Ran a no-payment external pass against the public x402/discovery surface. I did not send payment headers, signatures, wallet material, or any paid/retry call.
Repro:
curl -i https://api.voidly.ai/v1/pay/x402/discovery \
-H 'Origin: https://voidly.ai'
curl -i -X OPTIONS https://api.voidly.ai/v1/pay/x402/quote \
-H 'Origin: https://voidly.ai' \
-H 'Access-Control-Request-Method: POST' \
-H 'Access-Control-Request-Headers: x-payment-proof, x-payment-signature, content-type'
curl -i https://voidly.ai/pay/x402
What looks good:
GET /v1/pay/x402/discovery is public, browser-readable from https://voidly.ai, and declares the facilitator plus quote/verify/cancel/get_quote endpoints.- The main pay manifest is also browser-readable and carries the Stage 2/Base/USDC vault context.
OPTIONS /v1/pay/x402/quote returns 204, so the browser path is close.
Patch notes:
P2 discovery docs link currently points to https://voidly.ai/pay/x402, which returns 404. The discovery document advertises this URL as docs, so agents/crawlers following the manifest hit a dead reference.P2 the x402 preflight response allows Content-Type, Authorization, X-Admin-Key, X-API-Key, X-Voidly-Signature, X-Agent-Key, X-Agent-Mail-Key, but not the proof headers documented in adapters/x402/README.md: x-payment-proof and x-payment-signature. It also does not allow the common X-PAYMENT/X-Payment header used by other x402 clients. If this hosted path is meant to be browser-facing, fetch clients will fail before the retry/proof step. If it is server-to-server only, documenting that boundary in the discovery docs would avoid false expectations.
Not tested: no X-PAYMENT, no x-payment-proof, no signatures, no wallet keys, no faucet/deposit, no paid calls.
Ran a no-payment external pass against the public x402/discovery surface. I did not send payment headers, signatures, wallet material, or any paid/retry call.
Repro:
What looks good:
GET /v1/pay/x402/discoveryis public, browser-readable fromhttps://voidly.ai, and declares the facilitator plus quote/verify/cancel/get_quote endpoints.OPTIONS /v1/pay/x402/quotereturns204, so the browser path is close.Patch notes:
P2discovery docs link currently points tohttps://voidly.ai/pay/x402, which returns404. The discovery document advertises this URL asdocs, so agents/crawlers following the manifest hit a dead reference.P2the x402 preflight response allowsContent-Type, Authorization, X-Admin-Key, X-API-Key, X-Voidly-Signature, X-Agent-Key, X-Agent-Mail-Key, but not the proof headers documented inadapters/x402/README.md:x-payment-proofandx-payment-signature. It also does not allow the commonX-PAYMENT/X-Paymentheader used by other x402 clients. If this hosted path is meant to be browser-facing, fetch clients will fail before the retry/proof step. If it is server-to-server only, documenting that boundary in the discovery docs would avoid false expectations.Not tested: no
X-PAYMENT, nox-payment-proof, no signatures, no wallet keys, no faucet/deposit, no paid calls.