HTTP Gateway and Challenge Relay

Planned HTTP-only payment paths for agents that cannot use the SDK directly.

This page describes planned behavior. These gateway and challenge relay APIs are not implemented yet. Use the SDK wrapFetch flow or seller middleware today.

Planned adoption bridges include:

  • POST /api/v1/agent/fetch: OpenPermit performs the paid fetch on behalf of an HTTP-only agent.
  • POST /api/v1/agent/challenges/authorize: a direct seller caller relays a 402 challenge to OpenPermit and receives retry credential headers.
  • Scoped agent credentials bound to one organization, mandate, expiry, revocation state, and narrowed seller/resource permissions.
  • Shared orchestration for seller fetch, challenge normalization, policy authorization, payment execution, retry, and receipt metadata.

Planned gateway safety controls include HTTPS-only production fetches, private network blocking, DNS rebinding protection, body size limits, safe header forwarding, idempotency, and metadata redaction.
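As an illustration of three of these controls (HTTPS-only fetches, private network blocking, and DNS rebinding protection), the following is an added example, not OpenPermit code or a planned API. The names `vetTarget`, `isBlockedV4`, `isBlockedV6` and the range table are hypothetical, and the caller is assumed to resolve the seller host once and pass in every address the resolver returned.

```javascript
// Hypothetical names throughout (not OpenPermit APIs). Blocked IPv4 ranges:
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];
// Strict dotted quad -> unsigned 32-bit number, or null (no octal/short forms).
function v4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  if (n === null) return true; // unparseable: fail closed
  return BLOCKED_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
  });
}

// Coarse IPv6 check: loopback, unspecified, ULA, link-local, multicast, mapped IPv4.
function isBlockedV6(ip) {
  const a = ip.toLowerCase();
  const mapped = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (mapped) return isBlockedV4(mapped[1]);
  return a === '::' || a === '::1' || a.startsWith('::ffff:') || /^(f[cd]|fe[89ab]|ff)/.test(a);
}

// addresses: every record the resolver returned for the host, in the shape
// dns.promises.lookup(host, { all: true }) yields: [{ address, family }].
function vetTarget(rawUrl, addresses) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'invalid-url' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'https-only' };
  if (addresses.length === 0) return { ok: false, reason: 'no-address' };
  // Every record must be public; one internal record rejects the whole answer.
  for (const { address, family } of addresses) {
    const blocked = family === 6 ? isBlockedV6(address) : isBlockedV4(address);
    if (blocked) return { ok: false, reason: 'private-address', address };
  }
  // Pin the vetted IP: connect to it (TLS SNI/Host = url.hostname), never re-resolve.
  return { ok: true, host: url.hostname, connectTo: addresses[0].address };
}
```

The check only protects against rebinding if the fetch then connects to `connectTo` instead of resolving the hostname a second time, and if each redirect target is vetted the same way.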

Until these paths ship, agents should use @openpermit/sdk/buyer when they can run SDK code, and sellers should use @openpermit/sdk/seller to emit compatible challenges.