Specification

manifest.json

Wire-level reference for the agents402 manifest. This is the contract between a publisher and any conforming agent.

Endpoint

Property	Value
Path	`/.well-known/agents402.json`
Method	GET
Auth	None — manifest is fully public
Status (success)	200 OK
Status (not implemented)	404 Not Found

Required headers

Header	Value	Notes
`Content-Type`	`application/json`	MUST be application/json. UTF-8 encoded.
`Access-Control-Allow-Origin`	`*`	Manifest must be CORS-readable so browser-based agents can fetch it.
`Cache-Control`	max-age ≤ 3600	Recommended. Manifests are expected to change infrequently but not be immutable.

JSON schema

agents402-manifest-v0.1.schema.json

json

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type":    "object",
  "required": ["version", "service", "actions", "receipts"],
  "properties": {
    "version": { "const": "0.1" },
    "service": {
      "type": "object",
      "required": ["name", "homepage"],
      "properties": {
        "name":              { "type": "string", "maxLength": 256 },
        "description":       { "type": "string", "maxLength": 1024 },
        "homepage":          { "type": "string", "format": "uri" },
        "lightning_address": { "type": "string", "maxLength": 256 }
      }
    },
    "actions": {
      "type": "array",
      "minItems": 1,
      "items": {
        "type": "object",
        "required": ["id", "type", "endpoint", "method", "price_msats"],
        "properties": {
          "id":           { "type": "string", "pattern": "^[a-z][a-z0-9_.-]*$", "maxLength": 128 },
          "type":         { "enum": ["web_access", "structured_data", "site_agent_query", "verification"] },
          "title":        { "type": "string", "maxLength": 256 },
          "description":  { "type": "string", "maxLength": 1024 },
          "endpoint":     { "type": "string", "format": "uri" },
          "method":       { "const": "POST" },
          "price_msats":  { "type": "integer", "minimum": 0, "maximum": 1000000000 },
          "input_schema": { "type": "object" },
          "risk":         { "enum": ["low", "medium", "high"] }
        }
      }
    },
    "receipts": {
      "type": "object",
      "required": ["pubkey_hex", "algorithm"],
      "properties": {
        "pubkey_hex": { "type": "string", "pattern": "^[0-9a-f]+$" },
        "algorithm":  { "const": "ed25519" }
      }
    }
  }
}

Validation rules

Rule	Reason
Action ids MUST match `^[a-z][a-z0-9_.-]*$`.	Lowercase, dot-separated. Stable identifiers across reputation systems.
Action ids MUST be unique within a manifest.	Receipts reference id; collisions create ambiguity.
Endpoint URLs MUST be absolute and use https.	Plaintext discovery is acceptable; payment redirects are not.
Endpoint hostnames MUST share an eTLD+1 with the manifest URL.	Prevents a site from publishing endpoints at a third party.
Service pubkey MUST be a valid Ed25519 SPKI in hex.	Verification with standard libraries; no per-impl key formats.

Error responses

A publisher that does not support agents402 SHOULD return 404 Not Found for the manifest path. Other statuses are reserved:

Status	Meaning
404	Publisher does not support agents402 (or temporarily disabled).
503	Manifest temporarily unavailable; agents may retry with backoff.
410	Publisher has permanently retired agents402 support.

Wire format

Exact HTTP request and response shapes for the 402 challenge and retry.

→

agents402.org / 2026

Open protocol · v0.1