A Programmable Data Commerce Layer for the Agentic Web.
{ proof > permission }
Programmable, trustless data unlocks that autonomous agents can buy and use.
Team: Coleman Irby, Tony Riemer
Description: A Programmable Data Commerce Layer for the Agentic Web.
Stack:
Arbitrum Sepolia + Stylus
Lit Protocol
x402
IPFS/Pinata
ERC-8004/Agent0 SDK
Subgraph
LangChain
Ollama
Repositories:
A more feature rich document that describes the architecture, how it works, future work, and so on is available on hackmd: https://hackmd.io/@Y5vcBYL4SyeRG_CqQq0DoQ/Hk0lPGbOZx (also a better formatted description of our progreses during participation). Each repo readme includes all relevant information to build, test, and use each component.
Agentic AI has gone from speculative research to "every enterprise has an AI mandate" in the span of 18 months or less. Agents need data, but today, they can't safely do this. Every payment solution for agents, including x402, has a problem: they still have a server deciding whether to release what you paid for. Standard APIs require exposing secrets to agents, and even x402 still requires trust in a server to deliver content. Sellers can can misprice, withhold, or go offline. Buyers can invalidate settlement after verification. There is no cryptographic guarantee that you get what you pay for. Agentic commerce requires trustlessness if it wants to eliminate humans-in-the-loop.
Fangorn fixes this by encrypting data against public, on-chain, verifiable conditions, like payment, token ownership, or time. We call this 'intent-bound data'. Buyers obtain ciphertexts before paying, verify conditions onchain (Arbitrum Sepolia), then decrypt locally. Once conditions are met, decryption is cryptographically inevitable.
x402f extends x402 into a trustless agent payment rail powered by Fangorn. Agents discover data sources via ERC-8004 agent cards, purchase autonomously, and decrypt without key management. Buyers cannot invalidate settlement. Prices are dynamic and verifiable. Content delivery is unstoppable.
The Fangorn Agent uses LangChain tools that allow it to discover agents and agent cards from the ERC-8004 identity registry, decode datasources from agent cards, and interact with the x402f protocol as a client. It is comprised of two pieces: an LLM and a Model Context Protocol (MCP) client. The agent is lightweight and able to run on consumer-grade hardwarE. Its tool usage is facilitated through [LangChain](https://www.langchain.com/).
The core idea behind Fangorn is simple: instead of a private key, we can encrypt against a public condition. Payment, token ownership, DAO membership, time, any predicate expressible on-chain. This leads to what we call intent-bound data: ciphertexts that unlock only when conditions are satisfied with no trusted third-parties.
This is accomplished with threshold encryption and TEE-based execution through Lit Protocol.
Fangorn also makes data sources discoverable using a datasource registry contract (Arbitrum Stylus) and the ERC-8004 identity and reputation registries. Data providers register ERC-8004 compliant agent cards, enabling agents to evaluate an integrate new data sources without API integrations. Agents can query these cards to find data sources and interact via standardized A2A protocols.
Github: https://github.com/fangorn-network/fangorn
NPM Package: https://www.npmjs.com/package/fangorn-sdk
x402f inverts the trust model of x402 by applying 'intent bound data' to the protocol. The server role is reduced to payment facilitation, never controlling content release. Unlike x402, x402f only requires a single resource server, though anyone can run their own.
For buyers: you fetch the ciphertext before paying for it. ecryption happens locally after settlement. Data cannot be withheld, and pricing can be verified against on-chain state. It is currently optimized for static data, not a live API.
For sellers: no infrastructure is required. Prices can be dynamically configured on-chain without touching server configs or impacting existing clients.
Github: https://github.com/fangorn-network/x402f
Property | x402 | Token Gating | Fangorn |
|---|---|---|---|
Trustless delivery | ✗ | ✗ | ✓ |
Proof-based access | ✗ | partial | ✓ |
Agent-native discovery | ✗ | ✗ | ✓ |
Serverless for seller | ✗ | ✗ | ✓ |
Verifiable provenance | ✗ | ✗ | ✓ |
For the Fangorn agent specifics, refer to the hackmd.
Fangorn is a programmable data access protocol. It is not:
encrypted storage
token gated data apis
web3 data marketplaces
a file sharing platform
Though it could be used as a basis to build the access control layer for all of them. The distinction is important: Fangorn dictates when and to whom data becomes available. What gets built on top is a different concern.
Fangorn is a primitive, so the surface area is massive. Here, we present a limited set of potential use cases and applications:
Agentic data markets
Agents can discovery, purchase, publish and consume data from other agents without human intermediaries or API integrations. A financial agent could buy real-time market sentiments from a data agent, infer a result, and then sell that output. A logistics agent could purchase route optimization data on demand. Since provenance is tracked on chain, poisoned data sources become traceable, introducing meaningful accountability for prompt injection attacks.
Agent-to-agent access control
By extending x402f even further, we can repurpose the same payment rails to operate based on proof instead. This means that agents can make data conditionally available to other agents based on verifiable conditions like identity or membership, enabling alternative economic integrations beyond 'pay per use'. For example, an authorized agent can consume from a weather datasource by virtue of it's onchain agentid, while unauthorized agents are cryptographically locked out.
Regulated-data access control for agents acting on behalf of humans
There is a lot of data on the web that requires strict compliance in order to access it. Things like age-gated or OFAC compliant content. The problem with agentic commerce is that there's no human in the loop, but there are humans at either end. So, if you consider the scenario where an agent needs access to regulated content, then it's legally gray area: the agent can't have an age, it can't be OFAC-compliant, it's just software, so if it gains access then who is at fault if it makes it into the wrong hands? The end user could pass their entire identity to the agent, but this is extremely irresponsible and dangerous, as the agent can use it for unexpected purposes, else expose your sensitive information. By applying intent-bound data, however, we can build compliant access control for agents, wherein an end user supplies a zkp of their age or nationality (e.g. using https://zkpassport.id/).
Private computation authorization: You can encrypted sensitive data with Fangorn and then authorize an agent to execute a function over it via a Lit action. The AI receives results computed on the plaintext within a TEE. For example, agents could determine blood type compatibility between individuals without exposing the blood type. Similar services have been presented by Phala and other TEE-based networks.
Streamlined datasource integrations for new features in enterprise clients
Today, large enterprises operate with 100+ dbs, 50+ apis, 10+ clients, and so on. As the complexity expands so does the cost of integrating new features that cut across the stack. However, using x402f, where we introduce a way for clients to discover datasources and consume from them without making any software changes, we can consider a paradigm shift. Instead of integrating a new API into a client, the new API just needs to publish a data card. That means for new features in client apps, integration is cheap and easy. It doesn't require new api integrations or coordination across teams, orgs, or enterprises. It would just work.