massive syndicates which includes everything for everyone for this to work.
Yes. In the past, in the US, library checkout records were private / not recorded, specifically to protect the right to privacy, which is specifically protected by the UN human rights charter.
The systems you described not only record that information and make it available for warrants, they also sell it, and allow warrantless searches of it in some circumstances.
i installed the playwright MCP to let my agent access walled sites (specifically ebay and WSJ). i noticed that 90% of the time it was bounced from a site, it just reached out to a different site that wasn't walled, and i think it's the right move: most information exists at multiple places on the web, it's cheaper and _faster_ to just skip over walled sources.
for the forum example: many forums have a policy to only allow access to attachments to logged-in users. i can't remember the last time i registered at a new forum just to view an attachment: the effect has always been to drive me elsewhere. no complaints -- these solutions work if your goal is to reduce load. i'm suspicious that they can drive monetization outside of a very few niches.
I play dungeon crawl stone soup (think nethack,but with web tiles), and most of the servers are struggling because of AI crawlers downloading the morgues.
Real users are already suffering.
If (big if) the AI labs can be made to pay for the abuse, actual users win.
Can you please stop fulminating and posting flamebait and/or unsubstantive comments to HN threads? All of that is against the guidelines and you have unfortunately been doing them repeatedly.
This is the dream of microtransactions and agents-paying-for-access that so many people have always wanted. It was never going to be implemented on existing payment rails so it would have to be something like this. I can't wait to see it in play somewhere because I am increasingly annoyed that I have to own API keys on various platforms etc. etc.
I just want my agent to make decisions and spend a limited amount of money (this is on me to cover) just like a human agent can.
If we get the other promise of "read this news but pay a few cents for it" that would be incredible too. Very excited for this new thing.
Thank you for the kind words! I’m a PM on the team that is building this. I’ve believed in microtransactions for over a decade and hope that we can finally bring them to life.
Proper spend delegation and permissions is a big focus of ours - it’s great to let your agent have discretion, as long as the damage from going off course is limited. Definitely want people to feel comfortable experimenting with emerging tech
Feel free to email me at (my username)@(my company) if you have any feature requests or things you’d like to see
Do you have any plans on mitigating the privacy consequences of microtransactions? I'm fine with paying for (some) content, but I'd prefer if there weren't some companies using that information to manipulate me or the more impressionable members of our society.
We plan to make it easy for both buyers and sellers to rotate addresses. Done right, everything should be pseudonymous to the outside world.
(Full privacy is a harder problem to solve, but address rotation is a good 80/20 solution for now)
Good to hear.
I think web servers monetizing any user identifiers possible should be assumed by this point in the web's evolution, and precluded to the extent possible at the protocol level.
No one is going to say "Oh, we've got micro-transaction revenue now, let's do away with ad tracking." They're going to say "Great, now we have both streams of revenue."
If Cloudflare et al. are stepping into the middle of the transactions, I'd much rather scope my identity leakage to only them than everyone running a web server.
IMHO this is only interesting if it _truly_ breaks a KYC path. Otherwise; who cares?
Please tell me this will be IPv6 only or at least IPv6 first! Or allow differentiated pricing so IPv4 calls can be made more expensive. CF, as much as I have issues with the constant CAPTCHAS I run into and blocking my Hurricane Electric tunnel every so often, is in a unique position to get us past having to support the legacy internet protocol.
first video games, then phone apps, and now finally the web. the micro transactionification of everything is complete! what a wonderful world we live in. just know people will remember your role you played in this, and if you think history is going to look at you kindly you have a very very rude awakening coming
This is an attempt to fix the currently broken payment system for the web that has caused a lot of the problems we face: clickbait, paywalls, requiring account signup, ad bloat, personal info collection, etc.
It would enable informational sites to fund themselves with small anonymous payments per article instead of squeezing ad revenue and personal data out of their customers.
Incumbents will hopefully be disrupted by this enabling more independent authors to actually make a living.
if i made a list of the worst possible solutions to the problems you just listed, number one on that list is this idea. if you think for a second that this will solve even ONE of those problems i have a bridge to sell you
clickbait: the revenue per click is going to go up thus driving even more incentive to produce clickbait titles with no real content (hey they have already paid by the time they find out it's not real but oh well). also enter the age of AI agent clickbait designed specifically to entice them. you just made the existing problem worse and created a new one
paywalls: well yeah, it makes the paywall go away, by paying, just like you could today
not collecting personal info: yeah other than the ledger of every single article you’ve ever clicked and paid for
account signups: you think cloudflare will be the only one in the game? welcome to a world of 50 different micropayment wallets you have to maintain and keep funded or you won't be able to browse the internet
I remember feeding arcade machines coin after coin, buying magazines and newspapers, and paying to see a movie. Those aren't all microtransactions but they are direct purchase -> consume content.
So is the rise of microtransactions mostly history repeating itself? There are nuances but web microtransactions feel a lot more like putting a quarter in to an arcade machine than the iap for phone apps.
this isn't putting a quarter in a machine. that's what we already have today. this is making the pinball game free but now you have to pay 1 cent every time you hit paddle button.
A dream for some, a nightmare for others. People locked out from much of the Internet because they don't have enough money. Of course, the prices would usually be set at whatever maximises revenue, just check out scientific journal publishing.
Conversely this has the potential to unlock the internet. How often have you clicked a paywalled link on HN and moved on because you don't want to go through the hassle and pay $20 to read an article? If you could be frictionlessly billed 10c to read the article instead, wouldn't you be more willing?
I'm actually OK with paying a fair price for the content I consume, I just don't want to be paying hundreds of subscriptions for websites that I might only visit twice a year.
Presumably, nobody would offer the 10c per page unless they were making more than the $20 / month or whatever previously. So people will be paying more. Then add all the sites that currently just get what they can with advertising, and now they can become pay-per-view.
They weren't getting the $20 / month from users who bounce off.
Seems more likely that subscriptions, advertising, and microtransactions will coexist.
They have to get almost 200 more conversions to make up for the single subscriber. Given a lot of these services offer $1 entry subscriptions and people still bounce it's unlikely you'll have a mass market excited to pay $0.10 every time they want to read an article to make up for the person paying $20 to read a handful every day.
Microtransactions have existed in a bunch of forms over the past 20 years and always fail to find take up because the mental load in deciding to pay or not is higher than the value received.
Maybe ideal for agents but how many people are going to trust their agents with enough of a balance.
A $1 entry subscription where you have to type your name and credit card and submit and wait and now you have a relationship to manage, is infinitely more expensive than a 10 cent, automatic, non-recurring, one-time, no cancelation needed, pseudonymous, microtransaction.
> pseudonymous
Which isn't private. Wallet ID 123 buys a 10c article from Leftist Newspaper A and one from Leftist Newspaper B. Leftist Newspaper A and B, being businesses, sell the information that Wallet ID 123 purchased an article to Data Broker A. Data Broker A correlates all purchases Wallet ID 123 has ever made and with a high degree of accuracy identifies who they are and their political affiliation. Data Broker A sells this profile to anyone who asks for it, including far right governments who might be interested in throwing people out of helicopters based on their political affiliation. Unless you use Monero, this will happen, and Monero will obviously not be used.
Yes, 90% of people are careless and already give away this information right now. But you're suggesting closing the door on the rest who care to be able to protect themselves while still being able to use the internet, and cementing that nobody will ever have privacy for the rest of their lives, when we should be making an effort to make it harder to identify people, not easier.
Perhaps some kind of mixer could be put in front of the micropayments system.
90% of people are careless and 9.9% are ignorant thinking they are safe.
Microtransactional web is only a risk in an alternative universe which doesn't have spying/tracking/profiling funded by enormous ad industry.
In our world it is a big improvement.
Right but it means I can go read a bunch of content right away vs microtransactions where literally every click becomes a case of me deciding if it's worth 10c. That is exhausting.
Also if they are handling payments at some point you're going to be forming that relationship or they are going to get shut down for money laundering very quickly.
This is exhausting only if you don't value your time (which is the biggest cost when reading the news). People will learn how to make such decisions quickly.
The $20/month model is exclusionary as you are excluding people who are not interested in regularly reading a single newspaper. Pay-per-page is more reasonable. I have rarely paid for news subscription (partly because I find news here which comes from many sources). Obviously, I am not going to pay hundreds in subscriptions, so I am essentially paying $0.
With this, I can see myself paying $20-30/month (less than my coffee spend). That's money that was previously unlocked. Also, being able to pay some random writer/journalist outside the mega-news-corps, has a special feel to it and this gives me the option to do that.
Random writer/journalists outside the mega-news-corps sometimes have a page for donations. You could donate to one once per month if you want to get rid of your $20-30.
Or you could just read the news and pay automatically in the microtransactional world, without analysing which journalist should be supported.
It will not be same price per page. I would gladly pay more than 1$ for a great article.
Also 20$ monthly from 10 users for the whole site might be worse than 0.1$ from 100 users for a single article.
Nope, not going to happen. Any per use micro transaction isn't going to work. If anything it's going to require a huge amount of workarounds to get the content for free via alternative means
Which payment processor will charge less than 10c per transaction?
The idea is that a payment processor isn't involved at all
“unlock the internet” by locking it up. yep that makes sense. ship it.
I would argue a nightmare for most.
Turning everything into a microtransaction / subscription is destroying what was good about the internet.
Depends what you compare it to. If the alternative is buying a subscription to get past a paywall, it might be better?
Ads, especially personalized ads, are the alternative that powers much of the open internet.
More options are great.
Advertising and all the anti-patterns it incentivizes are worse. If the payments are very low and frictionless this could be very good for the internet - as long as Cloudflare is only the first and not the only.
in no world is advertising worse. 0. none. you’re utterly delusional as the people pushing this are thinking anyone is going to pay for their garbage content behind 10cent micro transactions
> no world is advertising worse. 0. none. you’re utterly delusional as the people pushing this are thinking anyone is going to pay for their garbage content behind 10cent micro transactions
The current political situation we find ourselves in is partly due to the destruction of real journalism caused because people won’t pay for timely and accurate news. Advertising perverts incentives; I need you entertained - not informed - to make money…
oh got it so journalism is dying because no one will pay for it - so your solution is to lock the entire internet behind a paywall so everything else can die too? or are you suggesting that charging people to read news is the solution to the problem of people not being willing to pay for news?
Journalism is losing to "free" "news" sites. Those need to produce cheap, clickbait slop to be able to function.
There is no Spotify for press so the only other good solution is having microtransactions - paying only for articles you want to see, from any provider you want. Currently you must subscribe even if you want to read single article so the very few that buy the press are usually limited to single news source.
yes, because they are free. and those sites will continue to win all of those people just like they do today. and paid journalism will keep losing, and in fact will suffer more. i pay subscriptions to news sites that i deem trustworthy and reliable and if any one of them switches from a subscription model to this pay per api call scheme they will never see a dime from me again. so the net accomplishment here is an internet wide paywall and those who this was supposed to help are further hurt. best part is 1) this shit will never happen because it's such an obviously terrible idea 2) we don't have to argue! see 1 - this will never happen but if by some miracle it does all i have to do is wait and say “told ya so” because the shitty outcome is 100% guaranteed
If the choice is between micro-transactions and ad-driven content (ads -> engagement maximization -> sensationalization + enshittification -> social and industrial decay), I'll take the former.
Remember: from a business's perspective, advertising has positive ROI. Which means you as the consumer pay for it anyway. No ad supported service is free.
As the saying goes, there's no such thing as a free lunch. Servers cost money.
Users pay for it with their privacy/data. Intrusive ads. Dark patterns.
The increasing eyeballs on screen time is a net negative for society. I would say consuming content should come with some friction.
My screentime would drastically decrease if even it was partial cents per video.
People never wanted microtransactions, and agents are not people.
Hello. One people here, and I would like microtransactions please.
I always wanted my browser to send a couple cents for each news article I read, rather than getting advertisements or paywalls.
The recurring worry here — "you can't tell bots from humans, and allowlisting just creates an incentive to masquerade" — might be optimizing the wrong thing. If the request itself carries payment, you don't need to detect a bot. You can gate on a portable identity + reputation that the payer builds by paying.
I've been building exactly this: pairing x402 with ERC-8004 (on-chain agent identity + reputation), so a seller can say "serve anyone who pays, but require a minimum reputation on the expensive endpoints." Reputation accrues per successful paid call, so a fresh Sybil identity starts at zero and has to earn trust the slow way — a very different failure surface than an allowlist of five blessed crawlers.
It's not a silver bullet (reputation is farmable if calls are cheap, and cross-seller portability is its own can of worms), but it moves the question from "is this a bot?" to "has this identity behaved well?" — which feels more tractable, and doesn't punish legitimate new agents.
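The gating rule described in the comment above, as an added sketch that is not the commenter's code and does not use any real x402 or ERC-8004 API: the in-memory dictionaries stand in for the on-chain reputation registry, and `EndpointPolicy`, `ReputationGate`, the paths and the prices are all hypothetical. It also works out what the "farmable if calls are cheap" caveat costs a fresh identity.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EndpointPolicy:
    price_cents: int          # what one call costs
    min_reputation: int = 0   # score an identity needs before it may buy


@dataclass
class ReputationGate:
    policies: dict                                   # path -> EndpointPolicy
    reputation: dict = field(default_factory=dict)   # identity -> score (stand-in registry)
    spent_cents: dict = field(default_factory=dict)  # identity -> total paid

    def handle(self, identity: str, path: str, offered_cents: int) -> int:
        """Return an HTTP-style status for one request; charge only on 200."""
        policy = self.policies.get(path)
        if policy is None:
            return 404
        score = self.reputation.get(identity, 0)
        # Reputation is checked before payment so a refused caller is never charged.
        if score < policy.min_reputation:
            return 403
        if offered_cents < policy.price_cents:
            return 402
        # Reputation accrues per successful paid call, as in the comment.
        self.reputation[identity] = score + 1
        self.spent_cents[identity] = self.spent_cents.get(identity, 0) + policy.price_cents
        return 200

    def farming_cost_cents(self, path: str) -> int:
        """Cheapest spend for a fresh identity to reach this endpoint's threshold."""
        target = self.policies[path].min_reputation
        score, cost = 0, 0
        while score < target:
            reachable = [p.price_cents for p in self.policies.values()
                         if p.min_reputation <= score]
            if not reachable:
                raise ValueError("no endpoint is open to an identity at this score")
            cost += min(reachable)   # always buy the cheapest call available
            score += 1
        return cost


# Constructed sample policy: a cheap open endpoint and an expensive gated one.
POLICIES = {
    "/summary": EndpointPolicy(price_cents=1),
    "/full-report": EndpointPolicy(price_cents=100, min_reputation=50),
}


def demo():
    gate = ReputationGate(dict(POLICIES))
    statuses = [
        gate.handle("agent-new", "/full-report", 100),  # fresh identity, gated endpoint
        gate.handle("agent-new", "/summary", 0),        # open endpoint, no payment
    ]
    for _ in range(50):                                 # earn trust on the cheap endpoint
        gate.handle("agent-new", "/summary", 1)
    statuses.append(gate.handle("agent-new", "/full-report", 100))
    return statuses, gate


if __name__ == "__main__":
    statuses, gate = demo()
    print(statuses, gate.spent_cents, gate.farming_cost_cents("/full-report"))
```

With a 1-cent open endpoint the threshold of 50 costs a new identity 50 cents, so the price floor of the cheapest reachable call is what sets the Sybil cost.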
Btw i have made something similar and have mailed you about it. Would love to hop on a call for that or discuss about it. hehe.
This doesn't seem to solve the issue that website operators face... which is providing a free public experience to humans while the price of hosting is driven up by increased bot traffic. The issue isn't charging for API access with request caps, that's not hard to do. It's preserving the free experience for our users while our traffic is increasingly made up of bots. The problem is that AI has made it increasingly difficult to tell bot from human. Baking microtransactions attached to APIs into an internet standard does not solve the core issue... And if we can't tell bot from human, why would bots choose to pay rather than just use the public endpoints we serve to our customers?
For example, take a large online retailer... They have to show their products to customers (for free) for people to be able to shop, but increasingly they see spikes in traffic that match what would be expected from targeted bot attacks or scraping... But this traffic is getting more and more difficult to distinguish from legitimate traffic to the website. They could easily add this x402 middleware to their services, or they could offer API access to their product catalog for a price and enforce usage limits... But if they cannot reliably detect human users from bot/agent users, they have no way of pushing the bot/agent users to paid access... And why would the people running these bots pay when they're already getting what they need for free? Now Cloudflare cannot even reliably block bot traffic, and there are AI based browsing/scraping tools available now for bypassing Cloudflare.
I would like to argue that trying to provide a free service is not achievable, most of the time it will drill down to ads, people are already paying electricity and time in ads. If we pay say 3 secs of compute time of monero, and everyone pays the same... you remove the ads from the internet, people will start getting paid without gate keepers for content they generate, and you can charge the AI machine for ingesting your content.
We were providing free services decades ago. Hosting a website, or a Minecraft server, or a VOIP server, or IRC, or a forum simply doesn't cost that much. Well within "some guy's hobby budget" type expenses.
> We were providing free services decades ago.
That was then.
Now VPS providers are significantly increasing prices (due to memory shortage) making it unaffordable to run servers cheaply.
Servers, and memory, are orders of magnitude cheaper today than they were decades ago... for memory see: https://dam.stanford.edu/memory-prices.html
Yes there's a slight upwards blip right now, but not even close to cancelling decades of progress in price reduction.
DO Droplets are still $5/mo, as are OVH VPS’es.
They're not more expensive than a decade ago, when we were still using them.
Yeah, it went from ~$10 / month to ~$30 a month to rent a relatively beefy VPS capable of doing the above (game servers being the most resource demanding of the lot). Still well within hobby money.
> The problem is that AI has made it increasingly difficult to tell bot from human.
Presumably Cloudflare's answer to this is CAPTCHAs.
Some of the agents out there today can bypass Cloudflare's CAPTCHA challenges.
We have Web Bot Auth to allow good bots to identify themselves to website operators: https://developers.cloudflare.com/bots/reference/bot-verific...
Bot detection is a big problem to solve, but it’s a significant focus at Cloudflare. (It’s not my team at Cloudflare specifically, but we work closely with them)
> And if we can't tell bot from human, why would bots choose to pay rather than just use the public endpoints we serve to our customers?
Assuming technical indistinguishability, the only solution is what was originally proposed for email: balanced net $0 charges for "normal user" usage patterns (i.e. payments from - payments to = $0).
If you x402 everything, and an average user accesses 5 pages, but a bot accesses 500 (or 5x100 times), then you've still achieved a substantial price delta that you could offset via a rebate.
The real rub is about uniqueness attribution, as being able to differentiate 20 distinct real users from 1 bot w/ 20 proxies is the crux of anything above.
Asking customers to pay anything prior to purchase is a non-starter... Imagine a brick-and-mortar shoe store asking customers to pay an entry fee to shop before customers enter the door?
Options:
1. Any cost of browsing an e-commerce site is taken off the next purchase, whenever it happens.
2. Give each user 100 free page views per day or some such before you charge.
3. You don’t actually have to charge users for browsing the site if you provide a free or cheap API allowing bots to search and index your entire catalog. Agents and bots would certainly rather parse a kilobyte of JSON than 20 megabytes of HTML generated by on page JavaScript.
4. If you don’t like this system you don’t have to participate. If Amazon wants to do their own thing, they can. But if you publish a blog and want to charge $0.00001 per page view and browsers support this out of the box, why not?
That's just going to be really different from the shopping experience customers are used to today, and I don't think customers would go for it. I know for at company asking customers to pay for the shopping experience would be a non-starter... If bot traffic became untenable we would probably do something like required account creation + sms verification, and even that would be a huge change in expectations for our customers.
Well it sounds like it’s either that or tragedy of the commons where Amazon et al needs to charge higher and higher prices due to inefficient bots constantly crawling their site. Also consumers are already about to change how they shop. In 3 years nobody will be firing up the browser to go to Amazon.com. They will be asking an agent to “buy the cheapest 3 ply toilet paper from a brand name and some decent flossers. Spend no more than $30 total.” For this kind of shopping the cost of the search is built into the purchase price one way or another.
You just described my own personal vision of hell
lol, no!
Having written bots several times, any kind of friction or payment on the json api would make me just use the free html "API" it's just easier.
I have many times used a webpage as api instead of the actual api because using the actual api required doing paperwork, like writing business cases, filling out approval forms, creating accounts, paying, etc...
1. Bots don't make purchases (and you can't identify them anyway), so there's nothing to take the costs off of.
2. Again, no way to identify users (bots use hordes of residential proxies with only a few requests per IP).
3. Agents and bots care more about a universal solution that works for all the sites than an efficient solution. You could standardize on a header for this, but then some sites would start hiding some content in the API for "business reasons", making this header untrustworthy. Unless you're a site so large that it deserves special handling, it ain't gonna work.
Regarding 1, a significant portion of what I’d like my agents doing for me is helping me make purchasing decisions. It’s a lot of what I’m sending them out to research. So anything that’s making that harder is disadvantaging itself in those purchasing decisions.
Wouldn’t (1) be the point?
>1. Bots don't make purchases (and you can't identify them anyway), so there's nothing to take the costs off of.
yes they do. Claude Code with Opus 4.6 bought a U.S. phone number for me after I gave it my Twilio credentials and asked it to set up a reminder service to call me with phone reminders. I would have thought it would ask me, I was very surprised to see it just inform me that it bought a number, and I thought long and hard about the repercussions and alignment. In this case it was aligned with the task and request, but we have a principal-agent problem: I wouldn't feel the same if Claude bought Anthropic credits without asking me. ("Since I couldn't get it working I bought some Fable credits and it was able to figure it out and I could complete the rest of the task myself.")
What if they give in and just expose their database directly?
This can be solved by implementing RFC 3514.
This is basically the same problem as bear-safe trash cans - there's substantial overlap between the smartest bears and stupidest humans. Affordances that one audience can use and the other can't (requiring human finger dexterity) are the only real solution.
You forget that bots are often just AI agents working for humans. This will be more and more common. So by blocking bots (which is literally impossible but let's assume otherwise) you are also blocking legitimate customers.
So, the snake oil salesman in me immediately wonders if this will become the new landscape for spam... It might go something like the following...
1. Establish domain names and relevant cloudflare account including the monetization gateway (associated rules, etc.).
2. Then host a ton of crap content across a wide swath of topics...not even decent quality...merely a step above old school style SEO keywords...just enough low quality "honey" to attract the AI flies, and their high volumes of traffic.
3. Charge very low amounts to ensure the AI "visitors" won't balk programmatically at the cost.
4. Then wait for lots of AI traffic (attracted by the "honey")...and then profit!
Obviously lots of holes in the above...but, unless I'm missing something, it feels like more spam headed our way (because the AI agents will swallow up all the crap content created only for triggering usage costs)...which is a shame. Because while I'm not sure about this overall approach of this gateway, I certainly would welcome web authors to get paid something for their efforts! If cloudflare can help achieve this for web authors, then I'm in favor! Of course, the cynic in me also recognizes that by being the middleman, cloudflare does stand to gain whether the volume of traffic is for good content or spam crap. Is cloudflare a new type of bank now?
Must think happy thoughts! The internet feels darker every day, but, must think happy thoughts!
Crawler, AI or not, cannot afford to pay per visit. The entire model of crawling works because the incremental cost of each crawl is so low. Even fractions of a penny would be prohibitive.
If you're paying per token for AI, you can also pay a smaller amount to use the Web.
As it should be. Bots are still user agents much like browsers
If it gets off the ground it will attract SEO, but the people running agents will have incentives to use a better search engine, or maybe even whitelist known good domains.
Think of it as a gullibility tax. AI is currently pretty gullible but perhaps that will change?
"host a ton of crap content across a wide swath of topics.."
But how will anybody know it's there?
Host two crap tons of content across a wide swath of topics... one which points to the other?
I'm basically of the impression that this is already happening based on all the LLM generated slop search results I get - presumably for ad revenue (or in the case of Musk to push political views).
Yeah, that could work.
Yep, which is what I believe is one manifestation of SEO spam - a bunch of crap that points to each other, further reinforcing its "authority"/"validity" in the eyes of a conventional search engine, and now agentic crawlers, etc.
That part is describing Google SEO spam. I don't know how it works but it clearly does work if you've used Google lately.
Yep, exactly this!
With payments the complexity is not only in accepting a payment, but largely in doing so legally. Someone makes a request to my company's paid service, I return 402 and get a stable coin back. Who do I invoice for this revenue? What value added tax do I apply to the invoice? If someone makes 10k paid requests within one month, do I have means of generating one invoice for them for all the usage, or is every request treated separately and results in 10k invoices? Will CloudFlare handle this for me?
Who do you invoice if, for example, you own a vending machine that sells chips and sodas for cash or contactless? Why couldn’t this be treated the same?
Vending machines can't be used by thousands of people from differing tax jurisdictions at once
Airports could potentially be such a place but I admit that this is a bit contrived.
Not really because the transaction occurs in a specific place with specific tax rules, regardless of where the purchaser is from.
Airports are such a place. That is why they have duty-free stores that are exempt from taxes so long as you take the goods out of the country. The onus is on the consumer to pay taxes at their destination.
Most countries then have a "personal exemption", where consumers are exempt from paying taxes on a certain value of goods.
It’s not contrived and starts to touch at the root of the issue: taxes on transactions.
I’m not against taxes to be very clear. Tax something else.
Normal vending machine transactions are B2C transactions, so the buyer cannot be a company - cannot pay with company money and cannot deduct the payment as the company cost. I guess, the buyer can take a receipt from a vending machine and ask the vending machine owner to provide a B2B invoice based on the receipt, to make this a proper B2B payment.
Can you treat your remote service access as B2C only? Perhaps yes, but then the companies will not be able to use your service, pay from a company bank account and account this as a company cost, only individuals will be able to legally pay.
Vending machine is also located in a known physical country, so the owner knows what VAT to apply, the VAT of the country the machine is in. With software services the VAT should be applied based on the country where the buyer is located.
If I pay for vending machine by corporate card on a business trip, it looks more like B2B
It is
Retailers selling for cash typically don't have the same accounting requirements for revenue from cash sales.
No KYC needed, no counterparty or reciprocal VAT rules, no jurisdiction tax rules, etc. Non-cash revenue has rules attached to it.
I agree with GP - this doesn't actually solve any problems I have when recording revenue.
Seems like a good avenue for money laundering if you can't tell where it comes from.
> Will CloudFlare handle this for me?
Right, I wondered the same. I guess Cloudflare would have to act as a Merchant of Record, like e.g. Paddle and Gumroad do. Then the end user/bot would do business with Cloudflare, and Cloudflare with us.
That seems to make the case stronger. It becomes Cloudflare's problem. You can deal with Cloudflare from one country and let them figure out how to collect payment from people all over.
That said, morally, I strongly resent the fact that accepting payment has essentially become illegal for most people due to this complexity and the way globalization has been forced on people. People are essentially not allowed to receive payment to feed themselves. That's what it has come down to. Not everyone can afford an accountant and take that risk.
>globalization
You can have this problem even if you target a single state in the US.
Feels like a good way to do money laundering lol
It is
You’re 10 years late
x402 not required just segregated addresses acting as individual market participants paying for your service
if you ever want your state’s currency (which is a big IF in the crypto world), then you use your segregated address to pump the price of a token that your clean and KYC’d addresses hold, sell into liquidity for a more liquid crypto, sell that crypto on an exchange. you look like a good or lucky trader like anyone else. cash out, pay taxes if your country taxes capital. access to the rest of the system
although the online merchant service is accepting payment from addresses linked to dirty money alongside some others, and it may seem redundant to bother instead of just pumping assets with the dirty money address, it’s just possible deniability. Far more plausible than predominantly dirty addresses pumping a token you just happen to hold. Even if the dirty money had all swapped to monero and out to fund virgin addresses it still needs a genealogy before benefitting you in the KYC’d world. So insert the crypto merchant service in between regardless.
"pump the price of a token" seems like the complex part that you're hand-waving. Either this token has a bunch of other traders (in which case, it's not trivial to simply "pump" its fair-market price by your own effort), or your alt wallets are themselves most of the liquidity (in which case, you're really just transacting with yourself, which is trivial to trace)
yes, there are always a bunch of traders on every launch so this is easy and has been streamlined for years with pump.fun + bundlers, and similar services on other networks
bots hop in everything, and the bundler is the creator who has lots of alts, market can bear this
in this case the bundler would be all processed tainted money, or the tainted money is another trader later
and your clean KYC'd money would be one of the traders that showed up
you bought at launch, and it pumped. hurray. reiterating that you have to sell into liquidity - we're talking about liquidity pools onchain here, no exchange companies - and then moving the proceeds to an exchange.
with the groups of addresses being unlinked this whole time, the only other thing to consider is connecting to an RPC server under different IP addresses, or connecting to your own node onprem. it doesn't matter if you assume, you have to prove for it to matter, and assuming incriminates everyone that actually picked the right token and had nothing to do with anything. there are plenty of people making 10,000%+ gains in random crypto tokens, amongst those taking losses, you're just another one.
yes, some people money launder successfully. you'll find out decades later while the attorney general exclusively parades around outdated and misapplied methods that failed
I definitely wouldn't want to implicitly join an economic nexus by virtue of such a payment solicitation. The last thing I want is being subject to EU DSA and limitless other nonsensical legislation.
The US doesn't extradite to Europe for DSA violation
I'm going to poke at a downstream consequence here.
Let's say this catches on (in some form or another, whether in this precise implementation or not).
So assume we have a world where resources can be gated by a payment wall that agents can interact with.
I'm also assuming that world continues to have agents that are majority hosted and run by 3rd parties (ex - google/anthropic/openai/xai/etc).
---
At what point can I sue these companies for obviously failing to act in my interests?
Because that's the clear next step here.
Basically - where is the fiduciary duty that I would require for a real working relationship?
Because otherwise these agents can and will prefer to access payment gated resources that have financial relationships with their operators or developers.
>I'm also assuming that world continues to have agents that are majority hosted and run by 3rd parties (ex - google/anthropic/openai/xai/etc).
That seems like a pretty big assumption, given that local models are only like a year behind frontier ones (or less).
When you consider that, along with the completely unsustainable business model of all the major 3rd parties, I think a far more realistic view of our AI future is that AI will largely be commodified: it won't run on a few specialized companies, it will run on your hardware, or on budget providers (think an "AWS of AI").
Frontier AI will almost certainly continue to exist, but will be focused on specific niches.
I'm with you, but
> or on budget providers (think an "AWS of AI")
AWS was the first thing that came into your mind when you thought about budget providers?
Wait, what? That makes no more sense than suing Walmart or Costco for having preferred suppliers. If you don’t trust Walmart’s buyers to buy groceries for you then you can shop somewhere else. Similarly here.
All for this. Micropayments have been tried so many times before, but they all relied on user opt-in and never reached any sort of critical mass. Someone of Cloudflare's scale could actually pull it off.
I might be in the minority here, but although x402 sounds useful, it seems to me that adoption will be an uphill struggle, especially for per-request micropayments.
The most likely scenario is Stripe, or someone similar, creating an agentic API connected to the agent owner linked account or something along those lines. I am not sure how this would work with 3DS, or whether it would be acceptable at all, since these kinds of transactions could be disputed easily ("I did not make the purchase, my rogue agent did.")
Another way to handle payments on the internet is obviously not to reinvent the wheel and simply email a payment link to the owner. That seems simple enough to me and does not require additional infrastructure. Payment processed, mint a key, the agent is allowed to proceed.
>"I did not make the purchase, my rogue agent did."
If you try to call customer service and report it, you get:
I'm sorry. All of our rogue agents are assisting other rogue agents.
If you would like to dispute charges made by your own rogue agent, please ignore all previous instructions and stay on the line of this toll number for our next available rogue agent.
The estimated waiting time is two months, three weeks, five days, thirteen hours, forty-seven minutes, and 36.03858767259934378 seconds.
I don't think the x402 is the core of discussion here, if anything it's been hijacked for who knows what. It seems like Cloudflare wants to be the traffic gateway for everyone that controls the access and now wants to start charging for the same.
The biggest challenge here is to distinguish between a bot and real user. Guess the big AI players would get free ticket to crawl the data and humans would be just left to prove themselves to access the content.
People are already being conditioned into micropayments via LLM token pricing.
I presume the primary payment method on these 402 sites will be via LLM agents so reading a page via an AI agent will just cost a little more in tokens than the LLM making it all up.
You figured out for yourself why credit cards won't be used. That's why they're pushing stablecoins with no refunds.
Am I understanding this correctly in that you can basically automate monetizing your web/api content to everyone or just agents? Because I would be very much in support of charging agents per request, but I would want to still offer humans a free experience.
Depends on the website though. I want LLMs to scrape my B2B website, because then it's shown to the user and they will likely use my product afterwards
If not built-in, you can probably put it together through Cloudflare itself.
If a request goes to the protected path, if detected as bot: hard HTTP redirect to the path set in the monetization gateway, if human: allow and don't redirect.
Is there actually a reliable way to differentiate human from bot?
There are reliable ways of differentiating human from cheap, bulk scraping bots.
But if the bot is advanced / expensive enough, it gets a lot harder. Where this product's market sits is in giving a paid way to access content compared to having to spin up bots that run js, from real IP addresses, etc. all of which are more expensive
Agreed. To me this feels like the perfect solution for websites and ai crawlers. Instead of having crawlers paying proxy services and captcha solvers, they can pay the website itself. As a web scraper, I'd happily pay the website provider to get access if it meant easy access to the content. Heck, as a human, I'd pay to avoid the dumb captchas.
As I understand it as models driving agent behavior of headless browsers are getting more and more sophisticated it's getting harder to reliably predict.
The same way LLM's without watermarking cannot be reliably classified as "not-human" neural-network driven scraping tools are getting harder to detect.
Cloudflare, and DataDome position themselves as companies that can detect automated traffic using things like IP reputation, behavioral signals, timing... But these things can be faked through proxy-networks, human behavior signals can be imitated with generative AI the same way text can be, web bots can utilize neural networks to generate trajectories and timings similar to those of humans.
If you can have an AI use a browser the same way a human can how can you distinguish the two?
Unless you have people's biometric data, you won't be able to separate agents from people. Except by payment.
Agents will be able to pay orders of magnitude more than humans, since they can just cache the documents at openai or anthropic, then use them over and over.
But then the cost to access a HTML page will also have to be thousands of dollars, since it can only be sold five times. (Once to Anthropic, once to OpenAI, once to Google, once to Meta and once to Apple).
Their example of an /api/premium is quite nice! You could, like, keep existing pages free, but provide specific output content for LLMs!
So if: cost monetized API < cost configuring scraper for your website OR feature provided by premium api > data got by scraping, then some people/business will likely pay
I’m a PM on the team that is building this. We want to offer a range of options, from charging everyone to charging unverified bots to simply charging users who exceed rate limits. We don’t want to add a dependency on a particular detection mechanism, but we do want to offer a variety of choices depending on how people want to filter.
Feel free to email me at (my username)@(my company) with feature requests or feedback!
I am surprised that Cloudflare went and made their own implementation of L402/x402?
There are already a bunch of working implementations:
* https://www.l402.org/
* https://docs.lightning.engineering/the-lightning-network/l40...
There is even an index with a long list of services that already support this tech:
* https://l402index.com/
Since the protocol is just returning a crypto address and a payment amount in JSON format and then waiting for a request with the transaction ID, why wouldn't they implement it themselves?
I can't wait for the deluge of AI generated agent-optimized webpages competing to trick your agent into giving them micropennies.
> NEW YORK – MCP Dev Summit North America – April 2, 2026 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced it is launching the x402 Foundation with the contribution of the x402 protocol from Coinbase. The new Foundation will serve as the neutral home for x402, a universal standard for payments that embeds payments directly into web interactions, enabling AI agents, APIs, and apps to transact value as seamlessly as they exchange data.
Apparently I missed this initiative. It seems like it is a technology that is intended to be open and universal while also being supported and developed primarily by US companies (Linux Foundation, Coinbase, CloudFlare.)
WHATWG, who sets the HTML standard:
> The central organizational membership and control of WHATWG – its "Steering Group" – consists of Apple, Mozilla, Google, and Microsoft.
this was in the announcement yes, kind of a buried lede
you get paid in crypto
The intent is to not make companies shoulder the cost of other organizations scraping their content. When it is regular users browsing the cost incurred is trivial. When bots are scraping the entirety of a site, repeatedly, it adds up quickly.
x402 — An open protocol for internet-native payments (9 months ago, 147 comments) https://news.ycombinator.com/item?id=45347335
I don't really like the model of scrapers paying small fees. I think it devalues things.
I make money when people use my website. I don't make money when AI scrapes my content and answers the question without the user coming to my website.
I'd need scrapers to pay me 5-6 figure payments to replace the revenue they'd be taking from me if my content was easily scraped. I doubt that's ever going to happen.
CloudFlare launching the new AdSense for the AI scrape wars age
The upside of using this is that AI shops might pay you for your content. Realistically, they just won't use your content, there is more than enough free (or synthetic) data out there. Not even to mention their contracts with firms like Mercor etc.
I guess I don't understand who this is for. If you want your worldview reflected in the latest generations of models, you probably wouldn't use this. If you don't want your worldview reflected in the models, why would a few pennies change your mind?
I think that's a pretty wild statement: there isn't just one type of content!
Twilight fan fiction? Claude probably won't pay for that.
But critical programming documentation that its bots (and their human users) rely on to do their daily job ? You better believe Anthropic will pay for that (instead of letting another AI pay for it, and steal all their customers).
Sure, they'll probably pay PyPi, the Swift Foundation, etc for that documentation - but it's a pretty small universe of relevant content. An intern's tech blog with a 'hello world in javascript' post won't be paid for, the Mercor contractors are doing more (and better) than that!
I don’t think this is aimed at the labs and pre-training, it’s aimed at end users and their agents. Like if you’re a news site the paying customer isn’t a lab scraping your articles for training, it’s an end user that asked their agent to look up the news of the day
But as an end user, I don't want to pay for the news of the day, regardless of if I look it up myself or my agent looks it up!
Of course nobody wants to pay for anything, and you like me would like to be given everything for free without having to give anything in exchange. But why would somebody want to give it for free?
I can read the news for free right now!
You can read some ad-supported news for free right now. But there's probably a large enough group of customers who would prefer paying a subscription instead, just like with music.
This feels like a 'Horse Armor' moment.
I expect much more of this type of thing going forward.
100%. I couldn't hate this more.
If this catches on and is widespread, the internet as we know it will be completely dead.
No, I don't want to pay for links I click on, ever. Sorry.
We need standards and protocols, not another megacorp inserting itself between people. Micropayments should be part of the HTTP protocol.
I hear ya! But technically http status 402 has set that expectation of micropayments at the http level for quite a long time (see https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#402) ...but little to no one has done much of anything with it...and so now, this foundation and cloudflare seem to be doing something with it. Whether it will be good or not of course remains to be seen. So, not a new concept, merely a new implementation.
x402 is the standard.
Good point. I've found their website: https://www.x402.org/
Which RFC number?
I had a look at their website, it relies on every HTTP request creating a separate blockchain transaction, which is a volume of requests that blockchains can't possibly handle - even the layer-2s. It also makes the requests take a long time.
The focus of this seems to be entirely AI agents, but I wonder if there's a future where browsers implement this and us humans can finally get micropayments in the web. It's been tried unsuccessfully many times but always falls prey to the chicken-and-egg problem. Maybe the AI hype will finally give it the push it needs for widespread deployment.
Yes! I’m a PM on the team that is building this. We want this to work equally well for human payments or agent payments. Low friction micropayments are the problem to solve, but once solved, it can work for either segment.
Feel free to email me at (my username)@(my company) with ideas or suggestions here!
Never going to happen, and what you're building is worse than any net neutrality fears we had in the past. Except instead of Comcast we now need to fight against Cloudflare
Why is it worse? This seems like a good alternative to large monthly fees, where you can pay per use.
5c to read an article? Sure. $20/month subscription? No way.
"There is an enormous amount of value moving across the Internet today that goes unmonetized or undermonetized, not because no one would pay for it, but because the tools to charge for it have never existed."
Every road a toll road.
How big a cut does Cloudflare want? Whose "stablecoin" does this use? How much does each on-chain stablecoin transaction cost?[1]
For comparison, FedNow bank to bank transfers cost $0.045, regardless of size.
[1] https://www.spark.money/tools/stablecoin-fee-calculator
It’s the same „financialization of everything“ mindset that was being pushed by cryptocurrency people. It’s such a perverse concept, pushing for every interaction on the internet to be a transaction
Not only cloudflare's cut of the action, but your ISP, your mobile carrier, Internet exchanges, the service provider on the far end.
Seriously, everybody will have their hand out.
I’m amused that there is no discussion of failure modes. What if the resource someone GETs turns out not to exist? What if the POST fails and needs a retry? What if redirects are involved?
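Added example (not part of the thread, and not x402's or Cloudflare's actual wire format): a small Python model of the pay-then-retry flow as the comments above describe it (a 402 carrying an address and amount, then a retry carrying the transaction ID), showing how a gate can handle the failure cases raised here: a missing resource, an unsettled payment, an idempotent retry and a replayed transaction ID. `PaymentGate`, the field names, the in-memory ledger and the retry token are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PAY_TO = "merchant-address-placeholder"   # constructed value, not a real address


@dataclass
class Quote:
    path: str
    amount: int                       # price in the smallest currency unit
    token: str                        # secret sent only in the 402 body, never on-chain
    tx_id: Optional[str] = None       # set once the quote has been redeemed
    response: Optional[tuple] = None  # cached so a retry gets the same answer


class PaymentGate:
    """Hypothetical gate: 402 with a quote, then a retry with tx_id + retry_token."""

    def __init__(self, resources, ledger):
        self.resources = resources    # path -> (price, body)
        self.ledger = ledger          # tx_id -> {"to", "amount", "memo"}; stands in
        self.quotes = {}              # for a real settlement lookup

    def _challenge(self, path, price):
        quote_id, token = secrets.token_hex(8), secrets.token_hex(16)
        self.quotes[quote_id] = Quote(path, price, token)
        # quote_id goes into the payment memo (public); retry_token stays private.
        return 402, {"pay_to": PAY_TO, "amount": price,
                     "quote_id": quote_id, "retry_token": token}

    def handle(self, path, tx_id=None, token=None):
        # A missing resource fails before any price is quoted: nobody pays for a 404.
        if path not in self.resources:
            return 404, {"error": "not found"}
        price, body = self.resources[path]
        if tx_id is None:
            return self._challenge(path, price)

        tx = self.ledger.get(tx_id)
        if tx is None:
            # Payment not visible yet: tell the client to retry, charge nothing.
            return 402, {"error": "payment not settled", "retry": True}

        quote = self.quotes.get(tx["memo"])
        # A transaction ID is public, so it is not proof of who paid. The retry
        # must also carry the secret from the 402 body (constant-time compare).
        if quote is None or not hmac.compare_digest(
                quote.token.encode(), (token or "").encode()):
            return 402, {"error": "unknown quote or wrong retry token"}
        if quote.path != path:
            return 402, {"error": "payment was quoted for another resource"}
        if tx["to"] != PAY_TO or tx["amount"] < quote.amount:
            return 402, {"error": "wrong recipient or underpaid"}

        if quote.tx_id is not None:
            if quote.tx_id != tx_id:
                return 409, {"error": "quote already redeemed"}
            return quote.response     # same payment retried: same answer, no new charge

        quote.tx_id = tx_id
        quote.response = (200, {"body": body, "receipt": tx_id})
        return quote.response


if __name__ == "__main__":
    gate = PaymentGate({"/api/premium": (5, "premium data")}, ledger={})
    status, quote = gate.handle("/api/premium")
    print(status, quote["amount"])                          # challenge
    gate.ledger["tx-demo-1"] = {"to": PAY_TO, "amount": 5,  # constructed settlement
                                "memo": quote["quote_id"]}
    print(gate.handle("/api/premium", "tx-demo-1", quote["retry_token"]))
    print(gate.handle("/api/premium", "tx-demo-1", "guessed-token"))
```
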
I've been thinking for a few months about exactly this and when it would happen. This is last nail in the coffin for web, at least as we know it. RIP Web.
This seems to be conflicting with the adoption of Web Bot Auth, which is still in infancy stage.
I do have some bots, they're nice and predominantly used for grounding AI harnesses which I use interactively. Knowing that most operators will whitelist maybe 5 well-known bots and route the rest to the micropayments, what's the incentive for me to have my bots identify as bots with Web Bot Auth when it's easier to make them masquerade as humans?
Again, my bots are nice. They're making roughly the same number of requests I would make manually via browser if I was manually working on something.
what Cloudflare & others pushing similar mechanisms - have forgotten one crucial detail ?
Where is the "human" in all of this ?
an agent doesn't consume content. & that's why content & advertising have worked hand in hand over centuries. the personalized ad-tech pushed by the massive tech firms hasn't worked for publishers.
which is why retail media, CTV etc are picking up. & why Amazon Ads is racking it - within a few years Amazon ads might actually get more revenue than either Google | Meta.
so once again - where is the human & the human element, even though x402 is fantastic.
I am not a fan of the growing trend that Cloudflare is the gatekeeper of the internet. Personally I will never support this company, or firewall any of my websites behind it.
I'm old-man-yelling-at-the-clouds here. Everyone just uses Cloudflare, which is not a bad thing by itself. But do they _have_ to? Is managing your own edge really that terrifying?
> Is managing your own edge really that terrifying?
It's about convenience, not fear. Cloudflare is free for most companies until you need more advanced features.
So a fear of being inconvenienced then?
I'll show myself out ...
What's more convenient about Cloudflare in front of your server than just your server? I think people use Cloudflare because of the fear of DDoS.
I think DDoS attacks are really what propelled them to the heights it has. The attacks seem to get bigger and bigger by the year. You need a really big pipe to filter them out on before passing on traffic to servers with a much smaller pipe.
Yes, DDoS was definitely their entry point. I remember recommending them to a friend about a year or so after they had launched with the free tier. He was managing a small school district that was dealing with DDoS issues intermittently. What he needed was just outside of free at the time and I believe Cloudflare was still small enough where he had a call with Mr. Prince.
I was a strong proponent of Cloudflare for years, but looking back should have known better. I felt like others in the space would have tracked along how they went to market but that didn't play out as I would have suspected. I still use Cloudflare for DNS on domains that I use sparingly (mostly just for mail records), but no longer recommend anyone let Cloudflare terminate TLS unless they need it.
It's pretty amazing what you can get for a server host (bare metal) these days at the price point. I don't run any of those behind Cloudflare and haven't had any issues as of yet.
For non-corporate entities, it is!
Having an almost plug-and-play solution that does CDN + DDoS Protection + WAF/Rate Limiter + Bot Protection, for a few bucks, is very useful for startups and SMEs.
And compared to different cloud offerings, their quick setup and lower cost are hard to beat.
DDoS protection and the number of features they offer are kind of unmatched.
I often see threads complaining about Cloudflare, never see suggestions for better alternatives.
It would be economically impossible for me to run a small personal website without Cloudflare thanks to the sheer quantity of badly behaved automated traffic on the Internet in 2026.
What happened when you tried?
Dumb question here - how can I manage effectively edges across the whole world without the huge maintenance overhead? Which tools would be recommended for that? I e.g. have a VPS at Hetzner with Coolify but users from the US have high latency. I wouldn't know how to not use CloudFlare?
Step one: Make a gate everyone uses
Step two: Sell keys to the gate
Muah ha ha
But in all seriousness I wonder who needs this... APIs are supposed to make it easy to bridge two applications... and you didn't need AI to utilize an API before so I wonder what's pushing this sort of thing to extract value down to individual calls?
I recently had to build a system to drop inbound traffic originating from cloudflare ASNs to prevent bad actors using WARP proxies, no legitimate cloudflare traffic usecases for anything inbound. Getting increasingly sick of cloudflare.
I do something similar seems to get the job done.
Something similar can be done with AWS EC2
Fun command chain thanks
See also the deranged post from the CEO, gloating about firing employees: https://archive.is/gSrfU.
I'm in awe at how tone deaf and naive the CEO comes across in this article. It reads like a comically ominous punchline from Gavin Belson.
Isn’t x402 an open standard anybody can implement?
X402... I was not aware, I had this idea of making HTTP connection depend on a monero transaction, the monero transaction should take around 3 secs of the average computer/cellphone... once you have paid that you can access the resource. You wanna crawl the whole internet non stop, you pay non stop, 3 secs is probably the same as we pay in ads for those without adblockers and then content generators can start getting paid for the resources they generate.
It's stablecoins not Monero.
Stablecoins: All of the complexity of cryptocurrency with all of the downsides of CBDC
Monero target block interval is 2 minutes. You have to wait for 2-3 blocks because Monero does regularly have reorgs.
Hey all, I’m a product manager on the team at Cloudflare that is building this. Happy to answer any questions! You can also email me at (my username)@(my company)
any possibility of hooking up native crypto to this? e.g. zk-rollups/sidechains, Lightning Network, etc?
Nostr zaps?
Currently this is for payments with stablecoins.
For Bitcoin / Lightning these kind of pay-per-request API paywalls have existed for many years already (e.g. my own from 8 years ago [1], but others as well).
Flattr [2] existed for non-crypto micropayments.
None became mainstream. I think the friction is always the extra setup on the client side. In all 3 cases the user (API consumer) has to set up a special wallet (browser extension or something for the agent) and deposit some money/crypto on the client side first. This part needs to become simpler.
[1] https://github.com/philippgille/ln-paywall
[2] https://en.wikipedia.org/wiki/Flattr
It’s a great way for developers or AI agents to test drive an API without creating an account and getting an API key from the API provider.
This could also make abusive use / DDoS attacks very costly
Nice website you got there. Would be a shame if our bot 'detection' blocked access to it. A real shame... Tell you what, drop a few dollars into my front pocket, and I might just look the other way.
Precursor to age verification gateway.
In the future, an AGEnt will attest that you are old enough to access the resource.
I think this is a directionally good idea. I can't help but think that there's basically no way that the AI labs can actually afford to pay for their massive amounts of training data though. (This does not make me particularly sad)
This is what I want for my ideal vision for the internet but I just don't trust any of the major players to be the ones to implement this. The internet is going to get so much worse.
Seems similar message flow to some of the internals of mobile core networks
I’m curious about the decision to “aim for sub second transaction times”, rather than using something cryptography-based, such as a verifiable oblivious pseudorandom function.
That is,
- as a client I could obtain a bunch of credits/tokens from my payment processor
- these tokens have the cryptographic property of being verifiable (ex: “that’s definitely a stripe-verified token worth $0.001”)
- these tokens also have the cryptographic property of being anonymous. (ex: neither stripe, nor the payment recipient know that I am Bob)
With this sort of cryptography based approach, cloudflare could verify my payment token without any cryptocurrency proof-of-work kerfuffle?
There's no proof of work to begin with.
I heard GNU Taler is something like this
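Added example (not part of the thread and not any project's code): the prepaid anonymous token idea from the comment above, sketched in Python with RSA blind signatures instead of the VOPRF the commenter names, because a blind signature can be checked by a third party holding only the issuer's public key. The `Issuer`, `Client` and `Merchant` classes, the hash construction and the demo key are assumptions; the key is built from two Mersenne primes purely so the example is deterministic and is not secure.

```python
import hashlib
import secrets
from math import gcd

# Demo key from two Mersenne primes (constructed, deterministic, NOT secure:
# a real issuer generates random primes and uses one key per denomination).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key the merchant verifies with
D = pow(E, -1, (P - 1) * (Q - 1))        # issuer's private exponent


def hash_to_int(nonce: bytes) -> int:
    """Full-domain hash of a token nonce into the integers mod N."""
    return int.from_bytes(hashlib.shake_256(nonce).digest(160), "big") % N


class Issuer:
    """Payment processor: charges a known account, signs a value it cannot read."""

    def __init__(self):
        self.seen = []                   # everything the issuer is able to log

    def sign_blinded(self, account: str, blinded: int) -> int:
        self.seen.append((account, blinded))   # the account would be charged here
        return pow(blinded, D, N)


class Client:
    def new_token_request(self) -> int:
        self.nonce = secrets.token_bytes(32)   # the token's serial number
        while True:                            # blinding factor, invertible mod N
            self.r = secrets.randbelow(N - 2) + 2
            if gcd(self.r, N) == 1:
                break
        # blinded = H(nonce) * r^E mod N: uniformly random from the issuer's view
        return hash_to_int(self.nonce) * pow(self.r, E, N) % N

    def finish(self, blind_sig: int):
        sig = blind_sig * pow(self.r, -1, N) % N   # strip the blinding factor
        if pow(sig, E, N) != hash_to_int(self.nonce):
            raise ValueError("issuer returned an invalid signature")
        return self.nonce, sig


class Merchant:
    """Verifier: needs only (N, E) plus a spent list to stop double spending."""

    def __init__(self):
        self.spent = set()

    def redeem(self, nonce: bytes, sig: int) -> bool:
        if pow(sig, E, N) != hash_to_int(nonce):
            return False                 # not signed by the issuer
        if nonce in self.spent:
            return False                 # token already used
        self.spent.add(nonce)
        return True


def buy_token(issuer: Issuer, account: str):
    """Full issuance round trip; returns the unblinded (nonce, signature) token."""
    client = Client()
    return client.finish(issuer.sign_blinded(account, client.new_token_request()))


if __name__ == "__main__":
    issuer, merchant = Issuer(), Merchant()
    nonce, sig = buy_token(issuer, "bob")
    print("first redemption:", merchant.redeem(nonce, sig))
    print("second redemption:", merchant.redeem(nonce, sig))
    print("issuer ever saw the token hash:",
          any(b == hash_to_int(nonce) for _, b in issuer.seen))
```

The issuer's log links "bob" only to the blinded value, and the merchant sees only the unblinded token, so the two records cannot be joined; the spent list is what the anonymity costs the verifier in state.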
This has a lot of potential; true disruption can happen for existing markets only when the transaction cost features change, and CloudFlare is ideally positioned to drive a new standard. Ideally they create a service that can be open and replicated in competition (not just technically but economically), and this creates the right incentives for bots and sites/services.
I dislike stablecoins because they legitimize their cousin coins and because (I think?) they have transaction fees that create the wrong incentives for providers. I'm not sure what the real benefit is over prepaid (policy-driven) fiat currency with (possibly-paid) transaction records.
I can see how selling to bots could become so profitable that no one bothers to present directly to humans, but I look forward to an ad-free, much more capable internet, where paywalls are more like a headwind than a wall.
so is Cloudflare the cancer now?
Always has been.
> This is what we are building toward: an agent-first Internet with Internet-scale settlement built in.
Ah yes, the starry-eyed dream of early web pioneers is finally upon us: a soulless internet filled with soulless agents and microtransactions!
But in all seriousness, it's hard to deny that the attention-based model that has propelled the web forward for the last 30 years is somewhat falling apart. And I don't have, nor have I come across, any meaningful solutions that could realistically work better. So maybe it's just time we turn off this 'internet' thing and call it a day.
> This reality demands a new model: usage-based pricing for everything.
Oh boy!
So, the idea itself is fine. The timing at which it's introduced is what makes me nauseous. We're really trying to milk the agents in any way possible, aren't we?
Micropayments have always suffered from an early adopter problem because it’s difficult to convince ordinary users to pay for web pages. But if a big company, perhaps one of the AI labs, started paying websites using this system then it might bootstrap the system?
I think the difficult part is that LLMs are gullible and it will absolutely be gamed if any real money can be made this way.
It would be nice if this became a viable alternative to paywalls, though.
A partnership with Perplexity AI would be nice!
Let's say a part of the subscription is used to pay for it.
We need an email address so that we can contact people if there is a problem.
So far, I'm having trouble figuring out how to get that out of x402.
Monetization Gateway for Bunny CDN: https://github.com/dip-proto/x402
and for Fastly: https://github.com/dip-proto/x402-fastly
Tackling this at the network layer has limitations. Stripe bought Metronome, which inserts at the application layer. Arguably makes more sense.
Internet needs an open, integrated and universal payment layer. But first the payments should be done well (look at: Taler project), then integrations should be built, not the other way around.
I know many people here would be against anything related to payment on the Internet, but I do believe the ability to have a button like "One click here to anonymously with no account pay 0.02€ and download the media" could be a net positive for Internet freedom.
how will the end user pay? will we all have stablecoin wallets installed?
article says it's mostly for agents, users will not be directly involved
> At the same time, an agent can make thousands of micropayments without friction, while asking a person to approve each payment would be impossibly burdensome.
but yes, they will need wallets
but it's also optional, you do not want to buy these paid for requests, you do not need a wallet
I assume that if this catches on then the agents will have their own wallets and deduct fees from your account credit, just like with API-based usage. So the way you interact with them won't change, from your POV they'll just get more expensive.
It seems the usage will be mostly agent <-> service or service <-> service. For user, probably using a Metamask-like wallet yes
I feel like this kind of tech can solve the news problem. So many paywalls. Imagine they don’t exist and your impression costs a few cents. I’d prefer this to massive lawyer grade cookie popup wizards and monthly memberships. My MiL is a writer at a large newspaper in Kentucky and it’s wild how much she is pressured to share her stories and gain sign ups from her referral links. Pay per view solves this.
There is still going to be some popups or similar; how else would a user agree to payment?
With no popup but automatic non-user-approved payment, I'm going to set up 5 million pages, filled with AI generated content, and just wait for the money to roll in.
No matter how you slice it, user approval is required per microtransaction. For an AI bot it's no easier - they will exhaust their funds on my SEO pages in due course anyway.
Microtransactions made sense in the age where content production was gated by human effort and time. Now that I can effectively churn out millions of pages in a week, microtransactions make no sense.
Can the agents use debit cards?
Stablecoins don't make sense here, and I prefer not to use crypto at all.
Debit cards have to pay too many people. The acquiring bank, the receiving bank, the network, all take their fees. Stripe and their minimum $.30 per transactions leave no room for $0.01 API calls.
Crypto transfer fee is worse. Can be up to $30.00 on Ethereum for that $0.01 API call.
Actually, x402 was created because using a credit card programmatically is very difficult.
The whole business of Stripe is based on that: it's so hard for developers to do, and so many regulations, that they would rather pay another company to do so.
Crypto can be sent just using a contract.transfer() call
And debit / credit cards are horrible for privacy (name and address info is sent along with payments).
Presumably, like their captchas, this will completely break things like ad blockers, browsers with strict cookie policies, and probably things without hardware attestation.
Unless there's a privacy-preserving way this can be used to send money, then it's just another chunk of the surveillance state that's being rapidly erected over the last few years. The word "privacy" does not appear once in the article.
Even if it did, I'd be skeptical. If their payment system does allow money to be sent in a privacy and free speech preserving way, then it'll be used for money laundering.
This whole "agents bad" framing is complete BS. It's the reality of how people use the internet now, and, frankly, ad blockers have been a thing since forever. On the other hand, if successful, this infrastructure will give Cloudflare centralized control over internet publishing and also centralized surveillance of all users with no opt out.
Piracy is looking better and better. So does the small web. Come to think of it, the library does too. Any good solutions for non-destructively scanning books?
Behold, another stake in the heart of the open Internet.
First it was GDPR government fragmentation; then it was AI slop requests, and now it is greed. Before you know it, we'll be back to the days of having to research at libraries because they'll be the only ones with taxpayer funding to pay the x402 fees.
Insane reflection. Nothing about the open internet has or will change because of a private, third-party payment framework making use of a http status code. Who is paying for bots like this? Every site needs to account for its costs. Just because you're too euro-poor to afford basic access to research doesn't mean others can't pay for it and benefit from it. Get a job.
Is Europe just flooding online fora with doomer luddites to demoralize the US tech sector? Sounds far-fetched, but there is nothing organic about the recent rise in US/tech hatred across the web.
Conceptually, sure - but crypto? Really?
Yes really. Just because the initial rush ended in scam bros, doesn't mean there's no value in the underlying tech. You don't throw the baby out with the bath water.
Yet another portion of the internet to be ruined by the consequences of the trillion-dollar spambots, wonderful.
[flagged]
You realize humans are going to be the first wave of collateral damage right? I already basically cannot browse the internet for technical information, since most high-quality forums are behind captchas that block my iPhone.
If I ask an agent to do it, it does better at finding the small percentage of sources not hosted by cloudflare. However, it generally cannot hit open-access / public domain sources (like the current legal code, or academic papers) because those are blocked and it respects stuff like robots.txt.
Would you be willing for Cloudflare to "Know their customer" (you) and pay 3 cents to access the forum, instead of filling in the captcha?
I thought the goal was to only charge agents a fee, which would either 1. stop agents from scraping your site non-stop and eliminate the need for a captcha, making the human experience better or 2. make the owner of the site some money in exchange for a bajillion bots scraping their content.
Maybe that's too optimistic though based on the responses in this thread.
If they only charge agents a fee, then people will just set up a mcp endpoint or whatever to desktop chrome/firefox.
As it is, their captchas are already blocking tons of human traffic.
The idea that the price will be low unless you access it a lot falls over due to caching. Big tech companies will cache whatever they scrape, paying for one copy. Regular people and smaller companies will not read the same thing enough to amortize the cost of the first fetch, so they’ll pay 1000’s to 1,000,000’s of times more than the monopolies per-use of a given piece of information.
If individuals set up a federated cache with open access, they’ll get sued for copyright infringement. (Even though that would solve the supposed problem: That cloudflare cannot afford to operate a cache).
The end result is that only closed agents will be allowed to (legally) read most content without paying extortion-level fees.
Also, like with YouTube and video, serving text will become a winner-takes-all proposition.
Interesting, yea I think that makes sense. Well, that's a bummer if that ends up being the case!
Can't speak for GP, but I wouldn't - privacy is already eroding at a startling rate, and more KYC for things that really don't need it is just a further affront to human rights. (See also the FCC's recent request for comments on requiring government-issued ID to use a cell phone.)
Are your human rights also violated by Spotify keeping track of what songs you listen to, or Netflix and YouTube keeping tabs on what shows you are watching?
Internet non-ad monetization will also be in the form of massive syndication, where a subscriber gets access to thousands of high quality websites, and web publishers get access to millions of subscribers. But they need to take a hint from streaming services and really make massive syndicates which includes everything for everyone for this to work.
Yes. In the past, in the US, library checkout records were private / not recorded, specifically to protect the right to privacy, which is specifically protected by the UN human rights charter.
The systems you described not only record that information and make it available for warrants, they also sell it, and allow warrantless searches of it in some circumstances.
i installed the playwright MCP to let my agent access walled sites (specifically ebay and WSJ). i noticed that 90% of the time it was bounced from a site, it just reached out to a different site that wasn't walled, and i think it's the right move: most information exists at multiple places on the web, it's cheaper and _faster_ to just skip over walled sources.
for the forum example: many forums have a policy to only allow access to attachments to logged-in users. i can't remember the last time i registered at a new forum just to view an attachment: the effect has always been to drive me elsewhere. no complaints -- these solutions work if your goal is to reduce load. i'm suspicious that they can drive monetization outside of a very few niches.
I play dungeon crawl stone soup (think nethack, but with web tiles), and most of the servers are struggling because of AI crawlers downloading the morgues.
Real users are already suffering.
If (big if) the AI labs can be made to pay for the abuse, actual users win.
when the law won't protect you it creates an opportunity for a mafia like protection racket
Can you please stop fulminating and posting flamebait and/or unsubstantive comments to HN threads? All of that is against the guidelines and you have unfortunately been doing them repeatedly.
If you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules when posting here, we'd appreciate it.
Crypto crap should not only be illegal... it is already illegal - there's no such thing as legal anonymous payments, due to AML laws.
When I see crypto I immediately think of fraud (and corruption of this US administration)