
How AI traffic monetization works - AWS WAF, AWS Firewall Manager, AWS Shield Advanced, and AWS Shield network security director


How AI traffic monetization works

AI traffic monetization uses the x402 open protocol for machine-to-machine payments. The following describes the request lifecycle for a monetized resource:

  1. Request – A client (typically an AI agent) sends a request to an AWS WAF-protected resource on your CloudFront distribution.

  2. Rule evaluation – AWS WAF evaluates the request against your rules in priority order. If a rule with a Monetize action matches and the request does not include a valid payment authorization, AWS WAF returns an HTTP 402 Payment Required response. For more details, see Rule actions.

  3. Payment Required Challenge – AWS WAF returns an HTTP 402 response (the "Payment Required Challenge"). The response includes payment instructions containing:

    1. Content price (per request) in USDC

    2. Accepted payment networks (Base, Solana)

    3. Publisher wallet address (payTo)

    4. Maximum timeout

    5. Payment scheme

  4. Payment authorization – The client signs a payment authorization using their wallet's private key or a server wallet API. The client resubmits the original request with a payment-signature header containing the signed authorization.

  5. Verification – AWS WAF verifies the payment credentials, confirming transfer of sufficient funds and valid authorization. This occurs synchronously in the request path. If the verification fails, the client is served a 402 and the content is not served.

  6. Content fetch – On successful verification, the request for content is allowed.

  7. Settlement – If content fetch is successful (2xx status code), the payment is settled on the blockchain via Coinbase Developer Platform's x402 facilitator service. Settlement occurs synchronously – content is served after confirmed payment. If the payment settlement fails, the client is served a 402 and the content is not served.

  8. Response – The content is served to the client with a payment-response header containing settlement confirmation details.

Key behaviors:

  • No payment for failed origins – If the origin returns 4xx or 5xx, settlement is skipped and the client is not charged.

  • Idempotency – The x402 protocol supports a payment-identifier extension that allows clients to retry requests without double-payment for up to 15 minutes, as long as the extension is used by the client.

  • Replay protection – Payment authorizations are single-use. Reusing a payment header without a valid payment-identifier results in a new 402 response.

For more details about the x402 open payment protocol, see x402 documentation.
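
The lifecycle and key behaviors above, modeled as an added Python example (not AWS code, and not how AWS WAF is implemented). The MonetizeGate class, its verify, origin and settle callbacks, and passing the payment-identifier as a plain argument are assumptions for illustration; signature verification and on-chain settlement are stood in for by those callbacks.

```python
import time

RETRY_WINDOW_S = 15 * 60  # idempotent-retry window stated on the page


class MonetizeGate:
    """Toy model of the request lifecycle; not AWS WAF's implementation."""

    def __init__(self, verify, origin, settle, clock=time.time):
        # Assumed callbacks: verify(auth) -> bool, origin() -> (status, body),
        # settle(auth) -> receipt string, or None when settlement fails.
        self.verify, self.origin, self.settle = verify, origin, settle
        self.clock = clock
        self.settled = {}  # auth -> (payment_id, settled_at, receipt)

    def handle(self, auth=None, payment_id=None):
        """Return (status, response_headers, body) for one request."""
        now = self.clock()
        if auth is None:
            return 402, {}, None  # step 3: Payment Required Challenge
        prior = self.settled.get(auth)
        if prior is not None:
            # Authorizations are single-use: a reused one is served again only
            # as a retry carrying the same payment id inside the window.
            pid, when, receipt = prior
            if payment_id is None or payment_id != pid or now - when > RETRY_WINDOW_S:
                return 402, {}, None
            status, body = self.origin()
            return status, {"payment-response": receipt}, body  # no second charge
        if not self.verify(auth):
            return 402, {}, None  # step 5: verification failed
        status, body = self.origin()  # step 6: content fetch
        if not 200 <= status < 300:
            # Failed origin: settlement skipped (assumption: auth stays usable).
            return status, {}, body
        receipt = self.settle(auth)  # step 7: settle before serving
        if receipt is None:
            return 402, {}, None  # settlement failed, content withheld
        self.settled[auth] = (payment_id, now, receipt)
        return status, {"payment-response": receipt}, body  # step 8


if __name__ == "__main__":
    # Constructed stand-ins for signature verification, origin and facilitator.
    gate = MonetizeGate(lambda a: a == "signed-ok", lambda: (200, "article"),
                        lambda a: "settlement-1")
    print(gate.handle())                                 # 402 challenge
    print(gate.handle("signed-ok", payment_id="req-1"))  # 200 with receipt
    print(gate.handle("signed-ok"))                      # replay -> 402
```

Injecting the clock makes the 15-minute window testable without waiting; the settled map is what a monitoring rule would mirror to spot repeated 402s from reused authorizations.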

Supported resource types

AI traffic monetization protects resources on Amazon CloudFront distributions. You can monetize any path or content zone served through CloudFront, including:

  • Web pages and articles

  • API endpoints

  • Data feeds

  • Media assets

  • Structured datasets