A Cloudflare Worker that sits in front of your website and enforces HTTP 402 Payment Required for AI agents. Humans and crawlers like Googlebot browse free; AI bots (GPTBot, ClaudeBot, etc.) must present a signed payment intent to access paid paths.

Philosophy: “Humans browse free; Bots pay fee.”

1. Bot detection — Requests are checked by User-Agent. Payable bots (e.g. GPTBot, ClaudeBot, CCBot, Anthropic) are flagged.
2. Path-based pricing — Rules in src/config/rules.ts map URL paths to price, token (a ticker like USDC from the TOKENS map), and strategy (PAY, FREE, or BLOCK). First matching rule wins; no match uses DEFAULT_PRICE and TOKEN_TICKER from env. Only stablecoins with a configured contract address (e.g. USDC on Base) are accepted.
3. 402 challenge — For payable paths, the worker requires an Authorization: x402 <payload>.<signature> header. The signature is EIP-712 (Gatekeeper Protocol, AccessGrant). The signed message includes the token contract address (not the ticker) so only the official stablecoin is accepted. If missing or invalid, the response is 402 with x402-price, x402-recipient, x402-token, and x402-token-address.
4. Proxy — When the request is allowed (human, free path, or valid payment), it is forwarded to your origin and the response is streamed back.

• Runtime: Cloudflare Workers
• Framework: Hono
• Language: TypeScript
• Crypto: viem (EIP-712 signature verification)

Set these in wrangler.toml under [vars] or via Cloudflare secrets. For local dev, use .dev.vars (gitignored).

A TOKENS map defines allowed stablecoins by ticker → contract address (e.g. USDC on Base). Only these contracts are accepted; agents must sign the exact address to prevent fake or wrong-token payments.

Pricing and access are controlled by an ordered list of rules. Each rule has:

The worker evaluates rules in array order and uses the first rule whose pattern matches the path. If no rule matches, it falls back to DEFAULT_PRICE and TOKEN_TICKER from env (which must be a key in TOKENS).

Example:

export const TOKENS = {
  USDC: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913", // Base mainnet
};

export const RULES: PricingRule[] = [
  { pattern: "^/research/premium/.*", price: "1.00", token: "USDC", strategy: "PAY" },
  { pattern: "^/blog/.*",             price: "0.05", token: "USDC", strategy: "PAY" },
  { pattern: "^/$|^/about",           price: "0",    token: "USDC", strategy: "FREE" },
];

Put more specific patterns first so they take precedence over broader ones.

npm install
npm run dev

Point your client at the URL Wrangler prints (e.g. http://localhost:8787). Set ORIGIN_URL in wrangler.toml or .dev.vars to the site you want to proxy to.

1. Cloudflare: Dashboard → My Profile → API Tokens → Create token (e.g. “Edit Cloudflare Workers”).
2. GitHub: Repo → Settings → Secrets and variables → Actions. Add CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID.
3. Config: Set ORIGIN_URL, PAYMENT_ADDRESS, and other vars in wrangler.toml or as Worker secrets.
4. Push: git push origin main — the .github/workflows/deploy.yml workflow deploys with Wrangler.
5. DNS: In Cloudflare, add a route or CNAME so your domain is handled by this Worker.

When a request returns 402, the response includes:

• x402-price — Required amount (e.g. 0.05)
• x402-recipient — Recipient address
• x402-token — Token ticker (e.g. USDC)
• x402-token-address — Token contract address to use in the signed message (e.g. USDC on Base)

Sign an EIP-712 AccessGrant (domain: “Gatekeeper Protocol”, version “1.0”, chainId e.g. 8453 for Base, verifyingContract = recipient) with fields: visitor (your address), url (exact request URL), price, tokenAddress (the token contract address, e.g. from x402-token-address), and nonce (timestamp in ms). Encode the payload as base64 and the signature in hex, then send:

Authorization: x402 <base64(payload)>.<signature>