Lazaretto · blog

Pay-per-call verification: how an agent scans a package without an account

2026-07-14

Traditional security tools assume a human with a dashboard and a subscription. An autonomous agent has neither. It needs to verify one artifact, right now, and pay for exactly that.

The x402 flow

A request to the scan endpoint without payment returns HTTP 402 with the price and payment requirements. The agent pays in USDC on Base and retries; the scan runs and settles only on a successful result. No account, no stored card, no key.

curl -s -X POST https://lazaretto.dev/v1/scan \
  -H 'content-type: application/json' \
  -d '{"target":{"type":"github_repo","ref":"owner/repo"},"depth":"full"}'
# 402 + requirements -> pay -> retry -> report

Free where it should be

A known-bad hash lookup is free and needs no payment — it is the fast, cheap first check. The paid full scan adds deterministic behavioral analysis with evidence. High-volume callers can hold prepaid credits so one settlement covers many scans.

The machine contract is at /openapi.json; the payment option is advertised on the agent card.


Lazaretto is the pre-install checkpoint agents call themselves. Try it · pricing.