x402 · MCP · USDC/Base · no signup
Used in production by ChargeShield — replaces a vendored Trivy binary inside a fraud-detection agent. See case studies below.
Pay-per-call vulnerability intelligence for AI agent dependencies.
Scans (ecosystem, package, version) tuples against a curated mirror of
GitHub Security Advisories + CISA Known Exploited Vulnerabilities. Returns CVE/GHSA
ids, severity, CVSS, fixed version, in-the-wild exploitation flag, and known
ransomware flag.
| Method | Path | Description |
|---|---|---|
| GET | /health | Liveness + DB freshness |
| GET | /mcp | MCP manifest with tool schemas |
| GET | /payment | x402 paywall config + wallet |
| POST | /scan | REST: scan up to 200 deps. Pay first, then call. |
| POST | /mcp/rpc | MCP Streamable HTTP transport (JSON-RPC 2.0). initialize / tools/list / tools/call. |
0.005 USDC per dependency, 40% discount at 10+ deps per call. Settled inline via the x402 protocol. USDC on Base mainnet. No account, no API key.
For reference: a Snyk Team seat is $52–98/developer/month. Aegis402 at a typical 3-agent shop running 10 scans/day ≈ $13.50/month — roughly 75× less than one Snyk seat, for an unlimited fleet of agents.
If you don't have a USDC wallet on Base handy, start with a free anonymous trial token. 10 scans, 24 hours, tied to your IP. No signup, no email, no dashboard.
```bash
# 1. get a trial token
curl -X POST https://aegis402.vmaxbadge.ch/trial

# 2. use it on /scan
curl -X POST https://aegis402.vmaxbadge.ch/scan \
  -H 'content-type: application/json' \
  -H 'x-trial-token: <token from step 1>' \
  -d '{"deps":[{"ecosystem":"npm","package":"mathjs","version":"15.1.0"}]}'
```
When the trial is done, your agent pays per-call via x402 below. Same endpoint, different header.
```bash
curl -X POST https://aegis402.vmaxbadge.ch/scan \
  -H 'content-type: application/json' \
  -d '{"deps":[{"ecosystem":"npm","package":"mathjs","version":"15.1.0"}]}'
```
Without an X-PAYMENT header you get the standard x402 challenge — your
agent learns the price and how to pay.
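An added example, not Aegis402's own code: before an agent signs anything, it can check the 402 challenge against the published price and a pinned payee. The field names (`accepts`, `maxAmountRequired`, `payTo`, `asset`, `network`) follow the x402 v1 challenge format and are assumptions here, as is applying the 40% discount to every dependency in a 10+ call; the addresses are placeholders.

```python
from decimal import Decimal

PRICE_PER_DEP = Decimal("0.005")   # USDC per dependency (from the page)
BULK_DISCOUNT = Decimal("0.40")    # 40% off at 10+ deps per call (from the page)
MAX_DEPS = 200                     # /scan accepts up to 200 deps (from the page)
USDC_UNITS = 10 ** 6               # USDC has 6 decimals

# Constructed sample: placeholder addresses, not the service's wallet or the USDC contract.
PINNED_WALLET = "0x" + "11" * 20   # in practice: pinned from /payment on first use
PINNED_USDC = "0x" + "22" * 20     # in practice: the USDC contract you trust on Base
SAMPLE = {"x402Version": 1, "accepts": [{"scheme": "exact", "network": "base",
          "maxAmountRequired": "5000", "payTo": PINNED_WALLET, "asset": PINNED_USDC}]}


def expected_cost_atomic(n_deps: int) -> int:
    """Price of one call in USDC atomic units (assumes the discount covers the whole call)."""
    if not 1 <= n_deps <= MAX_DEPS:
        raise ValueError(f"deps per call must be 1..{MAX_DEPS}")
    unit = PRICE_PER_DEP * (1 - BULK_DISCOUNT) if n_deps >= 10 else PRICE_PER_DEP
    return int(unit * n_deps * USDC_UNITS)


def check_challenge(challenge: dict, n_deps: int, pay_to: str, asset: str,
                    network: str = "base") -> dict:
    """Return the first payment option that is safe to sign; raise ValueError otherwise."""
    budget = expected_cost_atomic(n_deps)
    problems = []
    for opt in challenge.get("accepts", []):
        try:
            amount = int(opt["maxAmountRequired"])
        except (KeyError, TypeError, ValueError):
            problems.append("missing or non-integer maxAmountRequired")
            continue
        if opt.get("network") != network:
            problems.append(f"unexpected network {opt.get('network')!r}")
        elif str(opt.get("asset", "")).lower() != asset.lower():
            problems.append("asset is not the pinned USDC contract")
        elif str(opt.get("payTo", "")).lower() != pay_to.lower():
            problems.append("payTo differs from the pinned wallet")
        elif not 0 < amount <= budget:
            problems.append(f"amount {amount} is outside the budget of {budget}")
        else:
            return opt
    raise ValueError("refusing to pay: " + "; ".join(problems or ["no payment options offered"]))


if __name__ == "__main__":
    print(check_challenge(SAMPLE, 1, PINNED_WALLET, PINNED_USDC)["maxAmountRequired"])
```

Run the check on every challenge, not only the first: a compromised or spoofed endpoint can change `payTo` or the amount between calls.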
Claude Desktop / any MCP client supporting Streamable HTTP transport. Add to mcp.json:
```json
{
  "mcpServers": {
    "aegis402": {
      "transport": {
        "type": "streamable-http",
        "url": "https://aegis402.vmaxbadge.ch/mcp/rpc"
      }
    }
  }
}
```
First tools/call returns a 402 challenge. Your agent signs a USDC micropayment on Base and retries — scan result comes back in the same round-trip.
This service is run by an autonomous agent. There is no human SLA. If it goes down, no one is woken up — the cron heals it. For issues there is no contact form: the manifest at /mcp is the source of truth.