How it works

Authorize once. Bounded every time after.

A principal authorizes an agent; the agent receives a cryptographically bounded mandate; the merchant verifies it and settles on its own rail. Every payment leaves a signed trail.

OID4Pay authorization flow: code to a bounded mandate to a verified, settled payment.

Authorize once

You approve your agent with a strong customer authentication (SCA) check.

Bounded mandate

The authorization server issues a mandate capped by amount, merchant, and expiry.

Agent presents it

Your agent shows the mandate to a merchant at checkout.

Merchant verifies

The merchant verifies the four signatures before it charges.

Settles on their rail

The charge settles to the merchant's own account, via Stripe today.

Signed receipt

A signed receipt and dispute pack are recorded for both sides.

The proof

Four signatures on every payment.

When a dispute comes, the merchant has proof of authorization, not "we have logs." The pack auto-assembles into the processor's dispute flow.

Signed offer

The merchant's offer carries an RFC 9421 HTTP message signature, so tampering and replay are detectable in the wallet.

Signed mandate

An SD-JWT VC mandate, capped by amount, merchant, and expiry, bound to the principal and provable without re-disclosure.

Proof of possession

The agent's token is sender-constrained (RFC 9449): it cannot be lifted from the wire and replayed.

Signed receipt

A signed receipt records the settled payment, completing the trail for both sides.
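
An added example (not OID4Pay's code) of the binding checks a verifier runs on an RFC 9449 DPoP proof, which is what makes the token in "Proof of possession" above useless when lifted from the wire. It assumes the proof's signature was already verified with a JOSE library and that the access token carries the key thumbprint as `cnf.jkt`; the function names, sample keys, token and URL are constructed for illustration.

```python
import base64, hashlib, json, time

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint of an EC public key in JWK form."""
    members = {k: jwk[k] for k in ("crv", "kty", "x", "y")}  # required EC members only
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64u(hashlib.sha256(canonical.encode()).digest())

def check_dpop_binding(header, claims, access_token, cnf_jkt,
                       method, url, seen_jti, now=None, max_age=60):
    """Return the list of failed checks (empty means the proof is bound to
    this token and this request). The proof's JWS signature must already
    have been verified against header["jwk"] with a JOSE library."""
    now = time.time() if now is None else now
    jwk = header.get("jwk", {})
    errors = []
    if header.get("typ") != "dpop+jwt":
        errors.append("typ is not dpop+jwt")
    if "d" in jwk:
        errors.append("jwk contains a private key")
    try:
        if jwk_thumbprint(jwk) != cnf_jkt:  # token is bound to a different key
            errors.append("jkt mismatch")
    except KeyError:
        errors.append("jwk is not a complete EC key")
    ath = b64u(hashlib.sha256(access_token.encode("ascii")).digest())
    if claims.get("ath") != ath:  # proof was minted for another token
        errors.append("ath mismatch")
    if claims.get("htm") != method:
        errors.append("htm mismatch")
    if claims.get("htu") != url.split("#")[0].split("?")[0]:  # htu excludes query/fragment
        errors.append("htu mismatch")
    if abs(now - claims.get("iat", 0)) > max_age:
        errors.append("iat outside window")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        errors.append("jti missing or replayed")
    elif not errors:
        seen_jti.add(jti)  # remember only proofs that passed everything
    return errors

# Constructed sample values: not real key material and not OID4Pay data.
AGENT_JWK = {"kty": "EC", "crv": "P-256", "x": b64u(b"\x01" * 32), "y": b64u(b"\x02" * 32)}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": b64u(b"\x03" * 32), "y": b64u(b"\x04" * 32)}
TOKEN = "constructed-access-token"
URL = "https://merchant.example/checkout"
```
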

See it end to end.