pay402

Pay as you go internet: unlock content with one click, powered by onchain micropayments.


Created at: ETHOnline 2025

Project Description

Pay402 is a browser extension that enables micropayments for online content. Instead of $15/month subscriptions, readers pay small amounts (like $0.50) only for articles they actually want to read.

The Problem: Credit cards can't handle micropayments: a $0.50 transaction costs $0.31 in fees, which makes pay-per-article impossible. This forces publishers into subscription models and blocks casual readers from accessing content they'd happily pay a small amount for.

Our Solution: Pay402 uses Yellow Network state channels and PYUSD stablecoin to enable instant, near-zero-fee micropayments. The browser extension automatically detects paywalls, handles one-click payments, and unlocks content in under 1 second.

How it works for readers:

  1. Browse normally and hit a paywall
  2. Extension detects it and shows an unlock button
  3. Click to pay $0.50 with PYUSD (or whatever publisher sets)
  4. Content unlocks instantly
  5. No accounts, no subscriptions, just pay-as-you-go

How it works for publishers: Add 3 meta tags to your HTML (price, wallet address) and implement a simple /pay402/unlock API endpoint to verify payments and serve content.

Why it matters:

  • Readers pay only for what they read ($5 for 10 articles vs $15/month subscription)
  • Publishers reach casual readers who would never subscribe
  • Direct payments with 0.2% fees instead of 30% platform fees
  • Works across any website using the Pay402 standard

This is a fully functional system with real Yellow Network integration, live PYUSD payments on Sepolia testnet, automatic paywall detection, and a complete payment verification backend.

How it's Made

Architecture: Pay402 is a monorepo with 4 packages:

  • Extension (Chrome Manifest V3, React + TypeScript + Vite) - content scripts for paywall detection, background service worker for payments, popup dashboard
  • Server (Express.js + TypeScript) - verifies payment receipts and serves unlocked content
  • SDK (TypeScript) - wrapper around Yellow Network's Nitrolite SDK for state channel payments
  • Demo Site (vanilla HTML/JS) - example paywalled content for testing

Partner Technologies:

Yellow Network - The core payment layer. We integrated their Nitrolite SDK for state channel payments. This was the hardest part: minimal documentation meant reverse-engineering the WebSocket protocol to communicate with ClearNode (wss://clearnet-sandbox.yellow.com/ws). State channels give us sub-second settlement and ~$0.001 fees per payment. We wrote custom wrappers for session management, channel opening/closing, and payment submission.

PYUSD - PayPal's stablecoin on Sepolia testnet (0xCaC524BcA292aaade2DF8A05cC58F0a65B1B3bB9). This gives users stable USD pricing with no crypto volatility: $0.50 means 50 cents, always.

ZeroDev - Account abstraction via ERC-4337 smart accounts with session keys. This lets users make payments without manually approving every transaction or managing gas fees. The extension creates session keys that can spend small amounts automatically, making the UX feel like one-click payments.

Privy - Embedded wallet SDK for easy wallet connection and authentication in the browser extension.

Notable hacks:

  1. Paywall Detection - Built a generic detector using DOM inspection (looks for blur filters, overlay elements with data-paywall, meta tags with pricing). Works across different paywall styles without site-specific code.

  2. Extension Message Passing - Chrome Manifest V3 made communication tricky. Content scripts detect paywalls and send messages to the service worker, which handles payments and then posts results back to the content scripts to unlock the DOM. We had to carefully manage async message passing and race conditions.

  3. Session Key Security - Storing session keys in a browser extension is risky. We use Chrome's encrypted storage API and isolate keys from content scripts (only the service worker can access them). Session keys have spending limits and expiration.

  4. Cryptographic Receipt Verification - Unlike other micropayment demos that use client-side-only verification, Pay402 implements production-grade security:

    • Nonce-based Replay Protection: Every receipt gets a unique nonce tracked server-side. Used receipts can't be replayed to unlock content multiple times.
    • EIP-712 Signed Receipts: Receipts are cryptographically signed with EIP-712 typed data, providing unforgeable proof of payment (implementation ready for production signature verification).
    • Server-Side Validation: Backend verifies amount, domain, timestamp, and nonce before unlocking content. Can't be bypassed with DevTools.
    • On-Chain Verification Ready: Infrastructure in place to verify txHash on-chain for additional security layer.
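The session-key policy described in item 3 (spending limits and expiration, with the key held only by the service worker) can be made concrete with a small enforcer. The following is an added example, not Pay402's own code: the `SessionKeyPolicy` class, `parsePyusd` helper and the limits used in `demoSessionKey` are assumptions. Amounts are kept as BigInt in PYUSD base units (the token has 6 decimals) so that a price like "0.50" never goes through floating-point arithmetic.

```javascript
// Added example (not Pay402 project code): spending policy for an extension session key.
// The policy object, like the key itself, lives only in the service worker; content scripts
// never see it and can only ask for an unlock by sending the page's price.

const PYUSD_DECIMALS = 6;

// Parse a human-readable PYUSD amount ("0.50") into base units (500000n) without floats.
function parsePyusd(str) {
  const m = /^(\d+)(?:\.(\d{1,6}))?$/.exec(str);
  if (!m) throw new Error(`bad PYUSD amount: ${str}`);
  const whole = BigInt(m[1]);
  const frac = BigInt((m[2] ?? '').padEnd(PYUSD_DECIMALS, '0'));
  return whole * 10n ** BigInt(PYUSD_DECIMALS) + frac;
}

class SessionKeyPolicy {
  // maxPerPayment / totalBudget: BigInt base units; expiresAt: epoch milliseconds
  constructor({ maxPerPayment, totalBudget, expiresAt }) {
    this.maxPerPayment = maxPerPayment;
    this.totalBudget = totalBudget;
    this.expiresAt = expiresAt;
    this.spent = 0n;
    this.revoked = false;
  }

  // Decide whether the session key may sign a payment of `amount` right now.
  // Every rejection happens before `spent` is updated, so a refused payment costs nothing.
  authorize(amount, now = Date.now()) {
    if (this.revoked) return { ok: false, reason: 'revoked' };
    if (now >= this.expiresAt) return { ok: false, reason: 'expired' };
    if (typeof amount !== 'bigint' || amount <= 0n) return { ok: false, reason: 'invalid-amount' };
    if (amount > this.maxPerPayment) return { ok: false, reason: 'over-per-payment-limit' };
    if (this.spent + amount > this.totalBudget) return { ok: false, reason: 'budget-exhausted' };
    this.spent += amount;
    return { ok: true, remaining: this.totalBudget - this.spent };
  }

  // User-initiated kill switch; the extension would also discard the key material.
  revoke() {
    this.revoked = true;
  }
}

// Walk through the policy with constructed values: $1.00 per payment, $5.00 total, 1-hour life.
function demoSessionKey(now = Date.now()) {
  const policy = new SessionKeyPolicy({
    maxPerPayment: parsePyusd('1.00'),
    totalBudget: parsePyusd('5.00'),
    expiresAt: now + 60 * 60 * 1000,
  });
  return [
    policy.authorize(parsePyusd('0.50'), now),          // ok, $4.50 left
    policy.authorize(parsePyusd('2.00'), now),          // over the per-payment cap
    policy.authorize(parsePyusd('0.50'), now + 3_600_001), // past expiry
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoSessionKey());
}
```

The per-payment cap and the total budget are independent on purpose: the cap bounds the damage of a single malicious page asking for an inflated price, the budget bounds what a leaked key could drain before it expires.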

The trickiest part was making Yellow Network's state channels, and everything around them, work in a browser extension context, since most examples assume a Node.js server. We had to handle wallet connection, network switching to Sepolia, and WebSocket management all within the extension's service worker constraints.

Security Architecture:

  • Nonce Tracking: Prevents receipt replay attacks
  • Server-Side Verification: Publishers control unlock logic, not just client meta tags
  • EIP-712 Signatures: Cryptographic proof of payment (framework ready for full implementation)
  • Receipt Expiry: 1-hour validity window prevents stale receipt abuse
  • Amount Validation: Backend ensures payment matches article price
  • Domain Binding: Receipts tied to specific domains, can't be reused elsewhere