The AP2 Intent Mandate, a cryptographically signed JWT, robustly proves a user's intent to authorize a specific transaction. It answers the question, "Does the user want to do this?" However, for high-stakes e-commerce, another critical question remains unanswered: "Should the merchant allow the user to do this?"
For transactions involving regulated goods, high-value items, or fraud-prone markets, a merchant needs more than just intent. They need verifiable guarantees about the user's attributes. For example: Is the user legally old enough to purchase this item? Has their bank verified they have sufficient funds for this transaction? Is this a known, trusted account? Sending raw personal data to the merchant for verification would be a privacy and security nightmare. The core problem is the lack of a standardized, privacy-preserving, and cryptographically secure way for a user's agent to provide these necessary guarantees.
The Agent Payment Protocol (AP2) solves this by introducing the Cart Mandate, which is implemented as a W3C Verifiable Credential (VC). While an Intent Mandate (JWT) is an action token, a Cart Mandate (VC) is an attestation token. It is a tamper-proof digital document, issued by a trusted entity like a bank, that makes verifiable claims about the user.
The architecture follows the standard VC model:
* Issuer: The user's bank or financial institution (e.g., did:web:bankofamerica.com). They are the source of truth for the claims.
* Holder: The user, who requests the VC from their bank and stores it in their secure digital wallet.
* Verifier: The merchant, who receives the VC and verifies its authenticity.
The workflow complements the Intent Mandate: 1. Issuance: Before checkout, the agent requests a Cart Mandate from the user's bank. The bank verifies the user's status (e.g., confirms their age and checks their account balance) and issues a signed VC containing these claims. 2. Presentation: At checkout, the agent creates a Verifiable Presentation, which is a package containing both the action-oriented Intent Mandate (JWT) and the attestation-oriented Cart Mandate (VC). 3. Verification: The merchant receives this presentation. It first verifies the VC to confirm the user meets its business requirements (e.g., is an adult with sufficient funds). If the VC is valid, it then processes the JWT to execute the payment.
+-----------+ 1. Issues VC +----------+
| Bank |<----------------| User |
| (Issuer) | | (Holder) |
+-----------+ 2. Presents VC +----+-----+
`---------------->| Agent |
| | 3. Verifies VC
v v
+-----------------+
| Merchant Server |
| (Verifier) |
+-----------------+
A Cart Mandate is a JSON-LD object that adheres to the W3C Verifiable Credential data model.
Snippet 1: The Cart Mandate VC Payload This example shows a VC issued by a bank that attests to the user's age and fund availability for a specific transaction.
json
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://w3id.org/security/suites/jws-2020/v1"
],
"type": ["VerifiableCredential", "Aap2CartMandate"],
"issuer": "did:web:bankofamerica.com", // The bank's Decentralized Identifier
"issuanceDate": "2026-02-20T11:30:00Z",
"credentialSubject": {
"id": "did:key:z6Mkr...", // The user's DID
"hasSufficientFundsFor": {
"type": "MonetaryAmount",
"value": "199.99",
"currency": "USD"
},
"isOfLegalAge": true
},
"proof": {
"type": "JsonWebSignature2020",
"created": "2026-02-20T11:30:01Z",
"proofPurpose": "assertionMethod",
"verificationMethod": "did:web:bankofamerica.com#key-1",
"jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..signature_here"
}
}
The credentialSubject contains the guarantees. Critically, isOfLegalAge is a boolean, not the user's actual date of birth.
Snippet 2: Conceptual Python for Verifying the VC The merchant server receives the VC and verifies its integrity before trusting its contents.
```python
from py_w3c_vc import verify_credential_jws from did_resolver import resolve_did_document
async def validate_cart_mandate_guarantees(cart_mandate_vc: dict): """Verifies the signature and claims of a Cart Mandate VC.""" try: # 1. Resolve the issuer's DID to get their trusted public key issuer_did = cart_mandate_vc['issuer'] issuer_did_doc = await resolve_did_document(issuer_did)
# 2. Cryptographically verify the VC's signature using the issuer's public key
is_valid = await verify_credential_jws(
credential=cart_mandate_vc,
public_key_resolver=lambda vm: issuer_did_doc.get_verification_method(vm)
)
if not is_valid:
raise PermissionError("Cart Mandate signature is invalid or corrupt.")
# 3. If the signature is valid, the merchant can now trust the claims
claims = cart_mandate_vc['credentialSubject']
if claims.get('isOfLegalAge') != True:
raise PermissionError("User does not meet age requirements.")
# ... additional logic to check funds, etc. ...
return {"status": "success", "guarantees_met": True}
except Exception as e:
return {"status": "error", "message": str(e)}
```
Performance: Verifiable Credential verification is, by design, an extremely fast, offline cryptographic operation. The merchant does not need to make a slow, live API call to the issuing bank to confirm the guarantee. The merchant can verify the proof block independently using the bank's public key, which can be heavily cached after a one-time DID resolution.
Security & Privacy: VCs provide a revolutionary combination of security and privacy.
* Tamper-Proof Guarantee: The cryptographic proof ensures that the credential cannot be altered after it has been signed by the issuer. A user cannot change isOfLegalAge from false to true. This provides a very strong guarantee to the merchant.
* Privacy through Selective Disclosure: This is the most powerful aspect. The VC allows the user to prove a claim without revealing the underlying sensitive data. The bank can issue a credential that attests the user isOfLegalAge without ever sharing their actual date of birth with the merchant. This principle of minimal disclosure is fundamental to modern digital identity.
* Decentralized Trust: The merchant does not need a pre-existing API integration or business relationship with every bank. They only need to be able to resolve an issuer's public key and decide if they trust that issuer (e.g., "I trust credentials issued by Bank of America"). This creates a more open, scalable, and decentralized commerce ecosystem.
The Cart Mandate, implemented as a W3C Verifiable Credential, provides the missing piece of the trust puzzle in autonomous commerce. It is the standardized and secure way for merchants to receive the guarantees they need to conduct business safely.
The return on this architectural investment is a more robust and trustworthy transaction flow: * Reduced Fraud and Risk: Merchants can significantly reduce fraud and business risk by requiring cryptographically verifiable attestations about a user's identity and status. * Streamlined and Secure Compliance: It provides a simple, secure, and privacy-preserving mechanism to comply with legal regulations, such as age verification for restricted goods. * Enhanced User Trust: Users are more likely to engage in autonomous commerce when they know that their sensitive personal data is not being over-shared with every merchant they interact with.
Combining the action-oriented Intent Mandate (JWT) with the attestation-oriented Cart Mandate (VC) creates a complete, two-way trust framework that is essential for building the high-stakes, high-value autonomous commerce applications of the future.