brokerCapability does three things in one transaction. Once the binding holds, the order is tamper-proof; this page covers what happens next, and why the steps are in this order.
The three steps
- Settlement. The broker recomputes the orderHash and calls transferWithAuthorization(consumer, broker, amount, validAfter, validBefore, orderHash, v, r, s). The token pulls amount from the consumer to the broker, verifying the consumer’s signature over the order hash.
- Grant. The broker calls adapter.grant(consumer, params). The adapter enforces the scarce capability on-chain and returns a receipt, or it reverts if it cannot grant (sold out, no lane control).
- Payout. The fee is amount * feeBps / 10000. The provider (payee) receives amount - fee; the relayer (msg.sender) receives fee.
Why this order
Payout happens after the grant. This is checks-effects-interactions: the provider is paid only once the capability has provably been granted. The whole function is nonReentrant, so a malicious adapter cannot re-enter mid-settlement. The broker holds no funds across the call; every token it pulls in is forwarded within the same transaction.
Atomic, or nothing moved
If the grant reverts, the settlement reverts with it. The EIP-3009 transfer is undone, the token nonce is not consumed, no funds move, and no Brokered event is emitted. A consumer is never charged for a capability they did not receive, and they can safely retry or let the authorization expire. There is no half-paid state to reconcile.
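The settle, grant, payout sequence and its all-or-nothing revert, as an added Python model (not the project's contract code). It assumes the EIP-3009 nonce is the order hash, as in the call above, skips signature verification, and uses hypothetical names (Chain, Revert, broker_capability, the order fields and the two sample adapters).

```python
import copy

class Revert(Exception):
    """Models an EVM revert: every state change in the transaction is undone."""

class Chain:
    """Token state. All names here are hypothetical, chosen for this example."""
    def __init__(self, balances):
        self.balances = dict(balances)  # token balance per address
        self.used_nonces = set()        # EIP-3009 nonces (assumed: the order hash)
        self.events = []

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def broker_capability(chain, order, relayer, adapter_grant):
    """Settle, grant, pay out; restore prior state if any step reverts."""
    snapshot = copy.deepcopy(vars(chain))
    try:
        # 1. Settlement: consume the nonce, pull amount from consumer to broker.
        if order["hash"] in chain.used_nonces:
            raise Revert("authorization already used")
        chain.used_nonces.add(order["hash"])
        chain.transfer(order["consumer"], "broker", order["amount"])
        # 2. Grant: the adapter returns a receipt or raises Revert.
        receipt = adapter_grant(order["consumer"], order["params"])
        # 3. Payout: integer division, as in amount * feeBps / 10000.
        fee = order["amount"] * order["feeBps"] // 10000
        chain.transfer("broker", order["payee"], order["amount"] - fee)
        chain.transfer("broker", relayer, fee)
        chain.events.append(("Brokered", order["hash"], receipt))
        return receipt
    except Revert:
        vars(chain).update(snapshot)  # atomic: nonce, balances, events restored
        raise

# Constructed sample order and adapters (not from the page).
ORDER = {"hash": "0xorder1", "consumer": "consumer", "payee": "provider",
         "amount": 1_000_000, "feeBps": 25, "params": b""}

def sold_out_adapter(consumer, params):
    raise Revert("sold out")

def ok_adapter(consumer, params):
    return "receipt-1"
```

Because the failed attempt leaves the nonce unused, the same signed order can be relayed again once the adapter can grant.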
The relay is permissionless
The relayer is whoever transmitted the transaction (msg.sender). It fronts the gas and earns the predefined feeBps. There is no allowlist and no operator approval: the broker deliberately keeps no list of permitted relayers or adapters, because the consumer already signed the exact adapter into the order. The fee makes relaying a market, not a gate.
On success the broker emits:
Next
- The full brokerCapability signature and the Brokered event are in the contract reference.
- What an adapter must implement is in the IAdapter reference.
- What a malicious relayer still cannot do is in the threat model.

