Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

orcaqubits/ap2-payment-mandate

Name: ap2-payment-mandate
Author: orcaqubits

dist/cursor/ap2-agentic-payments/skills/ap2-payment-mandate/SKILL.md

npx skillsauth add orcaqubits/agentic-commerce-claude-plugins ap2-payment-mandate

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

AP2 Payment Mandate

Before writing code

Fetch live docs:

Fetch https://ap2-protocol.org/specification/ for the Payment Mandate schema
Web-search site:github.com google-agentic-commerce AP2 payment mandate for type definitions
Web-search site:github.com google-agentic-commerce AP2 src/ap2/types payment for Python types
Fetch https://ap2-protocol.org/topics/core-concepts/ for Payment Mandate conceptual details

Conceptual Architecture

What the Payment Mandate Is

The Payment Mandate is a separate VDC specifically for the payment ecosystem — shared with payment networks (Visa, Mastercard) and issuers (banks). Unlike the Cart/Intent Mandates that focus on purchase authorization, the Payment Mandate provides visibility into the agentic nature of the transaction.

Purpose

The Payment Mandate serves three functions:

Signals AI involvement — Tells the network/issuer that an AI agent initiated this transaction
Signals user presence — Indicates whether the user was present (human-present vs human-not-present)
Provides authorization proof — Includes user-signed authorization for the payment

Who Creates It

The Merchant Payment Processor (MPP) constructs the Payment Mandate from the transaction information after the user has authorized the purchase. The Shopping Agent does not create the Payment Mandate — it is assembled on the MPP side from the payment context.

Payment Mandate Contents

{
  "payment_mandate_contents": {
    "payment_mandate_id": "pm_unique_id",
    "payment_details_id": "order_id",
    "payment_details_total": {
      "amount": {
        "currency": "USD",
        "value": "29.99"
      },
      "refund_period": 30
    },
    "payment_response": {
      "request_id": "order_id",
      "method_name": "CARD",
      "details": {
        "token": "dpan_token_xyz"
      },
      "shipping_address": null
    },
    "merchant_agent": "MerchantAgentName",
    "timestamp": "2025-09-01T12:00:00Z"
  },
  "user_authorization": "eyJhbGc..."
}

Key Fields

payment_mandate_id — Unique identifier for this payment mandate
payment_details_id — Links back to the order/cart
payment_details_total — Transaction amount, currency, and refund period
payment_response — Selected payment method, tokenized credentials, shipping
merchant_agent — Identity of the merchant's agent
user_authorization — User's cryptographic signature
timestamp — When the mandate was created

How It Flows Through the System

1. User authorizes purchase on trusted device surface
2. Shopping Agent sends Cart Mandate + user attestation to Merchant
3. Merchant submits payment to Merchant Payment Processor (MPP)
4. MPP constructs the Payment Mandate from the transaction context
5. MPP requests payment credentials from Credentials Provider (CP)
6. CP verifies and performs tokenization (if needed)
7. CP returns credentials to MPP
8. Network/Issuer evaluates the mandate for risk assessment
9. Payment authorized (or challenged)

Payment Method Tokenization

The Payment Mandate includes a tokenized payment method (DPAN — Digitized Primary Account Number):

The actual card number is never exposed to the Shopping Agent
Credentials Provider handles tokenization
The token is bound to the specific transaction
Network/Issuer can resolve the token to the real credentials

Relationship to Cart/Intent Mandates

Cart Mandate → authorizes what's being purchased (user → merchant)
Intent Mandate → authorizes the shopping scope (user → agent)
Payment Mandate → authorizes the payment (user → payment ecosystem)

All three work together: the Cart/Intent Mandate proves the purchase is authorized; the Payment Mandate proves the payment is authorized and provides network visibility.

Refund Period

The refund_period field in the mandate specifies the refund window (in days). This is important for:

Dispute resolution timelines
Chargeback eligibility
Merchant liability assessment

Best Practices

Always include a valid user_authorization signature
Link the Payment Mandate to the corresponding Cart/Intent Mandate via IDs
Include accurate merchant_agent identification
Set realistic refund periods aligned with merchant policy
Store Payment Mandates for the full refund period for dispute resolution
Never expose raw payment credentials to Shopping Agents
Validate the payment method token before processing

Fetch the specification for exact Payment Mandate fields, token formats, and network integration requirements before implementing.

orcaqubits/ap2-payment-mandate

dist/cursor/ap2-agentic-payments/skills/ap2-payment-mandate/SKILL.md

Implement the AP2 Payment Mandate — the VDC shared with payment networks and issuers to signal AI involvement and user authorization. Use when building payment authorization flows, tokenization, and network integration.

23 stars

development

Updated May 9, 2026

$ install --global

skillsauth

npx skillsauth add orcaqubits/agentic-commerce-claude-plugins ap2-payment-mandate

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 9, 2026, 6:52 AM157.0s1 file scanned

SKILL.md

name:: ap2-payment-mandate
description:: >

AP2 Payment Mandate

Before writing code

Fetch live docs:

Fetch https://ap2-protocol.org/specification/ for the Payment Mandate schema
Web-search site:github.com google-agentic-commerce AP2 payment mandate for type definitions
Web-search site:github.com google-agentic-commerce AP2 src/ap2/types payment for Python types
Fetch https://ap2-protocol.org/topics/core-concepts/ for Payment Mandate conceptual details

Conceptual Architecture

What the Payment Mandate Is

Purpose

The Payment Mandate serves three functions:

Signals AI involvement — Tells the network/issuer that an AI agent initiated this transaction
Signals user presence — Indicates whether the user was present (human-present vs human-not-present)
Provides authorization proof — Includes user-signed authorization for the payment

Who Creates It

Payment Mandate Contents

{
  "payment_mandate_contents": {
    "payment_mandate_id": "pm_unique_id",
    "payment_details_id": "order_id",
    "payment_details_total": {
      "amount": {
        "currency": "USD",
        "value": "29.99"
      },
      "refund_period": 30
    },
    "payment_response": {
      "request_id": "order_id",
      "method_name": "CARD",
      "details": {
        "token": "dpan_token_xyz"
      },
      "shipping_address": null
    },
    "merchant_agent": "MerchantAgentName",
    "timestamp": "2025-09-01T12:00:00Z"
  },
  "user_authorization": "eyJhbGc..."
}

Key Fields

payment_mandate_id — Unique identifier for this payment mandate
payment_details_id — Links back to the order/cart
payment_details_total — Transaction amount, currency, and refund period
payment_response — Selected payment method, tokenized credentials, shipping
merchant_agent — Identity of the merchant's agent
user_authorization — User's cryptographic signature
timestamp — When the mandate was created

How It Flows Through the System

1. User authorizes purchase on trusted device surface
2. Shopping Agent sends Cart Mandate + user attestation to Merchant
3. Merchant submits payment to Merchant Payment Processor (MPP)
4. MPP constructs the Payment Mandate from the transaction context
5. MPP requests payment credentials from Credentials Provider (CP)
6. CP verifies and performs tokenization (if needed)
7. CP returns credentials to MPP
8. Network/Issuer evaluates the mandate for risk assessment
9. Payment authorized (or challenged)

Payment Method Tokenization

The Payment Mandate includes a tokenized payment method (DPAN — Digitized Primary Account Number):

The actual card number is never exposed to the Shopping Agent
Credentials Provider handles tokenization
The token is bound to the specific transaction
Network/Issuer can resolve the token to the real credentials

Relationship to Cart/Intent Mandates

Cart Mandate → authorizes what's being purchased (user → merchant)
Intent Mandate → authorizes the shopping scope (user → agent)
Payment Mandate → authorizes the payment (user → payment ecosystem)

All three work together: the Cart/Intent Mandate proves the purchase is authorized; the Payment Mandate proves the payment is authorized and provides network visibility.

Refund Period

The refund_period field in the mandate specifies the refund window (in days). This is important for:

Dispute resolution timelines
Chargeback eligibility
Merchant liability assessment

Best Practices

Always include a valid user_authorization signature
Link the Payment Mandate to the corresponding Cart/Intent Mandate via IDs
Include accurate merchant_agent identification
Set realistic refund periods aligned with merchant policy
Store Payment Mandates for the full refund period for dispute resolution
Never expose raw payment credentials to Shopping Agents
Validate the payment method token before processing

Fetch the specification for exact Payment Mandate fields, token formats, and network integration requirements before implementing.

Related Skills

orcaqubits/spree-headless-storefront

development

VerifiedTrustedCommunity

Build with Spree's headless Next.js storefront — the official `spree/storefront` repo (Next.js 16 App Router with Server Actions and Turbopack, React 19 Server Components, Tailwind CSS 4, TypeScript 5, `@spree/sdk`, Sentry), server-only auth (httpOnly JWT cookies + publishable key), MeiliSearch faceted catalog, one-page checkout with Apple/Google Pay/Klarna/Affirm/SEPA, multi-region market routing, GA4 + JSON-LD SEO, and Vercel/Docker deployment. Use when forking or customizing the storefront, or evaluating headless adoption.

27SKILL.mdUpdated May 14, 2026

orcaqubits/spree-headless-storefront

orcaqubits/spree-extensions

tools

VerifiedTrustedCommunity

Build Spree extensions as Rails engines — gem scaffolding, `bin/rails g spree:extension`, mounting routes/migrations/assets, the modern `prepend` decorator pattern (`*_decorator.rb` with `self.prepended(base)`), generators (`spree:model_decorator`, `spree:controller_decorator`), the four customization surfaces in preference order (Events > Webhooks > Dependencies > Decorators), Spree::Dependencies for swapping service objects, gem release/versioning, and the deprecated Deface engine. Use when building a reusable Spree extension or adding non-trivial customization to an app.

27SKILL.mdUpdated May 14, 2026

orcaqubits/spree-extensions

orcaqubits/spree-events-webhooks

development

VerifiedTrustedCommunity

Build with Spree's event bus and Webhooks 2.0 — `Spree::Events` publication, `Spree::Subscriber` DSL with `subscribes_to` and `on`, wildcard matching, lifecycle events (`{model}.created/.updated/.deleted` via `publishes_lifecycle_events`), the canonical event catalog (order.*, payment.*, shipment.*, product.*), Webhooks 2.0 endpoints, HMAC-SHA256 signing (`X-Spree-Webhook-Signature`), exponential-backoff retries, and Sidekiq job orchestration. Use when wiring event-driven business logic, building webhook consumers, or replacing ActiveSupport callback chains.

27SKILL.mdUpdated May 14, 2026

orcaqubits/spree-events-webhooks

orcaqubits/spree-dev-patterns

tools

VerifiedTrustedCommunity

Cross-cutting Spree development patterns — the customization preference hierarchy (Events > Webhooks > Dependencies > Decorators), `Spree::Dependencies` service-object swapping, the `_decorator.rb` + `prepend` + `self.prepended` idiom, idempotent subscribers and webhook receivers, multi-store scoping discipline, prefixed IDs, calculator polymorphism (shipping/promotion/tax share the base), service-object composition with `dry-monads` or simple results, why to avoid `class_eval` reopening and Deface, and Spree-on-Rails idioms (Hotwire/Turbo Stimulus, ActiveStorage, Action Cable, Sidekiq). Use when designing the architecture of a Spree extension or solving cross-cutting concerns.

27SKILL.mdUpdated May 14, 2026

orcaqubits/spree-dev-patterns

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/orcaqubits/agentic-commerce-claude-plugins.git

# Copy into Claude Code skills folder (global)
cp -r agentic-commerce-claude-plugins/dist/cursor/ap2-agentic-payments/skills/ap2-payment-mandate ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

orcaqubits/agentic-commerce-claude-plugins

23 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT