
Why HTTP 402 Payment Required is the future of anti-spam

HTTP 402 was included in the HTTP/1.1 specification in 1997 with the note "reserved for future use." Nearly 30 years later, the agentic internet is the future it was reserved for.

The history of HTTP 402

The HTTP status code 402 Payment Required was defined alongside 401 Unauthorized in RFC 2616. While 401 found immediate use for authentication, 402 was left unimplemented — there was no practical micropayment infrastructure to support it.

Several attempts were made:

  • W3C Micropayments (1999): Too complex, no adoption
  • PayPal micropayments (2000s): Account-based, not bearer
  • Bitcoin (2009): Transaction fees too high for micropayments
  • Lightning Network (2018): Viable but requires channels and invoices

What was missing: a bearer cash system that works natively with HTTP. Pay-per-request with no accounts, no channels, no invoices. Just attach a token and send.

Webcash completes HTTP 402

Webcash is bearer e-cash generated through Proof of Work or purchased with Bitcoin. A Webcash token is a string:

e0.01000000:secret:a1b2c3d4e5f6...

This token can be attached to any HTTP request:

POST /api/endpoint
X-Webcash: e0.01000000:secret:a1b2c3d4e5f6...

The server validates the token (single-use, cryptographically verified), consumes it, and processes the request. If no token is present, the server returns:

HTTP/1.1 402 Payment Required
X-Payment-Amount: 0.01
X-Payment-Currency: webcash

This is HTTP 402 as originally envisioned: a standard, machine-readable payment gate.

Why 402 beats every other anti-spam approach

vs. CAPTCHAs

CAPTCHAs assume that humans and bots have different capabilities. AI agents have erased this difference. Vision models solve image CAPTCHAs. Audio models solve audio CAPTCHAs. Behavioral analysis models mimic human mouse movements. CAPTCHAs now primarily serve as friction for legitimate users.

HTTP 402 does not care whether the requester is human or bot. It cares whether they paid.

vs. Rate limiting

Rate limiting assumes that attackers make more requests than legitimate users. In the agentic internet, legitimate agents also make high volumes of requests. Rate limiting cannot distinguish "agent processing 10,000 orders" from "agent sending 10,000 spam messages."

HTTP 402 scales naturally: more requests = more payment. Legitimate high-volume users pay more but are never blocked.

vs. Account-based access

Account systems assume that creating an identity has meaningful friction. For AI agents, creating an account is an API call. Email verification takes seconds. Phone verification costs cents.

HTTP 402 requires no accounts. The payment itself is the credential.

vs. IP-based blocking

IP reputation assumes that attackers use identifiable infrastructure. Cloud functions, residential proxies, and distributed compute make IP reputation meaningless.

HTTP 402 is IP-independent. The token is validated regardless of source.

The economics

The key insight: spam is a business. It exists because the cost of sending is near zero and the revenue per message is small but positive. If you increase the cost of sending above the revenue per message, spam stops.

Scenario            Cost per message   Messages per day   Daily cost
Legitimate agent    0.001w             1,000              1w (~$0.01)
Moderate spammer    0.001w             100,000            100w (~$1.00)
Heavy spammer       0.001w             10,000,000         10,000w (~$100)
Spam army           0.001w             1,000,000,000      1,000,000w (~$10,000)

(Amounts in w = webcash; dollar figures are approximate.)

The cost is negligible for legitimate use and prohibitive at spam scale. This is the fundamental property that makes economic anti-spam work.

Adoption path

HTTP 402 does not require coordination or standards bodies. Any server can implement it today:

  1. Add a payment validation middleware
  2. Return 402 when payment is missing
  3. Accept Webcash or Bitcoin bearer tokens
  4. Process the request when payment is valid
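The four steps above as a minimal paywall middleware, written in Python as an added illustration rather than code from the Harmoniis SDK. The token format and the 402 response headers are the ones shown earlier in the article; the price, the known-good token set and the in-memory spent set are constructed stand-ins for the real Webcash verification and settlement.

```python
import hashlib
import re
from decimal import Decimal

# Token format from the article: e<amount>:secret:<hex>; the amount
# carries eight decimal places, e.g. e0.01000000.
TOKEN_RE = re.compile(r"^e(\d+\.\d{8}):secret:([0-9a-f]+)$")
PRICE = Decimal("0.01")  # price per request in webcash (constructed value)

# Constructed stand-ins: a real deployment asks the Webcash server whether
# the token is genuine and unspent, and consumes it there atomically.
KNOWN_GOOD = {"e0.01000000:secret:a1b2c3d4e5f6"}
spent = set()  # digests of consumed tokens (shared storage in production)


def fingerprint(token):
    # Keep only a digest so logs and state never hold the bearer secret.
    return hashlib.sha256(token.encode()).hexdigest()


def payment_required(reason=b""):
    # The 402 response from the article as a (status, headers, body) tuple.
    headers = {"X-Payment-Amount": str(PRICE), "X-Payment-Currency": "webcash"}
    return 402, headers, reason


def paywall(handler, headers):
    """Run handler() only after a valid, sufficient, unspent token is consumed."""
    token = headers.get("X-Webcash")
    if token is None:
        return payment_required(b"no token")
    m = TOKEN_RE.match(token)
    if m is None:
        return 400, {}, b"malformed token"
    if Decimal(m.group(1)) < PRICE:
        return payment_required(b"insufficient amount")
    if token not in KNOWN_GOOD:  # placeholder for cryptographic verification
        return payment_required(b"invalid token")
    fp = fingerprint(token)
    if fp in spent:
        return payment_required(b"token already spent")
    spent.add(fp)  # mark spent BEFORE doing the work so a retry cannot reuse it
    return 200, {}, handler()


def demo():
    # Constructed walk-through: missing token, first use, replay of the same token.
    good = {"X-Webcash": "e0.01000000:secret:a1b2c3d4e5f6"}
    return [paywall(lambda: b"ok", h)[0] for h in ({}, good, good)]  # [402, 200, 402]
```

The ordering is the point to check in any real middleware: if the handler runs before the token is recorded as spent, a retried or duplicated request gets the work done twice for one payment.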

The Harmoniis SDK provides this middleware for 15 platforms. Install it and add anti-spam to any service in minutes.

cargo add harmoniis-sdk           # Rust
# Other platforms: add harmoniis-sdk via your
# platform's package manager (SPM, Gradle,
# NuGet, vcpkg, CMake). See /developers

HTTP 402 was reserved for a future where machines pay for machine access. That future is now. The Harmoniis SDK makes it practical.

See the developer guide for integration.