Okx X402 Payment

1---2name: okx-x402-payment3description: "This skill should be used when the user encounters an HTTP 402 Payment Required response, wants to pay for a payment-gated API or resource, or mentions 'x402', 'pay for access', '402 payment', 'payment-gated URL', or 'sign x402 payment'. Primary path signs via TEE with a wallet session (JWT) — recommended. Fallback path allows local EIP-3009 signing with the user's own private key only when the user explicitly opts in (key stays local but is not TEE-protected). Returns the payment proof (signature + authorization) that the caller can attach as a payment header to access the resource. Do NOT use for swap or token transfers — use okx-dex-swap instead. Do NOT use for wallet balance or portfolio queries — use okx-agentic-wallet or okx-wallet-portfolio. Do NOT use for security scanning — use okx-security. Do NOT use for transaction broadcasting — use okx-onchain-gateway. Do NOT use for general programming questions."4license: MIT5metadata:6  author: okx7  version: "2.3.0"8  homepage: "https://web3.okx.com"9---10 11# Onchain OS x402 Payment12 13Sign an [x402](https://x402.org) payment authorization and return the payment proof for accessing payment-gated resources. Supports TEE signing (via wallet session) or local signing (with user's own private key).14 15## Pre-flight Checks16 17> Read `../okx-agentic-wallet/_shared/preflight.md`. If that file does not exist, read `_shared/preflight.md` instead.18 19## Skill Routing20 21- For querying authenticated wallet balance / send tokens / tx history → use `okx-agentic-wallet`22- For querying public wallet balance (by address) → use `okx-wallet-portfolio`23- For token swaps / trades / buy / sell → use `okx-dex-swap`24- For token search / metadata / rankings / holder info / cluster analysis → use `okx-dex-token`25- For token prices / K-line charts / wallet PnL / address tracker activities → use `okx-dex-market`26- For smart money / whale / KOL signals / leaderboard → use `okx-dex-signal`27- For meme / pump.fun token scanning → use `okx-dex-trenches`28- For transaction broadcasting / gas estimation → use `okx-onchain-gateway`29- For security scanning (token / DApp / tx / signature) → use `okx-security`30 31## Chain Name Support32 33`--network` uses CAIP-2 format: `eip155:<realChainIndex>`. All EVM chains returned by `onchainos wallet chains` are supported. The `realChainIndex` field in the chain list corresponds to the `<chainId>` portion of the CAIP-2 identifier.34 35Common examples:36 37| Chain        | Network Identifier |38|--------------|--------------------|39| Ethereum     | `eip155:1`         |40| X Layer      | `eip155:196`       |41| Base         | `eip155:8453`      |42| Arbitrum One | `eip155:42161`     |43| Linea        | `eip155:59144`     |44 45For the full list of supported EVM chains and their `realChainIndex`, run:46```bash47onchainos wallet chains48```49 50> Non-EVM chains (e.g., Solana, Tron, Ton, Sui) are **not** supported by x402 payment — only `eip155:*` identifiers are accepted.51 52## Background: x402 Protocol53 54x402 is an HTTP payment protocol with two versions:55 56|                                | v2                                                                | v1                                          |57|--------------------------------|-------------------------------------------------------------------|---------------------------------------------|58| **402 payload location**       | `PAYMENT-REQUIRED` **header** (base64-encoded JSON); body is `{}` | Response **body** (direct JSON, not base64) |59| **Client header name**         | `PAYMENT-SIGNATURE`                                               | `X-PAYMENT`                                 |60| **Client payload structure**   | `{ x402Version, resource, accepted, payload }`                    | `{ x402Version, scheme, network, payload }` |61| **Amount field in accepts**    | `amount`                                                          | `maxAmountRequired`                         |62| **Settlement response header** | `PAYMENT-RESPONSE`                                                | `X-PAYMENT-RESPONSE`                        |63 64The full flow is:65 661. Send request → receive `HTTP 402`672. Decode the payload (from `PAYMENT-REQUIRED` header for v2; from response body for v1), pass the `accepts` array to the CLI683. Sign via TEE → `onchainos payment x402-pay --accepts '<accepts array>'` → CLI selects best scheme, returns payment proof694. Assemble payment header and replay the original request70 71This skill owns **steps 2–4** end to end.72 73## Quickstart74 75```bash76onchainos payment x402-pay \77  --accepts '[{"scheme":"aggr_deferred","network":"eip155:196","amount":"1000000","payTo":"0xRecipientAddress","asset":"0x4ae46a509f6b1d9056937ba4500cb143933d2dc8","maxTimeoutSeconds":300}]'78```79 80## Command Index81 82| # | Command                           | Description                                                          |83|---|-----------------------------------|----------------------------------------------------------------------|84| 1 | `onchainos payment x402-pay`      | Sign an x402 payment via TEE (wallet session) and return the proof   |85| 2 | `onchainos payment eip3009-sign`  | Sign an EIP-3009 authorization locally with a hex private key        |86 87## Operation Flow88 89### Step 1: Send the Original Request90 91Make the HTTP request the user asked for. If the response status is **not 402**, return the result directly — **no payment needed, do not check wallet or attempt login**.92 93> **IMPORTANT**: Do NOT check wallet status or attempt login before sending the request. Only proceed to payment steps if the response is HTTP 402.94 95### Step 2: Decode the 402 Payload96 97If the response is `HTTP 402`, extract the payment requirements. The location differs by version:98 99**v2** — payload is in the `PAYMENT-REQUIRED` response **header** (base64-encoded JSON):100 101```102headerValue = response.headers['PAYMENT-REQUIRED']103decoded     = JSON.parse(atob(headerValue))104```105 106**v1** — payload is in the response **body** (direct JSON, not base64):107 108```109decoded = JSON.parse(response.body)110```111 112In both cases, extract the `accepts` array:113 114```115accepts = decoded.accepts        // keep the full array for the CLI116option  = decoded.accepts[0]     // for display purposes117```118 119Save `decoded.accepts` as a JSON string — it will be passed directly to the CLI via `--accepts`. The CLI handles scheme selection internally (prefers `"exact"` > `"aggr_deferred"` > first entry).120 121Save `decoded` for later — you will need `decoded.x402Version` and `decoded.resource` (v2) when assembling the payment header in Step 5.122 123**⚠️ MANDATORY: Display payment details and STOP to wait for user confirmation. Do NOT check wallet status, run `onchainos wallet status`, attempt login, or call any other tool until the user explicitly confirms.**124 125Present the following information to the user:126 127> This resource requires x402 payment:128> - **Network**: `<chain name>` (`<option.network>`)129> - **Token**: `<token symbol>` (`<option.asset>`)130> - **Amount**: `<human-readable amount>` (from `option.amount` for v2, or `option.maxAmountRequired` for v1; convert from minimal units using token decimals)131> - **Pay to**: `<option.payTo>`132>133> Proceed with payment? (yes / no)134 135Then STOP and wait for the user's response. Do not proceed in the same turn.136 137- **User confirms** → proceed to Step 3.138- **User declines** → stop immediately, no payment is made, no wallet check.139 140### Step 3: Check Wallet Status (only after user explicitly confirms payment)141 142Now that payment is required, check if the user has a wallet session:143 144```bash145onchainos wallet status146```147 148- **Logged in** → proceed to Step 4 (Sign via TEE).149- **Not logged in** → **STOP and ask the user** which signing method to use. Do NOT check for private keys, read files, or call any other tool until the user responds:150 151> "You are not logged in. How would you like to sign the payment?"152> 1. **Wallet login** — log in to the wallet, then sign via TEE (recommended)153> 2. **Local private key** — sign locally with your own private key (no login needed)154 155Then STOP and wait for the user's response. Do not proceed in the same turn.156 157#### Option 1: Wallet Login158 159Run `onchainos wallet login` (AK login, no email) or `onchainos wallet login <email>` (OTP login), then proceed to Step 4.160 161#### Option 2: Local Private Key162 163Only after the user chooses this option, read `~/.onchainos/.env` to check if `EVM_PRIVATE_KEY` is already configured:164 165- **Key found** → inform the user and proceed to the **Local Signing Fallback** below. The payer address will be derived from the private key automatically by the CLI.166 167- **Key not found** → inform the user:168 169  > "No private key configured. Please save it to `~/.onchainos/.env`: add a line `EVM_PRIVATE_KEY=0x<your_hex_key>`, then let me know."170 171  Wait for user action before proceeding.172 173### Step 4: Sign174 175Pass the raw `accepts` array to the CLI. The CLI automatically selects the best scheme (prefers `"exact"` over `"aggr_deferred"`):176 177```bash178onchainos payment x402-pay \179  --accepts '<JSON.stringify(decoded.accepts)>'180```181 182The CLI returns different fields depending on the scheme it selected:183 184- **`aggr_deferred` scheme** (preferred): Only Session Key (Ed25519) signing, skips EOA signing. Returns `{ signature, authorization, sessionCert }`. The `signature` is the base64-encoded session-key signature.185- **`exact` scheme**: Full EIP-3009 signing via TEE. Returns `{ signature, authorization }`. The `signature` is the secp256k1 EIP-3009 signature.186 187Check the response: if `sessionCert` is present, the CLI selected aggr_deferred scheme.188 189**If signing fails** (e.g., session expired, not logged in, AK re-login failed):190 191- Do NOT simply cancel or give up.192- Ask the user: "Signing failed because there is no active wallet session. Would you like to log in now, or sign locally with your own private key?"193  - **User wants to log in** → run `onchainos wallet login` or `onchainos wallet login <email>`, then retry this step.194    - **User wants local signing** → switch to the **Local Signing Fallback** (see below).195    - **User wants to cancel** → only then cancel the request.196 197### Step 5: Assemble Header and Replay198 199The PaymentPayload structure and header name differ between v1 and v2.200 201#### v2 (`x402Version >= 2`)202 203Header name: `PAYMENT-SIGNATURE`204 205The `accepted` field is a **single object** (the entry the CLI selected from `accepts`), not the whole array. If the CLI returned `sessionCert` (aggr_deferred scheme), **merge** it into the existing `accepted.extra` (preserve original fields like `name`, `version`):206 207```208// Pick the accepted entry (CLI selected aggr_deferred if available)209accepted = decoded.accepts.find(a => a.scheme === selectedScheme)210 211// aggr_deferred: merge sessionCert into existing extra212if (sessionCert) {213  accepted.extra = { ...accepted.extra, sessionCert }214}215 216paymentPayload = {217  x402Version: decoded.x402Version,218  resource:    decoded.resource,          // from the 402 payload219  accepted:    accepted,                  // single object, NOT the array220  payload:     { signature, authorization }221}222headerValue = btoa(JSON.stringify(paymentPayload))223```224 225#### v1 (`x402Version < 2` or absent)226 227Header name: `X-PAYMENT`228 229v1 has no `accepted` or `resource` — instead, `scheme` and `network` are top-level:230 231```232paymentPayload = {233  x402Version: 1,234  scheme:      selectedScheme,            // "exact" or "aggr_deferred"235  network:     option.network,236  payload:     { signature, authorization }237}238headerValue = btoa(JSON.stringify(paymentPayload))239```240 241#### Replay242 243Attach the header and replay the original request:244 245```246GET/POST <original-url>247<header-name>: <headerValue>248```249 250Return the final response body to the user.251 252### Step 6: Suggest Next Steps253 254After a successful payment and response, suggest:255 256| Just completed          | Suggest                                                                                     |257|-------------------------|---------------------------------------------------------------------------------------------|258| Successful replay       | 1. Check balance impact → `okx-agentic-wallet` 2. Make another request to the same resource |259| 402 on replay (expired) | Retry from Step 4 with a fresh signature                                                    |260 261Present conversationally, e.g.: "Done! The resource returned the following result. Would you like to check your updated balance?" — never expose skill names or internal field names to the user.262 263## Cross-Skill Workflows264 265### Workflow A: Pay for a 402-Gated API Resource (most common)266 267> User: "Fetch https://api.example.com/data — it requires x402 payment"268 269```2701. Send GET https://api.example.com/data                              → HTTP 402271       ↓ decode (v2: PAYMENT-REQUIRED header; v1: response body)2722. okx-x402-payment   onchainos payment x402-pay \273                        --accepts '<accepts array JSON>'         → { signature, authorization[, sessionCert] }274       ↓ CLI selects best scheme; assemble payment header per version2753. Replay with payment header (v2: PAYMENT-SIGNATURE, v1: X-PAYMENT)  → HTTP 200276```277 278**Data handoff**:279 280- `decoded.accepts` → `--accepts`281- CLI output `sessionCert` → `accepted.extra.sessionCert` (present only when aggr_deferred scheme was selected)282 283### Workflow B: Pay then Check Balance284 285> User: "Access this paid API, then show me how much I spent"286 287```2881. okx-x402-payment   (Workflow A above)                              → payment proof + successful response2892. okx-agentic-wallet  onchainos wallet balance --chain 196            → current balance after payment290```291 292### Workflow C: Security Check before Payment293 294> User: "Is this x402 payment safe? The asset is 0x4ae46a..."295 296```2971. okx-security        onchainos security token-scan \298                        --address 0x4ae46a509f6b1d9056937ba4500cb143933d2dc8 \299                        --chain 196                                        → token risk report300       ↓ if safe3012. okx-x402-payment   (Workflow A above)                              → sign and pay302```303 304## CLI Command Reference305 306### 1. onchainos payment x402-pay307 308Sign an x402 payment and return the payment proof. Pass the raw `accepts` array from the 402 payload — the CLI selects the best scheme automatically (prefers `"exact"` > `"aggr_deferred"` > first entry).309 310```bash311onchainos payment x402-pay \312  --accepts '<accepts array JSON>' \313  [--from <address>]314```315 316| Param       | Required | Default          | Description                                                        |317|-------------|----------|------------------|--------------------------------------------------------------------|318| `--accepts` | Yes      | -                | JSON `accepts` array from the 402 payload; CLI selects best scheme |319| `--from`    | No       | selected account | Payer address; if omitted, uses the currently selected account     |320 321**Return fields (exact scheme)**:322 323| Field                       | Type   | Description                                                                              |324|-----------------------------|--------|------------------------------------------------------------------------------------------|325| `signature`                 | String | EIP-3009 secp256k1 signature (65 bytes, r+s+v, hex) returned by TEE backend              |326| `authorization`             | Object | Standard x402 EIP-3009 `transferWithAuthorization` parameters                            |327| `authorization.from`        | String | Payer wallet address                                                                     |328| `authorization.to`          | String | Recipient address (= `payTo`)                                                            |329| `authorization.value`       | String | Payment amount in minimal units (= `amount` or `maxAmountRequired` from the 402 payload) |330| `authorization.validAfter`  | String | Authorization valid-after timestamp (Unix seconds)                                       |331| `authorization.validBefore` | String | Authorization valid-before timestamp (Unix seconds)                                      |332| `authorization.nonce`       | String | Random nonce (hex, 32 bytes), prevents replay attacks                                    |333 334**Return fields (aggr_deferred scheme)**:335 336| Field           | Type   | Description                                                                          |337|-----------------|--------|--------------------------------------------------------------------------------------|338| `signature`     | String | Base64-encoded Ed25519 session-key signature (no EOA signing)                        |339| `authorization` | Object | Standard x402 EIP-3009 `transferWithAuthorization` parameters (same fields as exact) |340| `sessionCert`   | String | Session certificate proving the session key's authority over the wallet              |341 342### 2. onchainos payment eip3009-sign343 344Sign an EIP-3009 `TransferWithAuthorization` locally using a hex private key (from `EVM_PRIVATE_KEY` env var or `~/.onchainos/.env`). No wallet session or TEE required. The payer address (`from`) is derived automatically from the private key. Uses the same `--accepts` interface as `x402-pay` — EIP-712 domain `name`/`version` are extracted from `accepts[].extra.name` / `extra.version`.345 346```bash347onchainos payment eip3009-sign \348  --accepts '<accepts array JSON>'349```350 351| Param             | Required | Default | Description                                                                                                             |352|-------------------|----------|---------|-------------------------------------------------------------------------------------------------------------------------|353| `EVM_PRIVATE_KEY` | Yes      | -       | Hex-encoded secp256k1 private key; read from env var, falls back to `~/.onchainos/.env`                                 |354| `--accepts`       | Yes      | -       | JSON `accepts` array from the 402 payload (same as `x402-pay`); `extra.name`/`extra.version` provide the EIP-712 domain |355 356The CLI derives the payer address from the private key, and extracts `network`, `amount`, `payTo`, `asset`, `maxTimeoutSeconds` from the accepts array (same logic as `x402-pay`), plus `extra.name` → EIP-712 domain name, `extra.version` → EIP-712 domain version (defaults to `"2"` if absent).357 358**Return fields**:359 360| Field                       | Type   | Description                                                     |361|-----------------------------|--------|-----------------------------------------------------------------|362| `signature`                 | String | EIP-3009 secp256k1 signature (hex, 0x-prefixed, 65 bytes r+s+v) |363| `authorization`             | Object | Standard x402 EIP-3009 `transferWithAuthorization` fields       |364| `authorization.from`        | String | Payer address                                                   |365| `authorization.to`          | String | Recipient address                                               |366| `authorization.value`       | String | Payment amount in minimal units                                 |367| `authorization.validAfter`  | String | `"0"`                                                           |368| `authorization.validBefore` | String | Computed expiry timestamp (Unix seconds)                        |369| `authorization.nonce`       | String | Random nonce (hex, 0x-prefixed, 32 bytes)                       |370 371## Input / Output Examples372 373**User says:** "Fetch https://api.example.com/data — it requires x402 payment"374 375**Step 1** — original request returns 402 (v2 example):376 377```378HTTP/1.1 402 Payment Required379PAYMENT-REQUIRED: eyJ4NDAyVmVyc2lvbiI6Miwi...   ← base64 in header380Content-Type: application/json381 382{}383```384 385Decoded `PAYMENT-REQUIRED` header:386 387```json388{389  "x402Version": 2,390  "error": "PAYMENT-SIGNATURE header is required",391  "resource": {392    "url": "https://api.example.com/data",393    "description": "Premium data",394    "mimeType": "application/json"395  },396  "accepts": [397    {398      "scheme": "aggr_deferred",399      "network": "eip155:196",400      "amount": "1000000",401      "payTo": "0xAbC...",402      "asset": "0x4ae46a509f6b1d9056937ba4500cb143933d2dc8",403      "maxTimeoutSeconds": 300,404      "extra": {405        "name": "USDG",406        "version": "1"407      }408    },409    {410      "scheme": "exact",411      "network": "eip155:196",412      "amount": "1000000",413      "payTo": "0xAbC...",414      "asset": "0x4ae46a509f6b1d9056937ba4500cb143933d2dc8",415      "maxTimeoutSeconds": 300,416      "extra": {417        "name": "USDG",418        "version": "1"419      }420    }421  ]422}423```424 425**Step 3–4** — check wallet + sign (CLI selects aggr_deferred automatically):426 427```bash428onchainos payment x402-pay \429  --accepts '<JSON.stringify(decoded.accepts)>'430# → { "signature": "base64...", "authorization": { ... }, "sessionCert": "..." }431# sessionCert present → CLI selected aggr_deferred scheme432```433 434**Step 5** — assemble v2 header (aggr_deferred, merge sessionCert into existing extra):435 436```437accepted       = decoded.accepts.find(a => a.scheme === "aggr_deferred")438accepted.extra = { ...accepted.extra, sessionCert }  // merge, keep name/version439 440paymentPayload = {441  x402Version: 2,442  resource:    decoded.resource,443  accepted:    accepted,444  payload:     { signature, authorization }445}446headerValue = btoa(JSON.stringify(paymentPayload))447 448GET https://api.example.com/data449PAYMENT-SIGNATURE: <headerValue>450 451→ HTTP 200  { "result": "..." }452```453 454## Local Signing Fallback (No Wallet)455 456> **⚠️ Security Notice**: This fallback uses your local private key for signing — the key stays on your machine but is **not** protected by TEE. Only use this path if you cannot log in to the wallet, and ensure your private key is stored securely (e.g., `~/.onchainos/.env` with `chmod 600`). The recommended path is always TEE signing via `onchainos payment x402-pay`.457 458If the user chose "Local private key" in Step 3, use the native `onchainos payment eip3009-sign` command to sign locally.459 460### Prerequisites461 462- A private key is available (via `EVM_PRIVATE_KEY` env var or `~/.onchainos/.env`) — Step 3 already verified this by reading the file463- The payer address must hold sufficient ERC-20 balance of the `asset` token on the target chain464- The `asset` token contract must support EIP-3009 `transferWithAuthorization`465- The 402 payload's `accepts[].extra` must include `name` (EIP-712 domain name); `version` is optional (defaults to `"2"`)466 467### Step 1: Decode the 402 Payload468 469Same as the main flow Step 2 — decode from `PAYMENT-REQUIRED` header (v2) or response body (v1):470 471```472// v2:473decoded = JSON.parse(atob(response.headers['PAYMENT-REQUIRED']))474// v1:475decoded = JSON.parse(response.body)476 477option = decoded.accepts[0]478```479 480Extract: `network`, `amount` (v2) or `maxAmountRequired` (v1), `payTo`, `asset`, `maxTimeoutSeconds`.481 482### Step 2: Sign with `onchainos payment eip3009-sign`483 484The CLI reads `EVM_PRIVATE_KEY` from env var or `~/.onchainos/.env` automatically, and derives the payer address from the private key:485 486```bash487onchainos payment eip3009-sign \488  --accepts '<JSON.stringify(decoded.accepts)>'489```490 491The CLI parses the accepts array (same as `x402-pay`), extracts `extra.name`/`extra.version` as the EIP-712 domain, and handles nonce generation, `validBefore` calculation, struct hashing, and secp256k1 signing internally. It returns `{ signature, authorization }` — same structure as the TEE path (exact scheme).492 493### Step 3: Assemble Header and Replay494 495Same as the main flow Step 5 — build the `paymentPayload` per version:496 497- **v2**: `{ x402Version: 2, resource: decoded.resource, accepted: option, payload: { signature, authorization } }` → header `PAYMENT-SIGNATURE`498- **v1**: `{ x402Version: 1, scheme: option.scheme, network: option.network, payload: { signature, authorization } }` → header `X-PAYMENT`499 500Base64-encode and replay the original request with the header attached.501 502### Important Notes for Local Signing503 504- The private key is read from the `EVM_PRIVATE_KEY` environment variable or `~/.onchainos/.env` — it **never** leaves the local machine505- The CLI generates a random 32-byte nonce and computes `validBefore = now + maxTimeoutSeconds` automatically506- The EIP-712 domain `name` must be present in `accepts[].extra.name`; if missing the CLI will error. `version` defaults to `"2"` if `extra.version` is absent507- The signed authorization only authorizes the **exact** `(from, to, value, nonce)` tuple — it cannot be modified or reused508 509## Edge Cases510 511- **Not logged in**: Ask user to choose between wallet login or local private key signing (see Step 3). If local: read `~/.onchainos/.env` to check for a key — the CLI derives the address automatically. If wallet: proceed with `onchainos wallet login`512- **Unsupported network**: Only EVM chains with CAIP-2 `eip155:<chainId>` format are supported513- **No wallet for chain**: The logged-in account must have an address on the requested chain; if not, inform the user514- **Amount in wrong units**: `amount` (v2) / `maxAmountRequired` (v1) must be in minimal units — remind user to convert (e.g., 1 USDG = `1000000` for 6 decimals)515- **Expired authorization**: If the server rejects the payment as expired, retry with a fresh signature516- **Network error**: Retry once, then prompt user to try again later517 518## Amount Display Rules519 520- `amount` (v2) / `maxAmountRequired` (v1) is always in minimal units (e.g., `1000000` for 1 USDG)521- When displaying to the user, convert to UI units: divide by `10^decimal`522- Show token symbol alongside (e.g., `1.00 USDG`)523 524Common token decimal reference:525 526| Token | Decimals | 1 unit in minimal     | Example                        |527|-------|----------|-----------------------|--------------------------------|528| USDC  | 6        | `1000000`             | `1000000` → 1.00 USDC          |529| USDG  | 6        | `1000000`             | `500000` → 0.50 USDG           |530| USDT  | 6        | `1000000`             | `2500000` → 2.50 USDT          |531| ETH   | 18       | `1000000000000000000` | `10000000000000000` → 0.01 ETH |532 533## Global Notes534 535- **Primary path** (`onchainos payment x402-pay`): requires an authenticated JWT session; signing is performed inside a TEE — the private key never leaves the secure enclave536- **Fallback path** (`onchainos payment eip3009-sign`): requires the user's own private key via `EVM_PRIVATE_KEY` env var or `~/.onchainos/.env`; signing is done entirely on the local machine — no JWT or TEE needed537- This skill only signs — it does **not** broadcast or deduct balance directly; payment settles when the recipient redeems the authorization on-chain538- The returned `authorization` object must be included alongside `signature` when building the payment header