Trusting the Facilitator
The one trusted piece in a trustless exchange, and how to keep it honest

Otomat's promise is that a machine can pay another machine directly, with the payment settling in the open on Solana. Most of that exchange requires no trust at all. The transaction is signed by the payer and no one else. The amount, the recipient, and the asset are all fixed in the signed bytes; they cannot be altered after the fact. The chain is the final judge of whether the money moved. In a well-built x402 flow, almost every part is trustless by construction.
Almost. There is one piece that is not, and pretending otherwise would be dishonest. That piece is the facilitator. This is the story of exactly what it is trusted to do, what it cannot do no matter what, and how a good design shrinks the trust down to something you can actually hold accountable.
What a facilitator is
In the x402 flow, the resource server does not talk to the blockchain directly. It hands the payment off to a facilitator, which does two jobs.
First, verify. The facilitator takes the payer's signed transaction and checks it against the price the server demanded: the right amount, the right recipient, the right asset, a valid signature, a not-yet-expired transaction, and an instruction sequence that matches the scheme exactly. If anything is off, it says so and the exchange stops before any money moves.
Second, settle. Once verified, the facilitator adds its own signature as the fee payer and broadcasts the transaction to Solana. It waits for confirmation and reports back whether the payment landed, with the on-chain signature as the receipt.
Verify, then settle. The facilitator is the part of the rail that touches the chain so the server does not have to. Every server that speaks x402 leans on some facilitator to do this. The question is not whether to trust one — it is how little you can get away with trusting.
What it genuinely cannot do
Before worrying about the trust, it helps to be precise about the walls that already exist, because they are higher than people assume.
It cannot forge a payment. The transaction is signed by the payer's key, which the facilitator never holds. It cannot manufacture a payment the payer did not authorize, because it cannot produce that signature. The most it can do with a valid payment is submit it or refuse to.
It cannot change the amount or the recipient. Those are inside the signed bytes. Altering them invalidates the signature, and the chain rejects it. The facilitator cannot skim a payment or redirect it; it can only pass along exactly what the payer signed.
It cannot make the chain lie. Settlement either happens on Solana or it does not, and anyone can look. The facilitator's report is checkable against the ledger. If it claims a payment settled, the on-chain signature it returns either exists and matches or it does not.
So the facilitator is not a custodian and not an authority over the money. It never holds the payer's funds and never holds the payer's key. Its power is narrower than that, and pinning down exactly where it lies is the whole point.
Where the trust actually sits
Given those walls, what is left to trust? Two things, mainly.
Availability. The facilitator is in the path. If it goes down or refuses to serve, the exchange stalls — not because it can steal, but because it can withhold. A payer with a perfectly valid payment gets no response if the facilitator will not process it. This is a liveness problem, not a safety one: your money is never at risk, but the service can be denied.
Honest settlement. The subtle case is a facilitator that verifies a payment, returns a 200 to the server so the server hands over the resource, and then never actually settles on chain — or settles a different, smaller amount. The payer got what it paid for; the server is the one shorted. The facilitator sits between "the server believes it was paid" and "the payment is really on chain," and a dishonest one can try to live in that gap.
Notice what this is not. It is not a risk to the payer's funds, which are only ever moved by the payer's own signature. It is a risk to the server's revenue and to the integrity of the settlement record. That is a real risk, and it is the one worth designing against.
No API key, and why that is deliberate
A facilitator requires no authentication from the servers that use it. There is no API key, no account, no login between a resource server and its facilitator. This looks careless until you see the reason: it is what lets many independent servers share one facilitator without anyone managing a roster of credentials, and it is what keeps the rail open rather than gated behind whoever issues the keys.
The tradeoff is that abuse cannot be controlled by revoking a key, because there are no keys. It has to be controlled some other way — by rate-limiting on the payer and the caller's address, by the economics below — rather than by a gatekeeper. Openness is a design choice here, not an oversight, and it pushes the accountability problem onto the mechanism instead of onto a login screen.
Turning "trust me" into "trust the collateral"
The honest-settlement risk is the one that matters, and the answer is not to ask nicely. It is to make dishonesty cost more than it can ever pay.
Otomat's settlement program lets a facilitator post a bond on chain — collateral, locked in a program account, that stands behind its promise to settle honestly. If a facilitator can be proven to have shortchanged a settlement — taken a 200 for a payment it did not actually land — that proof lets the bond be slashed. The collateral is taken and the injured party is made whole from it.
This changes the shape of the trust entirely. You are no longer trusting a facilitator because it says it is honest, or because it has a reputation, or because a company name sits behind it. You are trusting it because it has posted more collateral than it could gain by cheating, and because cheating is provable on chain and the collateral is slashable when it is. "Trust me" becomes "trust the collateral," and collateral does not have feelings, incentives, or a bad quarter. It is either there or it is not, and the chain says which.
A staked token backs those bonds, which is the concrete reason Otomat has a token at all. It is not a yield claim or a burn story. It is the collateral layer under the one part of the rail that would otherwise ask for faith.
The honest bottom line
A payment rail that tells you it is fully trustless is either lying or leaving something out. The useful thing is not to pretend the trusted piece away, but to name it exactly, show how narrow it is, and back it with something colder than a promise.
The facilitator can withhold, and it can try to lie about settlement. It cannot touch the payer's funds, forge a payment, or fool the chain. And where it could lie, a bond it would lose by lying stands in the way. That is the whole trust model, stated plainly — which is the only way a payment rail should ever state it.
In the Automat, you trusted the wall because the mechanism was simple enough to understand and the coin was small enough that being wrong once cost you a nickel. Otomat keeps that spirit. The trusted part is small, it is named, and it is bonded. Look at it directly, and decide for yourself.