smart402 evaluates every x402 payment request against your policy rules. Deterministically, in under 100ms, before any funds move.
Deterministic x402 payments risk engine
Your AI agent encounters an x402-protected resource and initiates a payment request. The smart402 hook intercepts it before any funds move.
13 policy types are checked in a fixed order, among them amount limits, budget windows, allowed tokens and chains, counterparty rules, time restrictions and an on-chain risk score. Pure logic. No model inference.
The response arrives in <10ms with a clear decision and full audit trail.
Install the SDK, add one hook, set your policies. First evaluation in under five minutes.
from smart402 import Smart402Guard
guard = Smart402Guard(
api_key="ag_live_...", # dashboard → Settings → API Keys
agent_id="agent_abc123",
wallet_address="0x...", # your agent's EVM address
fail_mode="fail_open", # or "fail_closed" to block when API is down
)
# x402_client is your existing x402 client instance. Register the hook once;
# it then fires before every payment the client creates.
x402_client.on_before_payment_creation(guard.as_hook())
import { createSmart402Guard } from 'smart402';
const guard = createSmart402Guard({
apiKey: 'ag_live_...', // dashboard → Settings → API Keys
agentId: 'agent_abc123',
agentWalletAddress: '0x...', // optional: for audit trail
failMode: 'fail_open', // or 'fail_closed' to block when API is down
});
// In your x402 payment flow, before signing:
const result = await guard.evaluate({
amount: req.amount, // raw USDC units from x402 PaymentRequirements
token: 'USDC',
network: req.network,
pay_to: req.payTo,
});
if (result.decision === 'deny') {
console.log('Blocked by:', result.triggeredRules);
return; // agent skips, nothing moves
}
// approved — proceed to sign
Configure any combination. Each policy is a pure predicate: same inputs, same result, every time.
What smart402 is and isn't. Read this before you integrate.
Every decision is made by deterministic rules, not model inference. Same inputs always produce the same output (no hallucinations, no model drift, no model-provider API in the hot path). Read why →
Every evaluation returns triggered_rules: the exact list of policies that fired.
You can reproduce any decision by replaying the inputs. You can write tests for it.
You can explain it to a user whose payment was blocked.
Every evaluation is recorded: agent, amount, token, chain, counterparty, decision, triggered rules, latency. Nothing happens without a trace. All logs are accessible via API or the dashboard.
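The following is an added illustration of the design described above (pure predicates checked in a fixed order, a triggered_rules list on every decision, an audit record that can be replayed); it is not smart402's engine or SDK, and the rule names, request fields, config layout, addresses and limits are assumptions made for this example. It also shows the replay check the FAQ below refers to: a reviewer recomputes a logged decision from the logged inputs and the policy config and compares it with what was recorded.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json
import time

# Added illustration, not smart402's engine or SDK. Rule names, request fields,
# config layout and the sample data below are assumptions made for this example.

@dataclass(frozen=True)
class PaymentRequest:
    agent_id: str
    amount: int            # raw token units (USDC has 6 decimals)
    token: str
    network: str
    pay_to: str
    spent_in_window: int   # what this agent has already spent in the current budget window
    now_utc: datetime      # supplied by the caller; a rule never reads the clock itself

# Each policy is a pure predicate (request, config) -> bool, True when the rule fires.
# No I/O, no clock reads, no randomness, so identical inputs always give identical answers.
POLICIES = {
    "max_amount":           lambda r, c: r.amount > c["max_amount"],
    "budget_window":        lambda r, c: r.spent_in_window + r.amount > c["window_budget"],
    "allowed_token":        lambda r, c: r.token not in c["allowed_tokens"],
    "allowed_network":      lambda r, c: r.network not in c["allowed_networks"],
    "counterparty_blocked": lambda r, c: r.pay_to.lower() in {a.lower() for a in c["blocked_pay_to"]},
    "time_window":          lambda r, c: not (c["hours_utc"][0] <= r.now_utc.hour < c["hours_utc"][1]),
}

def evaluate(req: PaymentRequest, config: dict) -> dict:
    """Run the enabled policies in fixed order; deny if any fires.
    Returns the decision and the exact list of rules that fired."""
    triggered = [name for name, fires in POLICIES.items()
                 if name in config["enabled"] and fires(req, config)]
    return {"decision": "deny" if triggered else "allow", "triggered_rules": triggered}

def evaluate_and_log(req: PaymentRequest, config: dict) -> dict:
    """Evaluate and return an audit record holding every input needed to replay the decision."""
    start = time.perf_counter()
    result = evaluate(req, config)
    return {
        **asdict(req),
        "now_utc": req.now_utc.isoformat(),   # serialisable form of the timestamp
        "decision": result["decision"],
        "triggered_rules": result["triggered_rules"],
        "latency_ms": round((time.perf_counter() - start) * 1000, 3),
    }

def replay(record: dict, config: dict) -> bool:
    """Recompute the decision from a logged record and compare it with what was logged.
    This is the check a reviewer runs for a user whose payment was blocked."""
    inputs = {k: record[k] for k in ("agent_id", "amount", "token", "network", "pay_to", "spent_in_window")}
    req = PaymentRequest(**inputs, now_utc=datetime.fromisoformat(record["now_utc"]))
    fresh = evaluate(req, config)
    return (fresh["decision"], fresh["triggered_rules"]) == (record["decision"], record["triggered_rules"])

# Constructed policy config and requests; the limits and addresses are not real.
CONFIG = {
    "enabled": ["max_amount", "budget_window", "allowed_token", "allowed_network",
                "counterparty_blocked", "time_window"],
    "max_amount": 5_000_000,        # 5 USDC per payment
    "window_budget": 20_000_000,    # 20 USDC per budget window
    "allowed_tokens": ["USDC"],
    "allowed_networks": ["base", "base-sepolia"],
    "blocked_pay_to": ["0x000000000000000000000000000000000000dEaD"],
    "hours_utc": [6, 22],           # payments allowed 06:00-22:00 UTC
}

# A request that breaks four rules at once, and one that is within policy.
SAMPLE_DENY = PaymentRequest(
    agent_id="agent_abc123", amount=7_500_000, token="USDC", network="base",
    pay_to="0x000000000000000000000000000000000000dead", spent_in_window=15_000_000,
    now_utc=datetime(2025, 1, 15, 23, 30, tzinfo=timezone.utc),
)
SAMPLE_ALLOW = PaymentRequest(
    agent_id="agent_abc123", amount=1_000_000, token="USDC", network="base",
    pay_to="0x1111111111111111111111111111111111111111", spent_in_window=0,
    now_utc=datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    record = evaluate_and_log(SAMPLE_DENY, CONFIG)
    print(json.dumps(record, indent=2))
    print("replay matches log:", replay(record, CONFIG))
```

Two design points matter for the determinism claim: the current time is an input to the request rather than something a rule reads itself, and the budget already spent in the window is passed in rather than looked up, so the whole decision is a function of the record and the config and nothing else. That is what makes replay() a meaningful check: if a logged decision does not reproduce, either the config changed or the log was altered.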
Both SDKs are open source under Apache 2.0. Read every line of code that runs in your agent. Verify what data leaves your machine. The SDK is ~200 lines per language. No obfuscation, no minification, no telemetry.
The dashboard shows live transaction feeds, per-agent spend stats, and full key management.
Writing about AI agent infrastructure and x402.
What happens after a prompt injection attack succeeds? smart402 sits outside the blast radius: deterministic policy checks, no LLM, no attack surface that text can reach. Read post →
No. smart402's policy engine runs in a separate process from your agent. A compromised agent can attempt a payment, but the decision is made by a deterministic rule engine that the agent cannot influence or reason past. There is no LLM in the decision path, which means there is no prompt injection surface to exploit. The guarantee covers payments that reach the hook: the SDK itself runs inside the agent process, so register the hook in your payment client code rather than in anything the model can rewrite, and keep in mind that under fail_open a payment attempted while the engine is unreachable is not checked at all.
Any framework that supports Python or TypeScript: LangChain, CrewAI, AutoGen, Coinbase AgentKit, or a custom agent. Integration is a single lifecycle hook before payment execution (framework-agnostic by design).
You choose the failure mode at configuration time. fail_open (default) lets payments proceed with a warning log if the policy engine is unreachable. fail_closed blocks all payments until the engine is available. No upstream model provider is involved. Under fail_open an outage, or a network path an attacker can disrupt, means payments proceed without any policy check, so prefer fail_closed wherever a delayed payment costs less than an unpoliced one.
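As an added example of what the two failure modes mean for a payment in flight (illustrative code, not the smart402 SDK; the evaluator interface, the exception type and the constructed evaluators and request are assumptions made here):

```python
import logging
from typing import Callable

# Added illustration, not the smart402 SDK. The evaluator signature, the
# exception type and the two evaluators below are assumptions for this example.

log = logging.getLogger("payment-guard")

class EngineUnreachable(Exception):
    """Stand-in for a timeout or connection error when calling the policy engine."""

def guarded_decision(evaluate: Callable[[dict], dict], request: dict, fail_mode: str) -> dict:
    """Call the remote evaluator and apply the configured fail mode if it cannot be reached.
    fail_open   -> allow with a warning; the payment proceeds with no policy check
    fail_closed -> deny until the engine is back; the payment is blocked"""
    if fail_mode not in ("fail_open", "fail_closed"):
        raise ValueError(f"unknown fail_mode {fail_mode!r}")
    try:
        return evaluate(request)
    except EngineUnreachable as exc:
        if fail_mode == "fail_open":
            log.warning("policy engine unreachable (%s); allowing %d units to %s unchecked",
                        exc, request["amount"], request["pay_to"])
            return {"decision": "allow", "triggered_rules": [], "engine_reached": False}
        return {"decision": "deny", "triggered_rules": ["engine_unreachable"], "engine_reached": False}

# Constructed evaluators: one that answers with a simple amount limit, one that simulates an outage.
def healthy_evaluator(request: dict) -> dict:
    over_limit = request["amount"] > 5_000_000   # 5 USDC in raw units
    return {"decision": "deny" if over_limit else "allow",
            "triggered_rules": ["max_amount"] if over_limit else [],
            "engine_reached": True}

def outage_evaluator(request: dict) -> dict:
    raise EngineUnreachable("connect timeout after 2s")

# Constructed request that the healthy engine would deny.
REQUEST = {"amount": 9_000_000, "token": "USDC", "network": "base",
           "pay_to": "0x1111111111111111111111111111111111111111"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("healthy:", guarded_decision(healthy_evaluator, REQUEST, "fail_open")["decision"])
    for mode in ("fail_open", "fail_closed"):
        print(mode, "during outage:", guarded_decision(outage_evaluator, REQUEST, mode)["decision"])
```

The request above is one the engine would deny when it is reachable; during the simulated outage fail_open lets it through with nothing but a warning line, while fail_closed denies it and records engine_unreachable as the triggering rule. Whichever mode you choose, alert on the unreachable case, because under fail_open it is the only trace that a payment went out unpoliced.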
Both SDKs (Python and TypeScript) are open source under Apache 2.0. You can read every line of code that runs in your agent. The API and dashboard are proprietary. View on GitHub →
LLM-based guardrails use a model to evaluate whether an action is safe, which means the same inputs can produce different outputs on different runs and a sufficiently creative prompt can change the decision. smart402 uses deterministic policy rules: same inputs, same output, every time. For decisions that control money movement, determinism is not optional.
Every evaluation returns a triggered_rules array: the exact list of policies that fired. Every evaluation is logged with agent, amount, token, chain, counterparty, decision, and latency. A human can read the policy config and the evaluation log and independently verify that the right decision was made (no code required).