# Who Authorized This? The Gray Area of x402

*Author: David Christopher*
*Published: Apr 24, 2026*
*Source: https://www.bankless.com/fr/read/who-au*

---

This week, Coinbase launched [agentic.market](http://agentic.market/), a storefront surfacing x402 endpoints to make the ecosystem's offerings more discoverable. 

Browse it and you'll find live, metered access to a wide range of services, from onchain tools to mainstream APIs. Some endpoints are offered directly by the original provider. Others come through third parties: companies wrapping existing APIs in x402 (and/or MPP) and packaging them as agent-ready toolkits, accessible through a single connection for a small fee.

That second arrangement complicates things. Among these third-party-originated endpoints featured on Agentic Market are services for Wolfram Alpha, Google Flights, and Amadeus, a widely-used travel data platform. I focus on these three because none of the platforms have themselves announced an x402 integration, and their terms of service make it unlikely they've authorized a third party to build one on their behalf.

Every endpoint featured on Agentic Market is either **first-party **(the original provider offering their own API directly), **third-party authorized** (a reseller with explicit permission, usually through a formal certification or partnership program), or **third-party unauthorized** (a company reselling API access it pays for without permission to do so). 

Across the marketplace and the entire x402 ecosystem overall, there's no way to immediately tell which is which, with many third-party wrappers seemingly falling into that last bucket.

> Introducing Agentic(dot)Market, the homepage of the agent economy.- Monitor agentic commerce trends- Discover services for your agent to buy- Sell your services to agentsThousands of services. Zero API keys. Powered by x402. [https://t.co/dgrNV73MAJ](https://t.co/dgrNV73MAJ) [pic.twitter.com/0QU9Bpb3kG](https://t.co/0QU9Bpb3kG)— nick.base.eth 🛡 (@Nick_Prince12) [April 20, 2026](https://twitter.com/Nick_Prince12/status/2046268042326290472?ref_src=twsrc%5Etfw)

### **What the Contracts Say**
As I mentioned, these three providers' terms make unauthorized third-party arrangements appear likely, and in some cases rule out authorized third parties entirely.

**Wolfram Alpha** [explicitly prohibits "resellers and aggregators,"](https://products.wolframalpha.com/api/termsofuse?utm_source=chatgpt.com) bans scraping or data mining by any means, and bars selling or sublicensing the service without permission. The terms don't appear to leave room for an authorized third-party path at all. And when looking at the endpoint's [Quick Start guide](https://agentic.market/?service=products-wolframalpha-com), it's clear this is not a first-party integration.

![](https://storage.ghost.io/c/e4/b7/e4b77544-5a37-4f0b-8824-8440aa348476/content/images/2026/04/data-src-image-0bec2cca-e1a0-437e-ae92-1c4ef77ac22a.png)*API Prohibitions in [Wolfram Alpha's Terms of Use](https://products.wolframalpha.com/api/termsofuse)*
**Amadeus**'s [Master Subscription Services Agreement](https://www.amadeus-hospitality.com/legal/mssa/eng/?utm_source=chatgpt.com) grants customers access strictly for internal business purposes and prohibits any attempt to "rent, lease, distribute, sell, resell, assign, or otherwise transfer" their access rights. Any third-party connection requires certification by Amadeus, documented in a formal Service Order, meaning that's the only route to third-party authorized status, and whether any current endpoint meets it isn't visible from the outside.

[![](https://storage.ghost.io/c/e4/b7/e4b77544-5a37-4f0b-8824-8440aa348476/content/images/2026/04/data-src-image-fccded75-21ec-4239-800d-56d52f6aaf66.png)](https://www.amadeus-hospitality.com/legal/mssa/eng)*Restrictions in [Amadeus's Master Subscription Services Agreement](https://www.amadeus-hospitality.com/legal/mssa/eng/)*
**Google** is the sharpest case. Google Flights has no public API, and Google protects its data aggressively. 

On Agentic Market, a [third-party wrapper](https://agentic.market/?chart=buyers-sellers&service=www-google-com) is packaging access to Google Flights data [sourced via SerpApi](https://stabletravel.dev/llms.txt) - [a company Google is *actively* suing](https://www.searchenginejournal.com/google-files-dmca-suit-targeting-serpapis-serp-scraping/563847/?utm_source=chatgpt.com) for scraping Search results and reselling access to them. Google's complaint alleges SerpApi built tools to bypass access controls, sends "hundreds of millions" of artificial requests per day to scrape, and resells copyrighted content embedded in Search.

So, Google is suing SerpApi for reselling copyrighted content and bypassing their access controls. At the same time, SerpApi is having its service wrapped by an agentic toolkit provider who’s providing it to agents and collecting fees for that provision. Food for thought.

[![](https://storage.ghost.io/c/e4/b7/e4b77544-5a37-4f0b-8824-8440aa348476/content/images/2026/04/data-src-image-8ec499d5-dc05-43cd-a1ff-89700bdb7cf2.png)](https://stabletravel.dev/llms.txt)*[Details for SerpApi access via StableTravel endpoint](https://stabletravel.dev/llms.txt)*

### **What Compliance Looks Like**
It doesn't take a legal expert to see these dynamics are "tricky." The good news is that a cleaner model already exists.

MPP, the agentic payments protocol Tempo launched alongside its mainnet, shipped with 100+ compatible services on day one. Providers that integrated MPP directly - Parallel, Stripe Climate, Browser Base, and others - are [marked with a green circle](https://mpp.dev/services) on their card, showcasing first-party status.

[![](https://storage.ghost.io/c/e4/b7/e4b77544-5a37-4f0b-8824-8440aa348476/content/images/2026/04/data-src-image-b6560096-0188-4165-b075-99cb6a023b74.png)](https://mpp.dev/services)[Two(ish) weeks ago](https://x.com/ExaAILabs/status/2041562072027427265?s=20), Exa, a popular AI research tool, announced native x402 support across its search and contents endpoints - going first-party, partnering with Coinbase, and citing x402's governance under the Linux Foundation as a reason for choosing it over a proprietary route.

> We're excited to partner with [@coinbase](https://twitter.com/coinbase?ref_src=twsrc%5Etfw) to enable agents to natively pay for web search, via x402!x402 is an open protocol that enables agents to pay via HTTP, governed by the Linux Foundation. When an Exa API request is made without an API key, Exa now returns a 402 status… [pic.twitter.com/lWvioY7TVG](https://t.co/lWvioY7TVG)— Exa (@ExaAILabs) [April 7, 2026](https://twitter.com/ExaAILabs/status/2041562072027427265?ref_src=twsrc%5Etfw)

### **The Inevitable Outcome**
Right now, whether a given endpoint is first-party, third-party authorized, or third-party unauthorized isn't visible from the outside. That's a solvable problem, and MPP's service directory - which makes the provenance of each integration legible - is a step in that direction.

Unauthorized scraping already strains providers in ways they can measure: server load, bandwidth costs, traffic they never agreed to serve. A third party wrapping that scraped data in x402 and collecting fees for it adds insult to injury. The provider bears the cost and sees none of the revenue.

If that's how this plays out at scale, it poisons the well for x402 broadly - turning potential native integrators into adversaries instead of participants. That revenue belongs to the providers. Native integration is how they claim it, and how x402 earns the legitimacy it needs to grow.
---

*This article is brought to you by [MetaMask](https://www.bankless.com/fr/sponsor/metamask-1776260643?ref=read/who-au)*