« All posts

Agent payments need separation of duties, not just signatures

A signature alone can't secure agent payments; execution must be bound to a still-valid mandate, verified by a party that cannot forge it.

Agent payment standards are converging on a single pattern: prove authorization, sign the mandate, attach it to the call. This piece argues that covering the wire is not the same as making the trust boundary provably sound, and that gap is where agent payments will actually break.

Three properties are laid out. First, authorization has a clock: a mandate captured at T0 doesn't automatically bind intent formed later if authorization state changed (revocation, expired strong authentication, a lowered limit) — the safe rule is revocation-dominant, meaning a stale intent must never override a revoked mandate. Second, the verifier cannot be the verified party; if whoever generates the receipt can also forge the attestation chain, the receipt is testimony, not evidence. PSD2's RTS Article 5 dynamic-linking rule is cited as a real-world precedent, where the binding sits under the ASPSP's signature rather than the payment initiator's. Third, the goal isn't raw byte-level integrity, since legitimate mutations happen (currency conversion, fee deduction); what matters is that changes only occur within fields the mandate pre-authorized, and the verifier must stay semantically opaque to avoid re-coupling with what it audits.

The overall argument is that agent payment systems should standardize the binding itself, not just transaction caps — ensuring execution matches a still-live mandate, attested by an unforgeable party, and mutated only where explicitly allowed. This framing, credited partly to John Frandsen of open-banking.io, is positioned as a necessary architectural requirement for engineers building agent-driven payment infrastructure.