Agent payment standards are converging on a signature. Prove the agent was authorized, sign the mandate, attach it to the call. The wire is covered.
The wire being covered is not the same as the boundary being provable. That gap is where agent payments will actually fail.
Work through it with three properties a conformance test has to survive. These were argued out in the open this week with John Frandsen of open-banking.io, in the comments of a prior post, and they sharpened the preprint enough to name here.
First: authorization has a clock
A mandate captured at T0 does not bind an intent that forms at T0 plus delta if the authorization state changed in between. A revoked consent. An expired SCA. A lowered daily limit.
So the binding is not "mandate authorizes execution." It is "mandate authorizes execution, and the mandate is still live at execution time."
The safe rule is revocation-dominant: a revoked mandate blocks regardless of how fresh the intent looks. A stale intent must never retroactively authorize what a revoked mandate would deny. A conformance test that replays a mandate without checking that the authority still considered it live at execution time is testing a snapshot, not the runtime contract.
Second: the verifier cannot be the verified
If the party generating the receipt can also forge the attestation chain, the receipt proves nothing.
This pattern exists across enterprise systems. In PSD2, the RTS Article 5 dynamic-linking requirement puts the binding under the ASPSP's signature, an authority the payment initiator cannot mint.
The invariant generalizes: a check earns its keep only when it is built from a projection the scrutinized party cannot also write to. That is separation of duties, and for agent payments it is not optional. Any system where the receipt is written by the same pen it is checking has an audit trail that is testimony, not evidence.
Third: integrity is not the property you want
Real payment chains mutate the object legitimately. Currency conversion. Fee deduction. Routing across intermediaries with legitimate reasons to touch the payment.
So the binding is not "the bytes did not change." It is "the bytes changed only in fields the mandate pre-authorized." Integrity with authorized mutation.
The verifier that enforces it must stay semantically opaque. It checks the mutation against the mandate's declared envelope, which fields, which bounds, which legs. It never interprets the payment itself, because the moment it understands the payment it re-couples to the thing it audits, and the separation property is gone.
The line
Standardize the binding, not just the cap.
A signature on the wire tells you an agent was authorized once. A binding tells you the execution still matches a live mandate, attested by a party that cannot forge it, mutated only where the mandate allowed. Those are different claims, and only the second one survives an adversary.
Credit where it is due: the temporal-liveness case and the verifier-independence framing are John Frandsen's (open-banking.io), argued out in the comments of the prior post. The preprint v2 is on Zenodo (DOI 10.5281/zenodo.21262985).
Top comments (0)