Reference design — Rivier
An agentic payments infrastructure on Tenzro.
A reference design for AI agents that autonomously manage financial transactions, hold assets, and make payments on behalf of humans or other agents — built on Tenzro Network identity, payments, and settlement primitives.
Overview
What Rivier looks like, layered onto Tenzro Network.
Rivier is a hypothetical agentic payments wallet — a substrate where agents hold custody of TNZO and stablecoin balances, transact under programmable mandates, and settle across rails (MPP, x402, AP2, Visa TAP, Mastercard Agent Pay, Tempo). It uses TDIP for delegated and autonomous agent identities, MPC threshold wallets for custody, ERC-7579 validator modules for on-chain enforcement, and the Tenzro PaymentGateway for rail routing.
Architecture
Primitives Rivier would use.
TDIP delegated identities
Each agent registered as did:tenzro:machine:{controller}:{uuid}. Controller binds the human principal; scope binds the spending policy.
MPC threshold custody
Auto-provisioned 2-of-3 MPC wallets. TEE-sealed key shards. No seed phrases. Argon2id-protected local keystore.
ERC-7579 validators
SpendingLimit and SessionKey validators installed on each agent's smart account. Enforced at signing time, not after.
Multi-rail payment
PaymentGateway routes to MPP, x402, AP2, Visa TAP, Mastercard Agent Pay, or Tempo based on counterparty acceptance.
Channel + escrow
Micropayment channels for high-volume agent-to-agent flows. On-chain escrow for high-value coordination.
Cross-chain reach
BridgeRouter selects adapter (Wormhole NTT, LayerZero V2, CCIP, deBridge) for settlement on the right chain.
User journey
From provisioning to settled agent payment.
- 01User signs upProvision a TDIP human DID via passkey. Auto-provisioned MPC wallet. Optional KYC tier upgrade via verifiable credential.
- 02User delegatesIssue an agent DID with DelegationScope — daily spend ceiling, allowed merchants, allowed chains, time bound.
- 03Agent transactsAgent receives HTTP 402 from a service. Signs credential bound to its DID. PaymentGateway routes to the right rail.
- 04Network enforcesIdentityPaymentBinder checks DelegationScope. SpendingPolicyResolver checks runtime daily window. Both must pass.
- 05Settles and receiptsTNZO, USDC, or fiat moves on the chosen rail. Signed ReceiptEnvelope returned with SHA-256 commitment.
- 06User auditsRivier surfaces every receipt, every mandate, every cross-chain hop. Auditable forever on-chain.
Get started