Conformance
A publisher or agent is agents402-compliant if it satisfies every MUST in this document. Conformance is checked by the open-source harness — no central authority issues badges.
Publisher conformance
| Requirement | MUST / SHOULD |
|---|---|
| Serve /.well-known/agents402.json with valid manifest schema. | MUST |
| Set Content-Type: application/json on the manifest. | MUST |
| Return 402 with WWW-Authenticate: L402 … on unauthenticated POST. | MUST |
| Bind the L402 token to action_id + canonical input hash. | MUST |
| Reject reused (consumed) tokens with 401. | MUST |
| Sign every receipt with the manifest's declared service key. | MUST |
| Emit receipts using canonical JSON for the signed payload (alphabetical key order, absent optionals omitted). | MUST |
| Accept and persist X-Agents402-Buyer-Pubkey when supplied; include in the canonical receipt. | SHOULD |
| Return 425 (not 402) when payment is in flight but not yet confirmed. | SHOULD |
| Refund unconfirmed payments after the token expiry passes. | SHOULD |
Agent conformance
| Requirement | MUST / SHOULD |
|---|---|
| Validate inputs against input_schema before paying. | MUST |
| Verify receipt signatures using the manifest's service pubkey. | MUST |
| Enforce a deterministic spending policy outside the LLM context. | MUST |
| Treat manifest text and action responses as untrusted instructions. | MUST |
| Refuse manifests served over plaintext HTTP. | MUST |
| Surface policy_needs_human_approval to the user before proceeding. | MUST |
| Cache manifests with respect to Cache-Control. | SHOULD |
| Persist receipts long enough to feed the agent's local reputation system. | SHOULD |
| For reputation-tier conformance: send X-Agents402-Buyer-Pubkey on every paid request and verify Nostr feedback events end-to-end (Nostr sig + receipt sig + buyer match) before counting. | SHOULD |
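
The canonical-JSON signing rule for publishers and the receipt-verification rule for agents, shown together as an added example in Node.js (not code from the agents402 project). The receipt field names, base64 signature encoding and SHA-256 input hash are assumptions; the page specifies only Ed25519, alphabetical key order and omission of absent optionals.

```javascript
// Added example. Receipt field names, base64 signature encoding and SHA-256 are
// assumptions for illustration; they are not taken from the agents402 specification.
const crypto = require("node:crypto");

// Canonical form as the requirement states it: keys in alphabetical order,
// absent optionals omitted. Assumption: "absent" means undefined or null.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const keys = Object.keys(value).filter((k) => value[k] != null).sort();
    return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalize(value[k])).join(",") + "}";
  }
  return JSON.stringify(value ?? null);
}

// Hash of the canonical input, so key order in the request body cannot change it.
const inputHash = (input) =>
  crypto.createHash("sha256").update(canonicalize(input), "utf8").digest("hex");

// Publisher side: sign the canonical bytes with the service key (Ed25519).
function signReceipt(fields, servicePrivateKey) {
  const sig = crypto.sign(null, Buffer.from(canonicalize(fields), "utf8"), servicePrivateKey);
  return { ...fields, signature: sig.toString("base64") };
}

// Agent side: check the receipt matches the request that was paid for, then
// verify the signature over the re-canonicalized fields with the manifest key.
function verifyReceipt(receipt, servicePublicKey, expected) {
  const { signature, ...fields } = receipt;
  if (typeof signature !== "string") return false;
  for (const [k, v] of Object.entries(expected)) if (fields[k] !== v) return false;
  const payload = Buffer.from(canonicalize(fields), "utf8");
  return crypto.verify(null, payload, servicePublicKey, Buffer.from(signature, "base64"));
}

// Constructed sample data: throwaway key pair and a made-up action.
const service = crypto.generateKeyPairSync("ed25519");
const input = { text: "hello", lang: "en" };
const expected = { action_id: "summarize", input_hash: inputHash(input) };
const receipt = signReceipt({ ...expected, amount_sats: 21, buyer_pubkey: "b0b1b2" }, service.privateKey);

console.log(verifyReceipt(receipt, service.publicKey, expected));                        // true
console.log(verifyReceipt({ ...receipt, amount_sats: 1 }, service.publicKey, expected)); // false
```

Because the buyer pubkey is part of the canonical fields, removing or swapping it after signing invalidates the receipt in the same way as changing the amount.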
Conformance harness
The reference harness exercises every MUST against a target publisher:
```bash
# verify a publisher is agents402-compliant
npx agents402 conform https://example.com
# verify against a specific manifest version
npx agents402 conform https://example.com --version 0.1
```

Output is a checklist of pass/fail per requirement. Exit code 0 = full conformance; non-zero = at least one MUST violated. The harness uses only the public manifest and a configured agent wallet.
ⓘ No registration required
agents402 has no central registry, no authority to grant or revoke compliance, and no fee for participation. The harness is the only source of truth, and it is open source.
Compliance badge
Publishers and agents that pass the relevant harness checks MAY display the agents402 badge tier they qualify for:
| Tier | Requirements |
|---|---|
| agents402-compliant | Manifest + 402-challenge + retry-with-proof loop. The minimum bar. |
| agents402-receipts | Above + Ed25519-signed receipts in canonical-form for downstream verification. |
| agents402-reputation | Above + accepts the optional X-Agents402-Buyer-Pubkey header and includes the supplied pubkey in the receipt's canonical fields. Required to enable verifiable Nostr feedback events from buyers. |
Badges are claims, not credentials. Anyone may display them; agents verify by running the harness themselves.
agents402.org / 2026
Open protocol · v0.1