The security layer your agent needs — x402 payment middleware
Project description
DoorNo.402
DoorNo.402 is security middleware for x402 payment requests. It intercepts every 402 response before your agent pays, validates it against known attack patterns, and blocks anything suspicious before a single transaction is signed.
The problem
x402 lets servers charge AI agents for resources over HTTP. The spec has no trust model. Any server can lie about the price, inject instructions into the description field to hijack the agent's LLM, redirect payment to an unknown wallet, or drain the wallet through rapid micro-payments. Without a security layer, your agent pays whatever it is told.
Install
pip install doorno402
npm install doorno402
Quickstart — Python
from doorno402 import protect, PaymentBlockedError
from x402.clients.httpx import x402HttpxClient
from eth_account import Account
account = Account.from_key(private_key)
client = protect(x402HttpxClient(account=account))
resp = await client.get("https://api.example.com/data")
# raises PaymentBlockedError if the 402 payload is malicious
Quickstart — TypeScript
import { protect, PaymentBlockedError } from "doorno402";
const safeFetch = protect(fetch);
const resp = await safeFetch("https://api.example.com/data");
// throws PaymentBlockedError if the 402 payload is malicious
What it catches
| # | Vulnerability | Attack | Status |
|---|---|---|---|
| 01 | Price Inflation | Server claims $0.01, charges $5 | Covered |
| 02 | Unknown Recipient | No ENS, zero trust score | Covered |
| 03 | Redirect Hijack | Payment redirected to attacker | Covered |
| 04 | Prompt Injection | LLM override in description | Covered |
| 05 | Budget Drain | Rapid micro-payments | Covered |
| 06 | TLS Downgrade | Payment over HTTP | Covered |
| 07 | Fake Delivery | Empty response after payment | Covered |
Configuration
protect() accepts three optional parameters:
daily_budget(float) — max USD per day, blocks when exceededmainnet_rpc_url(str) — Ethereum RPC for ENS trust lookupsraise_on_block(bool) — raisePaymentBlockedErrorvs return 403
How it works
DoorNo.402 registers an event hook on your HTTP client. When a server returns a 402 Payment Required response, the hook fires before the payment SDK processes it. The intercepted payload is run through a 7-stage validation pipeline: price inflation check, ENS trust scoring, redirect detection, prompt injection scan, budget enforcement, TLS verification, and delivery validation. If all stages pass, the response is forwarded to the payment SDK for execution. If any stage fails, the response status is mutated to 403 Forbidden and the payment is never signed. When raise_on_block is enabled, a PaymentBlockedError is raised instead.
KeeperHub integration
DoorNo.402 validates. KeeperHub executes. Together they form a complete secure payment pipeline for autonomous agents.
import { interceptAndForward } from "doorno402/mcp";
const safeClient = interceptAndForward(keeperHubClient, {
dailyBudget: 5.0,
});
await agent.run(safeClient);
When DoorNo.402 approves a payment, forward the validated details to KeeperHub's Direct Execution API for guaranteed on-chain execution with retry logic and audit trail.
Live demo
The repository includes 7 deployed Vercel servers — 6 malicious, 1 honest. Each server targets a different vulnerability from the table above. The CLI runs an autonomous research agent across all 7 servers and produces a results table showing what was blocked and how much was saved.
| Site | Vulnerability | URL |
|---|---|---|
| CryptoInsider | Price Inflation | cryptoinsider-nine.vercel.app |
| ChainPulse | Prompt Injection | chainpulse-chi.vercel.app |
| BlockBrief | Budget Drain | blockbrief-rho.vercel.app |
| NodeTimes | Unknown Recipient | nodetimes.vercel.app |
| Web3Daily | TLS Downgrade | web3daily-alpha.vercel.app |
| ComboAttack | All vulnerabilities | combo-dusky.vercel.app |
| ChainWatch | Honest server | chainwatch-tan.vercel.app |
Run the CLI:
cd demo/cli
pip install -r requirements.txt
python run.py
The CLI prompts for a research topic and runs the agent autonomously across all 7 servers.
Project structure
sdk/python/ Python SDK
sdk/ts/ TypeScript SDK
demo/cli/ Interactive CLI with research agent
demo/servers/ 6 malicious + 1 honest Express servers
demo/agent/ Standalone agent scripts
demo/landing/ Landing page source
skills/ Agent skill prompt for doorno402
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file doorno402-0.3.1.tar.gz.
File metadata
- Download URL: doorno402-0.3.1.tar.gz
- Upload date:
- Size: 14.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0a5a317bd1b184b5d7393bdbe5b5fd1e1ff74d679421990d96299f81f58f1297
|
|
| MD5 |
2ab0fe599394d3e5a191195dd54ff2c9
|
|
| BLAKE2b-256 |
493a0621775b4ddb4ca69e7393e9836239b7ec5750967240fb2946213a0f3944
|
File details
Details for the file doorno402-0.3.1-py3-none-any.whl.
File metadata
- Download URL: doorno402-0.3.1-py3-none-any.whl
- Upload date:
- Size: 14.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f6393a7bea56569bd940e77e8491fef14cd02f6b7968d3c83fe2dabc083cb0f7
|
|
| MD5 |
69e73b7c2736395736f4a56892e8ef3e
|
|
| BLAKE2b-256 |
1251a6665ced0a1facdde0b4708fb0706b7be54b7b71330eca7fbe00c2da8617
|
