orcaqubits/ap2-credentials-provider
dist/cursor/ap2-agentic-payments/skills/ap2-credentials-provider/SKILL.md
Build an AP2 Credentials Provider — the agent that manages payment credentials, provides payment methods to users, handles tokenization (DPAN), and facilitates secure payment between Shopping Agent and Payment Processor. Use when implementing the Credentials Provider role.
$ install --global
skillsauthnpx skillsauth add orcaqubits/agentic-commerce-claude-plugins ap2-credentials-providerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 9, 2026, 6:51 AM208.1s1 file scanned
SKILL.md
- name:
- ap2-credentials-provider
- description:
- >
AP2 Credentials Provider Implementation
Before writing code
Fetch live docs:
- Fetch
https://ap2-protocol.org/specification/for Credentials Provider responsibilities - Web-search
site:github.com google-agentic-commerce AP2 samples roles credentials_providerfor reference implementation - Web-search
site:github.com google-agentic-commerce AP2 credentials provider tokenization DPANfor tokenization details - Fetch
https://ap2-protocol.org/topics/privacy-and-security/for security requirements
Conceptual Architecture
What the Credentials Provider Does
The Credentials Provider (CP) is the payment credentials custodian — a digital wallet that securely manages payment methods and handles tokenization:
- Stores payment credentials — User's payment methods (cards, wallets)
- Provides payment method listings — Returns available methods to Shopping Agent
- Handles tokenization — Converts real credentials to DPANs (Digitized Primary Account Numbers)
- Validates Payment Mandates — Verifies user authorization before releasing tokens
- Facilitates payment — Provides credentials to Merchant Payment Processor
- Manages user identity — Links user identity to payment methods
Critical Security Role
The Credentials Provider is the only entity that handles raw payment credentials:
- Shopping Agents never see real card numbers
- Merchants receive only tokenized references
- PCI data stays within the CP's security boundary
- This role-based separation is fundamental to AP2's privacy model
Agent Card
The Credentials Provider advertises:
- AP2 extension support
- Available payment method types
- Tokenization capabilities
- Authentication requirements (OAuth2 recommended)
- Endpoint URL (reference: port 8002, path
/a2a/credentials_provider)
Key Responsibilities
Payment Method Management
- Store user payment methods securely (PCI DSS compliance)
- Return available payment methods when queried by Shopping Agent
- Include method details sufficient for user selection (last 4 digits, card type, expiry)
- Never expose full card numbers to Shopping Agents
Tokenization
- Generate DPANs (Digitized Primary Account Numbers) for selected payment methods
- Bind tokens to specific transactions
- Handle token lifecycle (creation, validation, expiration)
- Support network tokenization standards
Payment Mandate Validation
- Receive Payment Mandate + user attestation from Shopping Agent
- Verify user authorization signature
- Verify mandate contents integrity
- Perform additional tokenization if needed
- Release credentials to Merchant Payment Processor upon valid mandate
Credential Release
When the Merchant Payment Processor requests credentials:
- Validate the Payment Mandate
- Resolve the token to real credentials
- Release credentials securely to the MPP
- Never release credentials without a valid Payment Mandate
Payment Method Addition
If a user lacks eligible payment methods:
- CP instructs the Shopping Agent on the setup process
- May require a tokenization flow on CP's trusted surface
- Network/issuer security requirements enforced
- New method added before transaction can proceed
Security Requirements
- PCI DSS compliance for credential storage
- Hardware security modules (HSM) for key management
- Encryption of all credential data at rest and in transit
- Secure token generation with proper entropy
- Rate limiting on credential access
- Audit logging of all credential operations
Best Practices
- Never expose raw credentials to Shopping Agents — always tokenize
- Implement proper PCI DSS controls
- Use hardware-backed token generation
- Validate every Payment Mandate before releasing credentials
- Support multiple payment method types (cards, wallets, bank accounts)
- Implement proper session management for user interactions
- Log all credential access for audit compliance
- Handle token expiration and renewal gracefully
Fetch the specification for exact Credentials Provider API, tokenization requirements, and Payment Mandate validation process before implementing.
Related Skills
orcaqubits/spree-headless-storefront
development
VerifiedTrustedCommunity
Build with Spree's headless Next.js storefront — the official `spree/storefront` repo (Next.js 16 App Router with Server Actions and Turbopack, React 19 Server Components, Tailwind CSS 4, TypeScript 5, `@spree/sdk`, Sentry), server-only auth (httpOnly JWT cookies + publishable key), MeiliSearch faceted catalog, one-page checkout with Apple/Google Pay/Klarna/Affirm/SEPA, multi-region market routing, GA4 + JSON-LD SEO, and Vercel/Docker deployment. Use when forking or customizing the storefront, or evaluating headless adoption.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-extensions
tools
VerifiedTrustedCommunity
Build Spree extensions as Rails engines — gem scaffolding, `bin/rails g spree:extension`, mounting routes/migrations/assets, the modern `prepend` decorator pattern (`*_decorator.rb` with `self.prepended(base)`), generators (`spree:model_decorator`, `spree:controller_decorator`), the four customization surfaces in preference order (Events > Webhooks > Dependencies > Decorators), Spree::Dependencies for swapping service objects, gem release/versioning, and the deprecated Deface engine. Use when building a reusable Spree extension or adding non-trivial customization to an app.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-events-webhooks
development
VerifiedTrustedCommunity
Build with Spree's event bus and Webhooks 2.0 — `Spree::Events` publication, `Spree::Subscriber` DSL with `subscribes_to` and `on`, wildcard matching, lifecycle events (`{model}.created/.updated/.deleted` via `publishes_lifecycle_events`), the canonical event catalog (order.*, payment.*, shipment.*, product.*), Webhooks 2.0 endpoints, HMAC-SHA256 signing (`X-Spree-Webhook-Signature`), exponential-backoff retries, and Sidekiq job orchestration. Use when wiring event-driven business logic, building webhook consumers, or replacing ActiveSupport callback chains.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-dev-patterns
tools
VerifiedTrustedCommunity
Cross-cutting Spree development patterns — the customization preference hierarchy (Events > Webhooks > Dependencies > Decorators), `Spree::Dependencies` service-object swapping, the `_decorator.rb` + `prepend` + `self.prepended` idiom, idempotent subscribers and webhook receivers, multi-store scoping discipline, prefixed IDs, calculator polymorphism (shipping/promotion/tax share the base), service-object composition with `dry-monads` or simple results, why to avoid `class_eval` reopening and Deface, and Spree-on-Rails idioms (Hotwire/Turbo Stimulus, ActiveStorage, Action Cable, Sidekiq). Use when designing the architecture of a Spree extension or solving cross-cutting concerns.
27SKILL.mdUpdated May 14, 2026