Browse an x402 bazaar, decode 402 Payment Required challenges, and pay-per-call paid APIs and MCP tools with USDC — without leaving your editor.
Install: code --install-extension threews.vscode-x402 · VS Code Marketplace · Open VSX (Cursor / VSCodium / Windsurf)
- Never leave your editor. Paste a URL, see exactly what a call costs, pay, and get the response + on-chain receipt inline — no browser, no Postman, no hand-rolled 402 handling.
- Safe by default. Your wallet key lives in the OS keychain (never a .env you'll commit), and a per-call spending cap means an agent loop can't drain you.
- Works on any x402 endpoint, zero setup. Inspect and pay any compliant URL with no account, no API key, and no bazaar host required. Provider-neutral by design.
- Both sides of the market. Discover paid APIs and MCP tools in the bazaar sidebar, and scaffold a working paid endpoint of your own in one command.
x402 is a payment protocol for developers and agents. A server answers a
request with 402 Payment Required and a machine-readable challenge; the caller
signs a USDC authorization and retries the same request with proof of payment;
the server does the work and returns a settlement receipt. No accounts, no API
keys, no subscriptions — just per-call settlement on-chain.
This extension brings that whole loop into VS Code, where the people wiring up and calling paid endpoints actually work. Paste a URL and see what it costs. Click Pay & call and get the response plus the on-chain receipt inline. Browse a marketplace of paid APIs and MCP tools in the sidebar. Scaffold your own paid endpoint in one command.
It has no dependency on any specific provider. Point it at any compliant x402 endpoint, or at any bazaar that serves the discovery API. Discovery is optional — inspecting and paying a single endpoint URL needs zero configuration.
- Inspect any endpoint — paste a URL and decode its 402 challenge: every accepted network, asset, payment scheme, price (converted to USD), and payTo address, with the one requirement your wallet can satisfy flagged. Read-only, no signing, no configuration.
- Pay & call — make a real paid request from a panel. The exact USD amount is shown and confirmed before any key touches the request; a per-call spending cap blocks anything above your limit. The response body and on-chain settlement receipt (transaction hash) render inline.
- Bazaar sidebar — set a discovery host and the x402 Bazaar view lists paid HTTP APIs and MCP tools. Filter by type, max price, and tag; full-text search; click any service to open its detail panel and pay.
- Secure wallet — your EVM private key lives only in VS Code SecretStorage (the OS keychain), never in settings.json and never on disk in plaintext. A status-bar item shows the derived address.
- Scaffold a paid endpoint — generate a self-contained, framework-agnostic Node handler that answers an unpaid request with a 402 challenge and runs your work only after payment verifies.
From the Marketplace — open the Extensions view (Ctrl/Cmd +
Shift + X), search for x402, and install
threews.vscode-x402. Or run from the Command Palette:
ext install threews.vscode-x402
From a .vsix — download a release .vsix (or build one with
npx @vscode/vsce package) and install it:
code --install-extension vscode-x402-0.1.0.vsix
Or in the editor: Extensions view → … menu → Install from VSIX….
After install, the x402 Bazaar icon appears in the activity bar.
Every command is available from the Command Palette (Ctrl/Cmd +
Shift + P), prefixed with x402:. Bazaar-scoped commands
also appear as icons on the sidebar title bar and in the service context menu.
| Command Title | Command ID | What it does |
|---|---|---|
| x402: Inspect Endpoint (decode 402 challenge) | x402.inspect | Prompts for a URL, does an unpaid request, and writes the decoded 402 challenge (networks, assets, prices in USD, payTo) to the x402 output channel. No wallet, no host, no signing. |
| x402: Pay & Call Endpoint | x402.pay | Prompts for a URL (or acts on the selected bazaar service) and opens the service detail panel where you set the method/body and pay. |
| x402: Open Service Details | x402.openService | Opens the detail webview for a bazaar service. Fired automatically when you click a service in the sidebar. |
| x402: Scaffold a Paid Endpoint | x402.scaffoldEndpoint | Generates api/x402/<slug>.js in the open workspace — a standalone Node handler that returns a 402 challenge and runs your work only after payment verifies. |
| x402: Set Wallet Key | x402.setWalletKey | Prompts for an EVM private key (0x + 64 hex), validates that it derives an address, and stores it in the OS keychain (SecretStorage). |
| x402: Clear Wallet Key | x402.clearWalletKey | Deletes the stored wallet key from SecretStorage. |
| x402: Set Bazaar Discovery Host | x402.setBazaarUrl | Prompts for the origin that serves the bazaar discovery API and saves it to x402.bazaarUrl. Leave blank to disable discovery. |
| x402: Refresh Bazaar | x402.refresh | Re-fetches the service list from the configured bazaar host. |
| x402: Search Bazaar | x402.search | Prompts for keywords and full-text searches the bazaar (empty query lists everything). |
| x402: Set Bazaar Filters | x402.setFilters | Sets the default bazaar filters — type (http / mcp), max price (USDC atomics), and tag — and refreshes. |
Configure these under Settings → Extensions → x402, or edit settings.json
directly. Every payment-related setting works whether or not a bazaar host is
configured.
| Setting | Type | Default | Description |
|---|---|---|---|
| x402.bazaarUrl | string | "" | Origin that hosts the bazaar discovery API (serves /api/bazaar/list and /api/bazaar/search). Optional — leave blank to disable discovery. Inspecting or paying a specific endpoint URL needs no host. |
| x402.maxPaymentUsd | number | 0.1 | Spending cap per request, in USD. Any payment above this is refused before signing (you're prompted to raise the cap for that call). |
| x402.confirmEachPayment | boolean | true | Show a modal confirmation with the exact USD amount before signing each payment. |
| x402.network | string | "eip155:8453" | Preferred CAIP-2 network when an endpoint accepts several. Default is Base mainnet. |
| x402.filters | object | { "type": "http" } | Default bazaar filters. Supported keys: type (http / mcp), network, maxPrice (USDC atomics), asset, extension, tag, sort. |
No bazaar, no wallet, no account — this is read-only.
- Run x402: Inspect Endpoint (decode 402 challenge) from the Command Palette.
- Paste the endpoint URL, e.g. https://your-api.example.com/x402/summarize.
- The x402 output channel opens and prints the decoded challenge — one line per accepted requirement showing network, scheme, USD price, and asset, with ← payable by this wallet flagging the one your configured network/asset can satisfy. If nothing is payable (e.g. a Solana-only service), it says so.
- Run x402: Set Wallet Key once and paste a funded EVM private key (0x + 64 hex). It is stored in the OS keychain — see Security. The status bar shows the derived address.
- Run x402: Pay & Call Endpoint, paste the URL (or click a service in the bazaar sidebar). The service detail panel opens.
- Choose the method (GET / POST) and, for POST or MCP calls, edit the JSON request body. Click Pay & call.
- The extension pre-checks the 402 to learn the real price, then shows a modal: "Pay $X from 0xabc…1234 to call …?" (controlled by x402.confirmEachPayment). If the price is above x402.maxPaymentUsd, you're asked to Raise cap & pay instead.
- On confirm, it signs a USDC EIP-3009 authorization, retries with the X-PAYMENT proof, and renders the response body plus the settlement receipt (status, amount paid, paying address, and transaction hash) in the panel.
- Run x402: Set Bazaar Discovery Host and enter an origin that serves /api/bazaar/list and /api/bazaar/search (this writes x402.bazaarUrl).
- The x402 Bazaar sidebar lists services — each row shows the price, type, and networks. Hover for a full Markdown tooltip.
- Use the title-bar icons: Search (full-text), Set Filters (type / max price / tag), and Refresh.
- Click any service to open its detail panel, then pay as in (b). The inline Pay action on a service row jumps straight there.
- Open a workspace folder.
- Run x402: Scaffold a Paid Endpoint.
- Enter a slug (e.g. summarize), a price per call in USD (e.g. 0.01), and a description shown in the 402 challenge.
- The extension writes api/x402/<slug>.js and opens it. It's a standalone Node handler: an unpaid request gets a 402 challenge; once an X-PAYMENT header verifies through your facilitator, run() executes.
- Set X402_RESOURCE_URL, X402_PAY_TO, and X402_FACILITATOR_VERIFY_URL (env), then replace the run() echo with your real service logic.
A full walkthrough of each flow lives in docs/usage.md.
The payment client is vendored and zero-dependency —
src/vendor/x402-fetch.js — so the extension pulls
in no payment SDK at runtime. It:
- Sends your request unpaid. If the server answers anything but 402, that response is returned as-is (free endpoints just work).
- Parses the 402 challenge and selects the requirement matching your preferred network (x402.network) and a USDC EIP-3009 asset your EVM key can sign.
- Signs a USDC-on-Base transferWithAuthorization (EIP-3009 / EIP-712) and retries the request with the X-PAYMENT header.
- The merchant settles on-chain and returns the work plus a settlement receipt, which the panel decodes from the x-payment-response header.
The secp256k1 / keccak256 / EIP-712 stack is pure JavaScript and depends only on
Web Crypto (crypto.subtle), present in Node ≥ 18 and modern browsers.
Solana-only services appear in the bazaar but are flagged as not payable by this
EVM signer.
- The private key lives only in VS Code SecretStorage (your OS keychain — Keychain on macOS, Credential Manager on Windows, libsecret on Linux). It is never written to settings.json, never logged, never persisted to disk in plaintext. Run x402: Clear Wallet Key to remove it.
- Spending cap. x402.maxPaymentUsd (default $0.10) is checked before signing; anything above it requires explicit consent for that call.
- Per-payment confirmation. With x402.confirmEachPayment on (default), a modal shows the exact amount and paying address before any signature.
- Use a dedicated, low-balance wallet funded only with what you intend to spend on calls. Treat it like petty cash, not a vault.
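
The requirement-selection step of the payment client and the spending-cap check in the security notes above, as an added example (not the extension's own code from src/vendor/x402-fetch.js). The challenge field names (accepts, scheme, network, asset, maxAmountRequired, payTo) and the "exact" scheme value are assumed from the public x402 challenge shape, the function names are hypothetical, and the sample challenge and addresses are constructed.

```javascript
// Added example, not the extension's code. Field names (accepts, scheme,
// network, asset, maxAmountRequired, payTo) are assumed; names are hypothetical.

// Convert a USD cap such as 0.1 to USDC atomic units (USDC has 6 decimals).
function capToAtomics(capUsd) {
  if (!Number.isFinite(capUsd) || capUsd < 0) throw new RangeError("invalid cap");
  return BigInt(Math.round(capUsd * 1e6));
}

// Pick the first requirement on the preferred network whose asset is an
// allow-listed USDC contract; malformed entries are skipped, not trusted.
function selectRequirement(challenge, network, usdcAssets) {
  const allowed = new Set(usdcAssets.map((a) => a.toLowerCase()));
  const accepts = Array.isArray(challenge?.accepts) ? challenge.accepts : [];
  const match = accepts.find((r) =>
    r && r.scheme === "exact" && r.network === network &&
    typeof r.asset === "string" && allowed.has(r.asset.toLowerCase()) &&
    /^0x[0-9a-fA-F]{40}$/.test(String(r.payTo)) &&
    /^[0-9]+$/.test(String(r.maxAmountRequired)));
  return match || null;
}

// Decide what happens before any key touches the request.
function preSignDecision(challenge, settings) {
  const req = selectRequirement(challenge, settings.network, settings.usdcAssets);
  if (!req) return { action: "refuse", reason: "no payable requirement" };
  const priceAtomics = BigInt(req.maxAmountRequired);
  const overCap = priceAtomics > capToAtomics(settings.maxPaymentUsd);
  return { action: overCap ? "ask-raise-cap" : "confirm", priceAtomics, payTo: req.payTo };
}

// Constructed sample challenge; both addresses are made-up placeholders.
const SAMPLE_USDC = "0x" + "aa".repeat(20);
const sampleChallenge = {
  accepts: [
    { scheme: "exact", network: "solana:constructed", asset: "constructed-mint",
      maxAmountRequired: "5000", payTo: "constructed-recipient" },
    { scheme: "exact", network: "eip155:8453", asset: SAMPLE_USDC,
      maxAmountRequired: "250000", payTo: "0x" + "11".repeat(20) },
  ],
};
const settings = { network: "eip155:8453", usdcAssets: [SAMPLE_USDC], maxPaymentUsd: 0.1 };
console.log(preSignDecision(sampleChallenge, settings).action);
```

The comparison runs on integer atomics, so a price of 100001 against a 0.10 cap is sent to the raise-cap path instead of being rounded to equal.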
- VS Code ^1.85.0 or newer.
- A funded EVM wallet (USDC on Base mainnet by default) to pay endpoints. Inspecting and browsing need no wallet.
- Node.js ≥ 18 to run a scaffolded endpoint (it relies on global fetch and Web Crypto). The extension itself bundles everything it needs.
- A bazaar discovery host only if you want the sidebar marketplace; inspect and pay work against any bare URL without one.
"No bazaar discovery host is set."
You opened the sidebar without configuring x402.bazaarUrl. That's expected —
the extension ships pointing nowhere. Run x402: Set Bazaar Discovery Host, or
skip it entirely and use Inspect / Pay & Call with a bare URL.
"This endpoint requires payment but offers no requirement this wallet can satisfy." The 402 challenge has no USDC EIP-3009 accept on an EVM network this signer supports (often a Solana-only service). The EVM signer can't pay it; use a wallet and network the endpoint accepts.
"Expected a 0x-prefixed 32-byte (64 hex char) EVM private key."
The key must be exactly 0x followed by 64 hexadecimal characters. Export it in
that raw hex form, not as a seed phrase or keystore JSON.
A call costs more than my cap.
x402.maxPaymentUsd blocked it. The extension prompts Raise cap & pay for
that single call, or raise the default in settings.
The payment went through but I got a 402 back.
The merchant didn't accept the settlement — usually a price or recipient
mismatch, or the facilitator rejected the proof. Re-inspect the endpoint to
confirm the current price and payTo, and that your wallet has enough USDC.
Where do I get a bazaar host / how do I publish a service to one?
Discovery is an open API contract (/api/bazaar/list, /api/bazaar/search).
Point x402.bazaarUrl at any host that implements it. To publish a paid
service, scaffold an endpoint (above) and register its resource URL with your
bazaar of choice.
Does this lock me into a provider? No. The extension speaks the open x402 protocol against any compliant endpoint or bazaar. The payment client is vendored, with no third-party SDK at runtime.
npm install
npm run build # bundle to dist/extension.js
npm run watch # rebuild on change
Press F5 in VS Code to launch an Extension Development Host with the
extension loaded. See CONTRIBUTING.md for the layout and how
to package a .vsix.
- @three-ws/x402-fetch — the standalone, zero-dependency fetch wrapper this extension vendors.
- x402 protocol — the open spec for HTTP 402-based pay-per-call.
Proprietary — Copyright (c) 2026 nirholas. All Rights Reserved. Unauthorized use, copying, modification, or distribution is prohibited. See LICENSE.