Native Profile Boundary
Status: active alpha boundary for the shipped package surface.
The current native Kaspa x402 surface ships two profiles:
exactwithkaspa-exact-v1for fixed-price one-shot transfers;batch-settlementwithkaspa-escrow-v1for repeated or variable-cost requests backed by a funded escrow/channel.
Both profiles are represented in schemas, vectors, examples, public specs, runtime packages, and the live proof harness. Other x402 schemes are outside the shipped compatibility contract until they can be expressed with native Kaspa validation and covered by the same level of schemas, vectors, tests, and live evidence.
Absent Upstream Schemes
Upstream x402 currently defines four schemes: exact, upto, batch-settlement, and auth-capture. This binding ships the first and third. The other two are absent for reviewable reasons, not oversight, and both share one technical constraint: UTXO-style script supports only lower-bound time locks, because a once-valid transaction must not become invalid. A settlement-expiry upper bound therefore cannot be a hard spend-path invalidation; it can only be expressed as a race in which a refund branch becomes spendable at the deadline and a late-settling counterparty can be beaten by the client's refund. Upstream batch-settlement already accepts this escape-hatch model for its timed withdrawal delay, which is why the shipped escrow profile is unaffected by the constraint.
upto
Kaspa covenants can enforce every fund-safety property of a one-shot capped authorization on-chain: server signature, client authorization digest, charge cap, single-use outpoint binding, payout and refund output hashes, and a bounded fee reserve. Only the expiry bound degrades to the refund race described above. Upstream upto, however, currently defines its time-bound requirement only through hard contract-enforced deadlines. Shipping a race-based expiry under that scheme name would overstate the guarantee, so the profile remains archived research until upstream clarifies whether a client-refundable expiry satisfies upto's time-bound requirement. If it does, the archived covenant and its consensus-validated artifacts are a viable basis for reintroduction.
auth-capture
auth-capture maps naturally to Kaspa: the authorization is a funded covenant output — a real on-chain hold, stronger than an allowance-style hold — and capture is a bounded claim, with the same expiry-by-refund-race caveat as upto. It is absent for priority rather than feasibility: upstream currently has a single EVM binding and little adoption pressure, and any new profile must clear the full readiness bar below before it can ship.
Boundary Rules
- Public schemas accept only
exactandbatch-settlement. - Payment payloads accept only
exact-transfer,deposit-voucher,voucher,claim, andrefund. - Kaspa requirements extras accept only
kaspa-exact-v1andkaspa-escrow-v1. - Covenant helpers expose only the escrow template and batch claim/refund transaction builders.
- Client, server, facilitator, and CLI packages must not advertise or accept unsupported schemes.
- The boundary is enforced at different points on the two sides of the wire: servers emit only strict Kaspa envelopes, while clients parse incoming
PaymentRequiredenvelopes leniently, skip entries for other schemes, networks, or assets during offer selection, and pay only entries that validate as Kaspa requirements. A client fails an offer only when no supported Kaspa entry remains, so mixed multi-rail envelopes from upstream x402 servers stay consumable. - Documentation and examples must frame
kaspa:mainnetas a reserved profile name, not a readiness claim.
Readiness Expectations
New native profiles require all of the following before they can be shipped:
- a scheme-specific spec under
spec/; - JSON schema coverage for requirements, payloads, and settlement responses;
- positive and negative conformance vectors;
- SDK and server implementation coverage;
- package tests for client, server, facilitator, and CLI behavior;
- transaction-v1 vectors when the profile builds covenant transactions;
- live
kaspa:testnet-10evidence throughscripts/proof-live-testnet.mjs; - explicit mainnet readiness gates and audit scope updates.
Until those conditions are met, unsupported schemes should fail schema validation or offer selection rather than being represented as partial runtime features.
Source: /docs/native-profile-boundary.md