Kaliski Autonomous Payment Infrastructure Framework
Design safe, deterministic payment flows that allow AI agents to transact with real businesses while minimising credential risk, overspend, and fraud surface area.
// TL;DR
The Kaliski Autonomous Payment Infrastructure Framework is a design system for building safe, deterministic payment flows that let AI agents spend money on behalf of humans. It separates non-deterministic discovery (product search, recommendations) from deterministic transactions (credentials, checkout, payment) and uses scoped Shared Payment Tokens, the Machine Payments Protocol (HTTP 402), and the Agent-to-Commerce Protocol (ACP) to minimize credential risk, overspend, and fraud. Use it whenever you're building an AI agent that purchases goods, API calls, or services — or when you're a merchant accepting payments from autonomous agents.
// When should you use the Kaliski Autonomous Payment Infrastructure Framework?
Use this skill whenever you are building a product, API, or agent workflow that involves AI agents spending money, purchasing API calls, or completing e-commerce checkouts on behalf of a human operator. Also applies when designing a merchant-side system that needs to safely accept payments from autonomous agents.
// What inputs do you need before designing an AI agent payment flow?
- Agent rolerequired
Is the system acting as the agent/buyer side, the seller/merchant side, or both? - Payment scoperequired
What is the agent buying — API calls, physical/digital goods, SaaS subscriptions, or a mix? - Spend policyrequired
Maximum amount, currency, time window, and target seller(s) the agent is permitted to transact with. - Payment methods in play
Cards, crypto, bank transfer, or other methods the agent has access to. - Existing API/checkout surface
What programmatic interfaces (REST APIs, webhooks, MCP endpoints) the seller already exposes.
// What are the core principles of safe autonomous payment infrastructure?
Discovery vs. Determinism Separation
Discovery and exploration benefit from non-determinism — LLMs are perfect for finding, recommending, and planning. Credentials, payments, and checkout require determinism — not just benefit from it, but require it. Never let non-deterministic browsing behaviour touch the transactional layer.
Agents as Economic Actors
Agents are already spending money (tokens convert to dollars through LLM provider subscriptions). The design challenge is extending that spend to arbitrary merchants safely, not debating whether agents should spend at all.
Minimised Blast Radius
Every credential shared with a seller must encode a mandate — a smart-contract-style set of limitations (amount cap, currency, time window, seller scope) enforced by a trusted third party (the payment processor), not by trusting the seller to self-limit.
Seller Remains in Control
Agent-native payment flows must still supply sellers with the signals they need for risk analysis (card brand, last four digits, credit type, etc.). The goal is not to hide the agent from the seller but to give the seller a structured, trustworthy channel to interact with agents.
Robots Prefer Code
Web UIs and browser-operated checkouts increase the likelihood of non-determinism interacting with your business. Every seller should expose agent-friendly, API-driven interfaces so agents can operate in purely programmatic back-and-forth rather than scraping or clicking.
// How do you apply the Kaliski payment framework step by step?
- 1
Classify every agent action as Discovery or Transactional
Map out the agent's full task flow. Label each step: is it finding/recommending (non-deterministic OK) or credentialing/paying/checking out (must be deterministic)? Draw a hard boundary between the two zones. Nothing that crosses the boundary should rely on browser automation or parsed UI text.
- 2
Provision a Shared Payment Token for each intended transaction
On the buyer/agent side, create a Shared Payment Token that wraps the underlying payment credential (card, wallet, etc.) and encodes: (a) maximum spend amount, (b) permitted currency, (c) expiry time window, (d) target seller scope. This token — not the raw credential — is what gets handed to the seller. The payment processor enforces the mandate; you do not rely on seller honesty.
- 3
Implement the Machine Payments Protocol (402 flow) for API/tool-call purchases
If the agent is purchasing access to a tool or protected endpoint rather than a physical/digital product: the server returns HTTP 402 with an encoded payload describing what is being purchased, who the recipient is, and the payment mechanism. The agent reads this payload, approves payment using its Shared Payment Token or on-chain method, and retries the request. Never pass raw API keys for ephemeral tool interactions.
- 4
Expose a machine-readable product catalog on the seller side
Replace or augment the human-facing storefront with a structured JSON catalog (products, descriptions, images, pricing). This eliminates the need for the agent to crawl, click, or parse HTML — it selects directly from structured data. This is the entry point to the Agent-to-Commerce Protocol (ACP).
- 5
Implement the Agent-to-Commerce Protocol (ACP) checkout loop
The ACP defines a stateful, API-driven back-and-forth between agent and seller PSP. Each agent action (add item, change quantity, select shipping, apply payment method) triggers a seller response returning the full current cart state in structured form: line items, base prices, applicable tax, fulfillment options. The agent never infers cart state from a UI; it reads it from the structured response. Continue loop until agent confirms and payment is submitted via Shared Payment Token.
- 6
Relay cart state back to the human operator before final payment
Because an agent acts as a proxy between buyer and seller, there is a risk of incorrectly relaying purchase details. Before executing final payment, surface the structured cart state (items, amounts, taxes, shipping) to the human operator for confirmation where the purchase value or complexity warrants it. This minimises disputes and chargebacks.
- 7
Audit the transaction trail
Shared Payment Tokens are auditable by design — the payment processor logs each attempted charge, the mandate applied, and whether it was approved or rejected. Build logging into the agent workflow so every spend decision (including rejections due to mandate violation) is observable and attributable. This is the equivalent of a dashboard for the autonomous economy.
- 8
Design recurring or budget-based policies using token refresh flows
For ongoing agent spend (e.g. weekly budgets, subscription-style access), model the credential lifecycle similarly to an OAuth access-and-refresh flow: the agent requests subsequent usage tokens as needed, each still scoped to a seller and amount. Do not issue an uncapped, long-lived credential — issue many tightly scoped short-lived ones.
// What are real-world examples of AI agents making payments safely?
A SaaS company wants its AI assistant to autonomously reorder cloud infrastructure credits from a third-party vendor whenever usage drops below a threshold.
Classify the threshold-monitoring and vendor-selection steps as Discovery (non-deterministic OK). When the agent decides to purchase, provision a Shared Payment Token capped at the approved monthly budget, scoped to the specific vendor's seller ID, with a 30-day expiry. The vendor's API returns a 402 if the agent hits a protected provisioning endpoint without payment; the agent resolves this via the Machine Payments Protocol, approves the penny-level or credit-level charge, and retries. The SaaS company audits every token usage in the payment processor dashboard.
An e-commerce brand wants to let AI shopping agents from any platform purchase books or merchandise from its online store without the agent scraping the checkout UI.
Expose a JSON product catalog via the Agent-to-Commerce Protocol (ACP). When an agent initiates a checkout, enter the ACP loop: agent sends buyer info, line items, and quantity; seller responds with structured cart state including tax and shipping options. Agent selects shipping, seller updates state. Agent submits a Shared Payment Token (scoped to this seller, capped at stated cart total). Payment processor enforces the mandate, charges only the approved amount, and passes card brand and last-four to the seller for their existing risk systems. Human buyer receives the final cart summary before payment fires.
// What mistakes should you avoid when building AI agent payment systems?
- Passing a raw card number or full payment credential to a seller — the seller can charge any amount; the mandate is unenforceable.
- Letting the agent operate a browser-based checkout form — form-filling and UI-clicking is slow, finicky, hard to observe, and produces non-deterministic outcomes in the transactional layer where determinism is required.
- Trusting the price the agent parsed from a webpage — prices drift, currencies differ, taxes are added; the only reliable price is the one returned in structured form by the ACP cart-state response.
- Issuing a single high-limit, long-lived credential instead of many tightly scoped short-lived Shared Payment Tokens — a compromised or misrouted token becomes a large blast radius.
- Hiding the agent's identity from the seller — sellers need card brand, last four, and credit type to run their existing risk analysis; suppressing this data breaks their fraud systems and reduces acceptance rates.
- Mixing discovery and transactional logic in the same non-deterministic loop — LLM-driven browsing is appropriate for finding products, never for executing payment.
// What are the key terms in the Kaliski Autonomous Payment Infrastructure Framework?
- Shared Payment Token
- A payment credential issued by the agent side that wraps an underlying payment method (card, wallet, etc.) and encodes a mandate — spend cap, permitted currency, time window, and target seller scope — enforced by the payment processor, not by the seller.
- Machine Payments Protocol
- A protocol (co-developed with Tempo) enabling HTTP-based tool calls to signal the need for payment by returning an HTTP 402 status code with an encoded payload describing what is being purchased, who the recipient is, and the payment mechanism; the agent resolves the 402 and retries.
- Agent-to-Commerce Protocol (ACP)
- A standard set of APIs and objects (co-developed with OpenAI) that define a stateful, structured back-and-forth between an agent, a seller, and their payment service provider — covering product catalog expression, cart creation, quantity updates, shipping selection, and checkout — replacing browser-based UI interaction with deterministic API calls.
- Discovery vs. Determinism Separation
- The architectural principle that the discovery/planning phase of an agent (finding products, making recommendations) can and should be non-deterministic, while the credentials/payments/checkout phase must be exclusively deterministic.
- Blast Radius
- The maximum financial or security damage possible if an agent transaction goes wrong — minimised by scoping every Shared Payment Token tightly to seller, amount, currency, and time.
- Mandate
- The encoded set of spend limitations (amount, currency, time, seller) attached to a Shared Payment Token, functioning like a smart contract enforced by the payment processor.
- 402 Flow
- The Machine Payments Protocol interaction pattern: agent calls a protected endpoint, receives HTTP 402 with payment instructions, approves payment, retries request, receives the resource.
- Robots Prefer Code
- Kaliski's shorthand for the principle that agents should interact with seller systems via APIs and structured data (the right-hand side), not via dashboards or browser UIs built for humans (the left-hand side).
- Agents as Economic Actors
- The observation that AI agents are already spending money (tokens convert to dollars through LLM provider billing) and the design challenge is safely extending that spend to arbitrary third-party merchants.
// FREQUENTLY ASKED QUESTIONS
What is the Kaliski Autonomous Payment Infrastructure Framework?
It is a design framework for building safe payment flows that let AI agents transact with real businesses on behalf of human operators. Developed from principles presented by Steve Kaliski of Stripe, it separates non-deterministic discovery from deterministic payment execution, uses scoped Shared Payment Tokens enforced by payment processors, and defines structured protocols (ACP and Machine Payments Protocol) so agents never touch raw credentials or browser-based checkout UIs.
What is a Shared Payment Token in AI agent payments?
A Shared Payment Token is a payment credential that wraps an underlying payment method (card, wallet) and encodes a mandate — a spend cap, permitted currency, time window, and target seller scope. The payment processor enforces these limits, not the seller. This minimizes blast radius if a token is compromised, because the attacker can only charge the scoped amount to the scoped seller within the scoped time window.
How do I build a payment system for AI agents?
Start by classifying every agent action as discovery (non-deterministic, LLM-driven) or transactional (must be deterministic). Provision Shared Payment Tokens with spend caps and seller scope for each transaction. Expose a machine-readable product catalog. Implement the Agent-to-Commerce Protocol for structured checkout loops. Relay final cart state to the human operator for confirmation. Audit every transaction via the payment processor's logs. Use short-lived, tightly scoped tokens instead of long-lived credentials.
How do I let AI agents buy things from my online store?
Expose a JSON product catalog via the Agent-to-Commerce Protocol (ACP) instead of requiring agents to scrape your website. Implement a stateful API-driven checkout loop where the agent sends line items and quantities, your system responds with structured cart state including tax and shipping, and the agent submits a Shared Payment Token. Your existing risk systems still receive card brand and last-four data for fraud analysis. This replaces fragile browser automation with deterministic API calls.
How does the Kaliski framework compare to just letting agents use browser automation for checkout?
Browser automation is non-deterministic — form-filling and UI-clicking is slow, fragile, hard to observe, and produces unreliable outcomes in the transactional layer. The Kaliski framework replaces this with deterministic, API-driven protocols (ACP and Machine Payments Protocol). Agents interact via structured JSON, not parsed HTML. Prices come from the seller's API response, not scraped text. Credentials are scoped tokens, not raw card numbers pasted into form fields. The result is faster, safer, auditable transactions with far fewer failure modes.
When should I use the Kaliski Autonomous Payment Infrastructure Framework?
Use it whenever you are building an AI agent that spends money — purchasing API calls, ordering physical or digital goods, subscribing to SaaS services, or reordering inventory. Also use it when you are a merchant or platform that needs to accept payments from autonomous agents. It applies on both the buyer/agent side (token provisioning, spend policies) and the seller side (structured catalogs, ACP checkout loops).
What is the Machine Payments Protocol and HTTP 402 flow?
The Machine Payments Protocol uses the HTTP 402 status code to signal that a protected endpoint requires payment before granting access. When an agent calls the endpoint, the server returns 402 with a payload describing what is being purchased, who the recipient is, and the payment mechanism. The agent approves payment using its Shared Payment Token or on-chain method, then retries the request. This replaces API key distribution for ephemeral tool interactions with a pay-per-call model.
What results can I expect from implementing the Kaliski payment framework?
You can expect reduced credential risk because tokens are scoped and short-lived, lower fraud and chargeback rates because cart state is relayed to humans before payment fires, higher payment acceptance rates because sellers still receive card brand and risk signals, faster and more reliable checkout because agents use structured APIs instead of browser automation, and full auditability of every agent spend decision including mandate violations. Merchants gain a new sales channel without compromising their existing risk infrastructure.
What is the Agent-to-Commerce Protocol (ACP)?
The Agent-to-Commerce Protocol is a standard set of APIs co-developed with OpenAI that defines a stateful, structured back-and-forth between an agent, a seller, and their payment service provider. It covers product catalog expression, cart creation, quantity updates, shipping selection, and checkout — replacing browser-based UI interaction with deterministic API calls. Each agent action triggers a seller response returning the full current cart state in structured JSON.
How do I prevent my AI agent from overspending?
Provision Shared Payment Tokens with explicit mandates: a maximum spend amount, permitted currency, expiry time window, and target seller scope. The payment processor enforces these limits at the infrastructure level — the agent cannot exceed them even if its logic fails. For ongoing budgets, model the credential lifecycle like OAuth: issue many tightly scoped short-lived tokens rather than one high-limit long-lived credential. Audit every token usage and mandate violation in the processor dashboard.