An AWS Bedrock agent now holds a crypto wallet, receives HTTP 402 Payment Required from a paywalled API, signs a USDC transfer on Arbitrum One, and retries the request with proof of payment. No human approval, no API key rotation, no credit card on file. The transaction settles on mainnet and prints an Arbiscan link.
This is not a demo token or testnet experiment. It is a working implementation of an agent as an economic actor with its own funds and the ability to spend them autonomously.
The Plumbing: AgentCore Payments
AWS AgentCore is a hosted runtime for AI agents, currently in preview. The critical piece here is AgentCore Payments, a managed signer that holds an embedded wallet and produces payment authorizations without exposing private keys to your code or AWS logs.
You configure four resources:
- PaymentManager: connects to Coinbase CDP (Coinbase Developer Platform) as the wallet provider
- PaymentInstrument: the embedded crypto wallet itself
- PaymentSession: carries a spend budget and expiry timestamp
- Connector: links the PaymentManager to the external wallet service
Once configured, the agent calls PaymentManager.pay() and receives a signed authorization. The private key never leaves the AgentCore runtime.
The x402 Protocol
The paywalled API uses x402, a protocol that repurposes HTTP 402 Payment Required. Here is the flow:
- Agent requests a resource without payment
- API responds with
402 Payment Requiredand a JSON body specifying network, token, recipient address, and amount - Agent signs an EIP-3009
transferWithAuthorizationfor USDC - Agent retries the request with the signature attached
- API verifies the signature, submits the transfer on-chain via a facilitator, and returns the content
EIP-3009 allows a third party to submit the transfer, so the API server can settle the payment without holding the agent’s private key. The agent signs, the API submits.
No account creation, no API key lifecycle, no monthly billing. Charges can be fractions of a cent, which is why this works without human approval.
Architecture
The implementation uses:
- AWS Bedrock AgentCore: orchestration and managed wallet
- Coinbase CDP: wallet custody and signing
- Arbitrum One: L2 network for low gas fees
- USDC: stablecoin payment token
- CloudFront + Lambda@Edge + API Gateway: paywalled API infrastructure
The paywalled API is a serverless stack. CloudFront serves the public endpoint, Lambda@Edge handles payment verification, and API Gateway routes to the protected resource. The Lambda function checks the signature, calls the USDC contract to verify the transfer, and only then proxies the request.
# Simplified agent tool call
def fetch_paid_report(report_id: str) -> dict:
# Initial request
response = requests.get(f"{API_URL}/reports/{report_id}")
if response.status_code == 402:
payment_required = response.json()
# Agent calls PaymentManager
authorization = payment_manager.pay(
network=payment_required["network"],
token=payment_required["token"],
recipient=payment_required["recipient"],
amount=payment_required["amount"]
)
# Retry with proof
response = requests.get(
f"{API_URL}/reports/{report_id}",
headers={"X-Payment-Authorization": authorization}
)
return response.json()The agent does not need to understand blockchain mechanics. It calls a payment method and receives a signed blob. The API handles settlement.
Security Boundaries
The private key never touches the LLM context or agent code. AgentCore Payments isolates the signing operation inside a managed runtime. The agent receives only the signed authorization, not the key material.
The PaymentSession enforces a spend budget and expiry. If the agent tries to pay more than the budget allows, the call fails. If the session expires, the agent cannot sign new payments until a human creates a new session.
The API verifies the signature against the USDC contract before settling. A malicious agent cannot forge a valid signature without the private key. A compromised API cannot drain the wallet because it only receives individual authorizations, not the key.
Failure Modes
| Failure | Behavior | Recovery |
|---|---|---|
| Agent runs out of USDC mid-task | Payment call fails, agent halts or retries | Human funds wallet, agent resumes |
| PaymentSession expires | Signing fails, agent cannot pay | Human creates new session |
| API rejects signature | HTTP 403, agent logs error | Check signature format, network mismatch |
| On-chain transaction reverts | API returns 402 again | Agent retries with new authorization |
| Gas spike on Arbitrum | Transaction delayed or fails | Facilitator retries or agent waits |
The agent does not have a fallback payment method. If the wallet is empty or the session is expired, the task stops. This is intentional. Autonomous spending requires hard limits.
Cost Accounting
Every payment produces an on-chain transaction with a public hash. The agent logs the Arbiscan link, so you can audit every spend. The API also logs the transaction hash before returning content.
For cost tracking, you can:
- Parse agent logs for transaction hashes
- Query Arbiscan API for transaction details
- Sum USDC transfers from the agent wallet address
- Compare against the PaymentSession budget
Arbitrum One gas fees are low enough that micro-payments are viable. A $0.01 API call might cost $0.0001 in gas, making the total $0.0101. The agent does not need to reason about gas. The PaymentManager handles it.
Observability
The agent emits structured logs at each step:
- Initial API request
- 402 response received
- Payment authorization requested
- Payment signed
- Retry with authorization
- Final response
The API logs:
- Incoming 402 request
- Payment verification start
- On-chain transaction submitted
- Transaction confirmed
- Content returned
You can correlate agent logs with API logs using the transaction hash. If the agent claims it paid but the API says it did not receive payment, check the transaction status on Arbiscan.
Deployment Shape
The agent runs as a Bedrock AgentCore instance. You deploy it with:
- An AgentCore agent definition (YAML or SDK)
- A PaymentManager resource
- A PaymentInstrument linked to Coinbase CDP
- A PaymentSession with budget and expiry
The paywalled API deploys as:
- CloudFront distribution
- Lambda@Edge function for payment verification
- API Gateway for routing
- Backend service (Lambda, ECS, or external)
The agent and API are independent. The agent does not need to know the API’s internal architecture. The API does not need to know the agent’s orchestration logic. They communicate via HTTP and signed USDC authorizations.
When to Use This
Use this pattern when:
- You need agents to access paywalled APIs without human approval
- Per-request billing makes more sense than monthly subscriptions
- You want cryptographic proof of every payment
- You need to audit agent spending on a public ledger
- You want to avoid API key rotation and lifecycle management
Avoid this pattern when:
- Your API calls cost more than a few cents (gas overhead becomes significant)
- You need instant settlement (on-chain confirmation takes seconds)
- Your users cannot hold crypto (regulatory or technical constraints)
- You need refunds or chargebacks (blockchain transactions are final)
- Your agent must work offline (requires network access to sign and settle)
Technical Verdict
This implementation shows that agents can be economic actors with their own funds and the ability to spend them autonomously. The plumbing is straightforward: a managed wallet, a payment protocol, and a paywalled API that verifies signatures.
The hard parts are not technical. They are operational: setting spend budgets, monitoring wallet balances, handling empty wallets mid-task, and auditing agent spending. The code is simple. The governance is not.
If you are building agents that need to pay for resources, this pattern works. If you are building APIs that agents will call, x402 is a viable alternative to API keys. The infrastructure exists, the transaction costs are low, and the security model is clear.
The question is whether you want your agents to hold money.