How can merchants verify AI agent identity during checkout?
Merchants verify AI agent identity during checkout by validating the agent's consent receipt and credentials before capture - checkout completes only when identity, user consent, and transaction details align.
Short answer: At checkout, verify the consent receipt signature, allowed merchant and amount, and that the nonce has not been used before.
In This Guide
What Merchants Need to Verify · Merchant Verification Flow · Signature Verification · Scope and Constraint Checks · Replay Protection · Integration Points · What Merchants Should Log
Trust Signals & Evidence
Author: AffixIO (Kris & Becca Richens). See What is AffixIO.
Method: Merchant verification checks the consent receipt against checkout context (signature -> scope/constraints -> nonce/replay), producing a binary decision plus actionable evidence.
Privacy: Stateless verification by design; no PII stored. See Privacy Policy.
Last updated: March 18, 2026
Further reading: verified AI agent payments, trust infrastructure, OWASP API Security.
Merchant Verification Checklist (At Checkout)
To accept an agent payment, verify:
- Receipt signature — consent receipt is signed by a trusted issuer key.
- Scope match — the checkout action is in
consent_scope. - Constraint match — amount, currency, merchant/category, and time window match receipt limits.
- Replay protection — receipt nonce has not been used before (per merchant/instance).
- Expiry — receipt validity window has not elapsed (including offline freshness policy).
- Evidence output — return a binary decision with proof/audit record for disputes.
See also: merchant verification and consent framework.
Merchant Verification Graph
This diagram shows the merchant-side verification pipeline before accepting a payment:
Merchant Failure Modes (At Checkout)
| Failure mode | Which evidence is rejected | Typical decision reason |
|---|---|---|
| Invalid receipt signature | Consent receipt signature authenticity | INVALID_SIGNATURE |
| Expired / not yet valid receipt | Receipt expiry window | EXPIRED_RECEIPT |
| Action not allowed by scope | Consent scope check | SCOPE_NOT_ALLOWED |
| Constraint mismatch | Amount/currency/merchant/category/time constraints | CONSTRAINT_VIOLATION |
| Replay detected | Receipt nonce reuse detection | REPLAY_DETECTED |
Merchants can integrate via AffixIO Merchant SDK or via API calls to a verification endpoint.
What Merchants Need to Verify
Merchants check three things:
- Receipt signature — Is the consent receipt signed by a trusted issuer?
- Scope and constraints — Does the receipt allow this action, at this amount, for this merchant?
- Replay status — Has this receipt been used before?
Merchant Verification Flow
Signature Verification
The merchant verifies the Ed25519 signature on the consent receipt using the issuer's public key. This confirms the receipt was not tampered with and was issued by a trusted authority. See authentication mechanisms.
Scope and Constraint Checks
The merchant confirms: the requested action (e.g., "pay") is in the receipt's consent_scope, the transaction amount is within max_amount, the currency matches, and the merchant ID matches. If the receipt specifies allowed_categories, the merchant's category must be included.
Replay Protection
The merchant checks the receipt nonce against its nonce store. If the nonce has been seen before, the transaction is rejected. For multi-location merchants, a shared nonce store (Redis, database) is recommended.
Integration Points
Merchant integration options:
- API call — Send receipt + transaction context to AffixIO verification endpoint
- SDK — Use the AffixIO Merchant SDK for local verification
- Webhook — Receive verification results asynchronously
What Merchants Should Log
For each agent transaction, log: receipt ID, agent ID, verification result, amount, timestamp. This creates an audit trail for disputes and chargebacks. The proof of permission object serves as evidence.
Ready to implement?
Explore the reference architecture or request a technical walkthrough.
Frequently asked questions
Verify consent receipt signature, agent credential, scope, constraints, and anti-replay nonce before payment.
Storefront or gateway checks run before the authorization request is sent.
Registered credentials plus consent proof - not display name alone.
Reject: scope mismatch, amount exceeded, wrong merchant, or replay.