TL;DR
This paper introduces presidio-hardened-x402, an open-source middleware that detects and redacts PII in x402 payment requests, ensuring privacy and policy enforcement with high accuracy and low latency.
Contribution
It presents the first middleware for intercepting and sanitizing x402 payment requests to protect PII and enforce policies, validated by a comprehensive synthetic corpus and performance evaluation.
Findings
Achieves a micro-F1 score of 0.894 in PII detection
Maintains latency under 6ms, within the 50ms overhead budget
Provides publicly available code, corpus, and experiment setup
Abstract
AI agents that pay for resources via the x402 protocol embed payment metadata - resource URLs, descriptions, and reason strings - in every HTTP payment request. This metadata is transmitted to the payment server and to the centralised facilitator API before any on-chain settlement occurs; neither party is typically bound by a data processing agreement. We present presidio-hardened-x402, the first open-source middleware that intercepts x402 payment requests before transmission to detect and redact personally identifiable information (PII), enforce declarative spending policies, and block duplicate replay attempts. To evaluate the PII filter, we construct a labeled synthetic corpus of 2,000 x402 metadata triples spanning seven use-case categories, and run a 42-configuration precision/recall sweep across two detection modes (regex, NLP) and five confidence thresholds. The recommended…
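The interception step the abstract describes (redact the metadata triple, check a spending policy, reject duplicates) can be sketched as follows. This is an added example, not code from the paper or from presidio-hardened-x402. The regex patterns, the `PaymentGuard` class, the integer `amount` field, the policy limits and the fingerprint-based replay check are all assumptions made for illustration.

```python
import hashlib
import re

# Constructed regex recognizers; the project's own patterns are not shown on this page.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
FIELDS = ("resource", "description", "reason")  # the metadata triple from the abstract

# Constructed sample request; "amount" is a hypothetical integer in atomic units.
SAMPLE_REQUEST = {
    "resource": "https://api.example.com/records?email=jane.doe@example.com",
    "description": "Lookup for SSN 123-45-6789",
    "reason": "monthly report",
    "amount": 400,
}

def redact(text):
    """Replace each match with a <TYPE> placeholder; return (clean_text, entity_types)."""
    found = []
    for label, pattern in PII_PATTERNS.items():
        text, count = pattern.subn(f"<{label}>", text)
        found += [label] * count
    return text, found

class PaymentGuard:
    """Hypothetical pre-transmission filter: redact, then policy check, then replay check."""

    def __init__(self, max_amount, budget):
        self.max_amount, self.budget = max_amount, budget
        self.spent = 0
        self.seen = set()

    def process(self, request):
        clean, entities = dict(request), []
        for field in FIELDS:
            clean[field], hits = redact(request.get(field, ""))
            entities += hits
        amount = request["amount"]
        if amount > self.max_amount or self.spent + amount > self.budget:
            return {"action": "block", "why": "policy", "entities": entities}
        # Fingerprint the redacted request so the replay cache never holds raw PII.
        key = hashlib.sha256(repr(sorted(clean.items())).encode()).hexdigest()
        if key in self.seen:
            return {"action": "block", "why": "replay", "entities": entities}
        self.seen.add(key)
        self.spent += amount
        return {"action": "forward", "request": clean, "entities": entities}
```

Redaction runs before the policy and replay checks, so a blocked request still reports which entity types were found without the raw values reaching any log or cache.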
