Security Policy
The Orchus facilitator enforces several policies to protect against abuse and ensure correctness.
Allowed Assets
Only USDC is accepted. Attempts to use any other token mint are rejected with policy:asset_not_allowed.
| Network | USDC Mint |
|---|---|
| Solana Mainnet | EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v |
Minimum Payment
The minimum payment is 0.01 USDC, which is 10,000 atomic units because USDC has 6 decimals.
Transaction Inspection
Every transaction is inspected before it reaches the Solana network:
- Allowed programs only — System, SPL Token, Compute Budget, Associated Token Account, Memo v1/v2
- No address lookup tables — prevents obfuscated account lists
- Max 1 token transfer per transaction — prevents multi-hop attacks
- Compute unit cap — max 200,000 CU
- Priority fee cap — max 50,000 microlamports
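The asset, minimum-amount and transaction-inspection rules above can be combined into one pre-submission check. The sketch below is an added example, not the Orchus facilitator's own code. It assumes a transaction that has already been decoded into a summary object; the object shape, the program labels and every reason code other than policy:asset_not_allowed are hypothetical, and the priority fee cap is assumed to bound the compute unit price.

```javascript
// Added example. The decoded-transaction shape, the program labels and every
// reason code except policy:asset_not_allowed are assumptions, not Orchus code.
const USDC_MINT = "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v";
const ALLOWED_PROGRAMS = new Set(["system", "spl-token", "compute-budget",
  "associated-token-account", "memo-v1", "memo-v2"]);
const MIN_ATOMIC = 10_000n;          // 0.01 USDC at 6 decimals
const MAX_COMPUTE_UNITS = 200_000;
const MAX_MICROLAMPORTS = 50_000;    // assumed to bound setComputeUnitPrice

function inspect(tx) {
  const reasons = [];
  // Lookup tables hide the real account list from a static review.
  if (tx.addressTableLookups.length > 0) reasons.push("policy:lookup_table");
  const transfers = [];
  for (const ix of tx.instructions) {
    if (!ALLOWED_PROGRAMS.has(ix.program)) {
      reasons.push("policy:program_not_allowed");
      continue;
    }
    if (ix.program === "spl-token" && /^transfer/.test(ix.type)) transfers.push(ix);
    if (ix.type === "setComputeUnitLimit" && ix.units > MAX_COMPUTE_UNITS)
      reasons.push("policy:compute_limit");
    if (ix.type === "setComputeUnitPrice" && ix.microLamports > MAX_MICROLAMPORTS)
      reasons.push("policy:priority_fee");
  }
  if (transfers.length > 1) reasons.push("policy:transfer_count");
  for (const t of transfers) {
    // A missing or unresolved mint fails closed as a disallowed asset.
    if (t.mint !== USDC_MINT) reasons.push("policy:asset_not_allowed");
    else if (BigInt(t.amount) < MIN_ATOMIC) reasons.push("policy:amount_too_small");
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed samples: one compliant payment, one that breaks several rules.
const PAYMENT = { addressTableLookups: [], instructions: [
  { program: "compute-budget", type: "setComputeUnitLimit", units: 60_000 },
  { program: "compute-budget", type: "setComputeUnitPrice", microLamports: 1_000 },
  { program: "spl-token", type: "transferChecked", mint: USDC_MINT, amount: "25000" },
] };
const REJECTED = { addressTableLookups: [{ accountKey: "constructed-table" }], instructions: [
  { program: "compute-budget", type: "setComputeUnitLimit", units: 1_400_000 },
  { program: "unknown-program", type: "swap" },
  { program: "spl-token", type: "transferChecked", mint: "constructed-other-mint", amount: "25000" },
  { program: "spl-token", type: "transferChecked", mint: USDC_MINT, amount: "5000" },
] };

console.log(inspect(PAYMENT), inspect(REJECTED));
```

Collecting every violation instead of stopping at the first one makes rejected requests easier to triage in logs.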
Rate Limits
| Endpoint | Limit |
|---|---|
| All endpoints | 120 requests/min per IP |
| POST /settle | 30 requests/min per IP |
Recipient Allowlist (optional)
Self-hosted deployments can set ALLOWED_PAY_TO to restrict which wallet addresses can receive payments via this facilitator. Setting it is strongly recommended for mainnet.
The hosted x402.agentstrail.ai instance does not enforce a recipient allowlist — any Solana address can be the payment recipient.
Key Management
The facilitator fee-payer keypair is loaded from encrypted environment configuration. The keypair is never exposed in API responses or logs.