The number is the tell. On June 25, 2026, the identity company Proof launched x401, an open protocol that lets any website or API demand proof of the human authority behind an AI agent before it acts. The name is a deliberate rhyme with x402, the HTTP-402 payments protocol that let agents settle transactions machine-to-machine. Circle, which co-contributed x402, drew the line cleanly: "x402 answers how an agent pays. x401 answers who authorized the action."
Read that ordering again. The agent economy built and shipped the payment rail first, and is standardizing the authority rail second. For months, the plumbing existed for an agent to complete a purchase before any protocol existed to bind that purchase back to a consenting human. Commerce before consent. x401 is, in part, the industry quietly admitting it skipped a step.
What x401 actually does
The mechanism reuses the oldest handshake on the web. When an agent hits a protected resource, the server replies with a PROOF-REQUIRED header — a small payload naming which credentials it accepts, which challenge to answer, and which issuers it trusts. The agent decodes it, fetches a matching presentation from its wallet, and retries. If you have ever seen a 401 Unauthorized prompt for a username and password, you have seen the shape of this. x401 swaps the password for a Verifiable Credential.
There is a nice bit of engineering honesty buried here: the PROOF-REQUIRED header, not the status code, is the real carrier. A server can attach it to a 401, but it can also ride on a 200 OK when the response is still useful without proof, or on any 4xx when the operation truly cannot proceed. The "401" in the name is more branding than protocol — a claim on HTTP's reserved auth semantics rather than a strict dependence on the status line. Which fits the pattern: the agentic web is being assembled by finally cashing HTTP's oldest unwritten checks. 402 Payment Required was reserved in 1997 and sat unused for nearly three decades. 401 has been there the whole time. Both are being conscripted at once.
The reframing that matters
Here is the part worth slowing down for. The credential x401 asks for does not merely identify the agent. It names a human as the principal and encodes an approved scope, and it does so with selective disclosure and zero-knowledge proofs — so an agent can prove its owner is over 18 without surrendering a birthday, or a US resident without handing over an address.
That is a different question than the one the identity industry has been answering. Bot-detection and schemes like web-bot-auth answer "is this traffic a legitimate, identified agent?" Useful, but insufficient. The question that actually governs whether an agent should be allowed to spend money, sign a document, or publish on your behalf is narrower and harder: "did a specific human with standing delegate this action, at this scope?"
x401 moves the unit of trust from the agent to the authorization behind it — from identity to provenance of authority.
Authentication tells a service who is knocking. x401 tells it who stands behind what the agent just did. In a world where, as Proof CEO Pat Kinsel put it, "AI is making actions and content effortless to generate," that provenance is the scarce thing. The signature that matters is not the model's; it is the human's, carried inside a scoped credential the model cannot forge.
The skeptic's column
None of this is settled. x401 is an open protocol, and its contributor list is genuinely heavy — Circle, OpenAI, Google, and Okta are named, and Proof joined the FIDO Alliance as a sponsor member in May 2026. But "open protocol published by one vendor" is a proposal until multiple independent issuers mint credentials and multiple independent verifiers honor them. The identity layer for agents is already crowded: MCP's OAuth work, web-bot-auth, Google's AP2 and Verifiable Intent. Standards win by adoption, not by press release, and this field has more candidates than converts.
There is also a maturity gap the naming inadvertently advertises. Its older sibling x402 has been in the wild long enough to accumulate a literature of exploits — there is already an academic paper cataloguing five distinct attacks on the payment protocol. A challenge-response scheme that hands a wallet-held credential to any server presenting a PROOF-REQUIRED header is a new and interesting attack surface: phished proof requirements, over-broad scopes, issuer spoofing, replay. The zero-knowledge machinery is the right instinct; it does not make the surface disappear.
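To make the handshake and that attack surface concrete, here is an added toy model of the PROOF-REQUIRED exchange, written for this article rather than taken from Proof, the x401 specification or any x402 implementation. Everything about it is an assumption: the field names in the requirement payload (`credentials`, `issuers`, `challenge`, `scope`, `audience`) are invented, the credential is a plain JSON object, and issuer signatures are replaced by a per-issuer HMAC so the example runs offline; a real Verifiable Credential would carry an asymmetric signature and selective-disclosure proofs that this stand-in does not model. What it does show is where each of the four listed risks gets caught: the wallet refuses a requirement whose audience is not the origin it is actually connected to (phished proof requirements) and only hands over a credential whose scope covers the requested action (over-broad scopes); the verifier checks the issuer against an allowlist and verifies the signature (issuer spoofing) and burns each challenge nonce after one use (replay).

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in issuer keys. Real Verifiable Credentials carry asymmetric
# signatures; an HMAC per issuer keeps this example offline and dependency-free.
ISSUER_KEYS = {"did:example:issuer-a": b"constructed-key-a",
               "did:example:issuer-b": b"constructed-key-b"}

def issue(issuer, principal, scope):
    """Issuer mints a credential naming the human principal and the delegated scope."""
    claims = {"type": "HumanAuthority", "principal": principal, "scope": sorted(scope)}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).hexdigest()
    return {"issuer": issuer, "claims": claims, "sig": sig}

def signature_ok(cred, trusted_keys):
    key = trusted_keys.get(cred["issuer"])  # None: issuer is not on the allowlist
    if key is None:
        return False
    body = json.dumps(cred["claims"], sort_keys=True).encode()
    expect = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, cred["sig"])

class Verifier:
    """Server side: emits the proof requirement and checks the returned presentation."""
    def __init__(self, origin, trusted_issuers):
        self.origin = origin
        self.trusted = {i: ISSUER_KEYS[i] for i in trusted_issuers}
        self.pending = {}  # challenge nonce -> scope it was issued for
        self.used = set()  # consumed nonces, so a captured presentation cannot be replayed

    def proof_required(self, action):
        """Payload the PROOF-REQUIRED header would carry (field names are assumed)."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = action
        return {"credentials": ["HumanAuthority"], "issuers": sorted(self.trusted),
                "challenge": nonce, "scope": action, "audience": self.origin}

    def verify(self, presentation, action):
        """Returns (ok, principal or reject reason); each reject maps to a threat in the text."""
        nonce = presentation.get("challenge")
        if nonce in self.used:
            return False, "replay: challenge already consumed"
        expected_scope = self.pending.pop(nonce, None)
        if expected_scope is None:
            return False, "unknown challenge"
        self.used.add(nonce)
        if presentation.get("audience") != self.origin:
            return False, "audience mismatch: presentation built for another origin"
        cred = presentation["credential"]
        if not signature_ok(cred, self.trusted):
            return False, "issuer spoofing: untrusted issuer or bad signature"
        if expected_scope != action or action not in cred["claims"]["scope"]:
            return False, "over-broad: action outside delegated scope"
        return True, cred["claims"]["principal"]

class Wallet:
    """Agent side: holds credentials and applies policy before answering a challenge."""
    def __init__(self, credentials, known_issuers):
        self.credentials = credentials
        self.known_issuers = set(known_issuers)

    def present(self, requirement, connected_origin):
        # Phished proof requirement: answer only if the audience is the origin this
        # connection actually terminates at, not a challenge relayed from elsewhere.
        if requirement["audience"] != connected_origin:
            raise PermissionError("audience does not match connected origin")
        # Issuer spoofing signal: refuse a requirement naming only unknown issuers.
        if not set(requirement["issuers"]) & self.known_issuers:
            raise PermissionError("requirement names no issuer this wallet knows")
        # Least privilege: hand over a credential only if its scope covers the action.
        for cred in self.credentials:
            if cred["issuer"] in requirement["issuers"] and requirement["scope"] in cred["claims"]["scope"]:
                return {"credential": cred, "challenge": requirement["challenge"],
                        "audience": requirement["audience"]}
        raise PermissionError("no credential covers scope %r" % requirement["scope"])

def demo():
    """One good round trip, then the four failure modes named in the text."""
    cred = issue("did:example:issuer-a", "did:example:alice", {"purchase:under-100"})
    wallet = Wallet([cred], ISSUER_KEYS)
    site = Verifier("https://shop.example", ["did:example:issuer-a"])
    out = {}
    pres = wallet.present(site.proof_required("purchase:under-100"), site.origin)
    out["ok"] = site.verify(pres, "purchase:under-100")
    out["replay"] = site.verify(pres, "purchase:under-100")  # same presentation again
    try:  # over-broad: a purchase credential asked to cover document signing
        wallet.present(site.proof_required("sign:document"), site.origin)
    except PermissionError as e:
        out["scope"] = str(e)
    rogue = issue("did:example:issuer-b", "did:example:mallory", {"purchase:under-100"})
    req = site.proof_required("purchase:under-100")  # issuer-b is not on the site's allowlist
    out["spoof"] = site.verify({"credential": rogue, "challenge": req["challenge"],
                                "audience": site.origin}, "purchase:under-100")
    try:  # phished requirement: shop.example's challenge relayed through another origin
        wallet.present(site.proof_required("purchase:under-100"), "https://other.example")
    except PermissionError as e:
        out["phish"] = str(e)
    return out
```

Calling `demo()` returns the verifier's answer for the good path (`(True, "did:example:alice")`) alongside the reason string for each reject. Two design points carry over to a real deployment: the verifier consumes the nonce before it evaluates anything else, so a presentation that fails later cannot be resubmitted with a different credential, and the audience check happens on both sides, because the wallet cannot rely on the server to notice that it was answering someone else's challenge.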
Why it still matters
Strip the branding and x401 is an admission that the agent stack has been running with a missing primitive. We taught agents to pay before we taught services to check who authorized the payment — and the correction, when it came, took the form of a credential that names a human and travels with the request. Whether x401 specifically wins is almost secondary. The shape it defines — authority as a scoped, privacy-preserving, verifiable claim bound to an action rather than to a login — is the piece the agentic web was building without. The order it arrived in tells you how the last year of agent infrastructure was actually prioritized: the money moved first, and the accountability is catching up.