A402: Trust-Minimized Payment Architecture
- A402 is a trust-minimized payment architecture that binds Web3 payments to Web2 services by enforcing atomic service execution, payment, and result delivery using TEEs and adaptor signatures.
- It employs Atomic Service Channels to guarantee that payment finalization occurs only when the requested service is correctly executed and the result is securely delivered.
- The design mitigates x402 limitations by integrating a TEE-based Liquidity Vault for off-chain state management and aggregated, low-cost on-chain settlements.
A402 is a trust-minimized payment architecture for binding Web 3.0 payments to Web 2.0 services in Machine-to-Machine commerce. It is presented as a response to the limitations of x402, an HTTP 402-based bridge whose centralized facilitator sequences payment, service execution, and response delivery but does not enforce end-to-end atomicity across execution, payment, and delivery. A402 introduces Atomic Service Channels (ASCs), integrates off-chain service execution into a payment channel state, uses TEE-assisted adaptor signatures so that payment is finalized if and only if the requested service is correctly executed and the corresponding result is delivered, and adds a TEE-based Liquidity Vault that privately manages ASC lifecycles and aggregates settlements into a single on-chain transaction (Li et al., 1 Mar 2026). A closely related security analysis of x402 uses “A402/x402” to denote the protocol family that revives HTTP 402 for agent-native micropayments and treats binding-focused improvements as necessary mitigations (Li et al., 12 May 2026).
1. Motivation and problem formulation
The motivating setting is autonomous AI agents invoking and paying for Web 2.0 services without pre-provisioned accounts or API keys. In this setting, low-latency, pay-per-request mechanisms require trust-minimized guarantees that payment is finalized if and only if the service is correctly executed and the result delivered (Li et al., 1 Mar 2026).
The problem statement is framed against x402. x402 is an HTTP 402-based bridge between Web 2.0 services and Web 3.0 payments that routes each request through a centralized facilitator who sequences payment, service execution, and response delivery. The architecture has three explicitly identified limitations. First, providers execute optimistically before payment finalization, while facilitators can broadcast payments without verifying execution; this breaks execution–payment binding. Second, x402’s payment-first workflow confirms on-chain before result delivery, so a malicious or failed provider can withhold results post-payment, violating fair exchange. Third, every request is an on-chain transaction, imposing high latency bounded by block confirmation, high fees at micropayment granularity, and public leakage of per-request interactions (Li et al., 1 Mar 2026).
A separate formal analysis of x402 characterizes the same design space as a cross-layer composition of synchronous HTTP authorization and asynchronous blockchain settlement. It models the protocol through Payment Requirements,
and Payment Payload,
and identifies authorization soundness, payment–service correspondence, replay resistance, and facilitator -atomicity as the central security properties (Li et al., 12 May 2026).
Within this problem setting, A402 targets Exec–Pay–Deliver atomicity directly. The design goal is that an exchange terminates in exactly one of two outcomes: success, where the vault obtains the result and the provider obtains the payment amount ; or abort, where the vault retains and the provider does not obtain . Forbidden states occur only with negligible probability (Li et al., 1 Mar 2026).
2. System architecture and trust model
A402 comprises four roles: the client , the vault , the service provider , and the blockchain 0. The client is the autonomous agent or user and delegates ASC management and request execution to the vault. The vault is a TEE-protected service that manages Atomic Service Channels, maintains ASC state in an enclave, forwards requests and results, performs atomic exchange, and can optionally run as a replicated TEE committee for availability. In “liquidity vault” mode, it pre-funds and aggregates multiple ASC settlements into one on-chain transaction. The service provider runs requested service code in its enclave and participates in adaptor-signature-based atomic exchange. The blockchain acts as the settlement and dispute resolution layer; on Ethereum, this is an ASC Manager contract, and on Bitcoin it is realized with Taproot/MAST scripts (Li et al., 1 Mar 2026).
The trust assumptions are explicit. A402 relies on integrity and confidentiality guarantees from modern TEEs such as AMD SEV-SNP and Intel TDX. Remote attestation binds public keys and execution measurements to approved code hashes. Side-channel and supply-chain attacks are out of scope, consistent with prior TEE-assisted designs. The blockchain is assumed to provide persistence and eventual inclusion (Li et al., 1 Mar 2026).
The x402 threat model examined in the companion security analysis is broader at the web/blockchain boundary. It includes a network adversary that can delay, reorder, drop, or replay HTTP traffic; a malicious client; a Byzantine facilitator; blockchain adversaries that exploit mempool replacement, front-running, or bounded reordering; and an honest-but-curious server in the core model. That analysis emphasizes that ordinary web middleware—proxies, caches, and loggers—enters the payment-security boundary when spendable payment material is carried through HTTP headers (Li et al., 12 May 2026).
A concise role decomposition is as follows.
| Role | A402 function | Security relevance |
|---|---|---|
| Client 1 | Delegates ASC management and request execution to 2 | Origin of requests and payment authority |
| Vault 3 | Manages ASC state in an enclave and performs atomic exchange | Enforces protocol logic and aggregation |
| Service provider 4 | Executes requested service code in its enclave | Produces attested execution and encrypted result |
| Blockchain 5 | Settlement and dispute resolution layer | Provides persistence and eventual inclusion |
This architecture shifts the core coordination problem from a centralized facilitator to attested enclaves plus on-chain escape hatches. A plausible implication is that A402 treats the facilitator role not as a trusted coordinator but as a protocol component whose behavior is constrained by attestation, cryptographic binding, and unilateral close paths.
3. Atomic Service Channels and protocol state
An Atomic Service Channel with respect to blockchain 6 is defined as a tuple 7, where 8 is the channel state, 9 is the balance distribution, and 0 is the execution status. The basic operations are:
- 1, which locks 2 on-chain in a 2-of-2 control and initializes 3, 4;
- 5, which updates balances if successful and otherwise returns 6 with no state change;
- 7, which opens an on-chain dispute window and settles according to the latest valid 8 (Li et al., 1 Mar 2026).
The implementation extends the balance state to include transient locks,
9
and refines the status space to
0
OPEN accepts new requests; LOCKED escrows 1 for an in-flight request while execution is ongoing; PENDING denotes that execution is committed and the protocol is waiting for result revelation to finalize payment; CLOSED denotes final settlement and no further requests (Li et al., 1 Mar 2026).
The request identifier is
2
with monotonically increasing 3 to prevent replays. The atomic exchange state machine is organized in four stages. First, the vault checks 4 and 5, moves 6 from 7 to 8, sets 9 with timeout 0, increments the request counter, and sends 1 to the provider. If no reply arrives by 2, the vault reverts to OPEN and restores availability. Second, the provider executes the request in its enclave, produces the result, generates the adaptor secret and pre-signature, encrypts the result, and sends 3 to the vault. Third, the vault reconstructs the payment message, verifies the pre-signature, records a pending tuple, moves to PENDING, and issues a conditional payment authorization 4. Fourth, the provider either reveals the secret off-chain, allowing the vault to decrypt the result and finalize balances, or force-closes on-chain with a completed adaptor signature if the vault is unresponsive beyond 5 (Li et al., 1 Mar 2026).
The protocol pseudocode condenses these transitions into the methods sendRequest, execRequest, onExecReply, revealSecret, and onSecretReveal. The semantics are exact: delivery without payment finalization is impossible because the vault needs 6 to decrypt, and payment without delivery is impossible because finalizing payment reveals 7 (Li et al., 1 Mar 2026).
4. Cryptographic binding, TEEs, and result delivery
A402’s atomicity mechanism is based on TEE-assisted adaptor signatures using Schnorr signatures on secp256k1 under BIP340. Let 8 be the provider public key and 9 the curve order. The provider samples 0 and computes 1; samples adaptor secret 2 and computes statement 3; defines 4; computes the challenge
5
forms the pre-signature
6
and the final signature
7
Verification is
8
and extraction is
9
Pre-signature verification uses 0 to ensure that, given a witness 1 for 2, adapting 3 yields a valid Schnorr signature under 4 for message 5 (Li et al., 1 Mar 2026).
The payment message is defined as
6
where 7. This binds the payment authorization to the specific request identifier, the payment amount, and the hash of the result. Result encryption derives a symmetric key 8 and encrypts the result as
9
Binding the result to 0 in 1 prevents substitution attacks. Revealing 2 is equivalent to releasing the decrypt key and completing the signature; either path enables both payment finalization and result recovery (Li et al., 1 Mar 2026).
Remote attestation is the second essential binding layer. The vault and provider register via
3
which binds the public key 4 to a genuine enclave running code with hash 5. After mutual verification, they derive an authenticated channel key via Diffie–Hellman to protect all ASC messages in transit. Operatively, “correct” execution means that the enclave executed the attested service code over the request to produce the result and then atomically generated 6, 7, and 8. No 9 is emitted without execution, and 0 is bound to 1 (Li et al., 1 Mar 2026).
The security proof sketch states the atomicity argument directly. Exec–Pay atomicity holds because the provider’s enclave emits 2 only after executing the request, and the payment authorization 3 references 4. Pay–Deliver atomicity holds because completing payment, whether by off-chain reveal or on-chain force-close, necessarily reveals 5, enabling decryption of 6; conversely, the vault cannot decrypt without 7 (Li et al., 1 Mar 2026).
5. Liquidity Vault, privacy, and blockchain integrations
A402’s TEE-based Liquidity Vault manages balances off-chain and aggregates settlements. For each party 8, the vault maintains state
9
The private ASC lifecycle consists of initVault(π), which deposits funds to the committee address and increases 0 once confirmed; reqOpenVaultASC(S,v), which debits 1 from 2 and initializes a new off-chain ASC state 3 without any on-chain transaction; and reqCloseVaultASC, which cooperatively releases ASC funds back into vault accounts when 4, or otherwise waits for in-flight requests to complete or observes an on-chain force-close (Li et al., 1 Mar 2026).
Aggregated settlement is performed by a single txsettle that transfers aggregated free balances on-chain. If a party settles multiple off-chain ASCs, only the total is revealed:
5
where each 6 is the net released balance from ASC 7. The on-chain footprint is therefore a single vault-level transaction. ASC creation, updates, and closure are invisible on-chain; only initVault and settleVault appear. This hides the client–provider interaction graph and per-ASC capacities (Li et al., 1 Mar 2026).
The privacy analysis describes the residual leakage surface. In vault mode, observers learn total settled balances, not per-request volume nor counterparty edges. Timing may correlate with off-chain activity, with settlement batching and randomized schedules proposed as mitigation. Network metadata between vault and provider may leak volumes, with authenticated channels, padding, and rate limiting proposed as mitigation. Side-channels in TEEs remain out of scope, with constant-time cryptography and resource partitioning listed as operational mitigations (Li et al., 1 Mar 2026).
The Bitcoin integration is implemented on regtest using Bitcoin Core v25.0, P2TR outputs, Taproot key-path/script-path spending, and a MAST encoding cooperative close, provider force-close via adaptor signature path, and client force-close via CSV relative timelock. The liquidity vault MAST adds cooperative batch settlement and force settlement by client or provider via long CSV timelocks as an emergency path. Adaptor signatures are used as scriptless scripts: the completed Schnorr signature appears standard on-chain, while the adaptor witness 8 is extractable by the vault off-chain using 9 without revealing program logic or per-request metadata (Li et al., 1 Mar 2026).
The Ethereum integration uses an ASC Manager smart contract exposing createASC, closeASC, initForceClose, finalForceClose, forceClose, initVault, settleVault, initForceSettle, and finalForceSettle. Because Ethereum lacks Schnorr precompiles, A402 integrates an optimized Solidity Schnorr verification library to validate adaptor signatures and challenges. The trade-off is explicit: Bitcoin’s Taproot enables cheaper, private scriptless integration and CSV-based disputes, while Ethereum’s account model simplifies lifecycle logic but requires on-chain verification of Schnorr relations with higher gas than ECDSA and careful Solidity optimization (Li et al., 1 Mar 2026).
6. Security properties, attacks on x402, and the A402 hardening perspective
A402’s security model considers malicious clients attempting free-riding or double-spending, malicious vaults that may observe, modify, or censor but cannot deviate from attested code or read TEE memory, malicious providers that may drop, delay, or abort but cannot forge enclave attestations or produce payment commitments without execution, a fully asynchronous network adversary, and a blockchain providing standard persistence and eventual inclusion. Cooperative and unilateral closures ensure assets can be recovered without relying on the vault’s availability or honesty. Vault-mode force settlement guarantees exit with a dispute window 00. Timeouts 01 and 02 prevent indefinite stalls, and the monotone counter 03 in 04, together with authenticated channels, provides replay resistance (Li et al., 1 Mar 2026).
A formal attack study of x402 shows why binding-centric mechanisms are necessary. The analysis defines authorization failure as
05
payment–service mismatch as
06
replay as reuse of the same 07 for another grant, and facilitator atomicity failure as premature reporting of finality before 08 confirmations (Li et al., 12 May 2026).
The attack taxonomy contains five concrete classes. Attack I-A, revert-grant under optimistic execution, exploits the timing gap between verify/grant and durable finality, producing unpaid service when access is granted before sufficient confirmations. Attack I-B, settlement preemption, exploits caller-unbound settlement paths so that an observer or Byzantine component consumes the signed authorization first, leading to paid-but-denied outcomes. Attack II, replay/idempotency across the HTTP–chain boundary, exploits missing atomic claims over 09, allowing many grants for one settlement. Attack III, HTTP header/proxy confusion and cache leakage, exploits mutable headers and publicly cacheable paid responses. Attack IV, server-selection attacks, exploits weak metadata and Sybil resistance in discovery layers to steer agents to attacker-controlled endpoints (Li et al., 12 May 2026).
The empirical results quantify these failures. In local tests, Attack I-A produced 10 up to 11 at 12 ms when 13; increasing 14 drove 15 to the confidence-interval floor while increasing grant-to-finality delay from approximately 16 s to approximately 17 s. Attack II yielded 18 without idempotency, and a live endpoint on Base Sepolia returned 19 HTTP 200 grants for one on-chain settlement under 20 concurrent replays. nginx produced 21 cache leakage without Cache-Control: no-store, private and 22 leakage with that header setting. In discovery-layer experiments, metadata manipulation produced selection rates of approximately 23, 24, and 25 for three model configurations, while Sybil flooding increased aggregate selection from 26 at 27 to 28 at 29, with some categories reaching 30 (Li et al., 12 May 2026).
The mitigations proposed for secure A402/x402 deployments align closely with A402’s stated design goals: typed canonical signing over pay identifier, resource identifier, facilitator, amount, token, chain identifier, expiry, and timestamp; atomic claim of 31 before grant; facilitator-bound settlement; a conservative confirmation policy or reserve-then-settle policy; Cache-Control: no-store, private on paid routes; and discovery-layer defenses such as metadata validation, Sybil-resistant registration, diversified ranking, and trustworthy provenance signals (Li et al., 12 May 2026). This suggests that A402 can be read both as a concrete ASC-based protocol and as a binding-oriented security doctrine for HTTP 402 micropayments.
7. Performance, cost profile, interoperability, and limitations
A402 was implemented and evaluated against x402 with integrations on both Bitcoin and Ethereum. The evaluation setup used an AMD EPYC 9965 with 192 cores and 512GB RAM, a fixed 10 ms network delay per link, 200 ms simulated compute at the provider, 100 ASCs, and 100 concurrent clients. Peak throughput reached 32 requests per second at approximately 33 concurrent requests, with mild saturation up to 34 due to contention. Average end-to-end latency was approximately 35–36 ms and was dominated by service delay and network, indicating small protocol overhead (Li et al., 1 Mar 2026).
Compared to x402, A402 exceeded Ethereum throughput of approximately 37 TPS by approximately 38 and Bitcoin throughput of approximately 39 TPS by approximately 40. Latency was 41–42 s end-to-end versus chain-confirmation times of approximately 43 s for Solana, approximately 44 min for Ethereum, and approximately 45 min for Bitcoin in the comparison used by the paper (Li et al., 1 Mar 2026).
The on-chain cost profile is similarly explicit. On Ethereum, in standard mode, createASC costs 46 gas (47), for a total of 48. In liquidity-vault mode, initVault costs 49 gas (50), for a total of 51, versus A402’s approximately 52, a cost reduction of approximately 53–54. On Bitcoin, a standard ASC lifecycle costs approximately 55 for 56 requests, a cost reduction of approximately 57 (Li et al., 1 Mar 2026).
Interoperability is organized around Web 2.0 invocation, APIs, and off-chain callbacks. Providers expose an attested TEE endpoint compatible with HTTP 402 flows. The vault translates client requests into ASC messages and manages conditional payments. The U-API and S-API define the off-chain calls sendRequest, execRequest, onExecReply, revealSecret, and onSecretReveal, while on-chain interfaces map to create/close and force-close/settlement operations. Result verification is performed by checking 58 embedded in 59, and per-request 60 provides fine-grained micropayment updates. Practical considerations include pre-funding ASCs via vault deposits to avoid liquidity stalls and using Raft in replicated vault deployments to keep ASC state consistent (Li et al., 1 Mar 2026).
The limitations are also explicit. TEE risks include side-channel and microarchitectural leakage, malicious firmware or supply-chain compromise, and reliance on vendor attestation services. Replication incurs coordination overhead, and optimizing enclave cryptography and batching may further improve throughput. Ethereum lacks native Schnorr support, so reliance on Solidity libraries increases gas cost. Regulatory issues include custody and KYC implications for vault-mode deployments. Planned improvements include stronger functional bindings, standardized encrypted result formats, and cross-chain settlement bridges (Li et al., 1 Mar 2026).
Within the comparative framing, the central distinction remains stable. x402 provides a payment-first workflow with no enforcement of execution–payment binding and no guarantee that result delivery cannot be withheld after payment. A402 instead enforces Exec–Pay–Deliver atomicity by combining TEE attestation, adaptor-signature-based conditional payment, off-chain channel updates, unilateral close mechanisms, and vault-level aggregation. The resulting system is described as providing formal atomicity, 61 on-chain cost per ASC or vault lifecycle, and stronger privacy through vault-mode aggregation (Li et al., 1 Mar 2026).