Agentic Commerce Protocol

Beta

Enable AI platforms to create scoped, single-use payment tokens to securely process agentic commerce transactions. This implementation follows the Agentic Commerce Protocol (ACP) delegated payment specification.

To onboard your AI platform, contact us.

Create a delegated payment token

Creates a delegated payment token to securely enable Checkout.com merchants to process agentic payments.

The token secures cardholder credentials for use in agentic commerce transactions. You must provide:

The card details
The spending constraints (allowance)
The Billing address
The risk signals

The request must include a valid HMAC-SHA256 signature in the Signature header and a timestamp in the Timestamp header to verify the request integrity.

SecurityAPI Key: ApiSecretKey

Request

header Parameters

Signature required	string A Base64-encoded HMAC-SHA256 signature used for request body integrity verification. Compute the signature as follows: Concatenate the `Timestamp` header value (as a UTF-8 string) with the raw JSON request body (as a UTF-8 string). Compute the HMAC-SHA256 hash of the concatenated string using your shared HMAC signing key. Base64-encode the resulting hash. Example: `Base64(HMAC-SHA256(key, Timestamp + RequestBody))` Example: eyJtZX...
Timestamp required	string <date-time> The timestamp of the request, in RFC 3339 format (for example, `2026-03-11T10:30:00Z`). The timestamp must be within 5 minutes of the server time. Requests with a timestamp outside this window are rejected with a `401` response. Example: 2025-09-25T10:30:00Z
Cko-Idempotency-Key	string An optional idempotency key for safely retrying payment requests
API-Version	string The API version to use for the request. If not specified, the default version (`2026-01-30`) is used. Example: 2025-09-29

Request Body schema: application/json

required	object The card payment method details.
required	object The spending constraints for the delegated payment token.
required	Array of objects (DelegatedPaymentRiskSignal) An array of risk assessment signals provided by the platform.
required	object A set of key-value pairs to attach to the delegated payment request. The `metadata` object only supports string values.
	object The customer billing address.

Responses

201

Delegated payment token created successfully

400

Malformed JSON or unreadable request body

401

Missing or invalid API key, or signature validation failure

403

Merchant not enabled for the authenticated platform

409

Idempotency key reused with a different request body

422

Unprocessable entity. One or more fields failed validation

500

An unexpected error occurred while processing the request

post/agentic_commerce/delegate_payment

Request samples

Payload
curl
Java
C#
Python

application/json

{"payment_method": {"type": "card",
"card_number_type": "fpan",
"number": "4242424242424242",
"exp_month": "11",
"exp_year": "2026",
"name": "Jane Doe",
"cvc": "223",
"cryptogram": "gXc5UCLnM6ckD7pjM1TdPA==",
"eci_value": "07",
"checks_performed": ["avs",
"cvv",
"ani",
"auth0"
],
"iin": "123456",
"display_card_funding_type": "credit",
"display_wallet_type": "wallet",
"display_brand": "Visa",
"display_last4": "4242",
"metadata": {"issuing_bank": "temp"
}
},
"allowance": {"reason": "one_time",
"max_amount": 10000,
"currency": "USD",
"merchant_id": "cli_vkuhvk4vjn2edkps7dfsq6emqm",
"checkout_session_id": "1PQrsT",
"expires_at": "2025-10-09T07:20:50.52Z"
},
"billing_address": {"name": "John Doe",
"line_one": "123 Fake St.",
"line_two": "Unit 1",
"city": "San Francisco",
"state": "CA",
"postal_code": "12345",
"country": "US"
},
"risk_signals": [{"type": "card_testing",
"score": 10,
"action": "blocked"
}
],
"metadata": {"campaign": "q4"
}
}

Response samples

application/json

{"id": "vt_abc123def456ghi789",
"created": "2026-03-11T10:30:00Z",
"metadata": {"psp": "checkout.com"
}
}