API keys were built for a web of human developers signing up for plans. They carry real overhead, and an autonomous AI agent can’t request one on its own. L402 takes a different path: any client pays per request and is granted access, with no account and no key to issue, store, or rotate.
A key is a long-lived shared secret. Someone has to sign up, you have to approve and provision them, they have to store the secret safely, and both sides have to rotate it when it leaks. The key itself carries no price, so charging for usage means bolting on a separate billing system. None of that works for an agent that shows up, needs one call, and leaves.
| L402 | API keys | |
|---|---|---|
| Onboarding | None; pay and go | Sign up, get approved, receive a key |
| Per-call pricing | Native, sub-cent per call | Not built in; needs a separate billing system |
| Secret to manage | No long-lived shared secret | Store, rotate, and revoke keys |
| Works for AI agents | Yes, agents pay at runtime | Agent can't self-serve a key |
| Access scope | Earned per payment, capability-scoped | Per-key, provisioned by hand |
| Revocation | Expires with the payment or terms | Manual; a leaked key is a standing liability |
| Settlement | To your wallet, per call | Invoiced or subscribed out of band |
Keys are not the enemy. For a free tier, an internal service, or a trusted partner where you want one stable identity with its own quotas and dashboards, a key is the simplest thing that works. L402 earns its keep the moment access becomes paid, per-call, or open to clients you have never onboarded, especially AI agents. Most APIs end up using both: keys for trusted first-party access, L402 for paid and agent traffic.
Two ways in. Point the hosted gateway at an endpoint you already run and it adds the 402 paywall in front, or add the paywall in code with the bolthub Pay SDK. Either way you can charge per call and let any AI agent pay at runtime. Keep your existing keys for the routes that should stay free. New to the protocol? Read what is L402 or see how it compares to x402.
Charge for your toolsNo. L402 and API keys coexist. Keep keys for free tiers and trusted first-party clients, and add an L402 paywall on the endpoints you want to charge for or open up to agents. bolthub adds the 402 layer without touching the auth you already have.
Not really, and that is the core problem. An API key assumes a human signed up, was approved, and pasted a secret into a config. An autonomous agent can't fill in that form. With L402 the agent simply pays the 402 invoice at runtime and retries, no provisioning step required.
It is the credential, but it differs in two ways. It is earned by paying rather than provisioned out of band, and it is a macaroon, so it is capability-scoped, short-lived, and can be narrowed offline for delegation, unlike a long-lived shared secret. You are not maintaining a database of issued keys.
start selling
Self-host the SDK free, or start on the hosted platform: 1-month free trial, usage-based billing after that.