Frequently Asked Questions About Kaliski Safe Agent Payments Framework
22 answers covering everything from basics to advanced usage.
// Basics
What is the difference between discovery and determinism in AI agent payments?
Discovery is the non-deterministic phase where an LLM searches for products, compares options, and makes recommendations — tasks where flexibility is valuable. Determinism is the transaction phase where credentials, payment, and checkout must follow rigid, programmatic rules with no ambiguity. The Kaliski framework mandates a hard architectural boundary between these two phases. The agent can explore freely, but the moment it transacts, every action must be API-driven, scoped, and auditable.
What does blast radius mean in AI agent payment security?
Blast radius is the maximum possible financial damage if an agent is compromised, deceived by a spoofed merchant, or makes an error. With a raw credit card number, the blast radius equals the full credit limit. Shared Payment Tokens minimize blast radius by scoping credentials to specific sellers, capped amounts, restricted currencies, and expiry windows. The payment service provider enforces these constraints server-side, so damage is bounded regardless of what the agent or seller attempts.
Can AI agents already spend money today?
Yes. Agents already spend money through token consumption billed to subscriptions or API keys — every LLM call, every tool invocation that costs credits. The Kaliski framework recognizes that agents are already economic actors. The core challenge is not whether agents can spend, but how to enable them to spend with any business, in any currency, with any payment method, under enforceable constraints that limit risk and maintain transparency for all parties.
What is the role of HTTP 402 in AI agent payments?
HTTP 402 Payment Required is the foundation of the Machine Payments Protocol. When an agent calls a paid API endpoint without payment, the server returns 402 with a structured payload specifying cost, recipient, and payment mechanism. The agent processes this payload, approves payment using a scoped credential, and retries. This creates a direct, unambiguous association between payment and the resource being accessed — unlike subscription models where the agent's spend is disconnected from specific API calls.
What inputs do I need before designing an agent payment system?
You need five key inputs: the agent's role (buyer or seller-side), the payment methods in scope (cards, crypto, wallets), the spend controls required (amount limits, time windows, seller scoping, currency restrictions), the transaction type (API call, e-commerce checkout, subscription, recurring budget), and optionally whether the seller currently exposes a web UI or programmatic API. These inputs determine which protocols to implement and how to scope your Shared Payment Tokens.
Does the Kaliski framework work with Stripe specifically?
The framework was articulated by Steve Kaliski of Stripe and references Stripe's infrastructure for enforcing Shared Payment Token mandates server-side. However, the principles and protocols are payment-service-provider-agnostic. Any PSP that can enforce seller-scoped, amount-capped, time-limited credentials can implement the framework. The Machine Payments Protocol (HTTP 402) and Agent-to-Commerce Protocol (ACP) are architectural patterns, not Stripe-specific APIs, though Stripe is building implementations of these protocols.
// How To
How do I scope a Shared Payment Token to a specific seller?
When provisioning a Shared Payment Token, encode the mandate with the specific seller's identity (merchant ID, domain, or equivalent identifier), a maximum spend amount, the allowed currency, and a time expiry window. The payment service provider validates these parameters on every charge attempt. If a different seller or a higher amount is submitted, the transaction is automatically declined. For agents with broad budgets, create multiple seller-scoped tokens rather than one unscoped high-limit credential.
How do I handle recurring agent purchases or subscriptions with the Kaliski framework?
Use a token renewal pattern analogous to OAuth access and refresh flows. The agent requests subsequent usage permissions periodically using the same underlying credential. For subscription-style spend — such as giving an agent $25/week with a specific seller — the Shared Payment Token is renewed on a schedule with its mandate refreshed. For broader budget policies across multiple sellers, create individual seller-scoped tokens rather than a single unscoped credential to maintain blast radius control.
How do I make my e-commerce store accept payments from AI agents?
Expose your product catalog as structured JSON with images, descriptions, and pricing. Implement Agent-to-Commerce Protocol (ACP) endpoints so agent buyers can initiate and update checkouts programmatically — submitting line items, receiving cart state with taxes and fulfillment options, and paying via Shared Payment Tokens. Accept incoming tokens and surface card brand and last four digits to your existing fraud systems. You do not need to change your risk infrastructure — only your checkout interface needs a programmatic layer.
How do I add HTTP 402 payment gating to my API?
When an unauthenticated or unpaid request hits your API endpoint, return HTTP 402 Payment Required with a structured JSON payload specifying the cost, the recipient identity, and the accepted payment mechanism. The calling agent reads this payload, approves the micro-payment using a pre-provisioned Shared Payment Token, and retries the request with payment credentials included. This Machine Payments Protocol flow directly associates payment with the specific resource, eliminating ambiguity about what the agent is purchasing.
// Troubleshooting
What happens if my AI agent gets tricked by a fake merchant?
If the agent is deceived by a spoofed domain or fake merchant, the Shared Payment Token's seller scope constraint limits the damage. Since the token is scoped to a specific legitimate seller, the fake merchant cannot use it to charge — the PSP will decline the transaction because the merchant identity doesn't match the mandate. Additionally, the amount cap and time expiry provide secondary protection layers. This is why minimizing blast radius through scoped credentials is a core principle of the framework.
Why is my AI agent generating chargebacks and disputes?
The most common cause is letting the agent parse prices from web pages and relay them to the payment layer. Prices drift, taxes vary by jurisdiction, and currencies differ — the agent's parsed amount may not match the seller's actual charge. The Kaliski framework solves this by enforcing limits at the credential layer (not the parsing layer) and using structured ACP checkout where the seller returns authoritative cart state including taxes and fulfillment costs. The agent confirms the seller's amounts, not its own interpretation.
What if a seller only has a web UI and no API?
This is a high-risk scenario the Kaliski framework explicitly warns against. Without a programmatic API, the agent must use browser automation to navigate checkout, introducing non-determinism — misclicked buttons, misread prices, CAPTCHA failures, and DOM changes. If you must interact with web-only sellers, enforce strict credential-layer controls via Shared Payment Tokens with tight amount caps, and build monitoring to flag anomalies. Long-term, advocate for sellers to expose ACP-compatible programmatic endpoints.
What is the biggest mistake teams make when building AI agent payment systems?
The biggest mistake is failing to separate discovery from transaction execution. Teams often let the same LLM-driven process that finds products also handle credentials and checkout, collapsing the critical architectural boundary between non-deterministic and deterministic phases. This means the agent might hallucinate a price, misparse a checkout form, or expose credentials to the wrong endpoint. The Kaliski framework mandates a hard boundary: once the agent transitions from discovering what to buy to executing how to pay, all actions must be programmatic and deterministic.
// Comparisons
How does the Kaliski framework compare to traditional payment tokenization?
Traditional payment tokenization replaces a card number with a token to prevent PAN exposure, but typically doesn't encode spend constraints like seller scope, amount limits, or time windows. The Kaliski framework's Shared Payment Token goes further — it embeds a full mandate (seller, amount, currency, expiry) that the PSP enforces server-side. It's not just about hiding the card number; it's about making the credential itself enforce the agent's spending policy, reducing risk even if the token is intercepted or misused.
How does the Kaliski framework compare to virtual credit cards for agents?
Virtual credit cards provide a new card number with optional spend limits, but they typically lack seller-scoping and structured checkout protocols. An agent with a virtual card still faces the problems of navigating web checkout UIs, parsing prices, and potentially spending at unintended merchants. The Kaliski framework adds seller-scoped mandates enforced by the PSP, structured programmatic checkout via ACP, and the Machine Payments Protocol for API purchases — addressing the full transaction lifecycle, not just credential issuance.
How does the Kaliski framework compare to crypto smart contract payments?
Crypto smart contracts can enforce on-chain spend constraints similar to Shared Payment Token mandates. The Kaliski framework is payment-method agnostic — it supports cards, crypto, wallets, and multi-method scenarios. For crypto, transaction data lives on-chain and should be replicated into the product view for auditing. The framework's unique contribution is the full architectural separation of discovery from determinism, seller transparency requirements, and structured checkout protocols — concerns that exist regardless of whether payment is fiat or crypto.
// Advanced
Can I use the Kaliski framework for B2B procurement agents?
Yes, B2B procurement is a primary use case. The framework supports scenarios where an agent is given a budget to purchase supplies from approved vendors. Provision individual Shared Payment Tokens scoped to each approved vendor, each with its own amount cap and time window. The Agent-to-Commerce Protocol handles structured catalog browsing and checkout. Recurring budget scenarios use the token renewal pattern. Audit trails provide full accountability for procurement compliance and expense reporting.
How do I audit AI agent transactions under the Kaliski framework?
Every Shared Payment Token must be auditable — record creation timestamp, mandate parameters (seller scope, amount limit, currency, expiry), usage events, and expiration. For each transaction, capture the full ACP checkout exchange or 402 flow interaction. For blockchain-based payments, replicate on-chain transaction data into your system's product view. Audit trails are essential for dispute resolution, compliance, and verifying that the agent acted within its mandate. Build dashboards that flag transactions approaching mandate limits or anomalous patterns.
Should I expose card details to sellers when using agent payment tokens?
Yes, always. The Kaliski framework's 'Seller Remains in Control' principle requires that Shared Payment Tokens surface card brand, last four digits, and credit type to the seller. Sellers need this metadata to run their existing fraud detection and risk analysis systems. Opaque tokens that hide this information may be rejected by sellers or create undetected fraud risk. Transparency between all parties — agent, buyer, seller, and PSP — is a foundational requirement for safe agent-mediated payments.
How many Shared Payment Tokens should I create per agent?
Create one token per seller the agent needs to transact with. Never use a single high-limit unscoped credential for an agent that purchases from multiple sellers. If an agent needs to buy from five vendors, provision five seller-scoped tokens, each with its own amount cap and time window. This ensures that compromise of one seller relationship cannot affect transactions with other sellers. For recurring purchases, renew tokens on a schedule aligned with your budget cycle.
Can the Kaliski framework handle multi-currency agent payments?
Yes. Shared Payment Tokens include currency restrictions as part of their mandate. When provisioning a token, specify the allowed currency so the PSP will decline charges in other currencies. For agents operating across regions, create separate tokens with appropriate currency scoping. The Agent-to-Commerce Protocol's structured cart state includes pricing in the seller's currency, allowing the agent to confirm currency before payment submission rather than discovering a mismatch after the fact.