Give your agent a wallet.
The only setup step for using ApiToll or any x402 API. A wallet with a few dollars of USDC on Base. Three minutes, one time.
Two paths below: the dev path (create your own key, you custody it) and the managed path (Coinbase CDP custodies, your agent uses API credentials). Both are valid.
Path A
Self-custodied key.
Best for local development, a single agent you run, and situations where you are comfortable with a private key in a secret store.
-
Create a new wallet.
    // Node (requires: npm i viem)
    import { generatePrivateKey, privateKeyToAccount } from "viem/accounts";

    const key = generatePrivateKey();
    const acct = privateKeyToAccount(key);
    console.log("address:", acct.address);
    console.log("private key:", key); // write to your secret store, never commit

You now have an address like 0xC2f7…917f and a 32-byte private key. Store the key anywhere you'd store a database password: .env, Vault, AWS Secrets Manager, 1Password.
-
Fund it on Base mainnet.
Buy USDC on any major exchange (Coinbase, Kraken, Binance) and withdraw to your new address on the Base network. Do not use Ethereum mainnet. Bridging is painful. Coinbase supports Base withdrawals natively with a $0 fee if you have an account. A $5 top-up gets you 2,500 BIN lookups' worth of budget.
-
Point your agent at the key.
Set WALLET_KEY=0x… in your agent's environment. The x402 SDK reads it, signs EIP-3009 authorizations on your behalf, and never sends the key over the network.
-
Test with a cheap endpoint.
Call https://apitoll.io/v1/bin/431940 using @x402/axios (snippet here). You should see HTTP 200 with BIN data, a settlement receipt in the x-payment-response header, and your USDC balance drop by 0.002.
Path B
Coinbase CDP managed wallet.
Best for agents running in production, multiple agents with different budgets, teams that don't want to custody keys. Coinbase holds the key, you hold API credentials, your agent calls the x402 client through the CDP SDK.
-
Sign up at Coinbase Developer Platform.
Create a project at docs.cdp.coinbase.com, generate an API key and secret. No transaction. Account creation is free.
-
Create a wallet via the CDP SDK.
The SDK gives you a wallet address. You never touch the private key.
-
Fund the wallet.
Transfer USDC on Base from your Coinbase exchange account to the CDP-managed wallet. Internal transfer, near-instant.
-
Wrap your HTTP client with the CDP x402 client.
One import, one factory call. CDP handles signing transparently.
Either path gets you to the same outcome: your agent can pay x402 endpoints autonomously.
Development
Testnet.
For experiments, use Base Sepolia. Create a dev wallet the same way, then grab testnet USDC from Circle's testnet faucet (free, rate-limited). Point your x402 client at the Sepolia USDC contract address and network eip155:84532. ApiToll runs on Sepolia today. Every test call costs fake money; every lookup returns real data.
Security
Notes.
- Budget the wallet. Don't fund your agent with more than you're willing to see drained by a bug or a runaway loop. Treat it like a prepaid card.
- Set max-price caps. Every x402 SDK lets you reject 402 quotes above a threshold. Set it. Our BIN endpoint costs $0.002. Refuse anything above $0.01 and you're safe from a hostile quote.
- Rotate periodically. New wallet, transfer remaining balance, discard old key. No password reset, because there's no password.
- Don't commit keys. We shouldn't have to say this. Use a secret manager.
Why USDC on Base
The default rail.
Base is Coinbase's L2. EVM-compatible, sub-second settlement, fees under $0.001. USDC on Base is issued natively by Circle, not a bridged version. The x402 spec supports other assets and chains, but Base plus USDC is where the agent-commerce ecosystem actually lives today. If that changes, ApiToll will support the new networks. We quote whatever the facilitator supports, your wallet picks.
FAQ
Common concerns.
Can my agent be scammed into paying someone it shouldn't?
The 402 challenge tells your client the payTo address, asset, amount, and expiry. A well-configured client verifies all four before signing. Our SDKs have defaults that reject anything off-spec. See the agent primer for the exact checks.
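The four checks named above, together with the max-price cap from the security notes, can be written as one policy function that runs before anything is signed. This is an added example, not ApiToll's or the x402 SDK's code; the quote shape, the policy values other than the page's network id and prices, and the placeholder addresses are assumptions.

```javascript
// Added example. The quote shape { network, asset, payTo, amount, expiresAt } is a
// hypothetical normalized form, not the x402 wire format; map your SDK's fields onto it.
const POLICY = {
  network: "eip155:84532",                  // Base Sepolia, the network id given on this page
  asset: "0x" + "a".repeat(40),             // constructed placeholder for the USDC contract
  payTo: new Set(["0x" + "b".repeat(40)]),  // constructed placeholder: payees you expect
  maxAmount: 10_000n,                       // $0.01 in USDC atomic units (USDC has 6 decimals)
  maxValiditySeconds: 300,                  // assumed ceiling on how far ahead a quote may expire
};

const ADDRESS = /^0x[0-9a-fA-F]{40}$/;
// Lowercase a well-formed address so comparison ignores checksum casing; null otherwise.
const normAddr = (v) => (typeof v === "string" && ADDRESS.test(v) ? v.toLowerCase() : null);

// Returns { ok, problems }. Call it before the client signs anything.
function checkQuote(quote, nowSeconds, policy = POLICY) {
  const problems = [];
  if (quote.network !== policy.network) problems.push("network");
  if (normAddr(quote.asset) !== policy.asset) problems.push("asset");
  if (!policy.payTo.has(normAddr(quote.payTo))) problems.push("payTo");
  // Parse the amount as an integer string; BigInt avoids float rounding and "1e9"-style input.
  const digits = typeof quote.amount === "string" && /^[0-9]+$/.test(quote.amount);
  if (!digits || BigInt(quote.amount) > policy.maxAmount) problems.push("amount");
  // Reject quotes that are already expired or valid for implausibly long.
  const ttl = quote.expiresAt - nowSeconds;
  if (!Number.isInteger(quote.expiresAt) || ttl <= 0 || ttl > policy.maxValiditySeconds) {
    problems.push("expiry");
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample quotes (not captured traffic).
const NOW = 1_700_000_000;
const fairQuote = {
  network: "eip155:84532", asset: "0x" + "A".repeat(40), payTo: "0x" + "b".repeat(40),
  amount: "2000", expiresAt: NOW + 60,   // $0.002, the BIN endpoint price
};
const hostile = { ...fairQuote, payTo: "0x" + "c".repeat(40), amount: "5000000", expiresAt: NOW + 86_400 };

console.log(checkQuote(fairQuote, NOW)); // { ok: true, problems: [] }
console.log(checkQuote(hostile, NOW));   // { ok: false, problems: [ 'payTo', 'amount', 'expiry' ] }
```

The function returns every failed check rather than stopping at the first, which makes a rejected quote easier to log and alert on.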
What happens if the call fails after payment?
The facilitator only settles after the server confirms the request succeeded. If we return 500, we don't charge you. If we return the data and then the network flakes after, the tx still happens and the response is lost. Contact [email protected] with the tx hash and we'll issue a manual refund or credit.
Gas?
You never pay gas. EIP-3009 is a gasless authorization. The facilitator pays gas, the fee is baked into our $0.002 price.