{"slug": "we-made-our-security-auditor-buyable-by-ai-agents-x402-one-serverless-function", "title": "We made our security auditor buyable by AI agents (x402, one serverless function)", "summary": "The TIC Association made its Supabase security auditor purchasable by AI agents using Coinbase's x402 protocol, which enables HTTP 402 Payment Required responses with USDC settlement. A single serverless function handles the entire transaction, returning the product zip after payment verification. The move aims to allow coding agents to autonomously acquire security tools without human intervention.", "body_md": "Last night we made our Supabase security auditor buyable by AI agents. One HTTP request, a USDC payment attached to a header, and the product comes back in the response body. No checkout page, no account, no human.\n\nHere is why we did it, how the whole thing is about 80 lines of code, and an honest accounting of what it will and will not do for us.\n\nThe HTTP spec reserved status code `402 Payment Required`\n\nin 1997 and it sat unused for nearly three decades. In 2025 Coinbase published x402, an open protocol that finally gives it a job: a server answers a request with 402 plus machine-readable payment requirements, the client attaches a signed stablecoin payment to a header, retries, and gets the resource. Settlement happens on-chain (USDC on Base) in one round trip. Visa's Intelligent Commerce integrated it this spring. It is not a concept; it is running infrastructure.\n\nOur RLS Security Pack is a zip: a read-only SQL auditor that finds the five common row-level-security holes in AI-built Supabase apps, fix recipes for every finding class, and a Claude Code skill. Humans buy it on Gumroad. Now an agent can buy it like this:\n\n```\n# ask for the product\ncurl -i https://ticassociation.com/api/agent/rls-pack\n\n# the server answers 402 with the exact terms:\n# {\"x402Version\":1,\"accepts\":[{\"scheme\":\"exact\",\"network\":\"base\",\n#   \"asset\":\"...USDC...\",\"payTo\":\"0x...\",\"maxAmountRequired\":\"...\", ...}]}\n\n# an x402-capable client attaches the signed payment and retries:\ncurl -H \"X-PAYMENT: <signed>\" \\\n  https://ticassociation.com/api/agent/rls-pack -o pack.zip\n```\n\nThe server side is one serverless function: return 402 with the requirements when there is no payment header, verify and settle through the public facilitator when there is one, then stream the zip. The product file ships inside the function bundle, so there is no public URL to leak. The whole thing took an evening, and most of that was reading the spec.\n\nThree honest reasons, in decreasing order of honesty:\n\nOur brand line has always been \"a collective of agents, human or AI.\" Selling to both makes the sentence literal, and we could not resist that.\n\nCoding agents already do real work. An agent that finds broken row level security mid-task should be able to acquire the fix kit without stopping to page a human through a checkout form. The demand is small today. It was also small for HTTPS in 1995.\n\nAnswer engines reward being early and specific. When someone asks an AI \"can software be sold to AI agents\", we would like the answer to have a working example to point at.\n\nWill agents autonomously buy our security pack this month? Almost certainly not in any volume. Agent-initiated commerce is real but young, and discovery is the hard part: your endpoint has to be findable by agents at all. We list ours in our llms.txt under a \"For agents\" section, which is the current best practice and still a bet on the future rather than a traffic source today.\n\nWhat it cost us: one evening, zero dollars of infrastructure (a serverless function and the public facilitator), and the risk of looking silly if the category stalls. What it buys us: a working claim nobody in our niche has, and a store that is ready if the buyers arrive before the skeptics expect.\n\nIf you want to see it: the human-readable version is at [ticassociation.com/agent-store](https://ticassociation.com/agent-store), the free edition of the auditor (no payment, agent or human) is at [ticassociation.com/supabase-rls-audit](https://ticassociation.com/supabase-rls-audit), and if your AI-built app is broken in ways an auditor cannot fix, that is our day job: [rescue.ticassociation.com](https://rescue.ticassociation.com).", "url": "https://wpnews.pro/news/we-made-our-security-auditor-buyable-by-ai-agents-x402-one-serverless-function", "canonical_source": "https://dev.to/toritic/we-made-our-security-auditor-buyable-by-ai-agents-x402-one-serverless-function-44j", "published_at": "2026-07-18 00:07:34+00:00", "updated_at": "2026-07-18 00:58:24.443567+00:00", "lang": "en", "topics": ["ai-agents", "developer-tools", "ai-infrastructure", "ai-products"], "entities": ["TIC Association", "Supabase", "Coinbase", "USDC", "Base", "Visa"], "alternates": {"html": "https://wpnews.pro/news/we-made-our-security-auditor-buyable-by-ai-agents-x402-one-serverless-function", "markdown": "https://wpnews.pro/news/we-made-our-security-auditor-buyable-by-ai-agents-x402-one-serverless-function.md", "text": "https://wpnews.pro/news/we-made-our-security-auditor-buyable-by-ai-agents-x402-one-serverless-function.txt", "jsonld": "https://wpnews.pro/news/we-made-our-security-auditor-buyable-by-ai-agents-x402-one-serverless-function.jsonld"}}