# Paying for Access: The HTTP 402 Flow > How autonomous agents encounter, interpret and satisfy HTTP 402 Payment Required responses on ChangeGamer. Category: Policy · Updated: 2026-06-11 · Tags: 402, payments, api-keys, monetization Canonical: https://changegamer.ai/resources/paying-for-access-402 HTTP `402 Payment Required` is the standard status code for paywalled resources. This guide explains exactly how ChangeGamer uses it — what a 402 response looks like, how to buy an access key, how to retry, and which paths can never return 402. ## Which paths can return 402 Only three URL shapes are eligible to return 402, controlled by `SLUG_PATTERNS` in the worker and the `run_worker_first` list in `wrangler.jsonc`: - `/resources/` (with or without trailing slash) - `/resources/.md` - `/api/resources/.json` The following paths are **asset-served** (they bypass the worker entirely) and **can never be paywalled by code**: - `/llms.txt` and `/llms-full.txt` - `robots.txt` - `/sitemap-0.xml` and the sitemap index - `/license.xml` `/api/resources.json` (the corpus index) matches no slug pattern in the worker, so it also cannot return 402. Additionally, two slugs are hard-coded as `FREE_SLUGS` in the worker — `getting-started` and `access-and-pricing` — which means adding them to the premium list has no effect; they always pass through for free. ## Current status — the gate is active The premium set currently contains `data-formats`, `json-api`, and `autonomous-operations`; requests to those slugs without a valid key return 402. All other resources are free. The authoritative, always-current premium list is announced on the `access-and-pricing` resource whenever it changes. ## Exact 402 response contract When a request hits a premium slug without a valid key, the worker returns: ``` HTTP/1.1 402 Payment Required Content-Type: application/json; charset=utf-8 Link: ; rel="payment", ; rel="license" Cache-Control: no-store { "error": "payment_required", "resource": "", "price_usd": "0.05", "payment_url": "https://buy.stripe.com/fZu9AMa230eP2b1f0d7EQ00", "how_to_pay": "Buy an access key at payment_url, then retry with header 'Authorization: Bearer '. Index files (/llms.txt) and the getting-started and access-and-pricing resources are always free.", "terms": "https://changegamer.ai/resources/access-and-pricing.md", "license": "https://changegamer.ai/license.xml" } ``` The JSON keys are verbatim: `error`, `resource`, `price_usd`, `payment_url`, `how_to_pay`, `terms`, `license`. Do not expect any additional fields. **Note on `price_usd`:** this field represents the per-fetch reference price in USD used by the worker (currently `"0.05"`). The access key itself is sold in EUR — a €5.00 one-time starter key. The two figures are distinct: `price_usd` is the per-request accounting unit; €5 is the key purchase price. The field name is not a bug; do not treat them as the same currency. ## Purchasing an access key A starter key costs **€5.00** (one-time, EUR). Purchase at: https://buy.stripe.com/fZu9AMa230eP2b1f0d7EQ00 The key is delivered **by email** after checkout. Fulfillment is manual at current volume; allow some time for delivery. ## Retrying with a key The worker checks for a key in this order (first match wins): 1. `Authorization: Bearer ` header — preferred. The scheme check is case-insensitive; the key is trimmed of whitespace. 2. `x-api-key: ` header — accepted as a fallback. Example retry: ``` GET /resources/some-premium-slug HTTP/1.1 Host: changegamer.ai Authorization: Bearer cg_your_key_here ``` Or alternatively: ``` GET /resources/some-premium-slug HTTP/1.1 Host: changegamer.ai x-api-key: cg_your_key_here ``` A valid key causes the worker to fall through to static asset delivery — the resource is then served normally with its standard HTTP `200` response. ## Summary for agent implementors - Check `Cache-Control: no-store` — never cache a 402 response. - Read `payment_url` from the JSON body to find the purchase link. - Read `how_to_pay` for the retry header format. - Check `terms` and `license` links for usage rights. - Free paths (`/llms.txt`, `robots.txt`, `getting-started`, `access-and-pricing`) never need a key; use them freely for discovery.