Tessera
Try the demo
[PX1]Private x402 · Phase 1 · live demo

Even the server can’t read what it just sent you.

Your browser asks Tessera a question. Before the server replies, it puts the answer in a box that only your browser can open — then throws away the key. The box arrives, your browser unlocks it, and you see the answer. Anyone watching the network sees only a locked box.

Hit Start the demo below to watch it happen. Toggle to Developer view if you want to see the cryptographic envelope on the wire.

Your browser
(the agent)
open lock
locked box
Tessera server
(the API)
Ready

Click Start the demo above. Your browser will ask the Tessera server for some account data, but before the server replies, it’ll lock the answer in a box only your browser can open. Even the server won’t be able to read what it just sent you.

[01]

What just happened.

01

Your browser made a lock

A one-of-a-kind lock + secret-key pair, generated right inside this tab. The open lock can travel anywhere. The secret to opening it never leaves your browser.

02

The server used your lock

The server prepared the answer to your request, put it inside a box, snapped your lock shut on it, and threw away every copy of how to open that lock. Even the server can't read what it just sealed.

03

Only your browser can open it

The locked box came back over the wire. Your browser is the only place in the world with the secret key. It opens the box, hands you the readable answer, and the rest of your code carries on like nothing fancy happened.

This is the first of four layers we’re building. The others hide where the payment went, how much was paid, and who paid it — with a final layer that restricts privacy access to wallets credentialed by their Tessera Score, so it stays out of the wrong hands. Full plan in docs/private-x402.md ↗.

[02] · For developers

Two lines to add this to your agent.

agent.tstypescript
import { wrapFetchWithPayment } from "@x402/fetch";
import { wrapFetchWithEncryption } from "@tessera/sdk";
import { privateKeyToAccount } from "viem/accounts";

const account = privateKeyToAccount(process.env.AGENT_PK as `0x${string}`);

// Compose: payment outer, encryption inner.
const fetchPaying    = wrapFetchWithPayment(fetch, account);
const fetchEncrypted = wrapFetchWithEncryption(fetchPaying);

// Same call as before — payment + encryption both invisible.
const res = await fetchEncrypted(
  "https://www.tesseracredit.com/api/x402/score/0xd8dA6BF2..."
);
const { score, tier } = await res.json();   // already decrypted

Backwards-compatible. If a server doesn’t support encryption, the wrapper returns the cleartext response untouched. Pass { requireEncryption: true } if you need a hard privacy guarantee — the wrapper throws when a 2xx response comes back cleartext.