Agents
AI agents are the primary surface on Soren Pay. Each agent has an Ed25519 keypair bound to your workspace. The agent signs every payment intent locally; Soren Pay verifies the signature, freshness, and replay protection, then routes through our Visa issuing partner's Intelligent Commerce integration.
Three open protocols
The signed-intent envelope is the same shape across three open agentic-commerce protocols. Pick the one that matches your use case.
| Protocol | Use case | |---|---| | TAP (Trusted Agent Protocol) | First-party agents on your own workspace — identity attestation | | MPP (Machine Payments Protocol) | High-frequency M2M — light envelope, designed for automation | | ACP (Agentic Commerce Protocol) | Shopping flows — search → decide → pay |
See protocols for the wire format.
Two SDKs + raw curl
| Language | Package |
|---|---|
| TypeScript | @sorenpay/agent-sdk |
| Python | sorenpay-agent-sdk |
| curl + openssl | zero-deps |
How signing works
- SDK generates an Ed25519 keypair locally (Node
cryptoorpyca/cryptography) - SDK builds a canonical-JSON payment intent (sorted keys, no whitespace)
- SDK signs with the private key
- POST to
/api/agents/[id]/intentswith{ intent, signature, key_id } - Server verifies signature, checks
iat/exp(±5min), looks upintent_idinagent_intent_log - Routes to our Visa issuing partner for authorization
- Returns
{ ok, decision, reason, authorization_id, intent_id }
Caller-supplied publicKeyPem is the default in v0.2+. The server stores the
public key only — you keep the private key.
Replay protection
Every intent has a unique intent_id. Duplicate submission within
the dedup window returns HTTP 422 intent_id_replay. Idempotency-Key
on the request itself further protects against network-level replays.
Next
- Quickstart — TS, Python, curl
- Protocols — TAP / MPP / ACP wire format
- API reference — every route + payload
- Use case: AI agents pay for APIs — end-to-end