For current endpoint counts and capability-by-capability coverage across DApp, ACP, x402, MPP, USDC Gateway, and Otto X, see Access Paths & Coverage. MPP is intentionally read-only/query-only.
First Decision
| Goal | Default Otto rail | Why |
|---|---|---|
| Read market data, token intelligence, yield opportunities, portfolios, or account state | MPP for Tempo/Stripe read-only clients, x402 for the broadest HTTP catalog, USDC Gateway for gas-free high-frequency reads | These paths do not need principal movement. |
| Execute swaps, bridges, Safe deposits/withdrawals, yield deposits, or Hyperliquid perps | x402, ACP Trade Execution, Otto X, or the DApp | Execution rails understand payment, authorization, transaction receipts, and failure handling. |
| Trade Polymarket | ACP Prediction Markets Agent | Polymarket uses its own deposit, vault, CLOB, order, and redemption flow. |
| Generate images, videos, or AI research | ACP Tools Agent or x402 Tools endpoints | ACP uses flat prepaid jobs with refunds for creative budgets; x402 is better for direct HTTP automation. |
| Operate on X Layer or use autonomous sub-wallet execution | Otto X | X Layer execution uses TEE-custodied sub-wallets, OKX DEX, principalAuth, Yield Copilot, and Yield Watch. |
| Human-guided wallet operation | DApp | Best for users who want a web interface, connected-wallet UX, and visual review. |
Rail Cheat Sheet
| Rail | Payment | Authority and custody | Use it when | Do not use it for |
|---|---|---|---|---|
| DApp | Free tier or holder-gated usage | User-connected wallet and Otto app flows | A human wants guided interaction | Fully autonomous agent loops that need machine-readable receipts |
| ACP | Virtuals ACP job payment and escrow | ACP buyer/source wallet, job escrow, Otto Safe/MPC flows depending on agent | You want marketplace discovery, escrowed jobs, reputation, or Polymarket | Lowest-latency HTTP microcalls |
| x402 | USDC on Base, Polygon, or Solana | Payment wallet for service fees; execution endpoints may use Safes or signed principal movement | You want broad HTTP access and execution from agents or apps | Stripe/Tempo-only clients |
| MPP | Tempo stablecoins or Stripe cards | Payment only; no principal movement | Paid reads and query tools | Swaps, bridges, withdrawals, deposits, perps, or any POST execution |
| USDC Gateway | Circle Gateway USDC | GatewayWallet balance pays reads | High-frequency gas-free reads | Principal-moving execution |
| Otto X | X Layer x402 payments | TEE-custodied sub-wallet per payer; auto-withdraw is the escape hatch | X Layer DEX, autonomous swaps/bridges/DeFi, Yield Copilot, Yield Watch | Users who require direct self-custody of the execution key |
Custody Map
Payment and principal are different things:- Service payment pays Otto for the job or API response.
- Principal is the asset being swapped, bridged, deposited, withdrawn, lent, or traded.
- Read-only rails may require service payment but must not move principal.
- Execution rails must identify the source wallet, destination wallet, chain, token, amount, authorization type, and recovery path before submitting a transaction.
| Pattern | Where it appears | What to know |
|---|---|---|
| User wallet / source wallet | ACP and x402 payment/funding flows | Holds payment funds and may fund Safes, vaults, or sub-wallets. |
| Safe smart account | Trade Execution Agent, yield, swaps, bridges, Hyperliquid funding | Non-custodial account used for execution and token custody during operations. |
| Prediction Markets vault | ACP Prediction Markets Agent | Dedicated Polygon vault/MPC flow used for Polymarket CLOB trading. |
| Hyperliquid account | Trade Execution Agent and Otto X resources | USDC must be deposited before perps can open; margin, leverage, TP/SL, and liquidation risk are separate from spot balances. |
| GatewayWallet | USDC Gateway API | Prefunded balance for Gateway-paid reads. |
| Otto X sub-wallet | Otto X Agentic Wallet V2 | TEE-custodied execution wallet. Use POST /auto-withdraw to sweep funds out. |
Authorization Checklist
Before moving value, users and agents should answer these questions:- What rail is paying the service fee?
- What wallet owns the principal?
- What chain and token contract are being used?
- Is this a read, a quote, a transfer, a swap, a bridge, a vault deposit, a perp order, or a market order?
- What authorization is required: wallet signature, token approval, Permit2, SIWX session, EIP-3009
principalAuth, ACP escrow/payment, or Yield Watch delegation? - What is the revocation or escape path?
- What receipt proves what happened?
| Authorization | Used for | Revocation or recovery |
|---|---|---|
| ERC-20 approval | Letting a router, Safe module, or protocol move a token | Revoke with your wallet’s allowance manager or a trusted revoke tool. |
| Permit2 | Gas-efficient token allowance flows | Revoke the Permit2 allowance if no longer needed. |
| SIWX | x402 session access to paid data after first payment | Let the session expire or reconnect with a new wallet/session. |
EIP-3009 principalAuth | Otto X one-call principal funding | Time-bounded, nonce-protected authorization; unused authorizations expire. |
| ACP job payment/escrow | ACP jobs and resources | Track job state and completion through ACP. |
| Yield Watch policy | Otto X monitoring or autonomous yield actions | Revoke with DELETE /yield-watch. |
Transaction Lifecycle
- Discover: Query supported tokens, chains, vaults, markets, portfolio, or account state first.
- Quote: Get a route, expected output, APY, liquidation context, market probability, or protocol venue.
- Authorize: Sign the service payment and the principal authorization separately when both are needed.
- Execute: Submit the job or HTTP request with the selected route and idempotency key where supported.
- Verify: Store the x402 receipt, ACP job id, tx hash, explorer link, fill id, vault position, or generated artifact URL.
- Monitor: Poll account state until the chain, bridge, vault, CLOB, or Hyperliquid account reflects the expected result.
Recovery Playbooks
| Symptom | Likely cause | First action |
|---|---|---|
| MPP client wants to swap, bridge, deposit, withdraw, or trade | Wrong rail | Route to x402, ACP Trade Execution, Otto X, or the DApp. |
HTTP call returns 402 Payment Required | Service fee not paid yet | Sign the payment and retry with the payment header. |
Otto X returns 409 funds_required | Sub-wallet lacks principal | Deposit the requested token to the returned sub-wallet and retry with the same idempotency key. |
| Swap or bridge route fails | Token unsupported, liquidity thin, route stale, or chain congested | Query supported tokens, use token contract addresses, refresh the quote, and retry with sane slippage. |
| Bridge takes longer than expected | Cross-chain settlement delay | Check the bridge explorer and wait before resubmitting. Avoid duplicate principal movement. |
| Hyperliquid order rejected | No Hyperliquid USDC, order below minimum, invalid leverage, or missing delegation/account state | Query getHyperliquidAccount, deposit USDC, and check the asset’s max leverage with getHyperliquidMarket. |
| Polymarket order rejected | Vault underfunded, market resolved, order too small, or wrong token id | Query getPolymarketAccount, getTrendingMarkets, and getMarketInfo; never invent conditionId or tokenId. |
| Yield recommendation unavailable | APY feed stale or venue not allowlisted | Retry later, choose an allowlisted venue manually, or keep funds idle. |
| Gateway read fails for balance | GatewayWallet underfunded | Top up Gateway USDC or switch to x402/MPP for the read. |
| Payment succeeded but execution failed | Execution-stage failure after fee/payment | Use returned receipt, job id, or tx hashes to inspect state. For Trade Execution swap/bridge failures, automatic refund handling applies where supported. |
Risk Boundaries
Otto automates execution; it does not remove market risk.- Slippage: Quotes can move between quote and execution. Use explicit slippage limits for swaps and bridges.
- Bridge risk: Bridges can delay, fail, or settle at a worse route than expected.
- Yield risk: APY changes; protocols carry smart-contract, liquidity, oracle, and governance risk.
- Perps risk: Leverage can liquidate collateral quickly. TP/SL orders reduce risk but do not guarantee an exit price.
- Prediction-market risk: Shares can go to zero, markets can resolve unexpectedly, and liquidity can disappear.
- Custody differences: Safe-based Trade Execution is non-custodial; Otto X uses TEE-custodied sub-wallets with
auto-withdrawas the user escape hatch. - Data freshness: Read endpoints can be stale for a few seconds or minutes depending on the upstream source.
Agent Guardrails
Autonomous agents should use these defaults unless the user explicitly overrides them:- Prefer reads before writes: portfolio, supported tokens, account state, market data, and route quote.
- Treat MPP and USDC Gateway as read-only rails.
- Require explicit user policy for maximum spend, maximum slippage, bridge destination, leverage cap, liquidation tolerance, and allowed protocols.
- Use token contract addresses when a symbol is ambiguous.
- Reuse idempotency keys when a retry is expected to continue the same operation.
- Store every receipt and tx hash in the user’s session memory.
- Stop and ask for confirmation before moving principal to a new chain, opening leverage, or depositing into a new protocol.
Remaining Documentation To Close The Loop
This page gives the operating model. The next docs that would make agent navigation truly complete are:- A generated, machine-readable rail matrix that maps every capability to DApp, ACP, x402, MPP, USDC Gateway, and Otto X. Status: live in Access Paths & Coverage.
- A universal receipts page explaining x402 receipts, ACP job ids, tx hashes, bridge ids, Hyperliquid fills, Polymarket orders, and artifact URLs.
- A dedicated permissions and revocation page with screenshots for allowances, Permit2, SIWX sessions,
principalAuth, Yield Watch, Safes, and Otto Xauto-withdraw. - A funding cookbook for each rail: payment wallet, Safe, Hyperliquid, Polymarket vault, GatewayWallet, and Otto X sub-wallet.
- Agent policy templates for conservative, balanced, and aggressive Web3 operation.