Who authorized this? The gray area of x402


The success of x402 relies heavily on native integrators. Unauthorized wrapper programs can turn potential partners into adversaries.

Last week, Coinbase launched agentic.market, a platform showcasing x402 endpoints designed to make the x402 ecosystem easier to discover.

By browsing agentic.market, you’ll find real-time, on-demand access to various services, from on-chain tools to mainstream APIs. Some endpoints are provided directly by original providers. Many others come from third parties: some companies package existing APIs into x402 (and/or MPP) and bundle them into tools for agents to use, allowing users to pay a small fee for access through a single connection.

The second approach complicates matters. Among the third-party endpoints listed on Agentic Market are services from Wolfram Alpha, Google Flights, and Amadeus (a widely used travel data platform). I focus on these three because they have not announced x402 integrations themselves, and their terms of service suggest they are unlikely to authorize third-party development of integrations on their behalf.

Each endpoint indexed on Agentic Market could be first-party (directly provided by the original provider), third-party authorized (licensed with explicit permission, often through formal certification or partner programs), or unauthorized third-party (companies reselling paid API access without permission).

Throughout the market and the entire x402 ecosystem, we cannot immediately distinguish which are first-party and which are third-party; many endpoints seem to fall into the latter category.

Contract Terms

As mentioned, the terms of these three providers make unauthorized third-party arrangements highly likely, and in some cases, completely exclude other options.

Wolfram Alpha explicitly prohibits “dealers and aggregators,” forbids data scraping or mining in any form, and bans the sale or transfer of services without permission. These terms seem to leave no room for authorized third-party pathways. Moreover, a quick look at their quick-start guide makes it clear this is not a first-party integration.

(Wolfram Alpha API Terms of Service Content Restrictions)

Amadeus’s main subscription service agreement allows clients access only for internal business purposes and prohibits any “renting, leasing, distributing, selling, reselling, transferring, or otherwise transferring” of their access rights. Any third-party connection requires Amadeus’s certification and must be documented via a formal service order. This is the only way to obtain third-party authorization, and whether existing endpoints meet this requirement cannot be verified externally.

(Restrictions in the Amadeus Main Subscription Service Agreement)

Google’s situation is the most typical. Google Flights does not have a public API, and Google enforces strict protections on its data.

However, third-party wrapper programs are packaging access to Google Flights data sourced from SerpApi—a company Google is actively suing for scraping search results and reselling access. Google’s lawsuit states that SerpApi developed tools to bypass access controls, sending “hundreds of millions” of fake requests daily to scrape data, and reselling copyrighted content embedded in search results.

Therefore, Google is suing SerpApi for reselling copyrighted content and bypassing access controls. Meanwhile, SerpApi’s service is wrapped by a tool provider that supplies it to agents for a fee. This is worth pondering.

(Details on accessing SerpApi via the StableTravel endpoint)

How Compliance Is Demonstrated

It’s clear even without legal expertise that these dynamics are “complex.” The good news is that a clearer pattern is emerging.

MPP is Tempo’s proxy payment protocol launched alongside its mainnet, offering over 100 compatible services on day one. Providers that integrate directly with MPP, such as Parallel, Stripe Climate, and Browserbase, are marked with a green circle on their cards, indicating they are first-party providers.

(Service directory view via mpp.dev)

About two weeks ago, popular AI research tool Exa announced native support for the x402 protocol in its search and content endpoints—becoming a first-party provider and partnering with Coinbase. Exa stated that choosing x402 over proprietary protocols was due to its oversight by the Linux Foundation.

Inevitable Outcomes

Currently, external parties cannot determine whether an endpoint is first-party, third-party authorized, or unauthorized. This is a solvable problem, and the service directory of MPP—which clearly displays the source of each integration—is a step in that direction.

Unauthorized scraping has already exerted measurable pressure on service providers: server load, bandwidth costs, and traffic they never agreed to provide. Third parties that package scraped data behind x402 and charge fees for it make things worse: providers bear all the costs but see no revenue.

Therefore, it’s necessary to clarify the root of the issue. x402 is an open protocol—just as any developer can build on HTTP, anyone can develop on x402. Payment mechanisms cannot track whether upstream data was obtained with authorization. Responsibility lies with the developers packaging these endpoints for user access.

Without accountability, the overall development of x402 could be negatively impacted: potential native integrators might become opponents rather than participants. These revenues should belong to the service providers. Native integration is how they claim these revenues, and it is also the legitimate basis for x402’s growth.

Note: As of April 25, Google Flights is no longer included in Agentic Market.
