PROTOCOL · LAYER 2 · AP2
Every payment is bound to a signed mandate.
AP2 (Agent Payments Protocol) is the open mandate format that turns "the agent decided to pay" into "the principal authorized this exact spend, here's the cryptographic proof." AgentWallet ships first-class support for IntentMandate, CartMandate and PaymentMandate — anchored on Base for replay-safe audit.
Three mandate types
Intent → Cart → Payment.
INTENT
IntentMandate
What the agent MAY do. Signed by the Principal. Vendors, caps, time-bound, geographies. The widest grant.
CART
CartMandate
What the agent IS ABOUT TO BUY. Signed by the Agent, references an IntentMandate. Itemized cart, total, expected merchant.
PAYMENT
PaymentMandate
What the agent IS PAYING NOW. Signed by the Agent (and Principal if above threshold). One mandate per settlement.
Schema
An IntentMandate, on the wire.
{
  "type": "IntentMandate",
  "version": "ap2/1",
  "id": "im_01J9X4G8K9Q3P2N1B7H5R6T8X4",
  "principal_id": "prn_01J9X3F2K4Z7T9V1Q5N3M8B2H7",
  "agent_id": "ag_01J9X3F2K4Z7T9V1Q5N3M8B2H7",
  "scope": {
    "vendors": ["meta.com", "google.com", "tiktok.com"],
    "categories": ["digital_advertising"],
    "geographies": ["US", "CA", "GB", "DE"]
  },
  "limits": {
    "per_call_max_usd": 500,
    "per_day_max_usd": 10000,
    "per_month_max_usd": 200000
  },
  "validity": {
    "from": "2026-05-01T00:00:00Z",
    "to": "2026-08-01T00:00:00Z"
  },
  "signature": {
    "alg": "webauthn-es256",
    "cred": "cred_01J9X4G8K9Q3P2N1B7H5R6T8X4",
    "value": "0xabc…f01"
  },
  "anchor_tx": "base://0x91e…b22"
}
Verification
Anyone can verify, no API call required.
Public anchor on Base
Every mandate's hash is anchored on-chain on Base. Counterparties verify against the anchor without trusting AgentWallet.
WebAuthn signatures
Mandates are signed with the principal's WebAuthn ES256 key. Standard COSE format, replayable in any browser.
Mandate chains
PaymentMandate references CartMandate references IntentMandate. The chain is replayable end-to-end.
Revocable + expiring
Principals can revoke; mandates auto-expire on `validity.to`. Revocations are anchored too — no quiet kill.
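How a counterparty might enforce an IntentMandate's scope, limits and validity window before accepting a spend, as an added example that is not AgentWallet's or AP2's own code. The `payment` keys, the `revoked` flag and the half-open validity window are assumptions; `categories`, the monthly cap, and signature and anchor verification are left out because the page does not specify how they are evaluated or canonicalized.

```python
from datetime import datetime

# Constructed sample: a subset of the IntentMandate fields shown in the schema above.
INTENT = {
    "type": "IntentMandate",
    "scope": {
        "vendors": ["meta.com", "google.com", "tiktok.com"],
        "geographies": ["US", "CA", "GB", "DE"],
    },
    "limits": {"per_call_max_usd": 500, "per_day_max_usd": 10000},
    "validity": {"from": "2026-05-01T00:00:00Z", "to": "2026-08-01T00:00:00Z"},
}

def _ts(value):
    # Parse a UTC timestamp such as "2026-05-01T00:00:00Z" into an aware datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_payment(intent, payment, spent_today_usd, now, revoked=False):
    """Return a list of violations; an empty list means the spend is in scope.

    `payment` keys (vendor, geography, amount_usd) are hypothetical: the page
    does not publish the PaymentMandate schema. `now` must be timezone-aware.
    """
    violations = []
    if revoked:
        violations.append("revoked")
    validity = intent["validity"]
    # Assumption: the window is [from, to), so the mandate is expired at validity.to.
    if not (_ts(validity["from"]) <= now < _ts(validity["to"])):
        violations.append("outside_validity")
    # Exact, case-insensitive host match: "meta.com.evil.example" must not pass.
    vendor = payment["vendor"].lower().rstrip(".")
    if vendor not in {v.lower() for v in intent["scope"]["vendors"]}:
        violations.append("vendor_not_in_scope")
    if payment["geography"] not in intent["scope"]["geographies"]:
        violations.append("geography_not_in_scope")
    amount = payment["amount_usd"]
    limits = intent["limits"]
    if amount <= 0 or amount > limits["per_call_max_usd"]:
        violations.append("per_call_limit")
    # The caller supplies the running total already settled today under this mandate.
    if spent_today_usd + amount > limits["per_day_max_usd"]:
        violations.append("per_day_limit")
    return violations
```

The function reports every violation rather than stopping at the first, so a rejected spend can be logged with its full reason set.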