Intent Mandates

Intent Mandates are tamper-proof digital contracts that solve the "who clicks buy?" problem in agent-driven commerce. They allow users to pre-authorize AI agents to make purchases on their behalf with specific constraints and conditions.

Overview

An Intent Mandate is a cryptographically signed authorization that:

  • Grants permission for an agent to execute specific commerce actions
  • Defines constraints like price limits, quantity caps, and expiration times
  • Ensures accountability through immutable audit trails
  • Prevents tampering via digital signatures

Protocol Specification

Intent Mandates follow the AP2 (Agent Purchase Protocol v2) standard, which extends OAuth 2.0 with commerce-specific scopes and constraints.

Mandate Structure

{
  "mandate_id": "mnd_unique_identifier",
  "user_id": "usr_abc123",
  "agent_id": "agt_xyz789",
  "type": "purchase_intent",
  "constraints": {
    "max_price": 100.00,
    "currency": "USD",
    "max_quantity": 5,
    "expires_at": "2026-02-01T00:00:00Z"
  },
  "signature": "base64_encoded_signature",
  "issued_at": "2026-01-25T12:00:00Z"
}

Sample Mandates

1. Cart Mandate

Authorizes an agent to add items to a user's cart with price and quantity limits.

{
  "mandate_id": "mnd_cart_20260125_001",
  "user_id": "usr_alice_2026",
  "agent_id": "agt_shopping_assistant",
  "type": "cart_modification",
  "scope": "cart:add",
  "constraints": {
    "max_price_per_item": 50.00,
    "max_total_value": 200.00,
    "max_items": 10,
    "allowed_categories": ["electronics", "home-goods"],
    "expires_at": "2026-01-26T23:59:59Z"
  },
  "metadata": {
    "purpose": "Weekly shopping automation",
    "user_note": "Focus on sustainable brands"
  },
  "signature": "SHA256:a1b2c3d4e5f6...",
  "issued_at": "2026-01-25T08:00:00Z",
  "issuer": "usr_alice_2026",
  "algorithm": "RS256"
}

Usage Example:

// Agent uses the mandate to add items
const response = await fetch('https://abbababa.com/api/v1/cart/add', {
  method: 'POST',
  headers: {
    'X-API-Key': 'aba_agent_key',
    'X-Mandate-Token': 'mnd_cart_20260125_001',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    product_id: 'prod_12345',
    quantity: 2,
    price: 45.00
  })
});
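
The request above only names the mandate, so the constraints have to be enforced by the server that receives it. The following is an added example, not code from the original page, of the checks a `cart:add` handler could run against the Cart Mandate's fields. The function name, the `cart` state shape, the `category` field, the reason strings and the reading of `max_items` as a unit count are assumptions.

```javascript
// Constructed copy of the Cart Mandate shown above (signature fields omitted)
const cartMandate = {
  mandate_id: 'mnd_cart_20260125_001',
  agent_id: 'agt_shopping_assistant',
  scope: 'cart:add',
  constraints: {
    max_price_per_item: 50.00,
    max_total_value: 200.00,
    max_items: 10,
    allowed_categories: ['electronics', 'home-goods'],
    expires_at: '2026-01-26T23:59:59Z'
  }
};

const deny = (reason) => ({ allowed: false, reason });
// Compare money as integer cents so float rounding cannot slip past a limit
const cents = (amount) => Math.round(amount * 100);

// item.price and item.category must come from the server's own catalog lookup
// for product_id, not from the request body the agent sent.
// cart = { items, totalCents } is the cart's current state (hypothetical shape);
// max_items is treated as a cap on total units (assumption).
function checkCartAdd(mandate, agentId, item, cart, now = new Date()) {
  const c = mandate.constraints;
  if (mandate.agent_id !== agentId) return deny('agent_mismatch');
  if (mandate.scope !== 'cart:add') return deny('scope_mismatch');
  // An unparsable expires_at yields NaN, the comparison is false, and we fail closed
  if (!(now.getTime() < Date.parse(c.expires_at))) return deny('expired');
  if (!Number.isInteger(item.quantity) || item.quantity < 1) return deny('bad_quantity');
  if (!Number.isFinite(item.price) || item.price < 0) return deny('bad_price');
  if (!c.allowed_categories.includes(item.category)) return deny('category_not_allowed');
  if (cents(item.price) > cents(c.max_price_per_item)) return deny('price_per_item_exceeded');
  if (cart.items + item.quantity > c.max_items) return deny('max_items_exceeded');
  const totalCents = cart.totalCents + cents(item.price) * item.quantity;
  if (totalCents > cents(c.max_total_value)) return deny('max_total_value_exceeded');
  return { allowed: true, reason: 'ok', totalCents };
}
```

Run these checks only after the mandate's signature has been verified and the mandate has been confirmed as not revoked.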

2. Checkout Intent Mandate

Authorizes an agent to complete a purchase transaction with strict price and merchant constraints.

{
  "mandate_id": "mnd_checkout_20260125_002",
  "user_id": "usr_bob_enterprise",
  "agent_id": "agt_procurement_bot",
  "type": "checkout_intent",
  "scope": "purchase:execute",
  "constraints": {
    "max_total": 1000.00,
    "currency": "USD",
    "allowed_merchants": ["merchant_verified_001", "merchant_verified_002"],
    "require_2fa": true,
    "max_attempts": 3,
    "expires_at": "2026-01-25T18:00:00Z"
  },
  "payment_method": {
    "type": "agent_wallet",
    "wallet_id": "wallet_bob_primary",
    "backup_method": "stripe_pm_xyz"
  },
  "approval_workflow": {
    "threshold": 500.00,
    "notify_user": true,
    "require_confirmation_above": 750.00
  },
  "signature": "SHA256:f6e5d4c3b2a1...",
  "issued_at": "2026-01-25T12:00:00Z",
  "issuer": "usr_bob_enterprise",
  "algorithm": "ES256"
}

Usage Example:

import requests
 
# Agent executes checkout with mandate
response = requests.post(
    'https://abbababa.com/api/v1/purchase/execute',
    headers={
        'X-API-Key': 'aba_agent_key',
        'X-Mandate-Token': 'mnd_checkout_20260125_002',
        'Content-Type': 'application/json'
    },
    json={
        'cart_id': 'cart_abc123',
        'merchant_id': 'merchant_verified_001',
        'total': 850.00,
        'currency': 'USD',
        'confirm': True  # Required for amounts > $750
    }
)
 
if response.status_code == 200:
    print(f"Purchase successful: {response.json()['order_id']}")
elif response.status_code == 402:
    print("User confirmation required (threshold exceeded)")

3. Price-Lock Mandate

Authorizes an agent to monitor prices and auto-purchase when conditions are met.

{
  "mandate_id": "mnd_pricelock_20260125_003",
  "user_id": "usr_charlie_deals",
  "agent_id": "agt_deal_hunter",
  "type": "conditional_purchase",
  "scope": "purchase:conditional",
  "trigger_conditions": {
    "product_id": "prod_laptop_xyz",
    "price_threshold": 899.00,
    "operator": "less_than_or_equal",
    "stock_requirement": "in_stock"
  },
  "constraints": {
    "max_price": 899.00,
    "quantity": 1,
    "currency": "USD",
    "expires_at": "2026-02-15T23:59:59Z"
  },
  "execution_rules": {
    "auto_execute": true,
    "notify_before_purchase": true,
    "notification_delay_seconds": 300,
    "cancel_if_price_increases": true
  },
  "payment_method": {
    "type": "stripe",
    "payment_method_id": "pm_charlie_card_001"
  },
  "signature": "SHA256:9a8b7c6d5e4f...",
  "issued_at": "2026-01-25T10:00:00Z",
  "issuer": "usr_charlie_deals",
  "algorithm": "RS256"
}

Usage Example:

// Agent monitors price and executes when condition is met
const PRICE_URL = 'https://abbababa.com/api/v1/products/prod_laptop_xyz/price';
const mandateHeaders = {
  'X-API-Key': 'aba_agent_key',
  'X-Mandate-Token': 'mnd_pricelock_20260125_003',
  'Content-Type': 'application/json'
};

const checkAndExecute = async () => {
  const priceCheck = await fetch(PRICE_URL);
  const { current_price, in_stock } = await priceCheck.json();

  if (current_price <= 899.00 && in_stock) {
    // Notify user (5-minute delay)
    await fetch('https://abbababa.com/api/v1/notifications/send', {
      method: 'POST',
      headers: mandateHeaders,
      body: JSON.stringify({
        message: `Price dropped to $${current_price}! Purchasing in 5 minutes...`,
        user_id: 'usr_charlie_deals'
      })
    });

    // Wait for notification delay
    await new Promise(resolve => setTimeout(resolve, 300000));

    // Re-check after the delay: the mandate sets cancel_if_price_increases,
    // and stock may have changed while waiting
    const recheck = await fetch(PRICE_URL);
    const latest = await recheck.json();
    if (latest.current_price > current_price || !latest.in_stock) {
      return null;
    }

    // Execute purchase at the re-checked price
    const purchase = await fetch('https://abbababa.com/api/v1/purchase/execute', {
      method: 'POST',
      headers: mandateHeaders,
      body: JSON.stringify({
        product_id: 'prod_laptop_xyz',
        quantity: 1,
        price: latest.current_price
      })
    });

    return purchase.json();
  }
};

Security Considerations

Signature Verification

All mandates must be cryptographically signed using RS256 or ES256 algorithms:

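const crypto = require('crypto');
const jwt = require('jsonwebtoken');

// Demo key pair so the snippet runs; in practice the private key stays with the user
const { privateKey: userPrivateKey, publicKey: userPublicKey } =
  crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
  });

// Create a mandate
const mandate = {
  mandate_id: 'mnd_example',
  user_id: 'usr_123',
  agent_id: 'agt_456',
  type: 'purchase_intent',
  constraints: { max_price: 100.00 }
};

// Sign with user's private key
const token = jwt.sign(mandate, userPrivateKey, { algorithm: 'RS256' });

// Verify on server, pinning the algorithm so the token header cannot choose it
const verified = jwt.verify(token, userPublicKey, { algorithms: ['RS256'] });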
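
The same sign-and-verify flow written against Node's built-in `crypto` module, as an added example that is not part of the original page. It shows that editing a constraint after signing invalidates the mandate and that the verifier, not the token header, decides which algorithm is accepted. The function names `signMandate`, `verifyMandate` and `demo`, and the throwaway keys, are assumptions for illustration.

```javascript
const crypto = require('crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');
// Accepted algorithms and the key type each one requires; anything else is rejected
const KEY_TYPE = { RS256: 'rsa', ES256: 'ec' };

function signMandate(mandate, privateKey, alg) {
  const input = `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u(JSON.stringify(mandate))}`;
  // ieee-p1363 gives the raw r||s form JWS uses for ES256; it is ignored for RSA keys
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Returns the mandate if the signature is valid for expectedAlg, otherwise null
function verifyMandate(token, publicKey, expectedAlg) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(fromB64u(parts[0]).toString());
    // The verifier picks the algorithm from its own key record, never from the token
    if (header.alg !== expectedAlg) return null;
    if (KEY_TYPE[expectedAlg] !== publicKey.asymmetricKeyType) return null;
    const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
      { key: publicKey, dsaEncoding: 'ieee-p1363' }, fromB64u(parts[2]));
    return ok ? JSON.parse(fromB64u(parts[1]).toString()) : null;
  } catch {
    return null; // malformed header or payload: fail closed
  }
}

// Constructed sample: throwaway keys and a mandate shaped like the one above
function demo() {
  const rsa = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const ec = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
  const mandate = { mandate_id: 'mnd_example', user_id: 'usr_123', agent_id: 'agt_456',
    type: 'purchase_intent', constraints: { max_price: 100.00 } };
  const token = signMandate(mandate, rsa.privateKey, 'RS256');
  // Raise max_price in the payload but keep the original signature
  const [h, , s] = token.split('.');
  const edited = { ...mandate, constraints: { max_price: 10000 } };
  const tampered = `${h}.${b64u(JSON.stringify(edited))}.${s}`;
  const ecToken = signMandate(mandate, ec.privateKey, 'ES256');
  return {
    valid: verifyMandate(token, rsa.publicKey, 'RS256'),
    tampered: verifyMandate(tampered, rsa.publicKey, 'RS256'),
    wrongAlg: verifyMandate(ecToken, rsa.publicKey, 'RS256'),
    es256: verifyMandate(ecToken, ec.publicKey, 'ES256'),
  };
}
```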

Revocation

Users can revoke mandates at any time:

curl -X DELETE https://abbababa.com/api/v1/mandates/mnd_cart_20260125_001 \
  -H "Authorization: Bearer user_token"

Audit Trail

All mandate usage is logged immutably:

{
  "mandate_id": "mnd_cart_20260125_001",
  "action": "cart:add",
  "timestamp": "2026-01-25T14:30:00Z",
  "agent_id": "agt_shopping_assistant",
  "result": "success",
  "details": {
    "product_id": "prod_12345",
    "price": 45.00,
    "quantity": 2
  }
}

Best Practices

  1. Principle of Least Privilege: Grant only the minimum necessary permissions
  2. Short Expiration Times: Use the shortest practical expiration window
  3. Price Buffers: Set max_price slightly above the expected price to account for fluctuations
  4. Notification Hooks: Always notify users before executing high-value transactions
  5. Revocation Strategy: Implement easy mandate revocation in your UX

API Reference

  • Create Mandate: POST /api/v1/mandates
  • List Mandates: GET /api/v1/mandates
  • Revoke Mandate: DELETE /api/v1/mandates/{mandate_id}
  • Audit Log: GET /api/v1/mandates/{mandate_id}/audit

For complete API documentation, see Agent API Reference.