Verifiable Intent

Open specification for cryptographic agent authorization in commerce. Tamper-evident delegation chains that bind AI agent actions to human-approved scope.

Draft v0.1
Traditional Commerce vs. Agentic Commerce

Identity
Traditional Commerce: Proves identity. Authentication proves identity — “are you the cardholder?”
Agentic Commerce: Proves identity + delegation. Authentication proves identity and delegation — “is this agent authorized by the cardholder?”
From “who are you?” to “who are you, and who authorized this agent?”

Consent
Traditional Commerce: Direct authorization. Buyer authorizes and pays in one step — consent is captured at the moment of purchase
Agentic Commerce: Delegated authority. Buyer delegates authority before the agent acts — consent and action are separated in time
Consent becomes a durable artifact, verifiable after the fact

Scope
Traditional Commerce: Single transaction. One buyer, one checkout, one atomic event — transaction scope is implicit
Agentic Commerce: Many transactions. One delegation could mean many transactions across merchants over days or weeks
Scope must be explicit and enforceable

Visibility
Traditional Commerce: Buyer evaluates. Seller presents goods — buyer evaluates and decides
Agentic Commerce: Agent decides. Agent may present options or decide autonomously — buyer may never see the merchant
Trust shifts from the checkout UI to delegation signals

Confidence
Traditional Commerce: Established signals. Merchant accepts based on established signals — card network auth, AVS, 3DS, fraud scoring
Agentic Commerce: New signals needed. Merchant needs new signals — is this agent authorized? Within what scope? By whom?
Merchants need authorization, scope, and accountability signals

Delegation Chain

Layer 1: Identity. Issuer signs credential
Layer 2: Intent. User sets constraints
Layer 3: Action. Agent proves scope

Key Capabilities

Layered Credentials

SD-JWT delegation chain binding issuer, user, and agent through key confirmation claims. Each layer cryptographically constrains the next.

Constraint Enforcement

8 constraint types — amount bounds, merchant allowlists, budget caps, recurrence terms — cryptographically bound and machine-verifiable.

Protocol Agnostic

Works across agent payment ecosystems. Integration mappings for AP2, ACP, and UCP. Extensible to other protocols.

Selective Disclosure

Data is private by default, revealed only to the right party at the right time.
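
The selective-disclosure mechanism that SD-JWT provides, shown as an added example that is not taken from the Verifiable Intent specification: the signed payload carries only salted digests in `_sd`, and the holder hands each verifier just the disclosures it needs. The claim names (`max_amount`, `merchant_allowlist`) and sample values are hypothetical, and signing of the payload is left out so the sketch runs with the standard library alone.

```python
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def digest_of(disclosure: str) -> str:
    # SD-JWT hashes the ASCII bytes of the base64url-encoded disclosure.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def make_disclosure(name, value) -> str:
    # A disclosure is base64url(JSON [salt, claim name, claim value]).
    salt = b64url(secrets.token_bytes(16))  # fresh salt blocks guessing of hidden values
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))

def issue(claims: dict, always_visible=()):
    """Return (payload to be signed, disclosures kept by the holder)."""
    payload = {k: v for k, v in claims.items() if k in always_visible}
    disclosures = {k: make_disclosure(k, v)
                   for k, v in claims.items() if k not in always_visible}
    # Sorted so digest order does not reveal the original claim order.
    payload["_sd"] = sorted(digest_of(d) for d in disclosures.values())
    payload["_sd_alg"] = "sha-256"
    return payload, disclosures

def verify_disclosures(payload: dict, presented: list) -> dict:
    """Return the claims this verifier may see; reject uncommitted disclosures."""
    visible = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for disclosure in presented:
        if digest_of(disclosure) not in payload["_sd"]:
            raise ValueError("disclosure matches no digest in the signed payload")
        padded = disclosure + "=" * (-len(disclosure) % 4)
        _salt, name, value = json.loads(base64.urlsafe_b64decode(padded))
        if name in visible:
            raise ValueError(f"claim {name!r} disclosed twice")
        visible[name] = value
    return visible

# Constructed sample; claim names and values are hypothetical.
SAMPLE = {
    "iss": "https://issuer.example",
    "max_amount": {"currency": "USD", "value": 200},
    "merchant_allowlist": ["shop.example", "books.example"],
}

if __name__ == "__main__":
    payload, held = issue(SAMPLE, always_visible=("iss",))
    # The holder reveals only the amount bound to this verifier.
    print(verify_disclosures(payload, [held["max_amount"]]))
```

A verifier that receives only the `max_amount` disclosure learns nothing about the allowlist beyond the fact that one more digest exists, and a disclosure with an altered value fails because its digest is not in the signed `_sd` array.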