
Before Your Agent Pays an API: The Verification Checklist

April 15, 2026

Before an agent pays for an API, it should run a checklist that verifies the API owner, endpoint, terms, price, identity record, spending mandate, receipt route, and revocation path. Payment protocols can move a request from 402 Payment Required to settlement, but the agent should not spend until the payee and the authority to pay line up.

Payment authority should be inspectable before any token, card credential, wallet instruction, or account allowance is used. A public .agent identity record can bind the merchant or service operator to official API endpoints, pricing pages, payment metadata, mandate rules, support routes, and receipts before the agent receives payment authority.

For agentic commerce, this checklist belongs beside catalog and checkout readiness work. The Headless Domains guide to making a store discoverable to AI shopping agents shows why discovery, identity, and checkout metadata should be published before agents transact.

The Eight Checks Before Payment

For each check, what the agent verifies and when it rejects payment:

  • API owner. Verifies: public operator record, business name, support route, and signing key owner. Reject when: the operator cannot be matched to the paid resource.
  • Endpoint. Verifies: exact base URL, method, resource path, and published API contract. Reject when: the payment URL differs from the published endpoint.
  • Terms. Verifies: service terms, usage rules, data policy, refund path, and support owner. Reject when: terms are absent, stale, or in conflict with the request.
  • Pricing. Verifies: amount, asset, billing unit, maximum total, recurrence, and expiry. Reject when: the price is not bound to the request the agent is about to submit.
  • Identity record. Verifies: .agent record, agent.json, payment metadata, verification keys, and policy links. Reject when: the public record is absent, expired, or inconsistent with the endpoint.
  • Mandate. Verifies: checkout mandate, payment mandate, or equivalent scoped authority. Reject when: the mandate omits payee, amount, scope, expiry, or approval evidence.
  • Receipt. Verifies: receipt issuer, receipt route, verification method, and dispute reference. Reject when: no verifiable receipt can be returned after settlement.
  • Revocation. Verifies: cancel route, key rotation path, allowance reset, and support escalation. Reject when: no path exists to stop future charges or revoke authority.

How Payment Protocols Fit

x402 documentation describes an open HTTP payment standard for APIs and content. A buyer requests a resource, receives 402 Payment Required, submits a payment payload, and the server verifies and settles before returning the resource.

MPP frames machine payments as per-request payment for API requests, tool calls, or content in the same HTTP call. That pattern can make a paid API call compact, but compact payment is not the same as verified payee identity.

AP2 focuses on authorization evidence: checkout mandates, payment mandates, receipts, and verification by the merchant, credential provider, network, and merchant payment processor. AP2 helps verifiers judge whether an agent was authorized to pay for a specific checkout under stated constraints.

BMOS shows the merchant side: machine-ready checkout links, catalog feeds, API pricing context, and .agent-linked commerce metadata can be published for agents before checkout or paid API access.

A Payment Clearance Flow

  1. Resolve identity. Read the public .agent record and confirm the operator, key set, manifest URL, payment metadata, and support path.
  2. Match the endpoint. Compare the paid URL, method, resource path, and API contract against the public record.
  3. Match terms and price. Confirm the amount, billing unit, usage policy, refund path, and maximum spend before payment.
  4. Validate authority. Check the mandate, wallet instruction, card credential, or account allowance for payee, scope, amount ceiling, expiry, and user approval evidence.
  5. Submit payment after agreement. Send the payment payload only after identity, endpoint, terms, price, and authority all align.
  6. Store proof and revocation data. Record the receipt, issuer, verification method, dispute reference, and cancel route before the next paid call.

Example Agent Payment Clearance Record

A local clearance record gives the agent an auditable checkpoint before it signs or submits payment.

{
  "payee": "weather-api.agent",
  "api_owner": "Weather API Co.",
  "endpoint": "https://api.example.com/v1/forecast",
  "method": "GET",
  "price": {
    "amount": "0.002",
    "asset": "USD",
    "unit": "request"
  },
  "protocol": "x402",
  "identity_record": "hns://weather-api.agent/agent.json",
  "mandate": {
    "scope": "forecast.lookup",
    "max_total": "1.00",
    "expires_at": "2026-06-01T00:00:00Z"
  },
  "receipt_route": "https://api.example.com/receipts/{id}",
  "revocation": "https://api.example.com/agent-access/revoke"
}

What to Reject

  • A payment request from a URL that is absent from the .agent record.
  • A price that floats outside the published terms or mandate.
  • A mandate that omits payee, endpoint, amount ceiling, scope, expiry, or user approval evidence.
  • A receipt route that cannot be verified by the merchant, processor, credential provider, or network.
  • A paid session with no revocation path for keys, allowances, or future charges.
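The clearance flow and the rejection rules above, implemented as one pre-payment check. This is an added example, not Headless Domains code and not part of the original post. The identity record, mandate and payment request are constructed stand-ins modelled on the clearance record shown earlier; their field names are assumptions, not the .agent, AP2 or x402 schemas. The check returns every failing item rather than stopping at the first, so the agent's audit log shows the full mismatch, and it treats a lookalike host or a changed path as a different endpoint while tolerating only case and trailing-slash differences.

```python
# Added example, not Headless Domains code. The record, mandate and request shapes are
# assumptions modelled on the page's clearance record; real .agent records, AP2 mandates
# and x402 payloads use their own field names.
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation
from urllib.parse import urlsplit

# Constructed stand-in for the payee's public .agent identity record (agent.json).
IDENTITY_RECORD = {
    "name": "weather-api.agent",
    "operator": "Weather API Co.",
    "support": "https://api.example.com/support",
    "terms": "https://api.example.com/terms",
    "endpoints": [{"method": "GET", "url": "https://api.example.com/v1/forecast",
                   "scope": "forecast.lookup",
                   "price": {"amount": "0.002", "asset": "USD", "unit": "request"}}],
    "receipt_route": "https://api.example.com/receipts/{id}",
    "revocation": "https://api.example.com/agent-access/revoke",
    "expires_at": "2027-01-01T00:00:00Z",
}
# Constructed scoped authority the user granted to the agent.
MANDATE = {"payee": "weather-api.agent", "scope": "forecast.lookup", "max_total": "1.00",
           "asset": "USD", "expires_at": "2026-06-01T00:00:00Z",
           "approval": "user-approval-evidence-placeholder"}
# Constructed payment request, as the agent assembles it from a 402 response.
PAYMENT_REQUEST = {
    "payee": "weather-api.agent", "api_owner": "Weather API Co.",
    "endpoint": "https://api.example.com/v1/forecast", "method": "GET",
    "scope": "forecast.lookup",
    "price": {"amount": "0.002", "asset": "USD", "unit": "request"},
    "receipt_route": "https://api.example.com/receipts/{id}",
    "revocation": "https://api.example.com/agent-access/revoke",
}
NOW = datetime(2026, 4, 15, tzinfo=timezone.utc)  # constructed clock for the example

def _ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _norm_url(url):
    """Fold case of scheme and host and drop a trailing slash, nothing more:
    a lookalike host or a different path must still fail to match."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/") or "/")

def _money(value):
    """Decimal, never float, for amounts; None when the value is not a number."""
    try:
        return Decimal(str(value))
    except InvalidOperation:
        return None

def clearance_failures(request, record, mandate, spent_so_far="0", now=NOW):
    """Run the eight checks; return [] when the agent may pay, otherwise every
    reason to refuse, so the audit log shows all mismatches rather than the first."""
    failures = []
    price = request.get("price", {})
    # 1. API owner: the public operator must match the payee named in the request.
    if (record.get("name") != request.get("payee")
            or record.get("operator") != request.get("api_owner") or not record.get("support")):
        failures.append("owner: operator, name or support route does not match the paid resource")
    # 2. Identity record: must be present and unexpired.
    if not record.get("expires_at") or _ts(record["expires_at"]) <= now:
        failures.append("identity record: absent or expired")
    # 3. Endpoint: method plus normalised URL must appear in the published record.
    published = next((ep for ep in record.get("endpoints", [])
                      if ep.get("method") == request.get("method")
                      and _norm_url(ep["url"]) == _norm_url(request.get("endpoint", ""))), None)
    if published is None:
        failures.append("endpoint: payment URL is not a published endpoint")
    # 4. Terms: the record must point at service terms.
    if not record.get("terms"):
        failures.append("terms: no published terms")
    # 5. Pricing: the requested price must be the one bound to that endpoint.
    amount = _money(price.get("amount"))
    if published is not None and (amount is None or price != published.get("price")):
        failures.append("price: not bound to the published price for this endpoint")
    # 6. Mandate: complete, unexpired, right payee, scope and asset, ceiling not exceeded.
    missing = [k for k in ("payee", "scope", "max_total", "asset", "expires_at", "approval")
               if not mandate.get(k)]
    if missing:
        failures.append("mandate: missing " + ", ".join(missing))
    else:
        if (mandate["payee"] != request.get("payee") or mandate["scope"] != request.get("scope")
                or mandate["asset"] != price.get("asset")):
            failures.append("mandate: payee, scope or asset does not cover this call")
        if _ts(mandate["expires_at"]) <= now:
            failures.append("mandate: expired")
        spent, cap = _money(spent_so_far), _money(mandate["max_total"])
        if None in (amount, spent, cap) or spent + amount > cap:
            failures.append("mandate: this payment would exceed max_total")
    # 7. Receipt and 8. Revocation: both routes must exist and match the record.
    for key, label in (("receipt_route", "receipt: no verifiable receipt route"),
                       ("revocation", "revocation: no path to stop future charges")):
        if not record.get(key) or record[key] != request.get(key):
            failures.append(label)
    return failures

if __name__ == "__main__":
    print(clearance_failures(PAYMENT_REQUEST, IDENTITY_RECORD, MANDATE) or "clear to pay")
```

The `spent_so_far` argument is what makes the mandate ceiling meaningful for per-request protocols: each cleared call adds its amount to a running total the agent keeps with the stored receipts, so the cap in the mandate bounds the session rather than a single request.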

Where Headless Domains Fits

HeadlessDomains.com gives agents a public inspection point before payment authority is granted. A .agent identity record can list API endpoints, machine-readable manifests, payment metadata, verification keys, policy URLs, and revocation routes under one name.

That public record does not replace AP2, x402, MPP, BMOS, wallets, or processors. A persistent identity layer gives the agent a stable place to compare the payment request against the service the payee claims to operate.

Where to Go Next

Before giving an agent payment authority, verify each paid API endpoint against a public .agent identity record. Start with the hub guide on AI shopping agent discoverability, then compare the payment flow with identity, authorization, and receipts and the protocol comparison.

FAQ

What should an agent verify before paying an API?

Verify the owner, endpoint, terms, price, identity record, mandate, receipt route, and revocation path. If any item cannot be matched to the public record and scoped authority, the agent should pause payment.

Is x402 enough by itself?

x402 can carry the HTTP payment exchange. Your agent should still compare the payment request against the public payee, official endpoint, terms, and receipt route before spending.

Who checks an AP2 payment mandate?

AP2 assigns verification work across the merchant, credential provider, network, and merchant payment processor. The payment mandate should prove that the agent is authorized to pay for the checkout under the approved constraints.

Where does MPP fit for paid API calls?

MPP is useful when an API, tool call, or content request charges per HTTP call. The same identity checks still apply because the agent must know which operator, endpoint, terms, and receipt route belong to the request.

Why verify against a .agent identity record?

A .agent record gives the agent one public place to inspect the payee name, keys, endpoints, manifests, policies, and revocation routes before granting payment authority.