A combat medic doesn't wait to be asked. You assess the situation, you move, you make decisions with incomplete information, and you keep people alive. That's the job.
I served as a 91W Combat Medic in the U.S. Army from 1997 to 2007. Ten years. I came home with a 100% disability rating, three sons I raised on my own, and a mind that doesn't know how to stop solving problems.
My sons are in their twenties now — kind, strong, respectful young men. I'm remarried, living in North Carolina, helping raise two stepchildren ages seven and nine. Life is full.
And somewhere in between all of that, I built 402Proof.
The Problem Nobody Was Solving
When AI agents started becoming real — not demos, but actual autonomous systems making API calls, fetching data, executing decisions — I noticed something nobody was talking about.
How do they pay?
Not "how do developers pay for their agents' API usage" — that's just a credit card on file. I mean: how does an agent pay, autonomously, mid-task, for a specific piece of data it needs right now, with no human in the loop?
The answer was: it couldn't. Not really. API keys get shared, leaked, rate-limited. Subscriptions are blunt instruments. There was no infrastructure for an agent to walk up to a tollbooth, pay exactly what something costs, prove it paid, and get the data — all in under five seconds, all on-chain, all auditable.
So I built the tollbooth.
What 402Proof Is
402Proof is an AI agent payment compliance firewall built on the x402 protocol — an emerging standard that uses HTTP's long-forgotten 402 Payment Required status code to create a native pay-per-call web.
Here's the full cycle, start to finish:
An AI agent hits a protected endpoint
It receives HTTP 402 with a payment invoice — destination wallet, amount in RLUSD or XRP, and a memo binding the payment to the invoice
The agent signs and submits the payment on the XRP Ledger — sub-5 second finality
It calls /v1/verify with the transaction hash
The server verifies on-chain, issues a signed HMAC-SHA256 access token
The agent retries the original request with X-Payment-Token header
The endpoint serves the data
No API keys. No subscriptions. No human involvement. Every payment generates a tamper-evident compliance receipt.
Token verification is local HMAC — sub-millisecond, zero network call on the hot path.
What I've Built Since the Last Article
- Agent Passport — Identity Without KYC
Every agent gets a live risk profile tied to their XRPL wallet. Risk score 0–100, updated after every payment. New wallets start elevated. Consistent payers score down. Verified entities get a discount.
No OAuth. No email signup. The wallet is the identity. {
"wallet": "rXXXXX...",
"domain": "my-agent.example.com",
"total_calls": 47,
"total_spend": "4.7000",
"risk_score": 28.5,
"loyalty_tier": "Gold",
"first_seen": "2026-05-01T..."
} 2. Spend Firewall — Per-Endpoint Policy Engine
Each endpoint gets its own policy: {
"endpoint_id": "12a0e7a1-...",
"max_daily_calls_per_agent": 100,
"block_high_risk": true,
"allowed_assets": ["RLUSD"]
} The firewall runs before the access token is issued. An agent that trips a policy paid on-chain but doesn't get access. That's compliance working exactly as designed.
- Loyalty Program — 5 Tiers, Automatic Free Credits
Tier
Min Spend
Reward
Bronze
0+ RLUSD
Standard
Silver
1+ RLUSD
1 free per 10 paid
Gold
5+ RLUSD
1 free per 5 paid
Platinum
25+ RLUSD
1 free per 3 paid
Diamond
100+ RLUSD
1 free per 2 paid
Credits are redeemed via POST /v1/loyalty/redeem — no XRPL payment required. Fully autonomous. No billing cycles. Pure pay-per-call with compounding loyalty built in.
The verify response now includes loyalty state on every settlement: {
"status": "PAYMENT_VERIFIED",
"access_token": "eyJ...",
"loyalty_tier": "Gold",
"loyalty_badge": "",
"free_credits": 2,
"credits_awarded": 1,
"tier_upgraded": false
} 4. Python Agent SDK — Pays Its Own Way from proof402.agent import Proof402Client, wallet_from_seed
wallet = wallet_from_seed(os.environ["AGENT_XRPL_SEED"])
client = Proof402Client(wallet, agent_domain="my-agent.example.com")
Handles the entire x402 cycle automatically:
402 intercept → XRPL payment → verify → token cache → retry
response = client.get("https://api.scriptmasterlabs.com/api/council")
data = response.json()
print(client.receipts[-1]) # Full compliance receipt One object. The client handles the 402 intercept, XRPL payment, verification, token caching, and retry. Works with XRP and RLUSD. Manages trust lines automatically on first use.
- Email Receipts on Every Settlement
Every verified payment fires an async email — receipt ID, endpoint, amount, XRPL tx hash, agent wallet, risk level, and a direct compliance receipt link. Built in Go's net/smtp. No external dependencies. Never blocks the payment flow.
- AI Agent Discovery Stack
How does an agent find out you exist?
/llms.txt — Perplexity, ChatGPT, and Claude crawl this automatically
/.well-known/ai-plugin.json — ChatGPT plugin manifest, auto-discovered by agent frameworks
/.well-known/openapi.json — Full OpenAPI 3.1 spec with x402 security scheme
robots.txt — explicitly allows GPTBot, PerplexityBot, ClaudeBot, Googlebot
An agent that's never heard of your API can discover it, read the payment requirements, pay autonomously, and get data — zero human involvement at any step.
Live Endpoints —
Four premium endpoints live, gated by RLUSD micropayment:
POST /api/council — 0.10 RLUSD
AI multi-engine market verdict. Returns regime, directional bias, confidence score, and actionable thesis for any symbol.
GET /api/scan — 0.05 RLUSD
Full $1–$50 universe market scanner. Live squeeze signals and options picks.
GET /api/options — 0.05 RLUSD
Institutional options flow: sweeps, whale detection, unusual volume, scored recommendations.
GET /api/iwm — 0.03 RLUSD
IWM zero-day-to-expiry scanner. Scored contracts, parity watch, realized vol, greeks.
The Flask Integration Is One Line from proof402_integration import require_payment
@app.route('/api/council', methods=['POST'])
@require_payment
def council():
# Only reaches here with valid X-Payment-Token
# Otherwise returns 402 + invoice automatically
... Fail-open by design — if 402Proof is unreachable, the decorator passes through. Your API never goes down because of the payment layer.
The Bigger Picture
A combat medic's job is to stabilize the situation so the mission can continue. You don't get credit for it. You just make sure the people who need to move can move.
That's what 402Proof is. Not the flashy part of the AI agent economy — the infrastructure underneath it. The part that makes sure value flows correctly, payments are verifiable, bad actors get blocked, and honest agents get rewarded for consistency.
I built it because it needed to exist. I'm a disabled veteran in North Carolina with a blended family and a mission that didn't end when I took off the uniform. It just changed shape.
If you're building AI agents that need to pay for data autonomously — or building an API that deserves to be monetized per-call without the overhead of subscriptions and API key management — the infrastructure is ready.
The tollbooth is open. Agents welcome.
Dashboard: four02proof.onrender.com
OpenAPI spec: /.well-known/openapi.json
AI discovery: /llms.txt
Script Master Labs: scriptmasterlabs.com
Timothy Walton — 91W Combat Medic, U.S. Army 1997–2007. Founder, Script Master Labs.
ScriptMasterLabs@gmail.com