DEV Community

Michael "Mike" K. Saleme

Agent payment standards are standardizing the cap, not the binding

Agent-to-agent payments are settling into a clean decomposition. The protocol owns the state transition. A receipt layer owns the evidence. A trust layer reads the receipts. The field lists now circulating for a machine-readable "payment required" state — network, asset, amount cap, recipient, expiry, idempotency key, proof-header shape, denial reason — are the right instinct.

They standardize what is present. They leave open what is provable.

A spend cap that is present on the wire is not a spend cap a downstream verifier can prove was the one the mandate authorized. An intermediary forwards a well-formed challenge whose cap, recipient, or expiry no longer matches the authority that issued it. The receipt looks valid. The drift goes uncaught. That is scope-widening — a different failure than replay: replay reuses a valid authorization, scope-widening mutates one in transit.

The fix is a binding, not another field.

A content-addressed reference — call it guardrail_ref — ties amount_cap + recipient + expiry to the authorizing mandate and travels into the post-payment receipt. The verifier evaluates the action against the authority that actually permitted it, not against a number an intermediary asserted. The cap value stays implementation-local. The binding to the mandate is the one thing that has to be machine-checkable at the boundary.

This is where conformance testing earns its keep. Three vectors define the boundary: a forwarded cap that diverges from its mandate, a recipient or expiry broadened in transit, and a double-spend chained across agent calls. Wire-level adversarial suites for x402 and L402 already catalog dozens of payment-protocol attacks. The authority-binding layer above them is still silent.
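An added example, not part of the original post or of any x402/L402 specification: a receipt verifier that recomputes guardrail_ref from the terms that arrived on the wire and compares it with the reference the authority issued, exercising the three vectors above. The SHA-256-over-canonical-JSON construction, every field name, the integer minor-unit amounts, the out-of-band `issued_refs` map, and cumulative-spend tracking as a reading of the chained double-spend are all assumptions.

```python
import hashlib
import json

def guardrail_ref(mandate_id, amount_cap, recipient, expiry):
    # Assumed construction: SHA-256 over canonical JSON of the mandate id
    # and the three bound terms. The post names the idea, not an encoding.
    body = json.dumps(
        {"amount_cap": amount_cap, "expiry": expiry,
         "mandate_id": mandate_id, "recipient": recipient},
        sort_keys=True, separators=(",", ":"))
    return "sha256:" + hashlib.sha256(body.encode()).hexdigest()

class ReceiptVerifier:
    def __init__(self, issued_refs):
        self.issued_refs = issued_refs  # mandate_id -> ref from the authority
        self.spent = {}                 # guardrail_ref -> total settled so far

    def check(self, r):
        issued = self.issued_refs.get(r["mandate_id"])
        if issued is None:
            return "unknown_mandate"
        # Terms as they arrived on the wire, re-addressed by the verifier.
        presented = guardrail_ref(r["mandate_id"], r["amount_cap"],
                                  r["recipient"], r["expiry"])
        if presented != issued:
            return "scope_widened"      # cap, recipient or expiry drifted
        if r["guardrail_ref"] != issued:
            return "ref_mismatch"       # receipt points at another authority
        if r["paid_at"] > r["expiry"]:
            return "expired"
        total = self.spent.get(issued, 0) + r["amount"]
        if total > r["amount_cap"]:
            return "cap_exceeded"       # includes spends chained across calls
        self.spent[issued] = total
        return "ok"

# Constructed sample data; every field name and value here is hypothetical.
MANDATE = {"mandate_id": "m-001", "amount_cap": 500,
           "recipient": "acct:merchant-a", "expiry": 1_800_000_000}
ISSUED = {"m-001": guardrail_ref(**MANDATE)}

def receipt(amount, **overrides):
    # Build a receipt that matches the mandate unless a field is overridden.
    r = dict(MANDATE, amount=amount, paid_at=1_799_999_000,
             guardrail_ref=ISSUED["m-001"])
    r.update(overrides)
    return r
```

An intermediary that rewrites the cap and also recomputes the reference in the receipt still fails, because the comparison is against the reference the authority issued, not the one the receipt carries.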
