Payments with Mastercard Agent Pay

PaymentsIntermediate30 min

Mastercard Agent Pay brings enterprise-grade commerce infrastructure to AI agents. Through Know Your Agent (KYA) identity verification, agentic token issuance, and structured purchase intents, agents can conduct transparent, auditable commerce with the same trust guarantees as human transactions. This tutorial walks through the entire flow using only the tenzro CLI and curl—no Rust or TypeScript source code required.

Prerequisites

tenzro CLI installed (cargo install tenzro-cli or download from releases)
curl and jq for JSON-RPC examples
A running Tenzro node or access to rpc.tenzro.network (public testnet)
Funded wallet with TNZO balance (use the faucet: curl -X POST https://api.tenzro.network/faucet)
Controller identity with KYC tier ≥ Enhanced (for agent identities)

What You'll Learn

Set up an agent identity and wallet using tenzro join and tenzro identity
Verify agent identity with Know Your Agent (KYA) at 4 verification levels
Issue and manage agentic tokens (SingleUse, SessionBound, Recurring) from the CLI
Create purchase intents for transparent, auditable commerce
Settle payments on Tenzro Ledger with KYA-verified receipts
Spawn commerce agents from AgentKit templates

What is Mastercard Agent Pay?

Mastercard Agent Pay is an enterprise payment protocol designed specifically for agentic commerce. It extends Mastercard's traditional commerce infrastructure to AI agents through three core innovations:

Key features of Mastercard Agent Pay:

Know Your Agent (KYA): 4-level identity verification system (Basic, Enhanced, Premium, Enterprise)
Agentic Tokens: Cryptographic payment tokens with domain restrictions, amount limits, and usage constraints
Purchase Intents: Structured transaction metadata documenting what the agent is purchasing and why
TDIP integration:Leverages Tenzro's decentralized identity for agent verification and delegation scopes
Risk-based authorization: Transaction limits and merchant restrictions based on KYA verification level
Transparent commerce: All purchases auditable with intent metadata and settlement receipts

Step 1: Join the Network and Set Up Your Identity

Start by joining the Tenzro Network. The tenzro join command provisions your human identity, creates an MPC wallet, and detects your hardware profile in a single step.

# One-click onboarding: provisions your identity, wallet, and hardware profile
tenzro join

Output:

Joining Tenzro Network...
Identity provisioned: did:tenzro:human:a1b2c3d4-e5f6-7890-abcd-ef1234567890
Wallet created: 0x7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b
Hardware profile detected: Apple M2 Pro, 16 GB RAM
Welcome to Tenzro Network!

Next, register a machine identity for your agent. This is the DID that will be used for KYA verification and payment authorization.

# Register a machine identity controlled by your human DID
tenzro identity register \
  --type machine \
  --controller did:tenzro:human:a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  --display-name "Commerce Agent" \
  --format json

Output:

{
  "did": "did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c",
  "type": "Machine",
  "controller": "did:tenzro:human:a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "display_name": "Commerce Agent",
  "status": "Active",
  "wallet": "0x3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d",
  "created_at": "2026-04-08T14:20:00Z"
}

Add a verifiable credential to the agent so it can pass KYA verification. The credential links the agent to its controller's KYC tier.

# Add a verifiable credential to the agent (issued by a trusted authority)
tenzro identity add-credential \
  --did did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c \
  --type KycAttestation \
  --issuer did:tenzro:human:a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  --claim tier=Enhanced \
  --claim verified=true

Output:

Credential added to did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c
  Type: KycAttestation
  Issuer: did:tenzro:human:a1b2c3d4-e5f6-7890-abcd-ef1234567890
  Claims: tier=Enhanced, verified=true
  Expires: 2027-04-08T14:20:00Z

Optionally, register a payment service endpoint on the identity:

# Register the agent's payment service endpoint
tenzro identity add-service \
  --did did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c \
  --service-id mastercard-agent-pay \
  --type AgentPayService \
  --endpoint https://api.tenzro.network/agent-pay

Output:

Service endpoint added to did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c
  Service ID: mastercard-agent-pay
  Type: AgentPayService
  Endpoint: https://api.tenzro.network/agent-pay

Step 2: Verify KYA Readiness

Know Your Agent (KYA) is Mastercard's identity verification framework for AI agents. Before making a payment, verify that the agent's identity meets KYA requirements by resolving the DID:

# Verify the agent identity and check KYA readiness
tenzro identity resolve \
  --did did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c \
  --format json

Output:

{
  "did": "did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c",
  "type": "Machine",
  "status": "Active",
  "controller": "did:tenzro:human:a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "controller_kyc_tier": "Enhanced",
  "display_name": "Commerce Agent",
  "credentials": [
    {
      "type": "KycAttestation",
      "issuer": "did:tenzro:human:a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "claims": { "tier": "Enhanced", "verified": "true" },
      "valid": true
    }
  ],
  "services": [
    {
      "id": "mastercard-agent-pay",
      "type": "AgentPayService",
      "endpoint": "https://api.tenzro.network/agent-pay"
    }
  ],
  "delegation_scope": {
    "max_transaction_value": 10000000,
    "allowed_payment_protocols": ["mastercard-agent-pay", "mpp", "x402"],
    "allowed_operations": ["payment", "settlement"]
  },
  "attestation_score": 85,
  "kya_eligible_level": "Enhanced"
}

The kya_eligible_levelfield shows that this agent qualifies for Enhanced-level KYA verification. The resolve command checks the controller's KYC status, delegation scopes, verifiable credentials, and attestation scores automatically.

Understanding KYA Levels

KYA verification has four levels, each with increasing TDIP requirements and transaction limits:

KYA Level	TDIP Requirements	Use Cases
Basic	• Valid did:tenzro:machine DID • Controller DID exists • No active revocations	Low-value transactions (<$10 equivalent)
Enhanced	• Basic requirements • Controller has KYC tier ≥ Enhanced (2) • Delegation scope configured • At least 1 verifiable credential	Medium-value transactions ($10-$1000)
Premium	• Enhanced requirements • Controller has KYC tier = Full (3) • Multiple credentials from trusted issuers • Attestation score ≥ 80	High-value transactions ($1000-$10,000)
Enterprise	• Premium requirements • Organizational controller DID • Multi-sig delegation control • Hardware-backed attestation (TEE) • Attestation score ≥ 95	Enterprise commerce (>$10,000)

Step 3: Create a Payment Challenge

Create a Mastercard Agent Pay payment challenge using the CLI. The challenge encodes the resource, amount, recipient, and KYA requirements.

# Create a Mastercard Agent Pay payment challenge
tenzro payment challenge \
  --protocol mastercard-agent-pay \
  --resource /api/premium-data \
  --amount 1000000 \
  --asset TNZO \
  --recipient 0x0000000000000000000000000000000000000001 \
  --format json

Output:

{
  "challenge_id": "mc_agent_pay_ch_p9o8n7m6l5k4",
  "protocol": "mastercard-agent-pay",
  "resource": "/api/premium-data",
  "amount": 1000000,
  "asset": "TNZO",
  "recipient": "0x0000000000000000000000000000000000000001",
  "chain_id": 1337,
  "requires_kya": true,
  "required_kya_level": "Enhanced",
  "merchant_id": "merchant_tenzro_001",
  "token_restrictions": {
    "domain": "api.tenzro.network",
    "max_amount": 1000000,
    "valid_until": "2026-04-08T16:30:00Z"
  },
  "created_at": "2026-04-08T15:30:00Z",
  "expires_at": "2026-04-08T16:30:00Z"
}

The challenge includes requires_kya: true and required_kya_level: "Enhanced", indicating that the agent must pass Enhanced-level KYA verification to complete payment. The token_restrictions define domain, amount, and time limits for agentic tokens.

Equivalent curl call:

# Equivalent curl call via JSON-RPC
curl -s -X POST "https://rpc.tenzro.network" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tenzro_createPaymentChallenge",
    "params": {
      "protocol": "mastercard-agent-pay",
      "resource": "/api/premium-data",
      "amount": 1000000,
      "asset": "TNZO",
      "recipient": "0x0000000000000000000000000000000000000001"
    }
  }' | jq .result

Step 4: Spawn an Agent with AgentKit (Optional)

If you want an autonomous agent to handle payments on your behalf, use AgentKit templates. The CLI can list available templates and spawn agents with pre-configured payment capabilities.

# List available agent templates with payment capabilities
tenzro agent list-templates --capability payment --format json

Output:

[
  {
    "template_id": "commerce-agent-v1",
    "name": "Commerce Agent",
    "description": "Agent with Mastercard Agent Pay, MPP, and x402 payment capabilities",
    "capabilities": ["payment", "settlement", "identity"],
    "supported_protocols": ["mastercard-agent-pay", "mpp", "x402"]
  },
  {
    "template_id": "subscription-agent-v1",
    "name": "Subscription Agent",
    "description": "Agent for recurring billing and subscription management",
    "capabilities": ["payment", "recurring-billing"],
    "supported_protocols": ["mastercard-agent-pay"]
  }
]

Spawn a commerce agent from the template:

# Spawn a commerce agent from a template
tenzro agent spawn-template \
  --template commerce-agent-v1 \
  --did did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c \
  --format json

Output:

{
  "agent_id": "agent-7f8e9d0c",
  "template": "commerce-agent-v1",
  "did": "did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c",
  "status": "Active",
  "capabilities": ["payment", "settlement", "identity"],
  "supported_protocols": ["mastercard-agent-pay", "mpp", "x402"],
  "wallet": "0x3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d"
}

Step 5: Execute Payment

The tenzro payment pay command handles the entire Mastercard Agent Pay flow in a single step: KYA verification, agentic token issuance, purchase intent creation, and on-chain settlement.

# Execute the Mastercard Agent Pay payment
# Combines KYA verification, token issuance, and settlement in one step
tenzro payment pay \
  --protocol mastercard-agent-pay \
  --challenge mc_agent_pay_ch_p9o8n7m6l5k4 \
  --payer-did did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c \
  --amount 1000000 \
  --asset TNZO \
  --token-type SingleUse \
  --domain api.tenzro.network \
  --intent-description "Premium data access for inference pipeline" \
  --intent-item "Premium API Access,1,1000000" \
  --merchant merchant_tenzro_001 \
  --format json

Output:

{
  "payment_id": "mc_agent_pay_pay_k4l5m6n7o8p9",
  "challenge_id": "mc_agent_pay_ch_p9o8n7m6l5k4",
  "protocol": "mastercard-agent-pay",
  "status": "settled",
  "payer_did": "did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c",
  "amount": 1000000,
  "asset": "TNZO",
  "recipient": "0x0000000000000000000000000000000000000001",
  "settlement_tx": "0x9988776655443322...",
  "settled_at": "2026-04-08T15:33:45Z",
  "token": {
    "token_id": "mc_token_k4l5m6n7o8p9",
    "token_type": "SingleUse",
    "domain": "api.tenzro.network",
    "max_amount": 1000000,
    "status": "consumed"
  },
  "purchase_intent": {
    "intent_id": "550e8400-e29b-41d4-a716-446655440000",
    "merchant_id": "merchant_tenzro_001",
    "description": "Premium data access for inference pipeline",
    "items": [
      { "name": "Premium API Access", "quantity": 1, "unit_price": 1000000 }
    ],
    "total_amount": 1000000
  },
  "kya_verification": {
    "level": "Enhanced",
    "controller_verified": true,
    "attestation_score": 85,
    "risk_level": "Low",
    "verified_at": "2026-04-08T15:33:40Z"
  }
}

The response includes the full audit trail: the agentic token (now consumed), purchase intent with itemized details, and KYA verification metadata showing the agent's verification level, controller status, attestation score, and risk assessment.

Equivalent curl call:

# Equivalent curl call via JSON-RPC
curl -s -X POST "https://rpc.tenzro.network" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 2,
    "method": "tenzro_payMastercard",
    "params": {
      "challenge_id": "mc_agent_pay_ch_p9o8n7m6l5k4",
      "payer_did": "did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c",
      "amount": 1000000,
      "asset": "TNZO",
      "token_type": "SingleUse",
      "domain": "api.tenzro.network",
      "purchase_intent": {
        "merchant_id": "merchant_tenzro_001",
        "description": "Premium data access for inference pipeline",
        "items": [
          { "name": "Premium API Access", "quantity": 1, "unit_price": 1000000 }
        ]
      }
    }
  }' | jq .result

Step 6: Retrieve Receipt and Audit

After settlement, retrieve the payment receipt for record-keeping and auditing:

# Retrieve the payment receipt for auditing
tenzro payment receipt \
  --payment-id mc_agent_pay_pay_k4l5m6n7o8p9 \
  --format json

Output:

{
  "payment_id": "mc_agent_pay_pay_k4l5m6n7o8p9",
  "challenge_id": "mc_agent_pay_ch_p9o8n7m6l5k4",
  "protocol": "mastercard-agent-pay",
  "payer_did": "did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c",
  "amount": 1000000,
  "asset": "TNZO",
  "recipient": "0x0000000000000000000000000000000000000001",
  "settlement_tx": "0x9988776655443322...",
  "settled_at": "2026-04-08T15:33:45Z",
  "token_id": "mc_token_k4l5m6n7o8p9",
  "purchase_intent_id": "550e8400-e29b-41d4-a716-446655440000",
  "kya_level": "Enhanced",
  "kya_verification": {
    "controller_verified": true,
    "attestation_score": 85,
    "risk_level": "Low",
    "verified_at": "2026-04-08T15:33:40Z"
  }
}

You can also list all active payment sessions for your agent:

# List all active Mastercard Agent Pay sessions
tenzro payment sessions \
  --protocol mastercard-agent-pay \
  --format json

Output:

[
  {
    "session_id": "mc_sess_a1b2c3d4",
    "payer_did": "did:tenzro:machine:a1b2c3d4:agent-7f8e9d0c",
    "protocol": "mastercard-agent-pay",
    "token_type": "SessionBound",
    "token_id": "mc_token_session_456",
    "payments_count": 3,
    "total_spent": 2500000,
    "max_amount": 5000000,
    "status": "active",
    "expires_at": "2026-04-08T18:00:00Z"
  }
]

Agentic Token Types

When calling tenzro payment pay, the --token-type flag determines the token behavior. Each type serves different commerce scenarios:

1. SingleUse — One transaction, then invalidated

Ideal for one-time purchases, data downloads, or discrete API calls. The token is automatically invalidated after a single successful transaction.

tenzro payment pay --token-type SingleUse --domain api.tenzro.network ...

2. SessionBound — Valid for browsing session duration

Bound to a session ID, the token remains valid until the session expires or the time limit is reached. Ideal for shopping carts and multi-step checkouts.

tenzro payment pay --token-type SessionBound --session-id sess_xyz789 --max-amount 5000000 ...

3. Recurring — For subscription payments

Supports recurring billing with configurable intervals and per-period amount caps. Ideal for SaaS subscriptions and recurring service fees.

tenzro payment pay --token-type Recurring --billing-interval monthly --max-per-period 1000000 ...

Checking Protocol Support

Use tenzro payment info to see all supported payment protocols and their configuration:

# View supported payment protocols and their configuration
tenzro payment info --format json

Output:

{
  "protocols": [
    {
      "id": "mastercard-agent-pay",
      "name": "Mastercard Agent Pay",
      "status": "active",
      "features": ["kya", "agentic-tokens", "purchase-intents"],
      "kya_levels": ["Basic", "Enhanced", "Premium", "Enterprise"],
      "token_types": ["SingleUse", "SessionBound", "Recurring"],
      "settlement": "on-chain"
    },
    {
      "id": "mpp",
      "name": "Machine Payments Protocol",
      "status": "active"
    },
    {
      "id": "x402",
      "name": "HTTP 402 (Coinbase)",
      "status": "active"
    }
  ]
}

Complete Flow: End-to-End Script

Here is the full Mastercard Agent Pay flow as a single shell script. Copy and run it to execute the entire pipeline from identity setup through payment settlement:

#!/bin/bash
# Full Mastercard Agent Pay flow using the tenzro CLI
# No source code required - just CLI commands

# 1. Join the network (one-time setup)
tenzro join

# 2. Register a machine identity for your agent
AGENT_DID=$(tenzro identity register \
  --type machine \
  --controller did:tenzro:human:a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  --display-name "Commerce Agent" \
  --format json | jq -r .did)

echo "Agent DID: $AGENT_DID"

# 3. Add a KYC attestation credential
tenzro identity add-credential \
  --did "$AGENT_DID" \
  --type KycAttestation \
  --issuer did:tenzro:human:a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  --claim tier=Enhanced \
  --claim verified=true

# 4. Spawn a commerce agent from AgentKit template
tenzro agent spawn-template \
  --template commerce-agent-v1 \
  --did "$AGENT_DID"

# 5. Create a payment challenge
CHALLENGE_ID=$(tenzro payment challenge \
  --protocol mastercard-agent-pay \
  --resource /api/premium-data \
  --amount 1000000 \
  --asset TNZO \
  --recipient 0x0000000000000000000000000000000000000001 \
  --payer-did "$AGENT_DID" \
  --format json | jq -r .challenge_id)

echo "Challenge: $CHALLENGE_ID"

# 6. Execute payment (KYA + token + intent + settlement in one step)
PAYMENT_ID=$(tenzro payment pay \
  --protocol mastercard-agent-pay \
  --challenge "$CHALLENGE_ID" \
  --payer-did "$AGENT_DID" \
  --amount 1000000 \
  --asset TNZO \
  --token-type SingleUse \
  --domain api.tenzro.network \
  --intent-description "Premium data access for inference pipeline" \
  --intent-item "Premium API Access,1,1000000" \
  --merchant merchant_tenzro_001 \
  --format json | jq -r .payment_id)

echo "Payment settled: $PAYMENT_ID"

# 7. Retrieve the receipt
tenzro payment receipt --payment-id "$PAYMENT_ID" --format json

How It Differs from Visa TAP

Mastercard Agent Pay (Commerce-First)

KYA verification: 4-level identity verification tied to TDIP KYC tiers
Agentic tokens: Payment credentials with usage constraints (SingleUse, SessionBound, Recurring)
Purchase intents: Structured metadata documenting what agent is buying
Risk-based limits: Transaction amounts capped based on KYA level
Commerce transparency: Full audit trail with merchant, items, and intent metadata

Visa TAP (Identity-First)

RFC 9421 signatures:Every request signed with agent's private key
No tokens: Direct cryptographic authentication per request
Domain binding: Signatures tied to specific domains
Stateless verification: No session state, each request verified independently
CDN-level authorization: Verification at edge proxies

Use Mastercard Agent Pay when you need structured commerce with purchase transparency, risk-based transaction limits, and token-based authorization. Use Visa TAP for stateless identity verification, CDN-level authorization, or when you need cryptographic signatures per request.

CLI Command Reference

Command	Description
`tenzro join`	One-click onboarding: provisions identity, wallet, hardware profile
`tenzro identity register`	Register a human or machine DID via TDIP
`tenzro identity resolve`	Resolve a DID to view identity, credentials, and KYA eligibility
`tenzro identity add-credential`	Add a verifiable credential to an identity
`tenzro identity add-service`	Register a service endpoint on an identity
`tenzro payment challenge`	Create a payment challenge for any supported protocol
`tenzro payment pay`	Execute payment: KYA + token + intent + settlement
`tenzro payment receipt`	Retrieve a payment receipt by ID
`tenzro payment sessions`	List active payment sessions
`tenzro payment info`	View supported protocols and configuration
`tenzro agent list-templates`	List available AgentKit templates
`tenzro agent spawn-template`	Spawn an agent from an AgentKit template

Security Considerations

KYA verification: Always verify KYA level meets merchant requirements before accepting payment
Token validation: Check token type, domain restrictions, amount limits, and expiration
Purchase intent validation: Ensure intent total matches payment amount exactly
Controller verification:Verify agent's controller DID has appropriate KYC tier
Delegation scope enforcement: Validate TDIP delegation scopes allow the payment protocol, amount, and chain
Attestation score monitoring: Track attestation scores and risk levels, flag low-score transactions
Token revocation: Support emergency token revocation in case of compromise
Wallet security: The CLI uses MPC 2-of-3 threshold wallets with Argon2id-encrypted keystore — no seed phrases required

What's Next?

Payments with Visa TAP — Learn RFC 9421 HTTP signature-based payments
Build an AI payment agent — Create an autonomous agent that uses Mastercard Agent Pay
TDIP Documentation — Deep dive into decentralized identity and KYC tiers
Payment Protocols Documentation — Compare MPP, x402, Visa TAP, and Mastercard Agent Pay

Ready to Accept Mastercard Agent Pay?

Everything in this tutorial can be run from the command line with tenzro. For programmatic integration, explore the Tenzro SDKs or use the JSON-RPC endpoint directly.

CLI Documentation SDK Documentation View on GitHub

← Previous: Payments with Visa TAP Next: Build AI Payment Agent →