We made our security auditor buyable by AI agents (x402, one serverless function) The TIC Association made its Supabase security auditor purchasable by AI agents using Coinbase's x402 protocol, which enables HTTP 402 Payment Required responses with USDC settlement. A single serverless function handles the entire transaction, returning the product zip after payment verification. The move aims to allow coding agents to autonomously acquire security tools without human intervention. Last night we made our Supabase security auditor buyable by AI agents. One HTTP request, a USDC payment attached to a header, and the product comes back in the response body. No checkout page, no account, no human. Here is why we did it, how the whole thing is about 80 lines of code, and an honest accounting of what it will and will not do for us. The HTTP spec reserved status code 402 Payment Required in 1997 and it sat unused for nearly three decades. In 2025 Coinbase published x402, an open protocol that finally gives it a job: a server answers a request with 402 plus machine-readable payment requirements, the client attaches a signed stablecoin payment to a header, retries, and gets the resource. Settlement happens on-chain USDC on Base in one round trip. Visa's Intelligent Commerce integrated it this spring. It is not a concept; it is running infrastructure. Our RLS Security Pack is a zip: a read-only SQL auditor that finds the five common row-level-security holes in AI-built Supabase apps, fix recipes for every finding class, and a Claude Code skill. Humans buy it on Gumroad. Now an agent can buy it like this: ask for the product curl -i https://ticassociation.com/api/agent/rls-pack the server answers 402 with the exact terms: {"x402Version":1,"accepts": {"scheme":"exact","network":"base", "asset":"...USDC...","payTo":"0x...","maxAmountRequired":"...", ...} } an x402-capable client attaches the signed payment and retries: curl -H "X-PAYMENT: