Correct edge cache headers (compliant)

Compliant · GET /api/x402/edge-correct-headers · Edge / CDN Controls

The 402 challenge is no-store; the paid 200 is private, no-store with Vary: PAYMENT-SIGNATURE — and it still does a real verify and settle.

Explanation

The compliant baseline for the edge tier. The 402 challenge is sent with Cache-Control: no-store so a shared cache (Cloudflare, Fastly, CloudFront, nginx, an API gateway) never stores and replays a stale nonce, quote, or price, and the paid 200 is sent with Cache-Control: private, no-store plus Vary: PAYMENT-SIGNATURE so it is never shared-cacheable and its cache key includes the payment header. It still performs a real verify and settle. Every edge quirk in this category is compared against these headers.

What to watch

curl -i: the 402 carries Cache-Control: no-store; the paid 200 is private and Vary.

Facilitator

Settled against the live Radius testnet facilitator (https://facilitator.testnet.radiustech.xyz). A valid payment runs a real /verify and /settle on-chain.

Metadata

Back to catalog