What verification means in agentic payments
In agentic payments, verification is not just login. It is a chain of technical checks that answer a specific sequence of questions before any payment instruction reaches a network or settlement layer.
- Is this really the agent the system issued credentials to?
- Is it running on a trusted device or paired terminal?
- Does it have permission to act on behalf of a merchant or user?
- Has user consent been proven or recorded?
- Does the current payment fall inside policy?
Traditional payment APIs assume a human, browser, or merchant operator is in control. Agentic systems need a different trust model: one built for software agents, terminals, edge devices, and offline execution. AffixIO provides that infrastructure through agent registration, device attestation, delegation controls, trust policy evaluation, payment intents, and privacy-preserving proof flows. The platform is designed for offline-first and autonomous environments, including terminals, embedded hardware, AI runtimes, and disconnected devices.
AffixIO's API structure maps neatly to that verification stack with agents, devices, delegations, trust, payment intents, consent, and proof infrastructure exposed as discrete endpoint groups. Secure agentic banking infrastructure requires all six layers to be present and independently auditable.
Traditional payment APIs vs agentic payment verification
The gap between what current payment infrastructure provides and what verified AI agent payments actually require is not a minor configuration difference. It is a structural mismatch in the trust model.
| Traditional checkout | Agentic payment verification |
|---|---|
| Human login / session | Agent identity + delegation chain |
| Browser fingerprint | Device attestation and terminal pairing |
| User click approval | Consent verification + policy evaluation |
| Online authorisation only | Online and offline trust evaluation |
| Basic transaction logs | Pseudonymised audit trail + cryptographic proof layer |
| OAuth token or API key | Per-transaction binary eligibility result |
| Revocation as primary control | Pre-payment gate with real-time policy evaluation |
The right column is not a wishlist. It describes the actual architecture needed to run AI agent payment verification in environments where autonomous agents initiate transactions without real-time human review. Each item maps to a concrete API surface.
The 6-step verification flow before an AI agent pays
The following six steps represent the full verification chain that secure autonomous payment infrastructure must implement. Each step corresponds to a distinct endpoint group in the AffixIO API. No step should be skipped in production agentic payment deployments.
Identity
Attest
Scope
Verify
Policy
Intent
Proof
Register the agent
Every autonomous payment flow should start with an identifiable agent record. Without a registered agent identity, there is no anchor for delegation, no basis for trust policy evaluation, and no meaningful audit trail. An agent that cannot be identified cannot be held accountable for the transactions it initiates.
The AffixIO agent registration API creates a persistent agent record with issued credentials and key material. Once registered, the agent identity can be retrieved, updated, issued new credentials, and have its keys rotated on a defined schedule.
- POST/v1/agents
- GET/v1/agents/:agentId
- PATCH/v1/agents/:agentId
- POST/v1/agents/:agentId/credentials
- POST/v1/agents/:agentId/rotate-keys
The agent registration step creates the identity layer that every subsequent verification check references. Agent identity is separate from API credentials: it is a persistent record that the platform uses to evaluate trust, track delegation state, and generate auditable proof outputs per transaction.
Verify the device or terminal
If the agent is running on a kiosk, POS terminal, embedded controller, vehicle system, or edge device, that device should be attested and optionally paired with the registered agent. Device trust is a distinct layer from agent identity trust. An agent with valid credentials running on an unattested device does not have the same trust profile as the same agent running on a paired, attested terminal.
This layer is particularly important for offline agentic payments. Terminals operating without connectivity need to be pre-attested so that local trust evaluations can proceed without a real-time attestation call. The device attestation record functions as the trust anchor for offline payment acceptance, reducing the risk that an unrecognised or compromised device can initiate payment flows.
- POST/v1/devices
- POST/v1/devices/:deviceId/attest
- POST/v1/devices/:deviceId/pair
- GET/v1/devices/:deviceId
- PATCH/v1/devices/:deviceId
Device attestation for payments gives issuers, acquirers, and merchants a technical signal that the hardware initiating the payment request is a recognised and trusted execution environment. This is the hardware-level complement to agent-level identity, forming the two lowest layers of the secure autonomous payment infrastructure stack.
Create a delegation
An agent often acts on behalf of a merchant, a user, or a workflow. That relationship requires a formal delegation boundary that is machine-readable and revocable. Delegation answers the critical question that identity alone cannot: is this agent permitted to perform this specific payment action right now, for this principal?
Delegated payment authority is not the same as account access. A delegation record specifies scope, time boundaries, and the principal on whose behalf the agent is acting. If the delegation is revoked or has expired, verification fails before the payment proceeds. This means delegation revocation is a real-time control surface, not a post-hoc cleanup operation.
- POST/v1/delegations
- GET/v1/delegations/:delegationId
- POST/v1/delegations/:delegationId/verify
- POST/v1/delegations/:delegationId/revoke
Delegation verification is one of the key points at which the question of how issuers verify user consent for agent transactions gets a concrete technical answer. The delegation record is the machine-readable artefact that ties an agent's action to a principal's prior authorisation. It is auditable, revocable, and tied to the specific scope of permitted actions.
Verify user consent
For many agent-driven payment scenarios, the issuer or merchant needs proof that the user consented to the agent acting on their behalf, and that the consent is current and has not been revoked. Delegation establishes scope; consent verification confirms that the specific action being taken falls within what the user agreed to.
AffixIO provides consent verification and consent logging through dedicated endpoints. Consent can be checked in real-time, logged for audit purposes, and revoked by the user. The consent verification layer is also where privacy-preserving proof becomes particularly valuable: the system needs to confirm consent exists without necessarily exposing the underlying personal data involved in the consent record.
- POST/api/consent/verify
- POST/api/consent/log
- GET/api/consent/:consentId/status
- POST/api/consent/revoke
AffixIO also supports consent-related circuits: consent_verification and cross_data_consent. These circuits return a binary eligible result confirming whether consent is in a valid state, without the verification system needing to read or retain the content of the consent record itself. The patent material explicitly describes stateless, binary verification with optional consent platform integration and privacy-preserving auditability as core design properties of the platform.
Run a trust decision
Before payment execution, the platform should evaluate trust policy against the current runtime context. Trust policy evaluation is where the sum of the preceding checks is weighed against the specific transaction being requested. An agent might have valid identity, a properly attested device, a current delegation, and confirmed user consent, but the trust policy might still block the payment if the transaction amount exceeds a threshold, if the agent is operating from an unusual jurisdiction, or if the merchant category falls outside the permitted scope for this delegation.
The trust infrastructure for AI payments in AffixIO operates through two complementary API surfaces: the trust policy layer and the NIOR decision layer. NIOR handles offline trust scoring, policy decisions, compliance checks, and agent permission evaluation. This is where trust infrastructure stops being a vague architecture concept and becomes a real decision engine for agent billing infrastructure and autonomous payment control.
Trust layer endpoints
- POST/v1/trust/check
- POST/v1/trust/policies
- GET/v1/trust/policies/:policyId
- POST/v1/trust/policies/:policyId/evaluate
NIOR decision layer endpoints
- POST/v1/nior/policy/decide
- POST/v1/nior/offline-trust/score
- POST/v1/nior/proofs/query
- POST/v1/nior/terminal/capabilities/check
- GET/v1/nior/terminal/capabilities
- POST/v1/nior/agent/permission
- GET/v1/nior/rules
- POST/v1/nior/rules
- POST/v1/nior/rules/:ruleId/evaluate
- POST/v1/nior/compliance/check
The NIOR layer is specifically designed for AI agent payment verification authentication mechanisms that need to operate in constrained or disconnected environments. POST /v1/nior/offline-trust/score allows a terminal to evaluate the trust state of a transaction without connectivity, using pre-loaded policy rules and locally cached agent and device state. This is what makes offline agentic payments technically viable rather than just theoretically possible.
Create and authorise the payment intent
Only after identity, device, delegation, consent, and trust checks have all passed should the payment flow begin. Payment intents in the AffixIO API are the point at which a verified, trust-evaluated transaction request is formalised before being sent to the payment network. The payment intent is separate from the payment record because it represents the pre-authorisation state: the point at which all verification has succeeded but the actual settlement has not yet occurred.
- POST/v1/payment-intents
- GET/v1/payment-intents/:paymentIntentId
- POST/v1/payment-intents/:paymentIntentId/authorise
- POST/v1/payment-intents/:paymentIntentId/capture
- POST/v1/payment-intents/:paymentIntentId/cancel
Once a payment intent has been authorised and captured, the payment record is created:
- POST/v1/payments
- GET/v1/payments/:paymentId
- POST/v1/payments/:paymentId/refund
- POST/v1/payments/:paymentId/reverse
AffixIO also documents offline-first payment handling with local nullifier checks, queued transaction synchronisation, and compact proof generation for disconnected environments. This makes the payment intent layer functional in edge and terminal deployments where connectivity is intermittent rather than guaranteed.
What gets verified: the six trust surfaces
Each of the six verification layers addresses a distinct trust surface. All six must pass before a payment proceeds in a properly constructed agentic payments infrastructure deployment.
Agent identity
Is this the registered agent? Does it hold valid credentials issued by the platform? Have its keys been rotated as required?
Device integrity
Is the runtime environment attested? Is the device paired with this agent? Has the terminal passed attestation checks?
Delegated authority
Does the agent have a current, unrevoked delegation? Is the scope of the delegation sufficient for this specific payment action?
Consent state
Has the user consented to this type of action? Is that consent current, unrevoked, and within scope? Can it be proven without exposing PII?
Policy compliance
Does the transaction fall within trust policy rules? Does it pass merchant rule evaluation and compliance checks including sanctions screening?
Payment proof
Is a cryptographic proof generated for this payment event? Is the proof logged independently of the payment network record?
Example: complete agent verification flow with APIs
The following sequence represents a full agent payment verification flow from initial identity check through to payment capture. Each step is a separate API call that must succeed before the next is attempted.
This flow is much closer to what issuers, merchants, and regulators will expect from verified AI agent payments infrastructure than a simple "agent calls checkout API" model. Each step produces an independently auditable result, and the combination of all steps gives the payment stack a complete chain of evidence for each transaction.
API example: agent permission check before payment
The following is an illustrative API pattern based on documented endpoint structure. It shows a NIOR agent permission check, which is the trust layer gate between consent verification and payment intent creation. This call confirms that the registered agent has permission to perform a specific action in the current context.
# Illustrative API pattern based on documented endpoint structure
curl -X POST https://api.affix-io.com/v1/nior/agent/permission \
-H "Authorization: Bearer <api_key>" \
-H "Content-Type: application/json" \
-d '{
"agentId": "agt_123",
"action": "payment.authorise",
"context": {
"amount": 4200,
"currency": "GBP",
"deviceId": "dev_456",
"delegationId": "del_789",
"merchantCategory": "retail"
}
}'
# Response
{
"permitted": true,
"agentId": "agt_123",
"action": "payment.authorise",
"proof": "sha256:8a3f2c...",
"policyEvaluated": true,
"logged": true,
"latency_ms": 42
}The response includes a cryptographic proof that the permission check was performed, confirming that the agent identity, delegation state, and trust policy were all evaluated at a specific moment. The proof is logged independently and can be retrieved for dispute resolution without re-querying the payment network.
Endpoint explorer: full API surface for agent payment verification
The six verification layers map to six endpoint groups. Each group is independently callable and produces an auditable result.
Trust score: what a passing verification looks like
A full agent payment verification pass produces a composite trust signal across all six layers. The following visualises the trust state for an agent that has passed identity, device, delegation, and consent checks, with policy evaluation completing before payment is authorised.
Agent trust evaluation: sample verified state
A REVIEW status on the policy layer does not block the payment automatically in all configurations. It triggers a policy-defined response, which may be a hold, a reduced limit, or a request for additional verification depending on the rule set. The payment intent is only created after the policy layer result is resolved within the defined policy boundaries.
Where zero-knowledge proofs fit in agent payment verification
Not every payment system needs a full zero-knowledge flow for every step. But privacy-preserving proofs are particularly useful when the verifier needs to confirm a YES or NO answer without seeing the underlying personal data that produced that answer. This is the design that the Certiqo patent describes: a stateless binary eligibility verification model that queries live external data, returns a yes/no result, and avoids retaining personal data while preserving auditable outcomes.
In agentic payment contexts, zero-knowledge proofs are most valuable at the consent verification layer and the compliance check layer. At the consent layer, the proof confirms that consent exists and is valid without the verification system reading the consent content. At the compliance layer, the proof confirms that a sanction check was performed and produced a clean result without the proof itself containing the personal identifiers that were checked.
The result is a payment stack where each verification step produces machine-readable evidence of its outcome, none of the evidence contains PII in recoverable form, and the complete chain of evidence is available for audit, dispute resolution, and regulatory review without requiring access to the underlying personal data stores.
Relevant AffixIO circuits for privacy-preserving verification in agentic payment flows include:
Offline agentic payments need extra verification layers
A lot of the strongest positioning for agentic banking infrastructure comes from offline-first payment environments. AffixIO is documented as offline-first agentic payments infrastructure designed for disconnected terminals, embedded systems, vehicles, event environments, and edge hardware. The core properties that make offline agentic payments viable without unacceptable fraud risk are local nullifier checks, pre-loaded policy rule sets, and queued proof synchronisation.
Local nullifier checks reduce the risk of double-spend in offline environments by maintaining a local record of which transaction identifiers have already been used. Without nullifier checking, a disconnected terminal has no way to know whether a given payment identifier has already been presented and accepted. With local nullifier state, the terminal can reject a duplicate presentation immediately, without connectivity.
Pre-loaded policy rule sets allow the NIOR decision engine to evaluate trust policy against the current transaction context using rules that were loaded during the last online sync. These rules cover amount limits, merchant categories, delegation scope, and compliance flags. The combination of local nullifier state and pre-loaded policy rules means that offline agentic payments can be made to a defined safety boundary without requiring real-time connectivity at the point of authorisation.
Keywords that describe this architecture accurately: offline agentic payments, offline payment verification, AI agent payment verification, secure autonomous payment infrastructure, trust layer for agent payments, consent verification for AI transactions, device attestation for payments, and delegated payment authority.
Core principle of offline-first design: The verification chain does not collapse when connectivity is lost. Each layer that can be pre-computed or locally cached is designed to produce a valid binary result from local state. The proof of that result is queued for synchronisation when connectivity returns, giving the platform a complete audit trail that does not have gaps for offline periods.
Why issuers care about consent for agent transactions
Issuers are exposed to the consequences of agent transactions that were not properly authorised by the account holder. Chargebacks, disputes, and regulatory scrutiny all land on the issuer when a transaction is contested. In the agentic payment context, the question of how issuers verify user consent for agent transactions is becoming a compliance and liability question, not just a technical one.
The answer requires that the payment request came from a recognised agent identity, running on a trusted runtime or terminal, operating within an approved delegation scope, against a valid and unrevoked consent state, within a policy-compliant transaction context. That is five independent checks, each of which must be independently auditable.
AffixIO's consent endpoints, trust checks, delegation layer, and privacy-preserving binary proof model are all relevant building blocks for issuer-side consent verification for agent transactions. The patent documentation also highlights optional connection to external consent systems and pseudonymised audit logs for later compliance review. This allows issuers to integrate their existing consent management infrastructure with AffixIO's verification layer without migrating consent data into the verification platform itself.
For issuers building or evaluating agentic banking infrastructure API integrations, the consent verification layer is where the technical architecture connects to regulatory compliance requirements. Consent proof that is independently logged, cryptographically tied to the transaction, and retrievable without exposing PII is the evidence standard that regulators will increasingly require for autonomous payment flows.
Relevant circuits for agentic payment verification
The following circuits are directly applicable to AI agent payment verification flows. Each returns a binary eligible result and a cryptographic proof.
eligibility: General eligibility verification, used as the base layer for access and payment eligibility checksconsent_verification: Confirms consent state is valid without exposing the content of the consent recordcross_data_consent: Cross-system consent check for multi-source data consent scenariostoken_validation: Validates the agent credential token against the issued credential recordproof_aggregation: Combines multiple circuit results into a single composite proof for a payment eventoffline_validation: Runs eligibility checks using cached state for disconnected terminal environmentsnior_agent_permission: NIOR-layer check confirming agent permission for a specific actionnior_policy_engine: Full policy rule evaluation against the transaction contextnior_offline_trust: Offline trust scoring using pre-loaded NIOR rulesnior_offline_compliance: Offline compliance check for sanctions and AML-adjacent rules in disconnected environments
Frequently asked questions
How do AI agents get verified before making payments?
AI agents are verified through a chain of checks covering agent identity issuance, device attestation, delegation scope verification, user consent confirmation, trust policy evaluation, and payment intent authorisation controls. Each layer is a separate technical gate that must return a passing result before the next layer is evaluated. AffixIO exposes dedicated endpoints across all six layers: /v1/agents, /v1/devices, /v1/delegations, /api/consent/verify, /v1/trust/check, and /v1/payment-intents. The NIOR decision layer adds offline-capable policy and compliance evaluation via /v1/nior/agent/permission and related endpoints.
How do issuers verify user consent for agent transactions?
Issuers verify user consent for agent transactions by combining consent verification API calls, delegation status checks, trust policy evaluations, and auditable proof flows. AffixIO provides POST /api/consent/verify and POST /api/consent/log endpoints, along with consent-related circuits including consent_verification and cross_data_consent. These allow privacy-preserving proof of consent without exposing the underlying personal data. The platform also supports optional connection to external consent management systems, allowing issuers to use their existing consent infrastructure as the source of truth while AffixIO handles the verification and proof generation layer.
What is agentic payments infrastructure?
Agentic payments infrastructure is payment infrastructure designed for AI agents, autonomous terminals, and embedded systems rather than only browser-based human checkout flows. It includes agent identity registration, device attestation, delegation controls, consent verification, trust policy evaluation, and payment intent authorisation as discrete technical layers. The key distinction from traditional payment infrastructure is that agentic payment infrastructure operates correctly when no human is present at the point of transaction, and it produces independently auditable evidence for each transaction without requiring the human who originally authorised the agent to be reachable at transaction time.
Can AI agents make payments offline?
AffixIO documents offline payment acceptance capabilities including local nullifier checks to reduce double-spend risk, queued transaction synchronisation for when connectivity returns, and compact proof generation for disconnected environments. Offline-first capability is a core design principle of the platform, with implementation surfaced through the merchant SDK and NIOR offline endpoints including /v1/nior/offline-trust/score and the offline_validation circuit. Production implementations should be confirmed through direct API access, as some V1 route implementations are documented as offline-capable stubs that surface capability through the root API flows.
What is the difference between agent identity and delegated payment authority?
Agent identity confirms that the calling system is a registered agent with valid credentials. Delegated payment authority confirms that the registered agent has been granted permission to act on behalf of a specific principal, within a defined scope, for a defined time period. Both are necessary but neither is sufficient on its own. An agent with valid identity but no delegation cannot authorise a payment on behalf of a merchant or user. An agent with a delegation but expired or rotated credentials cannot pass the identity check. Both checks must pass independently before the trust layer is evaluated.
Why does device attestation matter for agent payment verification?
Device attestation matters because the runtime environment of an agent is part of its trust profile. An agent credential token can be copied; an attested terminal hardware profile is bound to a physical or virtualised execution environment. For kiosk, POS, vehicle, and edge deployments, device attestation is the layer that confirms the payment instruction originated from a known and trusted execution context rather than from a credential that was extracted and is being used from an uncontrolled environment. This is especially important in offline agentic payment deployments where there is no real-time connectivity to validate the agent's current context.
Building agentic payments or secure banking infrastructure?
Use AffixIO to verify agents, attest devices, validate consent, enforce trust policies, and authorise autonomous payments with privacy-preserving proofs.