Forced Tender

x402 opens payment authorization at the HTTP layer, but leaves execution, gas provision, compliance screening, chain choice, liquidity access, and operator continuity outside the protocol core. This article argues that the resulting market-structure question is regulatory rather than purely technical: whether open authorization decentralizes the legally consequential layers of payment infrastructure. Using Kahn and Roberds as primary framework, with CPSS-IOSCO, CPMI, Brunnermeier-James-Landau, and open-banking scholarship as supporting context, the article develops the concept of residual settlement. Residual settlement names the pattern in which protocol openness at the authorization layer coexists with concentration pressure in execution and compliance. x402 is the clearest current case.

The paper does not claim that x402 invented authorization-execution decomposition; card networks, ACH, SWIFT, and PSD2 already separate initiation from downstream execution and settlement. Its contribution is narrower: x402 combines open HTTP authorization, public-chain stablecoin settlement, and residualized compliance burdens in a way that favors operators with existing licensing, merchant access, and operational capacity. For financial regulation, the implication is straightforward. Opening authorization does not by itself decentralize payment-system power.

Keywords: x402, machine payments, payment systems, stablecoins, compliance, PSD2, open banking, Kahn-Roberds, residual settlement, authorization.

x402 was launched to solve a real problem. Conventional card pricing makes sub-dollar machine payments irrational. Autonomous agents cannot use ordinary card or bank-account credentials as human consumers do. x402 responds by standardizing cryptographic authorization at the HTTP layer so that software agents can sign payment intent and merchants can respond in a machine-readable way (x402 Foundation n.d.; Cloudflare 2025).

The protocol’s technical core is relatively simple and, by current public evidence, competently built. The harder institutional questions sit outside that core. Who simulates and broadcasts transactions? Who advances gas? Who performs OFAC screening, transaction monitoring, fraud review, and merchant policy enforcement? Which chain and which settlement asset become default? Which operator accumulates enough compliance, liquidity, and developer-installation advantage to become the practical center of the system?

Those are payment-system questions. They are best approached first through Kahn and Roberds’s analysis of how payment systems allocate settlement work, liquidity, and compliance burdens across participants. The open-protocol surface matters, but it does not settle market structure by itself (Kahn and Roberds 2009).

It does not claim that authorization-execution separation was invented by x402. That architecture is familiar from card networks, ACH, SWIFT, and PSD2’s payment-initiation regime. Nor does it claim that machine-payment concentration is caused by one company alone. The argument is narrower. x402 creates a specific configuration in which open authorization coexists with residual operator functions that are expensive to replicate, especially once compliance, liquidity, and developer integration are combined (Arner, Buckley, and Zetzsche 2022; CPSS 2003).

That is also why this is a financial-regulation paper rather than only a protocol-governance paper. The central question is not whether x402 is elegantly designed. It is whether a formally open payment surface changes the location of legally and economically decisive power. The argument developed here is that it does, but not in the direction protocol rhetoric might suggest: authorization opens while the most consequential regulatory and operational burdens remain concentrated downstream.

Williamson is relevant at the margin but not primary. Compliance capacity plainly exhibits asset-specific features: specialized personnel, licensed tools, regulatory relationships, and merchant-specific onboarding processes. That is real analytical leverage. But the paper’s object is the allocation of payment-system functions after authorization has been opened, not governance-form selection in the abstract. Kahn-Roberds therefore remains primary, with Williamson acknowledged as a secondary language for the compliance-capacity subproblem (Williamson 1985, 1991).

This article uses functional-institutional reconstruction. It first identifies the function x402 formalizes, payment authorization at the HTTP layer, and then reconstructs the functions left outside that formalized core: verification, settlement submission, gas advancement, chain and asset selection, compliance screening, merchant onboarding, transaction monitoring, liquidity access, and continuity of service. The paper’s unit of analysis is therefore not the smart contract alone and not Coinbase alone. It is the post-authorization burden profile created by the protocol architecture.

The evidence base has four layers. First, official protocol and platform materials establish the technical architecture: the x402 repository, x402 Foundation materials, Coinbase and Base facilitator documentation, Cloudflare’s x402 materials, and the Cantina audit. Second, official legal and regulatory materials establish the surrounding payment-stablecoin environment: the GENIUS Act, OCC rulemaking, EBA PSD2/MiCA materials, Van Loon, and Treasury’s Tornado Cash delisting. Third, issuer, exchange, and infrastructure disclosures establish the commercial setting in which x402 is being deployed, including Circle and Coinbase disclosures. Fourth, public reporting and dashboards are used only for bounded adoption-context claims, not for a complete market-share reconstruction.

The method is comparative in a limited sense. Direct machine-payment comparators, including L402, AP2, and Stripe’s Machine Payments Protocol, show whether x402’s machine-payment design choices are unusual among adjacent protocols. Institutional-contrast comparators, including PSD2/PISP, card and ACH arrangements, SEPA Instant, and PIX, show how mature payment systems allocate compliance, reporting, dispute, settlement, and access functions through regulated institutional design. The paper’s key comparison is not "old payments versus crypto payments." It is regulated initiation and execution bundles versus open authorization plus residual operator functions.

That comparison can be stated functionally:

The article’s inference is deliberately bounded. The sources support claims about protocol design, documented facilitator burdens, visible default-path clustering, and the regulatory environment. They do not yet support a measured claim about total x402 market share, durable monopoly, hidden commercial arrangements, or the absence of viable independent facilitators. The claim is therefore structural rather than outcome-final: open authorization can coexist with concentration pressure where the expensive downstream payment functions remain residual.

This evidence design also sets the paper’s publication burden. Repository-level x402 architecture claims have now been pinned at commit, file, line, and hash level for the bounded protocol-design claims. Before journal submission, live regulatory and product sources should still be checked again; dashboard or adoption claims should be archived with dates and methodological caveats; and operator-specific claims should be supported by source-pinned service evidence. Without those controls, the article can remain a strong public working paper, but it should not be represented as a fully submission-pinned empirical manuscript.

The x402 empirical base is stronger than the review severity might suggest. The protocol core is narrow, publicly inspectable, and technically disciplined. The repository pin used for this article is commit 85f6123f30dc3935c442dd5e7187d4d743fecad0. The EVM contract surface consists of Exact and Upto Permit2 proxy contracts over a shared base contract; the repository documents deterministic deployment, witness-bound destinations, and constrained settlement paths. The Cantina audit reviewed the three-contract scope at commit c0a80b76; the report records no Critical, High, or Medium findings, while identifying Low and Informational issues that it records as fixed in later commits. That does not prove the system will succeed commercially. It does tell us the interesting institutional problems are not hidden inside a sprawling mutable contract system (x402 Foundation n.d.; Cantina 2026; x402 repository commit 85f6123f30dc3935c442dd5e7187d4d743fecad0, contract sources at contracts/evm/src/x402BasePermit2Proxy.sol, contracts/evm/src/x402ExactPermit2Proxy.sol, contracts/evm/src/x402UptoPermit2Proxy.sol).

The adoption arc is also publicly visible. By late 2025, public x402 materials were reporting rapid uptake and high payment counts. Independent reporting in early 2026 then documented a sharp contraction in activity, with daily transaction counts falling from roughly 731,000 in December 2025 to roughly 57,000 by February 2026. The empirical point is not that x402 failed. It is that early activity concentrated in a small set of use cases and that volume did not by itself settle whether the open protocol had produced plural operator structure (Cloudflare 2025; BeInCrypto 2026).

The Coinbase-linked economic path is cleaner when sourced correctly than earlier drafts made it. Circle’s S-1 reports $907.9 million in distribution costs paid to Coinbase in 2024 under their commercial arrangements. Coinbase’s Q4 2024 shareholder letter reports $910 million in stablecoin revenue. These are related but distinct figures, and the distinction matters. Together they show that stablecoin-linked payments sit inside an already meaningful revenue relationship between Circle and Coinbase. x402 adoption therefore develops inside, not outside, a preexisting commercial settlement stack (Circle Internet Group 2025; Coinbase Global 2025).

The empirical claim is correspondingly narrow. Adoption figures rest on public reporting and dashboard summaries rather than on an independent chain-level reconstruction by the author. Revenue figures rest on issuer and partner disclosures rather than inferred operator economics. That is enough to support the paper’s argument about visible default-path clustering, but it would not support a stronger claim about total market share or hidden operator arrangements.

Base deepens the same pattern. Public x402 materials and Coinbase-hosted facilitator documentation repeatedly route the default production path through Base and USDC. The result is not a proof of monopoly. It is a public demonstration that authorization can be open while the commercially coherent default path remains institutionally concentrated (Coinbase Developer Platform n.d.; Coinbase Developer Documentation n.d.).

Residual settlement names the pattern in which authorization is opened while the downstream payment functions remain institutionally allocated outside the protocol. In x402, those functions include execution, gas advancement, chain selection, stablecoin choice, compliance screening, merchant onboarding, transaction monitoring, and continuity of service (Kahn and Roberds 2009; Awrey 2022).

This matters because each residual function has a cost structure. Gas advancement requires working capital and reliable automation. Chain selection requires integration and risk judgment. Merchant onboarding requires support, contracts, and often licensing. Compliance requires sanctions screening, transaction-monitoring tools, merchant policy systems, legal review, and audit trails. The protocol leaves those tasks open. It does not make them cheap.

The strongest concentration mechanism is compliance. Merchant-grade compliance is expensive to replicate and difficult to modularize fully. It requires specialized staff, licensed analytics, reporting systems, policy infrastructure, and jurisdiction-specific legal posture. A protocol that leaves compliance residual therefore invites clustering at operators that already possess those capabilities. That is the core institutional claim of the paper (Williamson 1985, 1991; Vatiero 2022).

The operational content of that burden is easy to understate. Merchant-grade compliance is not a single sanctions API call. It includes onboarding review, risk scoring, transaction monitoring, escalation paths, recordkeeping, suspicious-activity judgment, policy updates, and the ability to adapt quickly across jurisdictions and counterpart categories. Those requirements are exactly what make the residual layer sticky. Once one operator already has the personnel, tooling, legal posture, and merchant installation base to perform them at scale, protocol openness at the authorization layer does not neutralize that advantage (Coinbase Developer Platform n.d.).

This is where the Williamson adjacency becomes real. Compliance capacity looks like an asset-specific bundle: human expertise, dedicated tooling, merchant-specific review processes, and jurisdictional authorizations that are costly to duplicate. But the analytical point remains payment-systemic rather than purely Williamsonian. The deeper issue is structural. A payment architecture that opens authorization while residualizing compliance predictably shifts competitive advantage toward already regulated or regulation-ready operators.

That is why the paper’s novelty claim is now narrower and stronger. The contribution is not "x402 discovered decomposition." It is that x402 shows how open authorization combined with public-chain stablecoin settlement can reproduce concentration pressure at the operator layer, with compliance serving as the most durable channel.

The regulatory section needed the heaviest revision because the manuscript was previously written against a stale baseline.

In the United States, the GENIUS Act was signed into law on July 18, 2025, creating the first federal framework for payment stablecoins. The law changed the legal environment materially. Any treatment of payment stablecoins as merely awaiting a basic statutory frame is now outdated. At the same time, implementation remains incomplete, and the operator landscape is still shaped by transitional uncertainty, state money-transmission regimes, and enforcement history (United States Congress 2025; White House 2025).

That implementation lag matters for the paper’s argument. The statutory baseline is now clearer, but the operator burden has not been dissolved into a single settled compliance regime. The OCC’s February 2026 notice of proposed rulemaking confirms that major parts of the federal framework still depend on subsequent administrative specification. In practice, x402 therefore develops in a transitional zone: clearer than the pre-GENIUS environment, but still fragmented enough that existing compliance and licensing capacity remains a competitive advantage rather than a commoditized input (Office of the Comptroller of the Currency 2026).

That uncertainty must also be described precisely. SEC v. Coinbase was dismissed with prejudice in February 2025, but state actions persisted and Oregon filed a new case in April 2025. The result is not regulatory absence but fragmented oversight. On the payments side, the state money-transmission landscape remains heterogeneous. CSBS reports that thirty-one states have enacted the MTMA in full or in part. That is substantial harmonization, but not a single nationwide regime (Securities and Exchange Commission 2025; Conference of State Bank Supervisors 2026).

The European baseline also changed. PSD3 and the Payment Services Regulation reached political agreement in November 2025 but are not yet fully adopted or applied. USDC, meanwhile, has been MiCA-compliant as an electronic money token since July 1, 2024 through Circle’s French EMI structure. The EBA’s February 2026 opinion is especially important because it clarifies that EMT transfers may still count as PSD2 payment transactions. MiCA therefore does not displace payments-law analysis for stablecoin flows (European Banking Authority 2026).

That overlap is analytically valuable because it defeats an easy but wrong simplification. Stablecoin transfer in Europe is not exhausted by token-regulation status alone. The same flow can sit inside both an EMT framework and a payments-law framework. For x402, that means the legal burden is layered in a way that mirrors the institutional argument of the paper: even where authorization is technically open, execution and settlement remain embedded in multiple regulatory shells that reward actors already positioned to navigate them.

The OFAC environment changed as well. Tornado Cash was removed from the SDN list in March 2025 after Van Loon held that immutable smart contracts are not IEEPA property. That development does not make compliance irrelevant for x402. It does mean that any broad claim that DeFi code remains categorically subject to the old OFAC logic would now be overstated (Van Loon v Department of the Treasury, 122 F.4th 549 (5th Cir. 2024); United States Department of the Treasury 2025).

The upshot is that x402 sits in a regulatory environment that is more structured than earlier drafts allowed but still institutionally fragmented enough to reward operators with existing compliance, licensing, and legal-adaptation capacity. That reinforces the residual-settlement argument rather than undermining it.

The revised comparator structure has three tiers.

First, there are direct machine-payment protocol peers: x402, L402, AP2, and Stripe MPP. These are the systems that most directly share the problem of protocolized authorization for machine or agent-driven payment requests (x402 Foundation n.d.; Lightning Labs 2020; Google Agentic Commerce n.d.; Stripe n.d.-b).

Second, there are adjacent network programs: Mastercard Agent Pay and Visa Intelligent Commerce. These matter because incumbent networks are building agent-facing acceptance and trust layers, but they should not be conflated with open protocol specifications (Mastercard 2025; Visa n.d.-a, n.d.-b).

The distinction is worth keeping sharp. Mastercard’s Acceptance Framework and Visa’s Trusted Agent Protocol are evidence that incumbent payment networks also recognize machine-facing identity, trust, and merchant acceptance as central design problems. But they are solving those problems inside governed network environments with branded rule systems and controlled participation. x402 is informative precisely because it tries to open authorization without importing that full institutional shell.

Third, there are institutional-contrast comparators: SEPA Instant and PIX. They are not direct peers. They do not solve agent authorization or HTTP-native machine commerce. They are still analytically useful because they show how mature payment systems distribute compliance, reporting, dispute handling, and access governance through tightly specified institutional frameworks rather than leaving those tasks residual at an open operator layer (European Payments Council n.d.; Banco Central do Brasil n.d.).

This taxonomy matters for the paper’s argument. Direct peers tell us whether x402 is unusual among machine-payment systems. Institutional contrasts tell us what kinds of governance burdens traditional payment systems internalize through regulated design. Both comparisons are useful once they are separated properly.

The residual-settlement claim would weaken under three conditions. First, it would weaken if independent facilitators repeatedly demonstrated merchant-grade compliance, gas provision, and liquidity access at comparable cost and scale, eroding concentration pressure. Second, it would weaken if merchants regularly switched operators across comparable service levels without meaningful installed-base or policy friction. Third, it would weaken if open authorization in practice generated durable execution-layer plurality despite the current default-path clustering.

The scope is deliberately narrow. The paper does not claim that Coinbase control is complete or irreversible. It does not claim that open protocols are futile. It claims only that payment-system openness at the authorization layer is insufficient, by itself, to guarantee plurality when execution, compliance, and liquidity remain residual and expensive.

That is the central lesson of x402. The protocol can be open, elegant, and technically disciplined while the economically decisive functions remain concentrated elsewhere. If that pattern persists, the important market-structure question is not whether authorization was opened. It is where settlement work, compliance capacity, and operator continuity actually reside after authorization has been opened.