Frequently Asked Questions About Kaliski Autonomous Payment Infrastructure Framework

21 answers covering everything from basics to advanced usage.

// Basics

What does Discovery vs. Determinism Separation mean in AI agent payments?

It means that the discovery and planning phase of an agent workflow — finding products, comparing prices, making recommendations — can and should leverage the non-deterministic nature of LLMs. But the transactional phase — handling credentials, executing payments, completing checkout — must be exclusively deterministic, using structured APIs and scoped tokens. These two zones must have a hard boundary. No browser automation or parsed UI text should cross from discovery into transactions.

Why are AI agents already considered economic actors?

Every time an AI agent makes an LLM API call, it spends real money — tokens convert to dollars through provider billing. Agents are already economic actors by definition. The Kaliski framework recognizes that the design challenge is not whether agents should spend money, but how to safely extend that spending to arbitrary third-party merchants beyond the LLM provider. This reframing shifts the focus from philosophical debate to practical infrastructure.

What is blast radius in the context of AI agent payments?

Blast radius is the maximum financial or security damage possible if an agent transaction goes wrong — whether through a compromised token, a misrouted payment, or a logic error. The Kaliski framework minimizes blast radius by scoping every Shared Payment Token tightly to a specific seller, amount, currency, and time window. If a token is leaked, the attacker can only charge the approved amount to the approved seller within the approved window. This is fundamentally different from sharing a raw credit card number.

What is the difference between a mandate and a regular spending limit?

A regular spending limit is typically a single number — a maximum balance or daily cap — applied across all merchants. A mandate, as defined in the Kaliski framework, is a multi-dimensional constraint encoded directly into the payment token: spend cap, permitted currency, time window, and target seller scope. Crucially, mandates are enforced by the payment processor at the infrastructure level, not by the agent's logic or the seller's honesty. This makes them tamper-resistant and auditable.

What inputs do I need to start designing an AI agent payment system?

You need five inputs: the agent's role (buyer side, seller side, or both), the payment scope (API calls, physical goods, digital goods, SaaS, or a mix), the spend policy (maximum amount, currency, time window, target sellers), the payment methods in play (cards, crypto, bank transfer), and the existing API or checkout surface the seller exposes. Agent role and payment scope are required; payment methods and existing surface are helpful but optional.

// How To

How do I classify agent actions as discovery vs. transactional?

Map out the agent's full task flow and label each step. If the step involves finding, recommending, comparing, or planning — it is discovery, and non-deterministic LLM behavior is fine. If the step involves handling credentials, submitting payment information, confirming a purchase, or interacting with checkout — it is transactional, and must be deterministic. Draw a hard boundary between the two. Nothing crossing this boundary should rely on browser automation or parsed UI text.

How do I provision a Shared Payment Token for an AI agent?

On the buyer/agent side, create a token that wraps the underlying payment method and encodes a mandate: maximum spend amount, permitted currency, expiry time window, and target seller scope. Issue this token through your payment processor's API (such as Stripe). The token — not the raw credential — is what gets handed to the seller. The payment processor enforces the mandate server-side. For recurring spend, model it like OAuth: issue short-lived tokens and refresh as needed, each tightly scoped.
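The check the processor applies to each charge against a token's mandate, as an added example (not Stripe's API and not code from the framework). The `Mandate` fields, the reason strings and the seller names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal

@dataclass
class Mandate:
    """Constraints carried by one Shared Payment Token (hypothetical fields)."""
    seller_id: str
    currency: str
    max_amount: Decimal
    not_before: datetime
    expires_at: datetime
    spent: Decimal = Decimal("0")  # running total kept by the processor

def issue_mandate(seller_id, currency, max_amount, ttl, now):
    """Short-lived issuance; a refresh is simply a new, equally narrow mandate."""
    return Mandate(seller_id, currency, Decimal(max_amount), now, now + ttl)

def authorize(mandate, seller_id, amount, currency, now):
    """Processor-side check. Returns (approved, reason); only approvals spend."""
    if not (mandate.not_before <= now < mandate.expires_at):
        return False, "outside_time_window"
    if seller_id != mandate.seller_id:
        return False, "seller_out_of_scope"
    if currency != mandate.currency:
        return False, "currency_not_permitted"
    if amount <= 0:
        return False, "invalid_amount"
    if mandate.spent + amount > mandate.max_amount:  # cap is cumulative
        return False, "spend_cap_exceeded"
    mandate.spent += amount
    return True, "approved"

def demo():
    t0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    m = issue_mandate("seller_books", "USD", "50.00", timedelta(minutes=15), t0)
    attempts = [  # (seller, amount, currency, time), all constructed
        ("seller_books", Decimal("30.00"), "USD", t0 + timedelta(minutes=1)),
        ("seller_other", Decimal("5.00"), "USD", t0 + timedelta(minutes=2)),
        ("seller_books", Decimal("30.00"), "USD", t0 + timedelta(minutes=3)),
        ("seller_books", Decimal("10.00"), "EUR", t0 + timedelta(minutes=4)),
        ("seller_books", Decimal("10.00"), "USD", t0 + timedelta(minutes=20)),
    ]
    return [authorize(m, *a)[1] for a in attempts]
```

Because the check runs at the processor, a leaked token fails every attempt that leaves the approved seller, currency, amount or window, whatever the agent or seller does.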

How do I implement the HTTP 402 flow for AI agent tool purchases?

When an agent calls a protected endpoint that requires payment, return HTTP 402 with a structured payload describing: what is being purchased, who the payment recipient is, and the accepted payment mechanism. The agent reads this payload, approves payment using its Shared Payment Token or an on-chain method, attaches proof of payment to the request, and retries. The server validates payment and returns the resource. This replaces distributing long-lived API keys for ephemeral tool interactions.
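The 402 exchange described above with both sides simulated in-process, as an added example that is not code from the framework. The payload field names, the HMAC-signed receipt used as proof of payment, the shared key and the `/geocode` endpoint are all assumptions.

```python
import hashlib, hmac, json, secrets
from decimal import Decimal

PROCESSOR_KEY = b"constructed-demo-key"  # assumption: processor/seller shared secret
OFFER = {"item": "geocode-lookup", "recipient": "seller_maps", "amount": "0.02",
         "currency": "USD", "mechanism": "shared_payment_token"}
FIELDS = ("quote_id", "recipient", "amount", "currency")
open_quotes = {}  # quote_id -> quote; an entry is deleted when redeemed

def sign(receipt):
    msg = json.dumps(receipt, sort_keys=True).encode()
    return hmac.new(PROCESSOR_KEY, msg, hashlib.sha256).hexdigest()

def processor_pay(quote):
    """Stand-in for the processor: charge the token, return a signed receipt."""
    receipt = {k: quote[k] for k in FIELDS}
    return {"receipt": receipt, "sig": sign(receipt)}

def server_handle(request):
    """Protected endpoint: 402 plus a quote, or 200 once payment is proven."""
    proof = request.get("payment_proof")
    if proof is None:
        quote = dict(OFFER, quote_id=secrets.token_hex(8))
        open_quotes[quote["quote_id"]] = quote
        return 402, quote
    receipt, sig = proof.get("receipt", {}), str(proof.get("sig", ""))
    if not hmac.compare_digest(sign(receipt).encode(), sig.encode()):
        return 402, {"error": "invalid_proof"}
    quote = open_quotes.get(receipt.get("quote_id"))
    if quote is None or any(quote[k] != receipt.get(k) for k in FIELDS):
        return 402, {"error": "unknown_or_redeemed_quote"}
    del open_quotes[quote["quote_id"]]  # single use: a replayed proof fails
    return 200, {"result": "resource body"}

def agent_call(max_price):
    """Agent side: call, read the 402 payload, pay if policy allows, retry."""
    status, body = server_handle({"path": "/geocode"})
    if status != 402:
        return status, body
    if (body["mechanism"] != "shared_payment_token"
            or Decimal(body["amount"]) > max_price):
        return 402, {"error": "declined_by_agent_policy"}
    return server_handle({"path": "/geocode",
                          "payment_proof": processor_pay(body)})
```

Binding the receipt to a one-time quote id is what keeps a captured proof from being replayed for a second resource.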

How do I expose a machine-readable product catalog for AI agents?

Replace or augment your human-facing storefront with a structured JSON catalog accessible via API. Include product names, descriptions, images, pricing, available variants, and inventory status. This eliminates the need for agents to crawl, click, or parse HTML. The catalog serves as the entry point to the Agent-to-Commerce Protocol (ACP). Agents select directly from structured data, ensuring prices and availability are authoritative rather than scraped and potentially stale.

How do I audit AI agent spending in the Kaliski framework?

Shared Payment Tokens are auditable by design. The payment processor logs every attempted charge, the mandate applied, and whether it was approved or rejected. Build logging into your agent workflow so every spend decision — including rejections due to mandate violations — is observable and attributable to a specific agent, task, and human operator. This creates a transaction dashboard for the autonomous economy. Use this audit trail for budget reviews, anomaly detection, and dispute resolution.
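One way to turn that audit trail into a review queue, as an added example (not the framework's code): it attributes each token to its agent, task and operator and flags tokens whose rejections suggest a leak or misrouting. The log lines are constructed and the record field names are assumptions, not a real processor's schema.

```python
import json
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed processor audit records, one JSON object per line.
AUDIT_LOG = """
{"token":"spt_a1","agent":"shopper-1","task":"t-17","operator":"alice","seller":"seller_books","amount":"30.00","decision":"approved","reason":"approved"}
{"token":"spt_a1","agent":"shopper-1","task":"t-17","operator":"alice","seller":"seller_books","amount":"30.00","decision":"rejected","reason":"spend_cap_exceeded"}
{"token":"spt_b2","agent":"shopper-2","task":"t-18","operator":"bob","seller":"seller_maps","amount":"0.02","decision":"approved","reason":"approved"}
{"token":"spt_b2","agent":"shopper-2","task":"t-18","operator":"bob","seller":"seller_x","amount":"49.00","decision":"rejected","reason":"seller_out_of_scope"}
{"token":"spt_b2","agent":"shopper-2","task":"t-18","operator":"bob","seller":"seller_y","amount":"49.00","decision":"rejected","reason":"seller_out_of_scope"}
"""

def review_tokens(log_text, max_rejections=3):
    """Return {token: summary}; 'flags' lists why a token needs human review."""
    tokens = defaultdict(lambda: {"approved_total": Decimal("0"),
                                  "rejections": Counter(), "owner": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        t = tokens[rec["token"]]
        t["owner"] = (rec["agent"], rec["task"], rec["operator"])  # attribution
        if rec["decision"] == "approved":
            t["approved_total"] += Decimal(rec["amount"])
        else:
            t["rejections"][rec["reason"]] += 1
    for t in tokens.values():
        flags = []
        # A charge attempted at a seller outside the mandate means the token
        # reached a party it was never issued for: leaked or misrouted.
        if t["rejections"]["seller_out_of_scope"]:
            flags.append("presented_to_out_of_scope_seller")
        if sum(t["rejections"].values()) >= max_rejections:
            flags.append("repeated_rejections")
        t["flags"] = flags
    return dict(tokens)
```

A single cap rejection from the token's own seller is ordinary budget exhaustion and is not flagged; out-of-scope attempts are, because the mandate already blocked them and the token should be revoked and reissued.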

// Troubleshooting

What happens if my Shared Payment Token is compromised?

Because each token is scoped to a specific seller, amount, currency, and time window, the blast radius is contained. An attacker can only charge the approved amount to the approved seller within the approved window. Compare this to a compromised raw card number, which can be used for unlimited charges at any merchant. Additionally, the payment processor logs every attempted charge against the token, so compromised tokens are quickly detectable. Short expiry windows further limit exposure.

Why does my AI agent's checkout fail when using browser automation?

Browser-based checkout is inherently non-deterministic — form fields change, CAPTCHAs appear, page layouts shift, JavaScript rendering varies, and session states expire. This violates the Discovery vs. Determinism Separation principle. The Kaliski framework replaces browser automation with the Agent-to-Commerce Protocol, where every checkout interaction is a structured API call with a predictable response. If you must interact with a legacy storefront, the solution is to ask the merchant to expose an ACP endpoint, not to build more robust scraping.

What if the price the agent found during discovery differs from the actual checkout price?

This is a known pitfall. Prices drift, currencies differ, taxes are added, and promotions expire. The only reliable price is the one returned in structured form by the ACP cart-state response during the transactional phase. Never trust a price the agent parsed from a webpage or remembered from the discovery phase. The ACP loop ensures the agent sees the authoritative price, tax, and shipping before submitting payment. The human operator confirmation step provides a final safety net.

What if a seller doesn't support the Agent-to-Commerce Protocol yet?

If a seller only offers a human-facing web checkout, the agent faces the exact non-determinism problems the Kaliski framework warns against. The recommended approach is to advocate for the seller to expose an ACP endpoint or at minimum a structured API. As an interim measure, some teams use a human-in-the-loop step where the agent prepares the order details and a human completes the browser checkout. Avoid building increasingly complex browser automation — it compounds the fragility problem rather than solving it.

// Comparisons

How does the Kaliski framework compare to giving agents a virtual credit card?

A virtual credit card is a step in the right direction but lacks mandate enforcement. A virtual card has a number, expiry, and CVV — an agent or compromised system can use it at any merchant for any amount up to the card limit. A Shared Payment Token goes further: the payment processor enforces seller scope, amount cap, currency, and time window at the infrastructure level. The Kaliski framework also adds the ACP and 402 protocol layers, which virtual cards alone don't provide.

How does the Agent-to-Commerce Protocol compare to standard e-commerce APIs like Shopify's Storefront API?

Standard e-commerce APIs like Shopify's Storefront API were designed for human-driven frontend applications — they assume a browser session, user authentication, and UI rendering. The ACP is designed natively for agent interaction: stateful API-driven cart management, structured JSON responses with authoritative pricing and tax, and integration with Shared Payment Tokens. While Shopify's API could serve as a foundation, the ACP adds the agent-specific checkout loop, mandate-based payment, and seller risk signal preservation that standard APIs lack.

// Advanced

How do I handle recurring or subscription-based agent spending?

Model the credential lifecycle like OAuth access-and-refresh tokens. Issue a short-lived Shared Payment Token scoped to the subscription amount and seller. When the token expires or is consumed, the agent requests a new one, still scoped tightly. Never issue an uncapped, long-lived credential. For weekly or monthly budgets, set the time window and amount cap accordingly and refresh at each cycle. Every renewal is an opportunity to review and adjust spend policy based on audit data.

Can I use the Kaliski framework for crypto or blockchain payments?

Yes. The framework is payment-method agnostic. The Shared Payment Token concept maps naturally to on-chain smart contracts that encode mandates (amount, recipient, time window). The Machine Payments Protocol's 402 flow can specify crypto as the payment mechanism in its payload. The key principle remains the same: encode limitations in the credential, enforce them at the protocol level, and never let the agent hold an unscoped private key or wallet credential. Blockchain's native programmability can make mandate enforcement even stronger.

Should I hide from the seller that the buyer is an AI agent?

No. The Kaliski framework explicitly warns against hiding the agent's identity from the seller. Sellers need card brand, last four digits, and credit type signals to run their existing risk analysis and fraud detection. Suppressing this data breaks their fraud systems and reduces payment acceptance rates. The goal is to give sellers a structured, trustworthy channel to interact with agents — not to disguise agents as humans. Transparency benefits both sides.

Can multiple agents share the same Shared Payment Token?

It is technically possible but strongly discouraged. Each token should be scoped to a single transaction or a tightly defined spend session for a specific agent. Sharing tokens across agents increases blast radius — if one agent is compromised, the shared token's full mandate is exposed. Issue separate tokens for each agent, each scoped to its specific seller, amount, and time window. This aligns with the principle of issuing many tightly scoped short-lived tokens rather than few high-limit long-lived ones.

How does the Kaliski framework handle disputes and chargebacks?

The framework minimizes disputes through two mechanisms. First, the human operator confirmation step surfaces the structured cart state before final payment, ensuring the buyer intended the purchase. Second, the full audit trail of Shared Payment Token usage, mandate enforcement, and ACP cart-state exchanges provides clear evidence of what was agreed. Sellers retain card brand and risk signals for their fraud systems. If a dispute does arise, the structured data trail is far more useful than screenshots of a browser checkout.