{"id":49798938,"url":"https://github.com/agent-intent/verifiable-intent","last_synced_at":"2026-05-29T04:00:30.865Z","repository":{"id":349662961,"uuid":"1173370009","full_name":"agent-intent/verifiable-intent","owner":"agent-intent","description":"Open specification for cryptographic agent authorization in commerce","archived":false,"fork":false,"pushed_at":"2026-04-20T19:08:33.000Z","size":312,"stargazers_count":47,"open_issues_count":21,"forks_count":11,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-04-20T20:35:25.181Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/agent-intent.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-05T09:41:38.000Z","updated_at":"2026-04-20T19:06:47.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/agent-intent/verifiable-intent","commit_stats":null,"previous_names":["agent-intent/verifiable-intent"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/agent-intent/verifiable-intent","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agent-intent%2Fverifiable-intent","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agent-intent%2Fverifiable-intent/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agent-intent%2Fverifiable-intent/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agent-intent%2Fverifiable-intent/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/agent-intent","download_url":"https://codeload.github.com/agent-intent/verifiable-intent/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agent-intent%2Fverifiable-intent/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33635961,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-29T02:00:06.066Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-12T13:00:30.583Z","updated_at":"2026-05-29T04:00:30.858Z","avatar_url":"https://github.com/agent-intent.png","language":"Python","funding_links":[],"categories":["Agent Identity \u0026 Credentials"],"sub_categories":[],"readme":"# Verifiable Intent (VI)\n\n**Open specification for cryptographic agent authorization in commerce.**\n\nVisit **[verifiableintent.dev](https://verifiableintent.dev)** for full documentation.\n\n**Status**: Draft (v0.1). Maintained by Mastercard; open to multi-stakeholder contribution. See [CONTRIBUTING.md](CONTRIBUTING.md).\n\nVerifiable Intent defines a layered SD-JWT credential format that creates a\ntamper-evident chain providing cryptographic evidence that an AI agent's actions\nwere within the scope delegated by a human user.\n\n## The Problem\n\nWhen a human delegates a purchase to an AI agent, no party in the transaction\ncan verify that the agent's actions actually reflect the user's wishes. The\nagent might select the wrong product, overspend, or transact with an\nunapproved merchant. Today's payment infrastructure assumes human presence at\nthe point of transaction — AI agents break that assumption, and without a\nmechanism to bind agent actions to user intent, every stakeholder carries\nunquantifiable risk:\n\n| Stakeholder | Risk |\n|-------------|------|\n| **User** | Agent overspends, selects wrong products, or transacts with untrusted merchants |\n| **Merchant** | Increased chargebacks from unauthorized agent transactions; no proof that agent was authorized |\n| **Payment Network** | Dispute liability is ambiguous — who authorized the transaction? |\n| **Credential Provider** | Credential misuse by agents operating outside user-granted scope |\n| **Agent Platform** | Liability for agent actions without provable authorization chain |\n\n## What VI Does\n\nVI creates a cryptographic delegation chain from credential provider to user\nto agent using SD-JWT credentials. Each layer binds the next through key\nconfirmation claims ([RFC 7800](https://www.rfc-editor.org/rfc/rfc7800)),\nand selective disclosure ensures each party sees only the claims relevant to\nits role. User-defined constraints (amount range, allowed line items, approved\nmerchants) are cryptographically bound. Machine-enforceable constraints (amount,\npayee, merchant) are verified at execution time; descriptive fields (product\nname, brand, color, size) provide informational context.\n\n**In scope:** Layered SD-JWT credential format, delegation chain (credential\nprovider → user → agent), constraint vocabulary for purchase transactions,\nselective disclosure policies per role, verification procedures, checkout-payment\nintegrity binding (cryptographic proof that the payment mandate references the\nsame checkout the user approved).\n\n**Out of scope:** Transport protocols, key management/provisioning, credential\nprovider enrollment, agent platform APIs, dispute resolution, regulatory\ncompliance mapping (PCI DSS, PSD2, etc.).\n\n\u003e **Note:** Regulatory references (PSD2, SCA) in this specification are informational only. This specification does not make compliance claims and is not legal advice.\n\nEach layer contains one or more **mandates** — signed claims expressing a\nspecific aspect of purchase intent (e.g., checkout details or payment parameters).\n\n## Two Execution Modes\n\n| | Immediate | Autonomous |\n|---|---|---|\n| **Layers** | 2 (L1 + L2) | 3 (L1 + L2 + L3) |\n| **User role** | Reviews and confirms final values | Sets constraints; agent acts independently |\n| **Agent role** | Forwarding only | Selects products, creates checkout, builds L3a + L3b |\n| **Delegation** | No `cnf` in mandates — no delegation | `cnf.jwk` binds agent's key |\n| **Use cases** | User-confirmed purchases, re-orders, one-click buy | Delegated shopping, automated replenishment, price-watching agents |\n| **Example** | \"Buy these 3 tennis balls for $5.99\" | \"Buy me a racket and some balls under $300 from Tennis Warehouse\" |\n\n**When to use which mode:** Use *Immediate* when the user is present and can\nreview exact checkout contents and payment details before authorizing — the agent\nfacilitates but does not decide. Use *Autonomous* when the user sets boundaries\nand delegates the decision; the user may not be present at transaction time.\n\n## Architecture at a Glance\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│                    LAYER 1 — SD-JWT                         │\n│              Credential Provider → User                     │\n│                                                             │\n│  Identity claims (email), pan_last_four, scheme             │\n│  cnf.jwk = User Device Key                                  │\n│  Lifetime: ~1 year                                          │\n│  Signed by: Credential Provider private key                 │\n└───────────────────────────┬─────────────────────────────────┘\n                            │ L2 signed by key in L1 cnf.jwk\n                            ▼\n┌─────────────────────────────────────────────────────────────┐\n│                    LAYER 2 — KB-SD-JWT                      │\n│                  User → Agent / Verifier                    │\n│                                                             │\n│  IMMEDIATE MODE             │  AUTONOMOUS MODE              │\n│  ─────────────              │  ───────────────              │\n│  Final checkout (checkout_jwt)│ Checkout constraints + cnf.jwk│\n│  Final payment values       │  Payment constraints + cnf.jwk│\n│  NO cnf in mandates         │  cnf.jwk = Agent Key          │\n│  Lifetime: ~15 minutes      │  Lifetime: 24 hours – 30 days │\n│  Signed by: User Device Key │  Signed by: User Device Key   │\n└─────────────────────────────┼───────────────────────────────┘\n                              │\n                              │ In Autonomous mode, both the checkout mandate\n                              │ and payment mandate each contain cnf.jwk binding\n                              │ the same agent key. These MUST be identical\n                              │ (see credential-format.md §12.7).\n                              │ L3 signed by key in L2\n                              │ mandate cnf.jwk\n                              ▼ (Autonomous only)\n┌─────────────────────────────────────────────────────────────┐\n│              LAYER 3 — Split KB-SD-JWTs                     │\n│               (Autonomous mode only)                        │\n│                                                             │\n│  L3a (Payment → Network)    │  L3b (Checkout → Merchant)    │\n│  ─────────────────────────  │  ──────────────────────────   │\n│  Final payment values       │  Final checkout (checkout_jwt)│\n│  transaction_id             │  checkout_hash                │\n│  payment_instrument         │                               │\n│  header.jwk = Agent Key     │  header.jwk = Agent Key       │\n│                                                             │\n│  Cross-reference: L3a transaction_id == L3b checkout_hash   │\n│  Lifetime: ~5 minutes                                       │\n│  Signed by: Agent private key                               │\n└─────────────────────────────────────────────────────────────┘\n```\n\n## Design Principles\n\n- **Verifiable delegation** — Any party can cryptographically verify that an agent's actions trace back to explicit user authorization\n- **Minimal disclosure** — Each party sees only the claims required for its role; sensitive data stays hidden from parties that don't need it\n- **Constraint enforcement** — User-defined constraints (amount range, allowed line items, approved merchants/payees) are cryptographically bound; quantitative constraints are machine-enforceable, while descriptive fields provide informational context\n- **Protocol agnostic** — Works across payment protocols, agent frameworks, and commerce platforms without modification\n- **Standards aligned** — Built on SD-JWT, JWS, JWK, and RFC 7800; no novel cryptography\n- **Incremental adoption** — Supports both human-present (Immediate) and agent-delegated (Autonomous) flows, allowing gradual migration\n\n## Quick Start\n\n```bash\n# Install (using uv)\nuv venv .venv \u0026\u0026 source .venv/bin/activate\nuv pip install -e \".[dev]\"\n\n# Or using pip\npython -m venv .venv \u0026\u0026 source .venv/bin/activate\npip install -e \".[dev]\"\n\n# Run an example\npython examples/autonomous_flow.py\n```\n\n## Examples\n\nEach example is a standalone script — no servers, no setup:\n\n```bash\npython examples/autonomous_flow.py       # 3-layer autonomous purchase\npython examples/immediate_flow.py        # 2-layer immediate purchase\npython examples/selective_disclosure.py   # Role-specific credential views\npython examples/constraint_checking.py    # All 5 constraint types + validation\npython examples/network_validation.py     # Payment validation pipeline\n```\n\n## Tests\n\n```bash\npytest tests/ -v\n```\n\n## Repository Structure\n\n```\nverifiable-intent/\n├── spec/                   # Normative specification documents\n│   ├── README.md           #   Architecture, trust model, conformance\n│   ├── credential-format.md  # Credential format, claim tables, serialization\n│   ├── constraints.md      #   Constraint types, validation rules\n│   └── security-model.md   #   Security analysis, threats, key management\n├── src/verifiable_intent/  # Python reference implementation\n│   ├── crypto/             #   SD-JWT, signing, disclosure primitives\n│   ├── models/             #   Credential and mandate data models\n│   ├── issuance/           #   Layer 1/2/3 credential creation\n│   └── verification/       #   Chain verification, constraint checking\n├── examples/               # Standalone runnable examples\n└── tests/                  # SDK test suite\n```\n\n## Specification\n\n| Document | Description |\n|----------|-------------|\n| [spec/README.md](spec/README.md) | Architecture overview, trust model, selective disclosure, conformance requirements |\n| [spec/credential-format.md](spec/credential-format.md) | Normative credential format: layer headers, payloads, disclosure formats, hash bindings |\n| [spec/constraints.md](spec/constraints.md) | Constraint type definitions, validation rules, strictness modes, extensibility |\n| [spec/security-model.md](spec/security-model.md) | Security analysis, threat model, attack mitigations, key management |\n\n## License\n\n[Apache 2.0](https://github.com/agent-intent/verifiable-intent/blob/main/LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fagent-intent%2Fverifiable-intent","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fagent-intent%2Fverifiable-intent","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fagent-intent%2Fverifiable-intent/lists"}