tate@programs ~/tools/x402-surface-check manifest / challenge / launch surface

x402 surface check / may 2026

Inspect the public payment surface before a real agent spends.

Paste a manifest, OpenAPI spec, and 402 challenge, or try a public URL when CORS permits. The check looks for HTTP resource leaks, missing price fields, inconsistent networks, placeholder payees, staging rails, broad browser surfaces, and payment metadata risks. It never sends payment headers and never attempts a paid call.

mode: no payment
input: manifest + 402
output: patch order
Manual proof

what it checks

The public surface should tell wallets exactly what is being bought.

402 / Challenge shape

Amount, asset, network, payTo, resource URL, and timeout should be present before any client signs or pays.

https / Canonical resources

Resource URLs should use HTTPS and match the endpoint a wallet or facilitator is actually paying for.

cors / Browser payment path

If the public flow expects browser clients, the API's CORS policy must allow the payment header path it documents.

scope / Metadata boundary

Payment descriptions and resource strings should avoid prompts, private user content, internal IDs, and broad query context.
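As an added example (not the tool's own code), a minimal Python checker that applies the challenge-shape, HTTPS, placeholder-payee, staging-rail, query-context and network-consistency checks above to a constructed 402 body. The accepts[] field names, the zero-address and 42-character payee heuristic and the staging-network markers are assumptions, not taken from this page.

```python
import json
from urllib.parse import urlparse

# Field names assumed to follow the x402 v1 "accepts" entry shape.
REQUIRED = ("maxAmountRequired", "asset", "network", "payTo", "resource", "maxTimeoutSeconds")
ZERO_ADDRESS = "0x" + "0" * 40                                 # placeholder payee (assumption)
STAGING_MARKERS = ("sepolia", "testnet", "devnet", "staging")  # staging-rail heuristic (assumption)

# Constructed sample: entry 0 leaks an HTTP resource with prompt text in its query and pays to
# the zero address; entry 1 sits on a test network and omits the timeout.
SAMPLE_CHALLENGE = json.dumps({
    "x402Version": 1,
    "accepts": [
        {"scheme": "exact", "network": "base", "maxAmountRequired": "10000",
         "asset": "0x" + "a" * 40, "payTo": ZERO_ADDRESS, "maxTimeoutSeconds": 60,
         "resource": "http://api.example.test/v1/answer?prompt=what+is+my+balance"},
        {"scheme": "exact", "network": "base-sepolia", "maxAmountRequired": "10000",
         "asset": "0x" + "a" * 40, "payTo": "0x" + "1" * 40,
         "resource": "https://api.example.test/v1/answer"},
    ],
})

def check_challenge(body) -> list[str]:
    """Return human-readable findings for a raw or parsed 402 body; an empty list means clean."""
    challenge = json.loads(body) if isinstance(body, str) else body
    findings = []
    accepts = challenge.get("accepts") or []
    if not accepts:
        return ["no accepts[] entries: the challenge does not say what is being bought"]
    networks = set()
    for i, acc in enumerate(accepts):
        tag = f"accepts[{i}]"
        for field in REQUIRED:                       # price fields a wallet needs before signing
            if acc.get(field) in (None, ""):
                findings.append(f"{tag}: missing {field}")
        network = str(acc.get("network", "")).lower()
        networks.add(network)
        if any(m in network for m in STAGING_MARKERS):
            findings.append(f"{tag}: staging rail '{network}' exposed on the public surface")
        payee = str(acc.get("payTo", ""))
        if payee.lower() == ZERO_ADDRESS or len(payee) != 42:   # EVM address length assumed
            findings.append(f"{tag}: placeholder or malformed payTo '{payee}'")
        url = urlparse(str(acc.get("resource", "")))
        if url.scheme != "https":                    # HTTP resource leak / non-canonical URL
            findings.append(f"{tag}: resource is not HTTPS ({url.scheme or 'no scheme'})")
        if url.query:                                # query context leaks into payment metadata
            findings.append(f"{tag}: resource carries query context '{url.query}'")
    if len(networks) > 1:
        findings.append(f"inconsistent networks across accepts: {sorted(networks)}")
    return findings
```

Nothing in the block contacts a server or builds a payment header; it only reads the challenge a server has already published.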

private pass

Need the external pass against a live x402 launch?

The private review runs no-payment probes, maps spend surfaces, and returns a ranked patch order before any public write-up.