View a markdown version of this page

How AI traffic monetization works - Amazon WAF, Amazon Firewall Manager, Amazon Shield Advanced, and Amazon Shield network security director
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Introducing a new console experience for Amazon WAF

You can now use the updated experience to access Amazon WAF functionality anywhere in the console. For more details, see Working with the console.

How AI traffic monetization works

AI traffic monetization uses the x402 open protocol for machine-to-machine payments. The following describes the request lifecycle for a monetized resource:

  1. Request – A client (typically an AI agent) sends a request to a Amazon WAF protected resource on your CloudFront distribution.

  2. Rule evaluation – Amazon WAF evaluates the request against your rules in priority order. If a rule with a Monetize action matches and the request does not include a valid payment authorization, Amazon WAF returns an HTTP 402 Payment Required response. For more details, see Rule actions.

  3. Payment Required Challenge – Amazon WAF returns an HTTP 402 response (the "Payment Required Challenge"). The response includes payment instructions containing:

    1. Content price (per request) in USDC

    2. Accepted payment networks (Base, Solana)

    3. Publisher wallet address (payTo)

    4. Maximum timeout

    5. Payment scheme

  4. Payment authorization – The client signs a payment authorization using their wallet's private key or a server wallet API. The client resubmits the original request with a payment-signature header containing the signed authorization.

  5. Verification – Amazon WAF verifies the payment credentials, confirming transfer of sufficient funds and valid authorization. This occurs synchronously in the request path. If the verification fails, the client is served a 402 and the content is not served.

  6. Content fetch – On successful verification, the request for content is allowed.

  7. Settlement – If content fetch is successful (2xx status code), the payment is settled on the blockchain via Coinbase Developer Platform's x402 facilitator service. Settlement occurs synchronously – content is served after confirmed payment. If the payment settlement fails, the client is served a 402 and the content is not served.

  8. Response – The content is served to the client with a payment-response header containing settlement confirmation details.

Key behaviors:

  • No payment for failed origins – If origin returns 4xx or 5xx, settlement is skipped and the client is not charged.

  • Idempotency – The x402 protocol supports a payment-identifier extension that allows clients to retry requests without double-payment for up to 15 minutes, as long as the extension is used by the client.

  • Replay protection – Payment authorizations are single-use. Reusing a payment header without a valid payment-identifier results in a new 402 response.

For more details about the x402 open payment protocol, see x402 documentation.

Supported resource types

AI traffic monetization protects resources on Amazon CloudFront distributions. You can monetize any path or content zone served through CloudFront, including:

  • Web pages and articles

  • API endpoints

  • Data feeds

  • Media assets

  • Structured datasets