Apparently I missed this initiative. It seems like it is a technology that is intended to be open and universal while also being supported and developed primarily by US companies (Linux Foundation, Coinbase, CloudFlare.)
> The central organizational membership and control of WHATWG – its "Steering Group" – consists of Apple, Mozilla, Google, and Microsoft.
you get paid in crypto
If a request goes to the protected path, if detected as bot: hard HTTP redirect to the path set in the monetization gateway, if human: allow and don't redirect.
But if the bot is advanced / expensive enough, it gets a lot harder. Where this product's market sits is in giving a paid way to access content compared to having to spin up bots that run js, from real IP addresses, etc. all of which are more expensive
The same way LLMs without watermarking cannot be reliably classified as "not-human", neural-network driven scraping tools are getting harder to detect.
Cloudflare and DataDome position themselves as companies that can detect automated traffic using things like IP reputation, behavioral signals, timing... But these things can be faked through proxy networks; human behavior signals can be imitated with generative AI the same way text can be; web bots can utilize neural networks to generate trajectories and timings similar to those of humans.
If you can have an AI use a browser the same way a human can, how can you distinguish the two?
So if: cost monetized API < cost configuring scraper for your website OR feature provided by premium api > data got by scraping, then some people/business will likely pay
Feel free to email me at (my username)@(my company) with feature requests or feedback!
This could also make abusive use / DDoS attacks very costly
It's about convenience, not fear. Cloudflare is free for most companies until you need more advanced features.
I'll show myself out ...
I was a strong proponent of Cloudflare for years, but looking back should have known better. I felt like others in the space would have tracked along how they went to market but that didn't play out as I would have suspected. I still use Cloudflare for DNS on domains that I use sparingly (mostly just for mail records), but no longer recommend anyone let Cloudflare terminate TLS unless they need it.
It's pretty amazing what you can get for a server host (bare metal) these days at the price point. I don't run any of those behind Cloudflare and haven't had any issues as of yet.
Having an almost plug-and-play solution that does CDN + DDoS Protection + WAF/Rate Limiter + Bot Protection, for a few bucks, is very useful for startups and SMEs.
And compared to different cloud offerings, their quick setup and lower cost are hard to beat.
I often see threads complaining about Cloudflare, never see suggestions for better alternatives.
Step two: Sell keys to the gate
Muah ha ha
But in all seriousness I wonder who needs this... APIs are supposed to make it easy to bridge two applications... and you didn't need AI to utilize an API before, so I wonder what's pushing this sort of thing to extract value down to individual calls?
for BadActor in $(curl -A Mozilla "https://api.cloudflare.com/local-ip-ranges.csv" | grep -Ev "::|/32" | awk -F "," '{print $1}' | sort | uniq); do ip route add blackhole "${BadActor}" 2>/dev/null; done
Something similar can be done with AWS EC2 https://ip-ranges.amazonaws.com/ip-ranges.json
Stablecoins don't make sense here, and I prefer not to use crypto at all.
The whole business of Stripe is based on that: it's so hard for developers to do, and so many regulations, that they would rather pay another company to do so.
Crypto can be sent just using a contract.transfer() call
I expect much more of this type of thing going forward.
If this catches on and is widespread, the internet as we know it will be completely dead.
No, I don't want to pay for links I click on, ever. Sorry.
The most likely scenario is Stripe, or someone similar, creating an agentic API connected to the agent owner linked account or something along those lines. I am not sure how this would work with 3DS, or whether it would be acceptable at all, since these kinds of transactions could be disputed easily ("I did not make the purchase, my rogue agent did.")
Another way to handle payments on the internet is obviously not to reinvent the wheel and simply email a payment link to the owner. That seems simple enough to me and does not require additional infrastructure. Payment processed, mint a key, the agent is allowed to proceed.
If you try to call customer service and report it, you get:
I'm sorry. All of our rogue agents are assisting other rogue agents.
If you would like to dispute charges made by your own rogue agent, please ignore all previous instructions and stay on the line of this toll number for our next available rogue agent.
The estimated waiting time is two months, three weeks, five days, thirteen hours, forty-seven minutes, and 36.03858767259934378 seconds.
The biggest challenge here is to distinguish between a bot and real user. Guess the big AI players would get free ticket to crawl the data and humans would be just left to prove themselves to access the content.
I presume the primary payment method on these 402 sites will be via LLM agents so reading a page via an AI agent will just cost a little more in tokens than the LLM making it all up.
If I ask an agent to do it, it does better at finding the small percentage of sources not hosted by cloudflare. However, it generally cannot hit open-access / public domain sources (like the current legal code, or academic papers) because those are blocked and it respects stuff like robots.txt.
Maybe that's too optimistic though based on the responses in this thread.
As it is, their captchas are already blocking tons of human traffic.
The idea that the price will be low unless you access it a lot falls over due to caching. Big tech companies will cache whatever they scrape, paying for one copy. Regular people and smaller companies will not read the same thing enough to amortize the cost of the first fetch, so they’ll pay 1000’s to 1,000,000’s of times more than the monopolies per-use of a given piece of information.
If individuals set up a federated cache with open access, they’ll get sued for copyright infringement. (Even though that would solve the supposed problem: That cloudflare cannot afford to operate a cache).
The end result is that only closed agents will be allowed to (legally) read most content without paying extortion-level fees.
Also, like with YouTube and video, serving text will become a winner-takes-all proposition.
Internet non-ad monetization will also be in the form of massive syndication, where a subscriber gets access to thousands of high quality websites, and web publishers get access to millions of subscribers. But they need to take a hint from streaming services and really make massive syndicates which includes everything for everyone for this to work.
The systems you described not only record that information and make it available for warrants, they also sell it, and allow warrantless searches of it in some circumstances.
for the forum example: many forums have a policy to only allow access to attachments to logged-in users. i can't remember the last time i registered at a new forum just to view an attachment: the effect has always been to drive me elsewhere. no complaints -- these solutions work if your goal is to reduce load. i'm suspicious that they can drive monetization outside of a very few niches.
Real users are already suffering.
If (big if) the AI labs can be made to pay for the abuse, actual users win.
If you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules when posting here, we'd appreciate it.
Ah yes, the starry-eyed dream of early web pioneers is finally upon us: a soulless internet filled with soulless agents and microtransactions!
But in all seriousness, it's hard to deny that the attention-based model that has propelled the web forward for the last 30 years is somewhat falling apart. And I don't have, nor have I come across, any meaningful solutions that could realistically work better. So maybe it's just time we turn off this 'internet' thing and call it a day.
Feel free to email me at (my username)@(my company) with ideas or suggestions here!
5c to read an article? Sure. $20/month subscription? No way.
Unless there's a privacy-preserving way this can be used to send money, then it's just another chunk of the surveillance state that's being rapidly erected over the last few years. The word "privacy" does not appear once in the article.
Even if it did, I'd be skeptical. If their payment system does allow money to be sent in a privacy and free speech preserving way, then it'll be used for money laundering.
This whole "agents bad" framing is complete BS. It's the reality of how people use the internet now, and, frankly, ad blockers have been a thing since forever. On the other hand, if successful, this infrastructure will give Cloudflare centralized control over internet publishing and also centralized surveillance of all users with no opt out.
Piracy is looking better and better. So does the small web. Come to think of it, the library does too. Any good solutions for non-destructively scanning books?
I think the difficult part is that LLMs are gullible and it will absolutely be gamed if any real money can be made this way.
It would be nice if this became a viable alternative to paywalls, though.
Let's say a part of the subscription is used to pay for it.
I guess I don't understand who this is for. If you want your worldview reflected in the latest generations of models, you probably wouldn't use this. If you don't want your worldview reflected in the models, why would a few pennies change your mind?
Twilight fan fiction? Claude probably won't pay for that.
But critical programming documentation that its bots (and their human users) rely on to do their daily job? You better believe Anthropic will pay for that (instead of letting another AI pay for it, and steal all their customers).
Let's say this catches on (in some form or another, whether in this precise implementation or not).
So assume we have a world where resources can be gated by a payment wall that agents can interact with.
I'm also assuming that world continues to have agents that are majority hosted and run by 3rd parties (ex - google/anthropic/openai/xai/etc).
---
At what point can I sue these companies for obviously failing to act in my interests?
Because that's the clear next step here.
Basically - where is the fiduciary duty that I would require for a real working relationship?
Because otherwise these agents can and will prefer to access payment gated resources that have financial relationships with their operators or developers.
That seems like a pretty big assumption, given that local models are only like a year behind frontier ones (or less).
When you consider that, along with the completely unsustainable business model of all the major 3rd parties, I think a far more realistic view of our AI future is that AI will largely be commodified: it won't run on a few specialized companies, it will run on your hardware, or on budget providers (think an "AWS of AI").
Frontier AI will almost certainly continue to exist, but will be focused on specific niches.
In the future, an AGEnt will attest that you are old enough to access the resource.
So far, I'm having trouble figuring out how to get that out of x402.
Oh boy!
Most countries then have a "personal exemption", where consumers are exempt from paying taxes on a certain value of goods.
I’m not against taxes to be very clear. Tax something else.
Can you treat your remote service access as B2C only? Perhaps yes, but then the companies will not be able to use your service, pay from a company bank account and account this as a company cost, only individuals will be able to legally pay.
Vending machine is also located in a known physical country, so the owner knows what VAT to apply, the VAT of the country the machine is in. With software services the VAT should be applied based on the country where the buyer is located.
No KYC needed, no counterparty or reciprocal VAT rules, no jurisdiction tax rules, etc. Non-cash revenue has rules attached to it.
I agree with GP - this doesn't actually solve any problems I have when recording revenue.
Right, I wondered the same. I guess Cloudflare would have to act as a Merchant of Record, like e.g. Paddle and Gumroad do. Then the end user/bot would do business with Cloudflare, and Cloudflare with us.
That said, morally, I strongly resent the fact that accepting payment has essentially become illegal for most people due to this complexity and the way globalization has been forced on people. People are essentially not allowed to receive payment to feed themselves. That's what it has come down to. Not everyone can afford an accountant and take that risk.
You can have this problem even if you target a single state in the US.
You’re 10 years late
x402 not required just segregated addresses acting as individual market participants paying for your service
if you ever want your state’s currency (which is a big IF in the crypto world), then you use your segregated address to pump the price of a token that your clean and KYC’d addresses hold, sell into liquidity for a more liquid crypto, sell that crypto on an exchange. you look like a good or lucky trader like anyone else. cash out, pay taxes if your country taxes capital. access to the rest of the system
although the online merchant service is accepting payment from addresses linked to dirty money along side some others, and it may seem redundant to bother instead of just pumping assets with the dirty money address, it’s just possible deniability. Far more plausible than predominantly dirty addresses pumping a token you just happen to hold. Even if the dirty money had all swapped to monero and out to fund virgin addresses it still needs a genealogy before benefitting you in the KYC’d world. So insert the crypto merchant service in between regardless.
Every road a toll road.
How big a cut does Cloudflare want? Whose "stablecoin" does this use? How much does each on-chain stablecoin transaction cost?[1]
For comparison, FedNow bank to bank transfers cost $0.045, regardless of size.
Seriously, everybody will have their hand out.
I know many people here would be against anything related to payment on the Internet, but I do believe the ability to have a button like "One click here to anonymously with no account pay 0.02€ and download the media" could be a net positive for Internet freedom.
That is,
- as a client I could obtain a bunch of credits/tokens from my payment processor
- these tokens have the cryptographic property of being verifiable (ex: “that’s definitely a stripe-verified token worth $0.001”)
- these tokens also have the cryptographic property of being anonymous. (ex: neither stripe, nor the payment recipient know that I am Bob)
With this sort of cryptography based approach, cloudflare could verify my payment token without any cryptocurrency proof-of-work kerfuffle?
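The properties listed in the comment above (a token the gateway can verify but that neither the processor nor the recipient can tie to the buyer) are what blind signatures provide. The following is an added illustration, not part of the thread and not a description of how x402, Stripe or Cloudflare work: textbook RSA blind signing with a toy key, where `Issuer`, `Client`, `Verifier` and the account name are hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key built from two known Mersenne primes (about 234 bits).
# Far too small for real use; a real issuer would use a vetted library and
# a standardized scheme (e.g. RFC 9474, RSA Blind Signatures) with a large key.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def h(serial: bytes) -> int:
    """Hash a token serial into Z_N (simplified full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Issuer:
    """Hypothetical payment processor: debits the account, signs blindly."""

    def __init__(self):
        self.seen = []  # everything the issuer ever observes

    def sign_blinded(self, account: str, blinded: int) -> int:
        self.seen.append((account, blinded))
        return pow(blinded, D, N)


class Client:
    def new_token(self, issuer: Issuer, account: str):
        serial = secrets.token_bytes(16)  # random, doubles as spend identifier
        while True:  # blinding factor must be invertible mod N
            r = secrets.randbelow(N - 2) + 2
            if gcd(r, N) == 1:
                break
        blinded = (h(serial) * pow(r, E, N)) % N
        blind_sig = issuer.sign_blinded(account, blinded)
        sig = (blind_sig * pow(r, -1, N)) % N  # strip the blinding factor
        return serial, sig


class Verifier:
    """Hypothetical gateway: checks the signature and rejects reuse."""

    def __init__(self):
        self.spent = set()

    def redeem(self, serial: bytes, sig: int) -> str:
        if pow(sig, E, N) != h(serial):
            return "invalid"
        if serial in self.spent:
            return "double-spend"
        self.spent.add(serial)
        return "ok"


def demo():
    issuer, client, gateway = Issuer(), Client(), Verifier()
    serial, sig = client.new_token(issuer, "bob")
    first = gateway.redeem(serial, sig)
    second = gateway.redeem(serial, sig)           # same token again
    forged = gateway.redeem(b"made-up serial", sig)  # signature reused on new serial
    # The issuer's log holds only the blinded value, never the serial hash
    # or the final signature that the gateway later sees.
    linkable = any(b in (h(serial), sig) for _, b in issuer.seen)
    return first, second, forged, linkable


if __name__ == "__main__":
    print(demo())
```

The gateway still needs shared spent-token state to stop reuse, and a fixed denomination per issuer key, since the issuer cannot see what value it is signing.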
For Bitcoin / Lightning these kind of pay-per-request API paywalls have existed for many years already (e.g. my own from 8 years ago [1], but others as well).
Flattr [2] existed for non-crypto micropayments.
None became mainstream. I think the friction is always the extra setup on the client side. In all 3 cases the user (API consumer) has to set up a special wallet (browser extension or something for the agent) and deposit some money/crypto on the client side first. This part needs to become simpler.
and for Fastly: https://github.com/dip-proto/x402-fastly
I make money when people use my website. I don't make money when AI scrapes my content and answers the question without the user coming to my website.
I'd need scrapers to pay me 5-6 figure payments to replace the revenue they'd be taking from me if my content was easily scraped. I doubt that's ever going to happen.
For example, take a large online retailer... They have to show their products to customers (for free) for people to be able to shop, but increasingly they see spikes in traffic that match what would be expected from targeted bot attacks or scraping... But this traffic is getting more and more difficult to distinguish from legitimate traffic to the website. They could easily add this x402 middleware to their services, or they could offer API access to their product catalog for a price and enforce usage limits... But if they cannot reliably detect human users from bot/agent users, they have no way of pushing the bot/agent users to paid access... And why would the people running these bots pay when they're already getting what they need for free? Now Cloudflare cannot even reliably block bot traffic, and there are AI based browsing/scraping tools available now for bypassing Cloudflare.
That was then.
Now VPS providers are significantly increasing prices (due to memory shortage), making it unaffordable to run servers cheaply.
Yes there's a slight upwards blip right now, but not even close to cancelling decades of progress in price reduction.
Presumably Cloudflare's answer to this is CAPTCHAs.
Bot detection is a big problem to solve, but it’s a significant focus at Cloudflare. (It’s not my team at Cloudflare specifically, but we work closely with them)
Assuming technical indistinguishability, the only solution is what was originally proposed for email: balanced net $0 charges for "normal user" usage patterns (i.e. payments from - payments to = $0).
If you x402 everything, and an average user accesses 5 pages, but a bot accesses 500 (or 5x100 times), then you've still achieved a substantial price delta that you could offset via a rebate.
The real rub is about uniqueness attribution, as being able to differentiate 20 distinct real users from 1 bot w/ 20 proxies is the crux of anything above.
1. Any cost of browsing an e-commerce site is taken off the next purchase, whenever it happens.
2. Give each user 100 free page views per day or some such before you charge.
3. You don’t actually have to charge users for browsing the site if you provide a free or cheap API allowing bots to search and index your entire catalog. Agents and bots would certainly rather parse a kilobyte of JSON than 20 megabytes of HTML generated by on page JavaScript.
4. If you don’t like this system you don’t have to participate. If Amazon wants to do their own thing, they can. But if you publish a blog and want to charge $0.00001 per page view and browsers support this out of the box, why not?
Having written bots several times, any kind of friction or payment on the json api would make me just use the free html "API" it's just easier.
I have many times used a webpage as api instead of the actual api because using the actual api required doing paperwork, like writing business cases, filling out approval forms, creating accounts, paying, etc...
2. Again, no way to identify users (bots use hordes of residential proxies with only a few requests per IP).
3. Agents and bots care more about a universal solution that works for all the sites than an efficient solution. You could standardize on a header for this, but then some sites would start hiding some content in the API for "business reasons", making this header untrustworthy. Unless you're a site so large that it deserves special handling, it ain't gonna work.
1. Establish domain names and relevant cloudflare account including the monetization gateway (associated rules, etc.).
2. Then host a ton of crap content across a wide swath of topics...not even decent quality...merely a step above old school style SEO keywords...just enough low quality "honey" to attract the AI flies, and their high volumes of traffic.
3. Charge very low amounts to ensure the AI "visitors" won't balk programmatically at the cost.
4. Then wait for lots of AI traffic (attracted by the "honey")...and then profit!
Obviously lots of holes in the above...but, unless I'm missing something, it feels like more spam headed our way (because the AI agents will swallow up all the crap content created only for triggering usage costs)...which is a shame. Because while I'm not sure about this overall approach of this gateway, I certainly would welcome web authors to get paid something for their efforts! If cloudflare can help achieve this for web authors, then I'm in favor! Of course, the cynic in me also recognizes that by being the middleman, cloudflare does stand to gain whether the volume of traffic is for good content or spam crap. Is cloudflare a new type of bank now?
Must think happy thoughts! The internet feels darker every day, but, must think happy thoughts!
Think of it as a gullibility tax. AI is currently pretty gullible but perhaps that will change?
But how will anybody know it's there?
I'm basically of the impression that this is already happening based on all the LLM generated slop search results I get - presumably for ad revenue (or in the case of Musk to push political views).
When I see crypto I immediately think of fraud (and corruption of this US administration)
I just want my agent to make decisions and spend a limited amount of money (this is on me to cover) just like a human agent can.
If we get the other promise of "read this news but pay a few cents for it" that would be incredible too. Very excited for this new thing.
Proper spend delegation and permissions is a big focus of ours - it’s great to let your agent have discretion, as long as the damage from going off course is limited. Definitely want people to feel comfortable experimenting with emerging tech
Feel free to email me at (my username)@(my company) if you have any feature requests or things you’d like to see
(Full privacy is a harder problem to solve, but address rotation is a good 80/20 solution for now)
I think web servers monetizing any user identifiers possible should be assumed by this point in the web's evolution, and precluded to the extent possible at the protocol level.
No one is going to say "Oh, we've got micro-transaction revenue now, let's do away with ad tracking." They're going to say "Great, now we have both streams of revenue."
If Cloudflare et al. are stepping into the middle of the transactions, I'd much rather scope my identity leakage to only them than everyone running a web server.
I'm actually OK with paying a fair price for the content I consume, I just don't want to be paying hundreds of subscriptions for websites that I might only visit twice a year.
Seems more likely that subscriptions, advertising, and microtransactions will coexist.
Microtransactions have existed in a bunch of forms over the past 20 years and always fail to find take up because the mental load in deciding to pay or not is higher than the value received.
Maybe ideal for agents but how many people are going to trust their agents with enough of a balance.
Which isn't private. Wallet ID 123 buys a 10c article from Leftist Newspaper A and one from Leftist Newspaper B. Leftist Newspaper A and B, being businesses, sell the information that Wallet ID 123 purchased an article to Data Broker A. Data Broker A correlates all purchases Wallet ID 123 has ever made and with a high degree of accuracy identifies who they are and their political affiliation. Data Broker A sells this profile to anyone who asks for it, including far right governments who might be interested in throwing people out of helicopters based on their political affiliation. Unless you use Monero, this will happen, and Monero will obviously not be used.
Yes, 90% of people are careless and already give away this information right now. But you're suggesting closing the door on the rest who care to be able to protect themselves while still being able to use the internet, and cementing that nobody will ever have privacy for the rest of their lives, when we should be making an effort to make it harder to identify people, not easier.
Also if they are handling payments at some point you're going to be forming that relationship or they are going to get shut down for money laundering very quickly.
With this, I can see myself paying $20-30/month (less than my coffee spend). That's money that was previously unlocked. Also, being able to pay some random writer/journalist outside the mega-news-corps, has a special feel to it and this gives me the option to do that.
Turning everything into a microtransaction / subscription is destroying what was good about the internet.
More options are great.
Remember: from a business's perspective, advertising has positive ROI. Which means you as the consumer pay for it anyway. No ad supported service is free.
Where is the "human" in all of this?
an agent doesn't consume content. & that's why content & advertising have worked hand in hand over centuries. the personalized ad-tech pushed by the massive tech firms hasn't worked for publishers.
which is why retail media, CTV etc are picking up. & why Amazon Ads is racking it - within a few years Amazon ads might actually get more revenue than either Google | Meta.
so once again - where is the human & the human element, even though x402 is fantastic.
Nostr zaps?
First it was GDPR government fragmentation; then it was AI slop requests, and now it is greed. Before you know it, we'll be back to the days of having to research at libraries because they'll be the only ones with taxpayer funding to pay the x402 fees.
Is Europe just flooding online fora with doomer luddites to demoralize the US tech sector? Sounds far-fetched, but there is nothing organic about the recent rise in US/tech hatred across the web.
I do have some bots, they're nice and predominantly used for grounding AI harnesses which I use interactively. Knowing that most operators will whitelist maybe 5 well-known bots and route the rest to the micropayments, what's the incentive for me to have my bots identify as bots with Web Bot Auth when it's easier to make them masquerade as humans?
Again, my bots are nice. They're making roughly the same number of requests I would make manually via browser if I was manually working on something.
I dislike stablecoins because they legitimize their cousin coins and because (I think?) they have transaction fees that create the wrong incentives for providers. I'm not sure what the real benefit is over prepaid (policy-driven) fiat currency with (possibly-paid) transaction records.
I can see how selling to bots could become so profitable that no one bothers to present directly to humans, but I look forward to an ad-free, much more capable internet, where paywalls are more like a headwind than a wall.
There are already a bunch of working implementations:
* https://www.l402.org/
* https://docs.lightning.engineering/the-lightning-network/l40...
There is even an index with a long list of services that already support this tech:
> At the same time, an agent can make thousands of micropayments without friction, while asking a person to approve each payment would be impossibly burdensome.
but yes, they will need wallets
but it's also optional, you do not want to buy these paid for requests, you do not need a wallet