Who authorized this? The gray area of x402

Article Author: David Christopher

Article Translation: Block unicorn

The success of x402 depends on native integrators. Unauthorized wrapping programs can turn potential partners into opponents.

Last week, Coinbase launched agentic.market, a platform showcasing x402 endpoints, aimed at making the x402 ecosystem easier to discover.

By browsing agentic.market, you’ll find real-time, on-demand access to various services, from on-chain tools to mainstream APIs. Some endpoints are provided directly by original providers. Many endpoints come from third parties: some companies package existing APIs into x402 (and/or MPP) and bundle them into toolkits for proxies, allowing users to access through a single connection for a small fee.

The second approach complicates matters. Among the third-party endpoints listed on Agentic Market are services from Wolfram Alpha, Google Flights, and Amadeus (a widely used travel data platform). I focus on these three because they have not announced x402 integrations themselves, and their terms of service suggest they are unlikely to authorize third-party developers to build integrations on their behalf.

Every endpoint indexed on Agentic Market could be first-party (directly provided by the original provider), third-party authorized (licensed with explicit permission, usually through formal certification or partner programs), or unauthorized third-party (companies reselling paid API access without permission).

Throughout the market and the entire x402 ecosystem, we cannot immediately distinguish which are first-party, which are third-party authorized, and many endpoints seem to fall into the last category.

Contract Terms

As mentioned, the terms of these three providers make unauthorized third-party arrangements very likely, and in some cases, even completely exclude other options.

Wolfram Alpha explicitly prohibits “dealers and aggregators,” forbids data scraping or mining in any form, and bans unauthorized sale or transfer of services. These terms seem to leave no room for authorized third-party pathways. Moreover, after reviewing the quick start guide for that endpoint, it’s clear this is not a first-party integration.

_API restrictions in Wolfram Alpha’s Terms of Service(

Amadeus’s main subscription service agreement only allows clients to access for internal business purposes and prohibits any “renting, leasing, distributing, selling, reselling, transferring, or otherwise transferring” their access rights. Any third-party connection requires Amadeus’s certification and must be documented via a formal service order. This means the only way to obtain third-party authorization, and whether existing endpoints meet this requirement, cannot be verified externally.

![])https://img-cdn.gateio.im/social/moments-c97823cfca-f1b59ece1d-8b7abd-badf29(

_Limitations in the Agreement: Restrictions in Amadeus’s Main Subscription Service Agreement)

Google’s case is the most typical. Google Flights does not have a public API, and Google enforces strict protections on its data.

However, third-party wrapping programs are packaging access to Google Flights data sourced from SerpApi—a company Google is actively suing, accusing it of scraping search results and reselling access. Google’s lawsuit states that SerpApi developed tools to bypass access controls, sending “hundreds of millions” of fake requests daily to scrape data, and reselling copyrighted content embedded in search results.

Therefore, Google is suing SerpApi for reselling copyrighted content and bypassing access controls. Meanwhile, SerpApi’s service is wrapped by a proxy toolkit provider, who supplies it to agents and charges fees. This warrants deep reflection.

_Details on accessing SerpApi via StableTravel endpoints(

) How Compliance Is Demonstrated

Even without legal expertise, it’s clear these dynamics are “complex.” The good news is that a clearer pattern has emerged.

MPP is a proxy payment protocol launched by Tempo at its mainnet, offering over 100 compatible services on launch day. Providers that directly integrate MPP—such as Parallel, Stripe Climate, Browser Base, etc.—are marked with a green circle on their cards, indicating they are first-party providers.

_Service directory view via mpp.dev###

About two weeks ago, the popular AI research tool Exa announced native support for the x402 protocol in its search and content endpoints—becoming a first-party provider and partnering with Coinbase. Exa stated that choosing x402 over proprietary protocols was because it is regulated by the Linux Foundation.

( The Inevitable Outcome

Currently, external parties cannot determine whether an endpoint is first-party, third-party authorized, or unauthorized. This is a solvable problem, and the service directory of MPP—clearly showing the source of each integration—is a step in that direction.

Unauthorized scraping has already exerted measurable pressure on service providers: server load, bandwidth costs, and traffic they never agreed to provide. Third parties packaging scraped data into x402 and charging fees make things worse. Service providers bear all costs but see no revenue.

Therefore, it’s necessary to identify the root cause. x402 is an open protocol—just as any developer can build on HTTP, any developer can build on x402. The payment mechanism cannot track whether upstream data was obtained with authorization. Responsibility lies with the developers packaging these endpoints for user access.

Without accountability, the overall development of x402 could be negatively impacted—potential native integrators might become opponents rather than participants. These revenues should belong to the service providers. Native integration is their way of claiming these revenues and is also essential for x402’s legitimacy and growth.

Note: As of April 25, Google Flights is no longer included in Agentic Market.