Kaliski Safe Agent Payments Framework

Design and evaluate payment infrastructure that allows AI agents to transact safely with businesses by enforcing determinism at the credential, payment, and checkout layers.

// TL;DR

The Kaliski Safe Agent Payments Framework is a design methodology for building payment infrastructure that lets AI agents safely spend money on behalf of humans. It separates non-deterministic discovery (finding products via LLMs) from deterministic transaction layers (credentials, checkout, payment), enforces spend controls through scoped Shared Payment Tokens, and defines protocols like the Machine Payments Protocol (HTTP 402) and Agent-to-Commerce Protocol (ACP) for structured, programmatic purchases. Use it when architecting systems where AI agents buy goods, call paid APIs, or manage budgets — or when your business needs to safely accept payments from autonomous agents.

// When should you use the Kaliski Safe Agent Payments Framework?

Use this skill when architecting, auditing, or building systems where AI agents need to spend money, manage credentials, or complete purchases on behalf of humans — or when a business wants to safely accept payments from autonomous agents.

// What inputs do you need before designing an agent payment system?

  • agent_rolerequired
    Is the agent acting as a buyer (spending money) or is the system a seller (receiving money from agents)?
  • payment_methodsrequired
    What payment methods are in scope — cards, crypto, wallets, or multi-method?
  • spend_controls_neededrequired
    What constraints must be enforced — amount limits, time windows, seller scoping, currency restrictions?
  • transaction_typerequired
    Is this an API call purchase, e-commerce checkout, subscription, or recurring budget scenario?
  • current_integration
    Does the seller currently expose only a web UI, or do they have programmatic APIs?

// What are the core principles behind safe AI agent payments?

Discovery vs. Determinism Isolation

Discovery and exploration benefit from non-determinism — LLMs excel at recommending products, businesses, or code. But credentials, payments, and checkout require determinism. These two phases must be architecturally separated: the non-deterministic planner finds what to buy; the deterministic layer handles how to transact.

Minimize the Blast Radius

Every credential shared with an agent or seller must be scoped to the smallest possible surface area — specific seller, specific amount, specific time window. If the agent is duped by a fake domain or miscalculates an amount, the enforced limits cap the damage.

Seller Remains in Control

Sellers must retain the relationship they expected to have with a customer. Agent-mediated payments must still surface the card brand, last four digits, credit type, and other signals so sellers can run their existing risk analysis. Nothing should be hidden from the seller.

Robots Prefer Code

Web UIs are for humans; APIs are for robots. Exposing only a web UI to agents increases the likelihood of non-deterministic interactions with your business. Every seller should make their products agent-friendly via structured, programmatic interfaces to maximise deterministic flows.

Agents Are Already Economic Actors

Agents already spend money — through token consumption billed to subscriptions or API keys. The core challenge is not whether agents can spend, but how to enable spend with any business, in any currency, with any payment method, under enforceable constraints.

// How do you apply the Kaliski Safe Agent Payments Framework step by step?

  1. 1

    Classify the transaction layer

    Determine which of the four risk vectors apply: Wrong Place (unverified merchant/domain), Wrong Thing (incorrect product selected), Wrong Amount (price drift, currency mismatch, tax miscalculation), Wrong Credential (card number exposed or misrouted). Each vector requires a different mitigation.

  2. 2

    Separate the non-deterministic planner from the deterministic transaction layer

    Allow LLM-driven discovery (search, recommendations, web crawling) to remain non-deterministic. Once the agent transitions to transacting, enforce a hard boundary: all credential, payment, and checkout actions must be API-driven and programmatic. Never let the robot 'stumble around a checkout page'.

  3. 3

    Provision a Shared Payment Token

    Instead of passing a raw card number, the agent-side system provisions a Shared Payment Token — a credential that encodes a mandate (smart contract) with: a specific seller scope, a maximum spend amount, a currency restriction, and a time expiry window. This token is granted to the seller, not the underlying card. Stripe (or equivalent PSP) enforces the mandate server-side, so even if the seller attempts to charge more than mandated, the transaction is declined.

  4. 4

    Expose card metadata to the seller for risk analysis

    When sharing a Shared Payment Token, always surface the card brand, last four digits, and credit type to the seller. Do not obscure this. The seller must be able to run their existing risk systems on this data — transparency is required for safe acceptance.

  5. 5

    Implement the Machine Payments Protocol (402 flow) for API-based purchases

    For tool calls that require payment, use HTTP 402 status codes to signal that payment is required. The 402 response returns an encoded payload describing what is being purchased, who the recipient is, and the payment mechanism. The agent then approves payment and retries. This associates payment directly with the resource being requested, eliminating ambiguity about what is being purchased.

  6. 6

    Implement the Agent-to-Commerce Protocol (ACP) for e-commerce checkout

    For product-based purchases, replace browser-based checkout with a structured, programmatic back-and-forth: the seller exposes a product catalog as JSON (with images, descriptions, pricing); the agent initiates a checkout with line items and quantity; the seller responds with the full cart state (line items, base prices, applicable taxes, fulfillment options). Every update (change payment method, change shipping) triggers another structured exchange. Payment is submitted via Shared Payment Token or equivalent. This eliminates the risk of the agent incorrectly relaying cart details, minimising disputes and chargebacks.

  7. 7

    Handle recurring budgets and subscriptions with scoped token renewal

    For recurring or subscription-style spend (e.g., giving an agent $25/week with a specific seller), use a token renewal pattern analogous to OAuth access and refresh flows — the agent requests subsequent usage permissions on a periodic basis using the same underlying credential. For broader budget policies, create multiple seller-scoped tokens rather than one high-limit unscoped credential.

  8. 8

    Audit and verify the full transaction trail

    Every Shared Payment Token must be auditable — creation timestamp, mandate parameters, usage, and expiry. For blockchain-based payment methods, transaction data lives on-chain and should be replicated into your system's product view. Audit trails are essential for dispute resolution and for verifying that the agent acted within its mandate.

// What are real-world examples of the Kaliski framework in action?

A SaaS product ships an AI shopping agent that buys office supplies on behalf of employees.

The agent uses discovery (LLM-driven search) to find the right products non-deterministically. Once a product is selected, it transitions to the deterministic layer: provisions a Shared Payment Token scoped to the target supplier, capped at the approved budget, expiring in 7 days. The supplier receives the token plus card metadata for risk checks. ACP-style structured checkout confirms line items, taxes, and shipping before payment is submitted. The employee's actual card number is never shared.

A developer builds an AI agent that calls third-party data enrichment APIs as tools.

The data API returns HTTP 402 when called without payment. The 402 payload specifies the cost (e.g., $0.01), the recipient, and the payment mechanism. The agent reads the Machine Payments Protocol payload, approves the micro-payment using a pre-provisioned credential, and retries the request. The Shared Payment Token used has a per-call or daily cap to limit blast radius if the agent loops unexpectedly.

An e-commerce business wants to accept orders from AI agents sent by its B2B customers.

The business exposes its product catalog as structured JSON (agent-friendly, not just a web UI). It implements ACP endpoints so agent buyers can initiate and update checkouts programmatically. Incoming Shared Payment Tokens surface card brand and last four digits so the business's existing fraud systems remain operational. The business does not need to change its risk infrastructure — only its checkout interface.

// What mistakes should you avoid when building agent payment systems?

  • Passing raw card numbers to agents or sellers — this removes all spend controls and exposes the full credit limit as the blast radius.
  • Letting an agent browse and interact with a checkout UI as a human would — this is slow, finicky, hard to observe, and introduces non-determinism into a layer that requires determinism.
  • Trusting the agent's parsed price from a webpage as the authoritative amount — prices drift, taxes vary, currencies differ; always enforce limits at the credential layer, not at the parsing layer.
  • Hiding payment token details from the seller — sellers need card brand, last four, and credit type to run their existing risk analysis. Opaque tokens may be rejected or create undetected fraud risk.
  • Using a single high-limit unscoped credential for an agent — always scope to individual sellers. If broad budgets are needed, create multiple seller-scoped tokens rather than one unscoped one.
  • Failing to separate discovery from transaction — allowing the non-deterministic planner to also handle credentials and checkout collapses the critical architectural boundary.
  • Exposing only a web UI to agent buyers — this forces agents into non-deterministic browser automation, increasing error rates and risk surface. Build agent-friendly APIs.

// What are the key terms and definitions in agent payment infrastructure?

Shared Payment Token
A credential provisioned by the agent-side system that encodes a mandate (analogous to a smart contract) specifying: the permitted seller, maximum spend amount, allowed currency, and expiry window. It is granted to the seller instead of a raw card number, and the PSP enforces its constraints server-side.
Machine Payments Protocol
A protocol built on HTTP 402 status codes that allows API endpoints (tools) to signal that payment is required, return a structured payload describing what is being purchased and how to pay, and accept a credential in the retry request — associating payment directly with the resource being accessed.
Agent-to-Commerce Protocol (ACP)
A standard set of APIs and objects that enables structured, programmatic checkout between an agent, a seller, and their payment service provider. Covers product catalog expression (JSON), checkout initiation, cart state relay (line items, taxes, fulfillment options), and payment submission — replacing browser-based checkout entirely.
Discovery vs. Determinism Isolation
The architectural principle that discovery and exploration (finding products, recommendations, web crawling) should remain non-deterministic (LLM-driven), while credentials, payments, and checkout must be exclusively deterministic (API-driven, programmatic, enforced).
Blast Radius
The maximum possible financial damage if an agent is compromised, deceived, or makes an error. Minimised by scoping Shared Payment Tokens to specific sellers, amounts, and time windows.
Wrong Place / Wrong Thing / Wrong Amount / Wrong Credential
The four core risk vectors in agent-mediated payments: transacting with an unverified or spoofed merchant; purchasing the incorrect product; spending an incorrect amount due to price drift or parsing errors; and exposing or misrouting payment credentials.
402 Flow
The HTTP 402 'Payment Required' response pattern used in the Machine Payments Protocol to gate access to a tool or API endpoint behind a micropayment, returning a structured payload that specifies cost, recipient, and payment mechanism.
Mandate
The encoded set of spend constraints attached to a Shared Payment Token — covering seller scope, amount limit, currency, and time expiry. Enforced by the PSP, not by trust in the seller or agent.

// FREQUENTLY ASKED QUESTIONS

What is the Kaliski Safe Agent Payments Framework?

The Kaliski Safe Agent Payments Framework is a methodology for designing payment infrastructure that allows AI agents to transact safely with businesses. It enforces determinism at the credential, payment, and checkout layers by separating LLM-driven discovery from programmatic transaction execution, using scoped Shared Payment Tokens to limit blast radius, and defining structured protocols (Machine Payments Protocol and Agent-to-Commerce Protocol) so agents never need to navigate human checkout UIs.

What is a Shared Payment Token in agent payments?

A Shared Payment Token is a scoped credential provisioned by the agent-side system that encodes a mandate specifying the permitted seller, maximum spend amount, allowed currency, and expiry window. It replaces raw card numbers, and the payment service provider enforces its constraints server-side. Even if a seller attempts to charge more than the mandate allows, the transaction is automatically declined, minimizing the blast radius of any agent error or compromise.

How do I set up safe payments for an AI agent?

Start by classifying the four risk vectors — wrong place, wrong thing, wrong amount, wrong credential. Then architecturally separate your LLM-driven discovery layer from the deterministic transaction layer. Provision Shared Payment Tokens scoped to specific sellers, amounts, currencies, and time windows. Implement the Machine Payments Protocol (HTTP 402) for API-based purchases or the Agent-to-Commerce Protocol for e-commerce checkout. Always expose card metadata to sellers and maintain a full audit trail.

How do I implement the Machine Payments Protocol with HTTP 402?

When an agent calls a paid API endpoint without payment, the server returns HTTP 402 with a structured payload describing the cost, recipient, and payment mechanism. The agent reads this payload, approves the micro-payment using a pre-provisioned Shared Payment Token with per-call or daily caps, and retries the request with payment credentials attached. This directly associates payment with the specific resource being accessed, eliminating ambiguity about what is being purchased.

How does the Kaliski framework compare to just giving an AI agent a credit card number?

Passing a raw card number to an agent exposes the full credit limit as the blast radius — any compromise or error could drain the entire card. The Kaliski framework replaces this with Shared Payment Tokens scoped to specific sellers, amounts, and time windows. The PSP enforces these constraints server-side, so even a compromised agent can only cause limited, bounded financial damage. The framework also structures checkout programmatically to prevent parsing errors and disputes.

When should I use the Kaliski Safe Agent Payments Framework?

Use this framework whenever AI agents need to spend money, manage credentials, or complete purchases on behalf of humans. Common scenarios include AI shopping agents, agents calling paid third-party APIs, autonomous procurement systems, and businesses wanting to accept orders from agent buyers. It is also essential when auditing existing agent payment flows for security gaps, or when designing new agent-to-commerce infrastructure from scratch.

What results can I expect from implementing the Kaliski agent payments framework?

You can expect significantly reduced blast radius from agent errors or compromises, fewer chargebacks and disputes due to structured programmatic checkout, and maintained seller trust because card metadata remains visible for risk analysis. Agents operate faster and more reliably when interacting with APIs instead of browser UIs. Audit trails provide clear accountability for every transaction, and scoped credentials ensure that even worst-case failures are financially bounded.

What is the Agent-to-Commerce Protocol?

The Agent-to-Commerce Protocol (ACP) is a set of APIs and objects that enable structured, programmatic checkout between an agent, a seller, and their payment service provider. The seller exposes a product catalog as JSON, the agent initiates checkout with line items, and the seller returns full cart state including taxes and fulfillment options. Every cart update triggers a structured exchange, replacing browser-based checkout entirely and eliminating non-deterministic interactions.

What are the four risk vectors in AI agent payments?

The four risk vectors are Wrong Place (transacting with an unverified or spoofed merchant), Wrong Thing (purchasing the incorrect product), Wrong Amount (spending an incorrect amount due to price drift, currency mismatch, or tax miscalculation), and Wrong Credential (card number exposed or misrouted). Each requires a different mitigation strategy, and the Kaliski framework addresses all four through scoped tokens, structured checkout, and deterministic transaction layers.

Why shouldn't AI agents use web checkout pages?

Web checkout UIs are designed for humans, not machines. When agents navigate checkout pages via browser automation, interactions become non-deterministic — the agent may misparse prices, fail on CAPTCHAs, miss tax calculations, or interact with spoofed pages. This increases error rates, dispute rates, and security risk. The Kaliski framework mandates that sellers expose programmatic APIs for agent checkout, keeping the transaction layer fully deterministic and auditable.

// GET THIS SKILL — FREE

Use this skill in your AI

Every skill on SkillForge is free. Drop your email and copy this skill straight into Claude, ChatGPT, or any LLM.

We'll email you when new skills drop. Unsubscribe anytime.