Problem
Every x402 payment on EVM exposes the payer's wallet address on-chain. For AI agents making hundreds of API calls per day, this creates a complete trail of which services they use, how much they spend, and how often they call each endpoint. Any observer can reconstruct an agent's operational behavior from its payment history.
Proposed Solution
Add assetTransferMethod: "shielded" to the existing exact scheme on EVM. Clients withdraw tokens from an on-chain privacy pool directly to the resource server's payTo address. The privacy pool contract handles ZK proof verification and nullifier-based double-spend prevention on-chain. The facilitator confirms the resulting ERC-20 Transfer event matches the payment requirements.
How it works
On-chain (handled by the privacy pool contract):
- Client generates a groth16 ZK proof proving ownership of a shielded UTXO
- The proof includes nullifiers — cryptographic commitments that mark the UTXO as spent
- Client submits the proof to the pool contract
- Contract verifies the ZK proof, checks nullifiers against its on-chain spent set, and executes the ERC-20 transfer
- If the tx succeeds, the proof was valid and the UTXO is now spent (nullified)
Facilitator verification:
- Client sends
txHash in PAYMENT-SIGNATURE header
- Facilitator fetches tx receipt, confirms it was not reverted (meaning the pool contract accepted the ZK proof)
- Facilitator checks the ERC-20 Transfer event:
from is a registered pool contract, to matches payTo, value >= required amount
- Facilitator tracks txHash to prevent the same payment from being reused for multiple API calls
The payer's wallet address never appears on-chain. The from field in the Transfer event shows the pool contract. The ZK proof ensures the payer owns sufficient funds without revealing which funds.
Why assetTransferMethod under exact
The exact scheme means the client pays the exact amount specified. shielded is a new transfer method — same semantics as EIP-3009, Permit2, and ERC-7710, but with sender privacy. The resource server advertises extra.assetTransferMethod: "shielded" in the 402 response.
Works with any ERC-20 on any EVM chain that has a compatible privacy pool (e.g., Railgun on Base, Ethereum, BSC, Polygon, Arbitrum).
Problem
Every x402 payment on EVM exposes the payer's wallet address on-chain. For AI agents making hundreds of API calls per day, this creates a complete trail of which services they use, how much they spend, and how often they call each endpoint. Any observer can reconstruct an agent's operational behavior from its payment history.
Proposed Solution
Add
assetTransferMethod: "shielded"to the existingexactscheme on EVM. Clients withdraw tokens from an on-chain privacy pool directly to the resource server'spayToaddress. The privacy pool contract handles ZK proof verification and nullifier-based double-spend prevention on-chain. The facilitator confirms the resulting ERC-20 Transfer event matches the payment requirements.How it works
On-chain (handled by the privacy pool contract):
Facilitator verification:
txHashinPAYMENT-SIGNATUREheaderfromis a registered pool contract,tomatchespayTo,value>= required amountThe payer's wallet address never appears on-chain. The
fromfield in the Transfer event shows the pool contract. The ZK proof ensures the payer owns sufficient funds without revealing which funds.Why assetTransferMethod under exact
The
exactscheme means the client pays the exact amount specified.shieldedis a new transfer method — same semantics as EIP-3009, Permit2, and ERC-7710, but with sender privacy. The resource server advertisesextra.assetTransferMethod: "shielded"in the 402 response.Works with any ERC-20 on any EVM chain that has a compatible privacy pool (e.g., Railgun on Base, Ethereum, BSC, Polygon, Arbitrum).