APEX: Agent Payment Execution with Policy for Autonomous Agent API Access

from arxiv, 13 pages, 4 figures, 8 tables. Includes implementation details, experimental evaluation with statistical analysis, and reproducible results. Code and data available upon request

Autonomous agents are moving beyond simple retrieval tasks to become economic actors that invoke APIs, sequence workflows, and make real-time decisions. As this shift accelerates, API providers need request-level monetization with programmatic spend governance. The HTTP 402 protocol addresses this by treating payment as a first-class protocol event, but most implementations rely on cryptocurrency rails. In many deployment contexts, especially countries with strong real-time fiat systems like UPI, this assumption is misaligned with regulatory and infrastructure realities. We present APEX, an implementation-complete research system that adapts HTTP 402-style payment gating to UPI-like fiat workflows while preserving policy-governed spend control, tokenized access verification, and replay resistance. We implement a challenge-settle-consume lifecycle with HMAC-signed short-lived tokens, idempotent settlement handling, and policy-aware payment approval. The system uses FastAPI, SQLite, and Python standard libraries, making it transparent, inspectable, and reproducible. We evaluate APEX across three baselines and six scenarios using sample sizes 2-4x larger than initial experiments (N=20-40 per scenario). Results show that policy enforcement reduces total spending by 27.3% while maintaining 52.8% success rate for legitimate requests. Security mechanisms achieve 100% block rate for both replay attacks and invalid tokens with low latency overhead (19.6ms average). Multiple trial runs show low variance across scenarios, demonstrating high reproducibility with 95% confidence intervals. The primary contribution is a controlled agent-payment infrastructure and reference architecture that demonstrates how agentic access monetization can be adapted to fiat systems without discarding security and policy guarantees.

翻译：自主智能体正从简单的检索任务转向承担经济行为者角色，能够调用API、编排工作流并做出实时决策。随着这一转变加速，API提供商需要具备可编程支出治理能力的请求级货币化方案。HTTP 402协议通过将支付视为一级协议事件来解决这一问题，但多数实现依赖加密货币基础设施。在许多部署场景中，尤其是采用UPI等强实时法币系统的国家，这一假设与监管及基础设施现实存在错位。我们提出APEX——一个完整实现的研究系统，将HTTP 402风格的支付门控适配至类似UPI的法币工作流，同时保留策略管控的支出控制、令牌化访问验证及重放抵抗能力。我们实现了包含HMAC签名短生命周期令牌、幂等结算处理及策略感知支付审批的挑战-结算-消费生命周期。系统采用FastAPI、SQLite及Python标准库构建，具备透明性、可检查性与可复现性。我们在三个基线及六个场景下评估APEX，样本量较初始实验扩大2-4倍（每场景N=20-40）。结果表明，策略执行使总支出降低27.3%，同时合法请求成功率达52.8%。安全机制对重放攻击与无效令牌均实现100%拦截率，延迟开销低至平均19.6毫秒。多次试验运行显示各场景方差较小，95%置信区间下呈现高可复现性。主要贡献在于构建了一个受控的智能体支付基础设施与参考架构，证明无需牺牲安全性与策略保障即可将智能体访问货币化方案适配至法币系统。