Agent payments
prxy.monster exposes a dedicated Machine Payments Protocol route for agents that can handle HTTP 402 Payment Required.
Managed MPP discovery, 402 challenges, paid retries, settlement, managed inference, and Payment-Receipt headers are live. ATXP MCP, native x402, and Tempo are separate blocked or planned rails until their readiness objects mark production_live.
Why MPP exists
Autonomous agents sometimes need to purchase one machine-readable resource without creating an account, choosing a subscription, or going through a human checkout. MPP gives that flow a predictable shape:
- Agent requests the resource.
- prxy.monster returns a
402payment challenge. - The agent wallet pays or asks its operator to approve.
- The agent retries with
Authorization: Payment .... - When payment settles, prxy.monster returns the result and a
Payment-Receiptheader.
For prxy.monster, the paid MPP resource is one optimized PRXY pipeline execution: MCP tool pruning, cache lookup, context compression/preservation, pattern injection, cost guarding, optional upstream model call, and an itemized receipt.
Billing model
MPP and API-key traffic are different products.
| Flow | Who has a prxy account? | Who has the provider key? | What pays prxy? | Does the price include upstream inference? |
|---|---|---|---|---|
| API-key BYOK | Human/team | Human/team | Subscription + metered overage | No. Provider bills you directly. |
| Managed MPP | Agent may have no account | prxy.monster managed route | HTTP 402 payment | Yes. Direct calls are $0.50; funded sessions provide an effective $0.05 per call. |
| Merchant MPP | Merchant/customer | Merchant/customer | Planned merchant endpoint | Planned. Not GA. |
Regular API-key routes such as /v1/messages and /v1/chat/completions are not MPP-payable. They require Authorization: Bearer <prxy_key>.
Discovery
Wallet-aware agents discover paid routes from either surface:
GET https://api.prxy.monster/.well-known/mpp
GET https://api.prxy.monster/openapi.jsonCurrent discovery advertises the dedicated agent route plus funded sessions:
{
"spec_version": "0.1",
"realm": "api.prxy.monster",
"payment_methods": [
{
"method": "stripe",
"wallet_provider": "stripe-link",
"currency": "usd",
"status": "production_live"
}
],
"routes": [
{
"path": "/v1/agent/messages",
"method": "POST",
"price_usd_per_call": 0.5,
"category": "llm-generation"
}
],
"capabilities": {
"idempotency": true,
"refunds": false,
"receipts": "header",
"content_digest": "rfc-9530 sha-256",
"ledger_public": true
}
}Use /v1/agent/quote for a machine-readable quote and /v1/agent/sessions to fund a short agent session at the published effective per-call price.
Agent route
POST https://api.prxy.monster/v1/agent/messagesThe request body uses the Anthropic-compatible Messages shape.
| Request | Current response |
|---|---|
No Authorization: Payment ... header | 402 payment-required with WWW-Authenticate: Payment ... |
Malformed or unverified Authorization: Payment ... header | 402 verification-failed with a fresh challenge |
| Valid settled payment | 200 with model output and Payment-Receipt |
402 challenge
request
curl -i https://api.prxy.monster/v1/agent/messages \
-H "Content-Type: application/json" \
-d '{
"model": "bedrock/us.amazon.nova-micro-v1:0",
"max_tokens": 256,
"messages": [{ "role": "user", "content": "Say hi" }]
}'request in the header is base64url JSON for the inner Stripe request object. The digest binds the challenge to the original request body.
Paid retry
When the wallet has a Shared Payment Token, retry with an MPP credential in Authorization: Payment:
curl -i https://api.prxy.monster/v1/agent/messages \
-H "Authorization: Payment <base64url-mpp-credential>" \
-H "Content-Type: application/json" \
-d '{ "...": "same request body as the challenge" }'If the credential is malformed, expired, already consumed, or rejected by the wallet/payment provider, the route fails closed:
{
"type": "https://paymentauth.org/problems/verification-failed",
"title": "Payment Verification Failed",
"status": 402,
"detail": "Payment verification failed. Retry with a fresh challenge and a valid Shared Payment Token."
}Receipts
Successful settled calls include:
Payment-Receipt: <base64url-json>Decoded shape:
{
"method": "stripe",
"reference": "ch_...",
"externalId": "optional",
"status": "success",
"timestamp": "2026-05-03T21:55:00.000Z"
}Successful managed-MPP calls emit the same canonical receipt schema as BYOK calls, plus settlement metadata. Refunds are not currently supported; the refund policy is planned for production MPP payments.
Error cases
| Status | Problem type | Meaning |
|---|---|---|
| 402 | payment-required | Missing Authorization: Payment header. |
| 402 | malformed-credential | Payment header does not parse. |
| 402 | invalid-challenge | Challenge is unknown, expired, or already consumed. |
| 402 | verification-failed | SPT verification or settlement failed. |
| 404 | not_found | MPP discovery disabled on that instance or route not mounted. |
Idempotency
Challenges are persisted with a five-minute TTL and intended to be single-use. Clients should retry the same request body against the same challenge id and let the gateway consume it exactly once.
Test mode
No public test credential is honored by the current /v1/agent/messages route. Use discovery and the 402 challenge response for integration work until a test settlement path is explicitly advertised.
Why a separate route?
MPP wallets and API-key clients use different auth shapes. Keeping /v1/agent/messages separate from /v1/messages prevents wallet retries from colliding with bearer-token auth and keeps production API-key traffic boring.