Verifiable Purchase Mandate
also known as Signed Purchase Mandate, Agent Payment Mandate
Anchor agent-initiated payments in a cryptographically signed mandate that captures the user's authorization and travels with the transaction, so a merchant or payment network can independently verify the agent acted on genuine user intent.
Context
An agent shops and pays on a user's behalf — booking travel, restocking supplies, settling an API bill. Traditional payment rails assume a human is present at checkout and authorises each charge directly through a card entry, a tap, or a one-time code. When an agent drives the checkout that assumption breaks, and the merchant and payment network see a charge with no direct proof that the human actually approved it.
Problem
Without verifiable evidence of authorization, an agent's payment is indistinguishable from an error, a hallucination, or a compromised key. A merchant cannot tell an approved purchase from an over-eager agent buying the wrong item, the network cannot attribute liability in a dispute, and a blanket pre-authorization that lets the agent spend freely gives away accountability. The system needs proof, checkable after the fact by parties who never saw the user, that a specific purchase matched a specific human authorization.
Forces
- Autonomy wants the agent to transact without a human present at the moment of purchase; accountability wants every charge tied to a verifiable human decision.
- A broad standing authorization is convenient but surrenders non-repudiation, while a per-charge human approval preserves proof and defeats the point of delegating to an agent.
- The merchant and payment network verifying the purchase never observed the user, so trust has to ride in the transaction itself rather than in the agent's word.
Example
A user tells a shopping agent 'reorder my usual coffee when we run low, up to 30 euros a month' and signs an Intent Mandate stating that limit. Two weeks later the agent finds the coffee at 18 euros and places the order, presenting a transaction the mandate covers. The merchant and payment network verify the user's signature, and the charge clears with a record that ties it back to the original authorization.
Diagram
Solution
Therefore:
Represent the user's authorization as a signed mandate — a tamper-evident credential such as a signed JSON-LD object that records the conditions or the exact cart the user approved. For a real-time purchase the user signs a Cart Mandate over the finalised items and price; for a delegated task the user signs an Intent Mandate upfront stating the conditions under which the agent may buy, and the agent later produces a transaction that the mandate covers. The mandate travels with the payment so the merchant, the credential provider, and the network each verify the signature and confirm the charge falls within what was authorised, leaving a non-repudiable trail for dispute resolution.
What this pattern forbids. An agent cannot complete a payment without presenting a mandate that the merchant and network can verify; a charge that exceeds or falls outside the signed Intent or Cart Mandate must be rejected, and no party may settle on the agent's assertion alone.
And the patterns that stand alongside it, or against it —
- complementsAgent-Initiated Payment★— Give an agent a bounded wallet so it can settle a payment mid-request to unlock a resource — answering a payment-required challenge with a verifiable proof — instead of routing every purchase through a human.
- complementsSession-Scoped Payment Authorization·— Bound an agent's autonomous spending by having it open a payment session with a pre-approved cap, stream many micropayments inside that session, and settle once on close, instead of seeking approval for every transaction.
- complementsDelegated Agent Authorization★— Have an agent act for a principal using scoped, short-lived, revocable delegated credentials rather than the principal's own static secrets, so each action stays attributable across the principal-to-agent-to-subagent chain and a compromise is contained.
- complementsDeontic Token Delegation·— Reify obligations, permissions, and prohibitions as transferable deontic tokens that agents pass along the delegation chain with provenance, so duty and accountability transfer with the work, not only the credentials to perform it.
- complementsAgent-Readable Commerce Surface★— Expose a service to agent buyers through a machine-readable product feed and an agent-initiated checkout API rather than a human click funnel, so an agent can discover, compare, and buy against a goal.
Neighbourhood
Click any neighbour to follow the language. Scroll to zoom, drag to pan.
Used in frameworks
- Agent Payments Protocol (AP2)
AP2's central construct is exactly this pattern: signed Intent/Cart/Payment Mandates as verifiable proof of user authorization.
- Agentic Commerce Protocol (ACP)
The buyer authorises spend inside the agent and the merchant receives a scoped, verifiable payment token rather than raw card details.
- Universal Commerce Protocol (UCP)
UCP checkout authorizes payment through the AP2 mandate model, so the user's signed authorization backs the agent's purchase.
References
Provenance
- Source: patterns/verifiable-purchase-mandate.md on GitHub · commit
1b42b7b· view history - Added to catalog:
- Last updated:
- Contribute: open an issue or PR at github.com/agentpatternscatalog/patterns.