live demo · agent ↔ zero ↔ x402-mcp

every tool call, signed before it lands.

click run — we mint a fresh agent, sign a real HMAC, hit the live /api/validate endpoint, and call the public x402 simulator MCP. the response shown below is the actual JSON the MCP returned.

signed request

bearer + tool args

response

payload

agent

zero-sdk · demo

idle — click run

zero

security layer

·timestamp ±5min

·nonce freshness

·HMAC-SHA256 verify

·mint scoped JWT

mcp

xmcp-x402-sim

waiting

agent reasoning

cot · scripted

click generate keys & run to start a real round-trip.

information retrieved

mcp · pay_and_fetch

awaiting verified call
no data yet

signed payload

POST /api/validate

HMAC payload (string-to-sign)

—

signature

sha256 —

scoped jwt issued by zero

—

agent: demo-agent · expires: —

security trail

audit · pending

request received at /api/validate

timestamp delta within ±5min · ok

nonce stored · not seen in last 5min

HMAC-SHA256 match (constant-time)

JWT minted · scoped

POST /mcp tools/call pay_and_fetch

mcp running x402 dance: 402 → payload → verify → settle

mcp 200 OK

audit log entry written