Token-auth strategies
A buyer paying with an ERC-20 needs to authorize the Boson Diamond (or a facilitator) to pull tokens. There are five ways to do this; x402 supports all of them. Picking the right one is a trade-off between buyer signature count and token support.
For the canonical reference, see Concepts → Signing → Token-auth meta-tx.
| Strategy | Sig count | Token support |
|---|---|---|
| ERC-3009 (receive-with-authorization) | 1 | USDC, EURC, some others |
| EIP-2612 (Permit) | 1 | Many modern ERCs (incl. bridged DAI on Optimism / Arbitrum) |
| DAI-style permit | 1 | Canonical Maker DAI on Ethereum mainnet and Polygon PoS |
| Permit2 (Uniswap's) | 1 | Any ERC-20, via Permit2 contract |
| Plain approve + commit | 2 | Any ERC-20 |
Decision tree
ERC-3009
The buyer signs a ReceiveWithAuthorization payload. The Diamond's executeMetaTransactionWithTokenTransferAuthorization pulls the tokens and executes the call atomically.
EIP-2612 Permit
The buyer signs a Permit payload that grants the Diamond allowance with a deadline. The Diamond consumes the permit + executes the call.
DAI-style permit
Canonical Maker DAI on Ethereum mainnet and Polygon PoS uses a non-standard permit(holder, spender, nonce, expiry, allowed, v, r, s) that predates EIP-2612. The signed value is a boolean allowed (true ⇒ MAX_UINT256 allowance, false ⇒ 0) with the nonce supplied in calldata. Boson supports this alongside EIP-2612 via the same on-chain flow (provision allowance, then safeTransferFrom).
A successful DAI permit(allowed=true) leaves the protocol with MAX_UINT256 allowance and is not auto-revoked — users who want single-shot semantics should sign a Permit2 entry instead.
Permit2
Permit2 is a separate contract (Uniswap's). It can hold authority over any ERC-20 the user has approved Permit2 for. Then the buyer signs a Permit2 envelope per use.
The Permit2 contract address is fixed per chain. See Networks → Contract addresses.
Plain approve + commit
Two transactions. The buyer:
- Calls
IERC20.approve(diamond, amount). - Calls
commitToOffer.
Two wallet confirmations. Use only when other strategies aren't available.
Configuring preferences
On the buyer client:
preferredTokenAuth: ["ERC3009", "Permit2", "Permit", "DAIPermit", "approve"]The client picks the first one the seller advertises.
Common gotchas
- Permit2 requires a one-time setup: the user must approve Permit2 itself for each token. After that, individual uses are gas-less authorizations.
- EIP-2612 doesn't work for USDC. USDC has its own non-standard permit. Use ERC-3009 instead.
- DAI's
permit(allowed=true)is not single-shot. It grantsMAX_UINT256and stays granted until the user revokes. For per-use authorization on DAI, use Permit2 instead. - The chain matters. Permit2 is deployed at the same address on most EVMs but not all. Check.