
Authentication

There are two distinct authentication concerns:
  1. Gx402 Server ↔ x402 provider (machine-to-machine)
  2. Client (player wallet) ↔ Middleware (signature-based proof of ownership)
We keep credentials and secret tokens strictly on the server. Clients never hold provider secrets.

Server ↔ x402 provider

  • Use the API key or OAuth scheme the x402 provider gives you.
  • Store provider credentials in environment variables or a secret manager (DO NOT commit them).
  • Protect server endpoints that call x402 with your own authorization (API tokens, JWTs, or internal network rules).
When making a call (the provider base URL and API key are read from the environment; the key never leaves the server):
const X402_API_BASE = process.env.X402_API_BASE;
const response = await fetch(`${X402_API_BASE}/payments`, {
  method: 'POST',
  headers: { 'Authorization': `Bearer ${process.env.X402_API_KEY}`, 'Content-Type': 'application/json' },
  body: JSON.stringify(payload)
});

node example: