Authorization Evidence
Portable proof that an agent was authorized to act.
Authorization evidence is any signed, verifiable, or provider-issued artifact that helps prove why an agent was allowed to request or pay for a resource.
OpenPermit mandates remain the canonical internal policy object. External evidence can be attached to mandates, payment intents, authorizations, executions, receipts, and settlement reports so buyers, sellers, providers, and auditors can verify the surrounding context without making OpenPermit depend on one payment network.
Examples include:
- Verifiable Intent or AP2 intent, checkout/cart, and payment mandate artifacts.
- OpenPermit mandate approval proofs.
- Web Bot Auth request signatures used to verify agent identity before payment.
- Provider-issued agent credentials, agentic tokens, or short-lived voucher credentials.
- Seller challenge signatures, cart commitments, resource commitments, and provider settlement receipts.
Future APIs should prefer an optional authorizationEvidence[] array. Each item should identify the type, issuer, subject, audience, artifactHash, expiresAt, verificationStatus, disclosurePolicy, and metadata.
OpenPermit should store evidence hashes and verification metadata by default. Raw AP2, Verifiable Intent, prompt, checkout, payment, or provider credential payloads should be stored only when the mandate metadata policy allows it.
Standards Fit
- Verifiable Intent can provide portable cryptographic proof of user-to-agent authorization.
- AP2 can provide agent-commerce mandate semantics and role separation.
- Web Bot Auth can verify agent HTTP request identity before payment.
- x402 and MPP can still handle payment execution while OpenPermit records authorization and dispute evidence around the payment.
This split keeps the OpenPermit role clear: OpenPermit verifies and records authorization evidence, evaluates policy, and records receipts. It does not become the payment network just because it stores network or provider evidence.