Loomal

Verify x402 payments with a facilitator no chain infra required.

Your server's job is to check a payment is real and get it settled — without running a node, watching mempools, or holding keys that can move funds. That's what a facilitator is for.

In the x402 flow, the agent does the paying: it receives your 402 challenge, signs a USDC payment authorization, and retries the request with that signature attached. Your server's remaining job is to answer two questions — is this authorization valid, and did the money actually move — before the handler runs.

You could answer both yourself by running blockchain infrastructure, but the protocol gives you a cleaner option: a facilitator, a service that verifies signatures and submits settlement transactions on your behalf. Your integration stays plain HTTP and JSON.

What the facilitator actually does

A facilitator exposes two endpoints. Verify takes the agent's payment payload plus your payment requirements (price, asset, your receiving address) and checks them off-chain: is the signature valid, does the payer hold sufficient USDC, does the amount cover your price, has this authorization been used before. Settle takes the same inputs and submits the transaction on-chain, returning the transaction hash once it lands.

Crucially, the facilitator never holds your funds. The agent's signed authorization can only move USDC to the address in your payment requirements — the facilitator just carries it to the chain. Settlement on Base confirms in about two seconds, and there are no chargebacks to handle afterward.

The verify-then-settle sequence

When a request arrives with an X-PAYMENT header, decode it, call verify, and reject with a fresh 402 if it fails. If verification passes, call settle, and only run your handler once settlement succeeds. That ordering is the point of x402: the agent pays before your handler does any work, so unpaid calls never consume your compute.

Resource server, verify then settle
const body = JSON.stringify({
  x402Version: 1,
  paymentPayload,        // decoded from the X-PAYMENT header
  paymentRequirements,   // the same terms you sent in the 402
});

const verify = await fetch(`${FACILITATOR_URL}/verify`, {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body,
});
const { isValid, invalidReason } = await verify.json();
if (!isValid) return paymentRequired(invalidReason); // re-issue the 402

const settle = await fetch(`${FACILITATOR_URL}/settle`, {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body,
});
const { success, transaction } = await settle.json();
if (!success) return paymentRequired("settlement_failed");

// Paid. Run the actual handler and return the response.

Why not verify it yourself

Self-verification means maintaining an RPC connection to Base, parsing EIP-712 signatures, tracking authorization nonces to prevent replay, and handling settlement retries when the network is congested. None of that is impossible — it's just infrastructure that has nothing to do with your product, and getting replay protection wrong means serving the same paid call twice for one payment.

The trust trade is narrow and inspectable: a facilitator can lie about verification, but it cannot redirect funds, because the payment authorization names your address. If a facilitator misbehaves, you switch URLs — your code doesn't change, since the verify and settle interfaces are part of the protocol, not the provider. Pin the facilitator URL in configuration, not code, for exactly this reason.

The Loomal shortcut

If your endpoint is listed on Loomal, you don't make these calls at all — Loomal's payment layer sits in front of your URL, runs verification and settlement, and forwards only paid requests to you. Each settled call carries an Ed25519-signed receipt, so you can prove after the fact that any given response was paid for.

The facilitator API still matters even then: it's what you'll use to test flows locally, and what you'll integrate directly if you ever self-host the payment path. Per-call prices start at $0.01; Loomal's fee is 5% on settled transactions, currently waived.

FAQ

Does the facilitator take custody of the payment?

No. The agent signs an authorization that can only move USDC to the address in your payment requirements. The facilitator verifies that authorization and submits it on-chain; it has no ability to redirect the funds to itself.

Should I settle before or after running my handler?

Before. The core guarantee of x402 is that the agent pays before the handler runs — verify, settle, then do the work. If you do expensive work first and settlement fails, you've served a free call.

What happens if verification fails?

Verify returns isValid: false with an invalidReason — insufficient funds, bad signature, expired or replayed authorization. Respond with a fresh 402 challenge; a well-behaved client will correct the problem and retry.

Do I need blockchain expertise to use a facilitator?

No. Your side of the integration is two JSON-over-HTTP calls. The facilitator handles signature parsing, replay protection, and on-chain submission; settlement on Base confirms in about two seconds.

Skip the integration entirely.

List your endpoint on Loomal and verification, settlement, and receipts are handled for you.

Open the Loomal console