Charge AI agents for your API.
Without handing your paywall to anyone.
One small service in front of — or beside — your existing API or MCP server. One pricing rule. Agents pay per call over the open x402 standard, settling straight to your wallet — stablecoins out of the box, any rail you choose. Receipts on your disk, no code changes, no merchant of record.
$ docker compose up -d k-squire # rules.yaml upstream: http://localhost:8080 routes: - match: { method: GET, path: /api/report } price: $0.02 - match: { mcp_tool: summarize } price: $0.005 $ curl -i localhost:3402/api/report HTTP/1.1 402 Payment Required { "accepts": [ { "scheme": "exact", "network": "base", "amount": "20000", "payTo": "0xYourWallet…", "resource": "GET /api/report" } ] } # agent pays → retries → 200 + receipt logged
Illustrative — field names track the x402 spec; assets and networks depend on your facilitator.
Zero code changes
Run it inline as a reverse proxy, or in forward-auth mode beside the Caddy/Traefik/nginx you already trust. Your app never knows payments exist.
MCP-native
MCP speaks JSON-RPC to a single endpoint — the tool name lives in the request body, where path-based paywalls can't see it. K‑Squire prices individual tool calls and pipes SSE streams through untouched.
Sovereign by default
Self-hosted, facilitator-agnostic (Coinbase, thirdweb, or your own), peer-to-peer settlement straight to your wallet. No middleman in your money path.
Two ways to deploy
Inline proxy
for MCP servers & metered pricingdocker compose up. K‑Squire fronts your service,
reads pricing rules, and passes everything unpaid straight through.
The only mode that can price MCP tools — and, later, meter responses
per token or per byte.
$ docker compose up # rules.yaml routes: - match: { mcp_tool: summarize } price: $0.005
Forward-auth
for your existing proxyKeep Caddy, Traefik, or nginx exactly where it is. It asks K‑Squire to authorize each request; K‑Squire answers pass or 402-with-terms. Decision path, not data path — three lines of config:
example.com {
forward_auth k-squire:3402 {
uri /authz
copy_headers X-Payment-Response
}
reverse_proxy backend:8080
}
Caddyfile shown; Traefik ForwardAuth works the same way. Path/method pricing in this mode — MCP tool pricing needs inline.
Agents hit your endpoint, get an HTTP 402 quote, pay, and retry — automatically. You get the revenue and an auditable receipt log.
Who it's for
API operators
Want agent revenue without a platform standing between you and your money.
MCP server authors
Monetize tools in minutes. Price per individual tool call.
Sovereignty-minded teams
Can't or won't route traffic through a third-party edge — compliance, data-sovereignty, crypto-native, or self-hosters on principle.
How it compares
Compared to Cloudflare's Monetization Gateway and per-route x402 SDKs:
| Cloudflare Gateway | x402 SDKs | K‑Squire | |
|---|---|---|---|
| Code changes | none | required | none |
| Self-hostable | no | yes | yes |
| MCP tool-level pricing | no | no | yes |
| Works beside your existing proxy | no | n/a | yes (forward-auth) |
| Metered pricing (per-token/byte) | no | no | roadmap (inline mode) |
| Merchant of record | Cloudflare | you | you |
| Facilitator choice | theirs | any | any |
FAQ
Why not just use Cloudflare's Monetization Gateway?
If you're happy behind Cloudflare with Cloudflare as merchant of record, use it — it's good. K‑Squire is for everyone else: self-hosted infra, MCP servers, compliance constraints, or principle.
Why not just use an x402 SDK?
SDKs mean touching your codebase per route and per app. K‑Squire is one proxy for all of them, with receipts, webhooks, and a dashboard included.
So your beta project becomes my single point of failure?
No — that's what forward-auth mode is for: your battle-tested proxy
keeps handling bytes and TLS while K‑Squire only answers
paid/not-paid. Running inline instead? There's a fail_open
flag — if the payment layer is unreachable, traffic passes free and gets
logged. Your call, per route.
What does this add to latency?
On free routes: effectively nothing — requests pass straight through (deploy as a sidecar and it's microseconds, not a network hop). On paid requests, the real cost is the facilitator verification round-trip — and that's inherent to x402 in every architecture, SDK or proxy alike. We just refuse to add more on top.
What about streaming?
SSE passes through untouched — MCP requires it, so it was never optional. v1 is HTTP/1.1 + SSE; WebSockets and gRPC aren't supported yet, and we'd rather say so here than surprise you in prod.
How does a 402 work mid-MCP-session?
Both channels: the HTTP-level 402 for transports that surface it, and an in-band JSON-RPC error carrying the same payment terms for clients that don't. x402-aware clients use whichever they understand.
Do I have to touch crypto?
You set prices in dollars. Buyers pay in stablecoins today — that's what agent wallets hold — or any rail your facilitator supports; it lands in a wallet you control. Off-ramping is your choice; we'll document the easy paths.
Is this custodial?
No. Settlement is peer-to-peer to your wallet. K‑Squire never holds funds.
What chains?
Whatever your facilitator supports — Base and Solana out of the box via existing facilitators. Exotic rails, including fully sovereign proof-of-work settlement on Kaspa, are available for those who want zero intermediaries.
Get early access
Self-hosted or hosted — tell us what you'd paywall and we'll bring you in. Design partners get free setup help.
Self-hosted is free and open source. Hosted starts around $29/mo when the beta opens — design partners get it free.