Ben Greenberg

Cloudflare just made x402 a compliance checkbox

Ben Greenberg
Ben Greenberg
@hummusonrails

tl;dr Agentic payments are not a nice to have anymore, they are becoming a requirement. Arbitrum provides the execution layer to make this reliable and performant. x402 is just the beginning of what agentic development looks like on Arbitrum, this blog post covers more of it.

Last week Cloudflare shipped a scanner that grades every website on how ready it is for AI agents. Most of what it checks is familiar. Robots.txt. Sitemaps. A few newer things like MCP server cards and markdown content negotiation.

Then, in the agentic commerce section, it checks for x402.

That’s the part I want to talk about.

The scanner is the real story, not the score

If you actually run your site through isitagentready.com, your score will probably be bad. That’s not the interesting part. Almost every site’s score is bad. Cloudflare’s own Radar data says MCP server cards appear on fewer than 0.019% of sites out of the top 200,000 domains.

The new Compliance checklist from Cloudflare

The interesting part is that this scanner exists at all, and who built it.

Cloudflare is pretty explicit about the analogy they’re reaching for. They compare it to Google Lighthouse, which turned web performance from a nice-to-have into a thing every developer checks before shipping. Lighthouse didn’t invent performance. It made the absence of performance visible. The scanner is pointing at the same dynamic for agent-readiness.

When the infra layer builds a scoreboard, the checklist becomes the spec.

Why a 29-year-old status code suddenly has a job

HTTP 402 Payment Required has been in the HTTP spec since 1997. For nearly three decades it sat there, reserved, unused, waiting.

The reason it waited so long is that it didn’t fit how humans buy things. Humans don’t want an API response that says “pay to continue.” They want a checkout page, a stored card, and a session that remembers them. So 402 stayed reserved and developers built the whole web around cookies and merchant processing services.

AI agents are not humans. An agent doesn’t have a stored card or a session. What an agent has is a budget and a goal. When it hits a paywall, it needs the paywall to be machine-readable. Status code, payment terms, retry instructions. That’s exactly what 402 was designed for, and it’s exactly what x402 finally puts to work.

The flow is pretty simple. Agent requests a resource. Server responds with 402 and a JSON payload describing what payment is required and where to send it. Agent signs a payment, retries the request with proof, gets the resource.

No cart. No checkout. No redirect. Just a request, a price, and a settlement.

https://radar.cloudflare.com/ai-insights#adoption-of-ai-agent-standards

What makes this different from the last hype wave

I’ve watched a lot of “this protocol will change everything” posts over the last three years. Most of them ran on vibes and transaction counts from dashboards that nobody outside crypto read. This isn’t that.

Cloudflare sits in front of a double-digit percentage of the internet. When they put a protocol into a scanner their customers run against their own websites, they’re not guessing which way the wind blows. They’re telling you where the wind is going.

You can believe x402 is overhyped. You can argue the transaction volume is thin, because it is. You can point out that a lot of the early activity is self-testing by developers, because it is. None of those critiques change the fact that an engineer doing a quarterly audit on their own site next year is going to open the scanner and see x402 sitting next to robots.txt with a red X next to it.

That’s a different kind of pressure than a price chart. That’s the kind of pressure that shows up in planning docs.

Where Arbitrum fits into this

x402 defines the handshake. It does not define where the money actually moves. That part is left to the implementation, and the implementation needs a settlement rail that’s cheap, fast, and has stablecoin liquidity deep enough to be reliable.

That’s a pretty short list of chains.

@Arbitrum is one of the few that meets that criteria.

The pattern that’s starting to form is not “crypto versus traditional payments.” It’s crypto becoming the settlement layer under a web flow that otherwise looks exactly like the flow every developer already knows.

Agentic payments is just the tip of the iceberg for what becomes possible and what you need to get ready for. Arbitrum remains the execution layer to help you accomplish all of it. This blog post covers what you need to know about the intersection of AI x Arbitrum, check it out today.