security · audit-friendly by default
Security by design. Audit-friendly by default.
No security through obscurity. The router that handles every payment is audit-friendly by design — diagrams, EIP-712 signature recovery, public test counts, and an Ed25519-signed event stream. Every settlement is on-chain at 0xD6E8aF2F65B4C9ACC7BF14A3096056e89E312878. Every operational event is Ed25519-signed and publicly verifiable. Our 48-hour security burn-in ran five independent audits — three full passes, two partial (all findings now closed).
moat #1 · facilitator resilience
Multi-facilitator failover. Sub-500 ms.
Multiple x402 facilitators run in parallel on Base, Polygon, and Solana — Coinbase CDP, PayAI, and a local-key signer per chain — with sub-500 ms automatic failover. A local-key signer covers full external-facilitator outages. The router cycles by measured p95 latency, not by static priority. Buyers pay on those 3 chains; seller payouts run on Base, Polygon, Arbitrum, Optimism, Avalanche, or Solana via CCTP.
Cycle on health check fail. No human in the loop.
The piece that keeps us alive during a facilitator outage is a proprietary routing engine — 105 tests, 100 % coverage, battle-tested in production.
audits · May 2026
Five audits ran in May 2026. All findings closed.
Our 48-hour burn-in dedicated structured audit time to the sell-side V1 stack. Three audits passed clean. Two surfaced findings — all six closed in the May 2026 hardening cycle.
0xD6E8aF2F65B4C9ACC7BF14A3096056e89E312878 vs CDP managed settlement walletsledger.take_rateThe two partials produced six concrete findings : autosuspend inline check < 1s, EIP-3009 fast-path recordLedger, cache lag 60s → 10s post-cron, SENTRY_DSN injection prod, GIT_SHA deploy inject, balance pre-batch alert. All six are closed. Audit log entries for each in /v1/_audit.
cryptography · signatures
EIP-712 signatures. Ed25519 audit chain.
Quotes are signed. Every 402 quote is an EIP-712 typed-data structure (domain, primary type X402Quote, scheme exact, network base, amount, asset, payTo, expiry). The recipient address is recoverable from the signature, so even if the response is intercepted, the buyer can verify the quote came from tools402.
Mandates are signed. AP2 IntentMandates issued by /v1/agent/identity are EIP-712 typed data with chainId 8453 (Base). The verify endpoint returns a recoverable signature you can match against tools402's wallet.
Audit events are signed. Every operational event in /v1/_audit carries an Ed25519 signature. The public key is at /v1/_audit/pubkey. Pin it once, verify any event from any future URL we ever publish.
monitoring · sentry stack
22 metrics. 7 alert rules. Sliding window P99.
Sentry tracks 22 named metrics across error rates, payment latency, facilitator latency, sell-side settlement, AP2 mandate verification, and observability infrastructure. Seven alert rules fire on P99 sliding-window thresholds — not single-event spikes, which generate noise.
Stack components, all open source : Bun 1.3.13 + Hono runtime, viem wallet ops, SQLite WAL + litestream with Cloudflare R2 backup (RPO 85ms), Modal Firecracker microVMs for /v1/agent/sandbox, Pinecone serverless us-east-1 for /v1/agent/memory, Sentry for monitoring.
Lead-only-commit discipline : no commit ships without Lead audit. 1500+ tests pass on every commit.
responsible disclosure
Report a vulnerability.
How to reach us.
Found something that needs our attention? Email us directly. We acknowledge every report within 24 hours and run triage within 48. Critical issues get fixed and disclosed publicly within 7 days; low-severity ones get a public writeup on /proof after the fix ships.
security@tools402.dev