@@ -55,11 +55,13 @@ The operator configures:
5555- which facilitator to use (` facilitator_url ` )
5656- which tokens and chains are accepted (` accepted_tokens ` )
5757- conversion rates from wei-denominated job prices into token amounts (` rate_per_native_unit ` , plus optional ` markup_bps ` )
58+ - default x402 exposure policy (` default_invocation_mode ` )
59+ - per-job invocation and auth policies (` job_policies ` )
5860
5961<GithubFileReaderDisplay
6062 url = " https://github.com/tangle-network/blueprint/blob/main/crates/x402/src/config.rs"
6163 fromLine = { 14 }
62- toLine = { 96 }
64+ toLine = { 170 }
6365 title = " X402Config schema (includes example TOML)"
6466/>
6567
@@ -73,16 +75,58 @@ The x402 gateway needs a per-job price map in wei:
7375This is the same shape as the pricing engine job pricing config, and it is intentionally explicit. If a job is not in
7476the map, the gateway returns ` 404 ` for that job.
7577
78+ ## Invocation and Authorization Model
79+
80+ x402 job exposure is explicit and policy-driven per ` (service_id, job_index) ` .
81+
82+ Invocation modes:
83+
84+ - ` disabled ` : job cannot be invoked via x402
85+ - ` public_paid ` : payment-gated, otherwise public
86+ - ` restricted_paid ` : payment-gated plus caller authorization and on-chain parity checks
87+
88+ Restricted auth modes:
89+
90+ - ` payer_is_caller ` : settled payer is treated as caller
91+ - ` delegated_caller_signature ` : caller is asserted via signed headers
92+
93+ For restricted jobs, the gateway performs an on-chain parity check with:
94+
95+ - ` isPermittedCaller(service_id, caller) ` via ` eth_call `
96+
97+ Delegated mode headers:
98+
99+ - ` X-TANGLE-CALLER `
100+ - ` X-TANGLE-CALLER-SIG `
101+ - ` X-TANGLE-CALLER-NONCE `
102+ - ` X-TANGLE-CALLER-EXPIRY `
103+
104+ Delegated signed payload format:
105+
106+ ``` text
107+ x402-authorize:{service_id}:{job_index}:{keccak(body)_hex_no_0x}:{nonce}:{expiry_unix_secs}
108+ ```
109+
76110## HTTP Endpoints
77111
78112The gateway exposes:
79113
80114- ` GET /x402/health ` : returns ` ok ` .
115+ - ` GET /x402/stats ` : lightweight counters for accepted, denied, replay-denied, enqueue-failed, and dry-run outcomes.
81116- ` GET /x402/jobs/{service_id}/{job_index}/price ` : discovery endpoint that returns the wei price and settlement options
82- (no payment required).
117+ (no payment required). Returns ` 403 x402_disabled ` if job exists but is disabled for x402.
83118- ` POST /x402/jobs/{service_id}/{job_index} ` : paid job execution. The x402 middleware returns ` 402 ` with payment
84119 requirements if no valid payment is provided. After payment settles, the gateway returns ` 202 Accepted ` and injects a
85120 ` JobCall ` into the runner.
121+ - ` POST /x402/jobs/{service_id}/{job_index}/auth-dry-run ` : runs restricted auth + ` eth_call ` policy check without
122+ enqueueing work or settling payment.
123+
124+ ## Receipt and Replay Semantics
125+
126+ - ` 202 Accepted ` means the paid request was accepted and enqueued, not that the job has completed.
127+ - In delegated restricted mode, duplicate nonce reuse in the same caller/job scope is rejected in paid flow with
128+ ` 409 signature_replay ` .
129+ - ` auth-dry-run ` is non-mutating and does not consume delegated nonces.
86130
87131## Relationship to RFQ and the Pricing Engine
88132
@@ -98,3 +142,5 @@ At time of writing, enabling those fields requires constructing `PricingEngineSe
98142- Keep ` facilitator_url ` pinned to a trusted HTTPS endpoint.
99143- Keep conversion rates current. Stale ` rate_per_native_unit ` values create user-facing price surprises.
100144- Treat the HTTP body as untrusted input and validate it inside the job handler.
145+ - For restricted jobs, pin ` tangle_rpc_url ` and ` tangle_contract ` to stable production infrastructure.
146+ - Use ` auth-dry-run ` before enabling restricted jobs to verify caller policy parity and signature wiring.
0 commit comments