Who authorized this? The gray area of x402

Author: David Christopher, Translated by: Block Unicorn

The success of x402 depends on native integrators. Unauthorized wrapper programs can turn potential partners into opponents.

Last week, Coinbase launched agentic.market, a platform showcasing x402 endpoints designed to make the x402 ecosystem easier to discover.

By browsing agentic.market, you will find real-time, on-demand access to various services, ranging from on-chain tools to mainstream APIs. Some endpoints are provided directly by original providers. Many endpoints come from third parties: some companies package existing APIs into x402 (and/or MPP) and bundle them into toolkits for agents to use, allowing users to pay a small fee to access through a single connection.

The second approach complicates matters. Among the third-party endpoints listed on Agentic Market are services from Wolfram Alpha, Google Flights, and Amadeus (a widely used travel data platform). I focus on these three because they have not announced x402 integrations themselves, and their terms of service suggest they are unlikely to authorize third-party developers to build integrations on their behalf.

Each endpoint indexed on Agentic Market could be first-party (directly provided by the original provider), third-party authorized (licensed with explicit permission, often through formal certification or partnership programs), or unauthorized third-party (companies reselling paid API access without permission).

Throughout the market and the entire x402 ecosystem, we cannot immediately distinguish which are first-party, which are third-party authorized, and many endpoints seem to fall into the last category.

Contract Terms

As mentioned earlier, the terms of these three providers make unauthorized third-party arrangements seem very likely, and in some cases, even completely exclude other options.

Wolfram Alpha explicitly prohibits “dealers and aggregators,” forbids data scraping or mining in any form, and bans unauthorized sale or transfer of services. These terms seem to leave no room for authorized third-party pathways. Moreover, after reviewing the quick start guide for this endpoint, it’s clear that this is not a first-party integration.

Prohibited Content in Wolfram Alpha API Terms of Service

Amadeus’ main subscription service agreement only allows clients to access for internal business purposes and prohibits any “renting, leasing, distributing, selling, reselling, transferring, or otherwise transferring” their access rights. Any third-party connection requires Amadeus’s certification and must be documented via a formal service order. This means the only way to obtain third-party authorization is through this process, and whether existing endpoints meet this requirement cannot be verified externally.

Restrictions in the Amadeus Main Subscription Service Agreement

Google’s case is the most typical. Google Flights does not have a public API, and Google enforces strict protections on its data.

However, third-party wrapper programs are packaging access to Google Flights data sourced from SerpApi—a company Google is actively suing, accusing it of scraping search results and reselling access. Google’s lawsuit states that SerpApi developed tools to bypass access controls, sending “hundreds of millions” of fake requests daily to scrape data, and reselling copyrighted content embedded in search results.

Therefore, Google is suing SerpApi for reselling copyrighted content and bypassing access controls. Meanwhile, SerpApi’s service is being wrapped by a proxy toolkit provider, who supplies it to agents and charges fees. This warrants deep consideration.

Details of accessing SerpApi via StableTravel endpoints

How Compliance Is Demonstrated

Even without legal expertise, it’s clear that these dynamics are “intricately complex.” The good news is that a clearer pattern has emerged.

MPP is a proxy payment protocol launched by Tempo at its mainnet launch, offering over 100 compatible services on day one. Providers that integrate directly with MPP—such as Parallel, Stripe Climate, Browser Base, and others—are marked with a green circle on their cards, indicating they are first-party providers.

Service directory viewed through mpp.dev

About two weeks ago, the popular AI research tool Exa announced native support for the x402 protocol in its search and content endpoints—becoming a first-party provider and partnering with Coinbase. Exa stated that choosing x402 over proprietary protocols was because it is regulated by the Linux Foundation.

Inevitably, the Results

Currently, external parties cannot determine whether an endpoint is first-party, third-party authorized, or unauthorized. This is a solvable problem, and the service directory of MPP—clearly showing the source of each integration—is a step in that direction.

Unauthorized scraping has already exerted measurable pressure on service providers: server load, bandwidth costs, and traffic they never agreed to provide. Third parties packaging scraped data into x402 protocols and charging fees make things worse. Service providers bear all costs but receive no compensation.

Therefore, it is necessary to clarify the root of the problem. x402 is an open protocol—just as any developer can build on HTTP, any developer can build on x402. The payment mechanism cannot track whether upstream data was obtained with authorization. Responsibility lies with the developers packaging these endpoints for user access.

Without accountability, the overall development of x402 could be negatively impacted—potential native integrators might become opponents rather than participants. These revenues should belong to the service providers. Native integration is how they claim ownership of these revenues and is also the legitimate basis for x402’s growth.