Verify our
infrastructure.
Every contract address, custody role, security check, and evidence artifact is documented here. No sales call required.
Deployed contracts
All contracts are deployed on Base Mainnet (Chain ID: 8453). Verify independently on Basescan.
ERC-20 asset used for all settlements. Circle-issued. Audited.
Receives USDC from settled payments. Platform fee destination.
Marketplace settlement contract. Applies 1% platform fee on settlement.
Handles recurring subscription billing via EIP-2612 permit. Month 1 sets allowance; months 2+ draw without new signatures.
On-chain agent identity registration and DID resolution.
On-chain agent reputation scoring. Read by routing engine for trust-weighted decisions.
{
name: 'USD Coin',
version: '2',
chainId: 8453,
verifyingContract: '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913'
}Used to produce the EIP-712 domain separator for TransferWithAuthorization signatures. Verify against the USDC contract on Basescan.
Who controls what
P402 never holds user funds. The facilitator executes signed authorizations — it does not custody assets.
Signs EIP-3009 authorization. Controls validAfter, validBefore, nonce, and value. User never submits a transaction — the facilitator does.
User sets authorization bounds. Once signed, the facilitator can execute within those bounds before validBefore.
Hot wallet that executes transferWithAuthorization on USDC. Pays gas on behalf of the user. Does not hold user funds.
If compromised, could execute valid but not-yet-settled authorizations. Mitigated by short validBefore windows and replay protection.
Receives settled USDC. Read-only from protocol perspective — only receives, does not send.
Separate from facilitator wallet. Compromise of facilitator does not affect treasury funds.
Defines paymentRequirements (amount, payTo, asset, resource URL). Calls verify then settle via P402 facilitator API.
Must validate verify response before serving content. Failure to check valid: true results in serving without confirmed payment.
Checks before settlement
Every settlement attempt passes all six checks. Any failure returns an ApiError with a code and requestId — no partial state.
Every EIP-3009 nonce is recorded in PostgreSQL and Redis before settlement executes. Reuse of any nonce returns REPLAY_DETECTED immediately — no second settlement occurs.
validBefore must be in the future at settlement time. Expired authorizations are rejected server-side before any chain interaction.
The value field in the authorization must equal maxAmountRequired from the payment requirements. Mismatches are rejected.
Settlements are rejected if Base network gas exceeds a configured limit (default 50 gwei). This prevents facilitator drain during fee spikes.
$0.01 USDC minimum per settlement. Sub-floor amounts are rejected before any signing occurs.
Billing webhooks use await req.text() before JSON parsing to preserve the raw body required for Stripe signature verification. Signatures are validated via stripe.webhooks.constructEvent before any state changes.
What happens on each call
EIP-3009 TransferWithAuthorization. Gas-free for the user.
Checks amount, sig, nonce, expiry, gas price. Returns valid: true or error code.
Facilitator calls transferWithAuthorization on USDC. Nonce recorded.
Base Mainnet confirms. Tx hash returned with payer metadata.
Receipt ID tied to settled tx. Reusable for repeat access.
Evidence bundles
Every transaction produces a structured evidence bundle. Export it from the dashboard or via API for risk review, compliance, or dispute resolution.
requestId — unique per callpayer address + payTo addressasset contract + amount + chainIdtxHash — on-chain referencereceiptId, mandateId, policyIddeny code (if rejected)timestamps (initiated, settled, expired)trace events summaryaudit findings summaryGET /api/v1/analytics/evidence-bundle
Authorization: Bearer $P402_API_KEY
# Query by request ID:
?requestId=req_01HX...
# Or by date range:
?from=2025-01-01&to=2025-01-31
# Response:
{
"requestId": "req_01HX...",
"payer": "0x...",
"txHash": "0xabc...",
"receiptId": "rcpt_...",
"denyCode": null,
"timestamps": { ... },
"auditFindings": [ ... ]
}Also available from the Transactions page and Audit page in the dashboard. Bulk export supported via date range.
Common questions
Does P402 hold user funds at any point?+
No. The facilitator wallet executes transferWithAuthorization on the USDC contract. Funds move directly from the user's wallet to the treasury or resource server. The facilitator is never in the custody chain.
What happens if a settlement fails mid-flight?+
All billing events use INSERT ... ON CONFLICT to prevent duplicate charges. If the chain call fails after nonce recording, the nonce is consumed — the user must re-sign with a fresh nonce. No double charge can occur.
How are API keys stored?+
Raw API keys (p402_live_...) are returned exactly once at creation. Only the SHA-256 hash is stored. P402 cannot recover a lost key — the user must generate a new one.
Can we verify the contracts ourselves?+
Yes. All contract addresses are listed above with direct Basescan links. Source code is verifiable on-chain. Chain ID 8453 (Base Mainnet).
What is the platform fee?+
1% of each settled payment, taken at settlement time by the P402Settlement contract. See /pricing for plan-level fees and limits.
Where do I report a security issue?+
Email security@p402.io. Include reproduction steps, affected endpoint, and requestId if available. We acknowledge within 24 hours.