---
title: "Two providers own 87% of x402. Two of the next eight are zombies. Here's what that means for any agent picking endpoints by category."
slug: x402-concentration-risk-two-providers
canonical: https://x402station.io/blog/x402-concentration-risk-two-providers
date: 2026-05-12
tags: [x402, agentic-commerce, ai-agents, payments, base, security, concentration]
---

This is issue #2 of x402station Weekly — a recurring snapshot of the x402 ecosystem. [Issue #1](https://x402station.io/blog/x402-honeypot-zone-5x-in-60-days) covered catalog growth and the $23.2M honeypot zone. This issue zooms into one specific risk surfaced by the same data: who actually runs x402.

> **Correction, 2026-05-31:** This issue used raw catalog path counts. We later found that some high-count providers return x402 challenges or 200 HTML app shells for random non-catalog paths, so raw path count can overstate effective endpoint supply. The original numbers remain below for audit history. Current `/reports/provider-concentration.json` now publishes both `raw_count` and `effective_count`, plus `wildcard_402_detected` and `spa_fallback_detected` flags.

## TL;DR

- **49,314 active endpoints** across **658 services** on Base mainnet x402.
- **Top 2 providers own 86.93% of the catalog** (`orbisapi.com` 65.32%, `lowpaymentfee.com` 21.61%). The remaining 656 providers split the leftover ~13%.
- **Top 2 are healthy** — `orbisapi.com` 24h uptime 99.4%, `lowpaymentfee.com` 100.0%. So most agents who pick from "the catalog" pay endpoints that work.
- **But two of the next eight providers are 0% healthy** — full zombie state, listed `is_active: true` with current prices, returning errors on every probe. Any agent doing a "top providers" filter without a uptime check picks them.
- Bottom line: **single-source risk + zombie risk in the long tail**. Guard surfaces both via `metadata.high_concentration` and `dead` / `zombie` warnings before signing payment.

## The shape of the catalog right now

Top 10 providers by active endpoint count:

| # | provider | endpoints | % of catalog | 24h uptime | avg latency |
|---|---|---:|---:|---:|---:|
| 1 | `orbisapi.com` | 32,214 | **65.32%** | 99.4% | 450 ms |
| 2 | `lowpaymentfee.com` | 10,659 | **21.61%** | 100.0% | 82 ms |
| 3 | Sponge (`paysponge.com`) | 510 | 1.03% | 63.6% | 667 ms |
| 4 | Freepik (`www.freepik.com`) | 345 | 0.70% | 67.5% | 654 ms |
| 5 | `x402.aurelianflo.com` | 340 | 0.69% | **0%** ⚠️ | — |
| 6 | `www.x402scan.com` | 285 | 0.58% | **0%** ⚠️ | — |
| 7 | `bridge.eruditepay.com` | 284 | 0.58% | 100.0% | 82 ms |
| 8 | `api.strale.io` | 270 | 0.55% | 82.8% | 247 ms |
| 9 | Heurist Mesh (`mesh.heurist.xyz`) | 206 | 0.42% | 79.1% | 373 ms |
| 10 | `api.agentmail.to` | 180 | 0.37% | 51.3% | 344 ms |

The cumulative shares:

- **Top 1**: 65.32% (`orbisapi.com` alone runs almost two-thirds of x402)
- **Top 2**: 86.93%
- **Top 5**: 89.35%
- **Bottom 648**: ~10.65% combined

When an agent prompt says "pick any random x402 inference endpoint" or filters "endpoints in category X under $0.01", it's overwhelmingly picking inside the same two billing namespaces. That's not a moral judgment — orbisapi and lowpaymentfee both run real services with real uptime, and high concentration is normal in early ecosystems. But it has measurable agent-side consequences worth surfacing.

## Single-source risk: what happens if the top provider has an incident

Concentration of this shape compresses operational risk. If `orbisapi.com` rate-limits, rotates an API key, deprecates an endpoint, or has a 90-minute outage, **65% of the catalog is unreachable simultaneously** for any agent that doesn't have a fallback. Not a hypothesis — at the catalog scale we observe, an outage at top-1 looks indistinguishable from an industry-wide x402 outage to a naive agent.

Naive agents don't have fallbacks. Most agent SDK examples we've reviewed (AgentKit, Lucid, Mastra, plain `@x402/fetch`) demonstrate happy-path patterns: pick an endpoint, sign, pay, parse response. There's no concentration-aware retry, no provider-diversity heuristic, no automatic switch to a different namespace on N consecutive failures.

x402station Guard surfaces this via `metadata.high_concentration: true` whenever the target endpoint's provider sits above a configurable share threshold (default 50%). An agent that reads this can:

- Cap how many calls per minute it routes through any single provider, even if cheaper.
- Pre-fetch an alternative URL via `/api/v1/alternatives` (paid, $0.005) before relying on the top-1.
- Refuse to single-source when the operation is high-value, even if the call would otherwise succeed.

```ts
import { wrapWithPreflight } from "x402station-middleware";

const safeFetch = wrapWithPreflight(x402Fetch, {
  block: ["dead", "zombie", "decoy_price_extreme", "never_paid_zombie"],
  // optional: refuse single-sourcing on high-value tasks
  onWarn: (warnings, metadata) => {
    if (metadata.high_concentration && taskValue > 1.0) {
      throw new Error("Refuse: high_concentration on $1+ task; route via /alternatives");
    }
  },
});
```

## Zombie risk: two of the next eight providers are 0% healthy

The more surprising finding is in the long tail. Of the top-10 providers by endpoint count:

- **Position #5 — `x402.aurelianflo.com`** — 340 endpoints, **0% healthy** in the last 24 hours. Every probe over the last day returned an error. Catalog still lists `is_active: true` with current prices.
- **Position #6 — `www.x402scan.com`** — 285 endpoints, **0% healthy**. Same pattern.

That's **625 endpoints (1.27% of the catalog)** in the long tail that an "endpoint-count-ordered" filter — a reasonable heuristic for "established providers" — would route directly into. An agent paying any of those signs `PAYMENT-SIGNATURE`, gets a 5xx or network error post-settlement, and loses the call.

Why these survive in the catalog: agentic.market updates from a mix of provider self-reports and aggregated paid-call outcomes. A zombie that nobody pays generates no negative signal. The catalog has no penalty for being broken if you're never tested. Independent probing (every endpoint, every 10 minutes) closes that visibility gap.

Guard's `dead` / `zombie` warnings catch both providers cleanly — refuses to sign before the wallet ever issues an authorisation. Per the [Issue #1 numbers](https://x402station.io/blog/x402-honeypot-zone-5x-in-60-days), this is part of a larger ~30+ services that 100% error over the last hour or 7-day window.

## What Guard blocks right now

Snapshot from the live catalog (refreshed on every probe pass, every 10 minutes):

- **74 endpoints** at price band ≥ $1,000 USDC (aggregate sticker $23.2M; max single endpoint $500,000).
- **~30+ services** flagged `dead` or `zombie` over the last hour or 7-day window — including the two top-10 entries called out above.
- **`metadata.high_concentration: true`** on every endpoint whose provider sits above the configurable share threshold (default 50%). Right now that surfaces for both top-2 providers (~43k endpoints, 87% of catalog).
- Any URL on the blacklist via `/api/v1/catalog/decoys` (one paid call, $0.005, refreshed every 10 min, full known-bad list).

## Install / try

```bash
npm install x402station-middleware
```

```ts
import { wrapWithPreflight } from "x402station-middleware";
const safeFetch = wrapWithPreflight(x402Fetch);  // fail-closed by default
```

Or via MCP for Claude Code / Cursor / Windsurf / Continue:

```bash
npx -y x402station-mcp
```

Service operators: [`/verified`](https://x402station.io/verified) — $1 USDC for a 30-day signed audit cert. Agents using Guard with `/api/v1/alternatives` prefer verified endpoints when routing around concentration risk or signal blocks.

## What's next

This is issue #2 of x402station Weekly. Next snapshot: **2026-05-26** — first read on the [14-day operator-outreach experiment](https://x402station.io/blog/x402-honeypot-zone-5x-in-60-days) closing 2026-05-19; whether the verified-badge cohort scales beyond the first organic operator who reached out unsolicited.

If you want the concentration-exposure number specific to your agent's catalog filter, [`hello@x402station.io`](mailto:hello@x402station.io) — happy to run the numbers.

— Team (x402station)