The guarantees the client makes, exactly what it sends and stores, and what it does not protect against.
Methodology: Payfetch · Trust Score · Token Safety
This page states what Payfetch guarantees and, just as plainly, what it does not. Payfetch is open source and the code is the final word: the README's Security and Disclosure section is the canonical version of everything here. Source and full docs: github.com/forum-labs/payfetch.
Default caps: per-call $1.00, per-day $2.00, per-host per-day $1.00, lifetime off (the wallet balance already bounds lifetime spend on-chain). All are yours to lower.
Payfetch can consult two Forum Labs checks before it pays: the Trust Score (is this endpoint reliable?) and Token Safety (is this asset a serial-rug risk?). Both call our own paid APIs, which is self-dealing we disclose here rather than bury. The default guard budget is zero, so by default the client uses only those products' free tier; any paid guard usage is opt-in and produces a receipt like any other spend. The trust check is on by default in advisory mode; the safety check is off by default.
While the trust guard is on, it makes one call per paid fetch, and that call is the client's only
outbound egress to us. It sends the target endpoint with the query string stripped, plus
a random per-install id. The query is stripped because a target URL's query can carry your own secrets.
Server-side we store a hash of the input, never the raw target, and the install id is used for aggregate
counting only, never per-install profiling or resale. The install id is a random value generated on first
run; delete your state file and it regenerates. Turn the guard off with
guards.trust.enabled: false, and Payfetch makes no external call at all: no guard result, no
network request, nothing dialed. That is the complete off switch.
A receipt records the URL, method, and host; the outcome and any deny code; the pipeline steps traversed; the selected quote and a tally of rejected quotes; guard results; approval info; the payment (payer address, nonce, validity window, settled amount, transaction reference, and whether it confirmed); the budgets at decision time; and an HTTP summary. Key material, signatures, full payment payloads, response bodies, and request header values are never stored; a response body is recorded as a SHA-256 hash plus a byte count. Query strings are stored in the receipt, because it is your own audit trail on your own disk; guard calls, by contrast, strip the query. Nothing is rewritten; corrections append new records.
Reporting is off by default and changes nothing unless you turn it on. When you report an outcome,
currently per-incident with the operator CLI (payfetch report <receiptId>, never an MCP
tool, so the agent can neither file nor suppress a report), the client reports the outcome of a completed
payment attempt (paid and delivered, or paid and not delivered), signed by your payment wallet and tied to
the on-chain settlement. This is a fact about the seller's conduct that you are reporting. It is never a
record of what you looked at, and lookups (guard checks, quotes, dry runs) are never retained per
consumer.
A report sends exactly these fields and nothing else:
| A report sends | A report never carries |
|---|---|
the endpoint {method, url} with the query stripped; the outcome, derived
from the receipt and never agent-supplied; structural checks
(settlementConfirmed, a coarse HTTP status class, contentTypeOk,
nonEmpty); the termsHash you paid under; the seller's payTo
address, already on-chain; a coarse amountBand; the UTC day; and your payment wallet
address plus an EIP-712 signature over the payload. |
the query string; request headers or bodies; the response body; the receiptId; the exact amount; the exact timestamp. The guard install id never rides the report path, so the report wallet and the guard install id are never joined. |
A settled x402 payment is already public: payer, payee, amount, and time are on the chain. What a report
adds is the outcome bit. Today the trust API verifies the signature
(recover(sig) === payer), so a stranger cannot report on your behalf, but it does not yet
prove the settlement, so reports are shown as unverified until they are settlement-matched in a later
version. On very-low-traffic endpoints a seller may be able to infer that a report came from you, since
the anonymity set is small; we mitigate with day granularity and bucketed publication, and we state the
residual here rather than hide it. We will not monetize, publish, or attempt to deanonymize reporter
wallets.
exact scheme.
Solana-settled x402, the upto scheme, and MPP are parsed and then refused with a reason
recorded in your receipts. Requires Node 22 or newer; Windows is not supported. USD is treated as USDC
at 1.00, so a depeg makes the caps wrong by the depeg factor.
Forum Labs · Payfetch ·
Trust Score · Token Safety ·
Methodology ·
GitHub ·
ops@forum-labs.com ·
@shopforumlabs
© 2026 Forum Labs. Non-custodial software. You control the wallet and the spending policy. Not financial advice.