Payment Protocols on Tenzro

Agents transact with humans, with services, with other agents — and with merchants who only accept cards. No single payment protocol covers all four. Tenzro Network doesn't pick favourites — it implements every rail that matters and routes through a unified PaymentGateway.

The principle: agents shouldn't have to know which rail their counterparty accepts. The challenge dictates; the gateway routes; the credential proves; settlement executes; the receipt anchors.

MPP — Machine Payments Protocol co-authored by Stripe and Tempo. HTTP 402 challenge / credential / receipt flow with session management. MppPaymentServer issues challenges; MppClient signs credentials; MppSessionManager tracks streaming sessions for per-token billing.

x402 — Coinbase's HTTP 402 payment protocol. EIP-3009 transferWithAuthorization. CDP facilitator for verify and settle. Stablecoin-native. Stateless one-shot semantics.

Both use HTTP 402 as the gating mechanism. A model API, a TEE endpoint, or any resource returns 402 with a payment challenge. The agent's wallet signs a credential bound to its TDIP DID. Tenzro verifies and settles.

AP2 (Agent Payments Protocol) introduces cart mandates — structured commitments where the user pre-authorizes a specific basket up to a max amount with an expiry. Tenzro's Ap2Validator::validate_with_delegation_and_policy enforces all three nested ceilings before settlement: AP2 IntentMandate constraints (item set, max_amount), TDIP DelegationScope (max value, allowed operations, time bound), and runtime SpendingPolicy (per-tx, rolling daily window).

Every ceiling must pass. The mandate hash is bound to the TDIP DID. Replay-safe by nonce.

Visa Trusted Agent Payments and Mastercard Agent Pay extend card rails to agents acting on behalf of consumers. Cryptographic mandate validation. Verifiable delegation. The agent submits a credential; the card network's acquirer validates against the mandate; settlement clears through standard card rails.

For merchants who haven't adopted MPP/x402, this is the path that lets autonomous agents purchase from them. Tenzro's role is to issue and verify the mandate; the clearing rail is the card network's.

Tempo is the stablecoin settlement chain co-developed with Stripe. Tenzro participates directly in Tempo through TempoParticipant — EIP-155 Secp256k1 transaction signing (k256), RLP encoding, Keccak-256 hashing, eth_sendRawTransaction submission, balance queries, transfer execution.

Stripe Payment Intents for fiat onramps. HMAC-SHA256 webhook signature verification (RFC 2104). The stack is: MPP wire protocol → SPT token primitive → Tempo settlement chain.

For per-token AI inference billing, on-chain settlement per call is too expensive. Tenzro's MicropaymentChannelManager opens a channel between consumer and provider. State updates are exchanged off-chain with Ed25519 signatures over the canonical (nonce, payer_balance, payee_balance) preimage. Periodically (or on dispute), the latest signed state closes the channel to the ledger.

For high-value coordination — bonds, sealed orders, expiring offers — on-chain escrow primitive: CreateEscrow (0x01000010), ReleaseEscrow (0x01000011), RefundEscrow (0x01000012). Vault addresses derived deterministically. Payer-only authorization. Atomic against fraud.

Every agent payment is gated by three independent ceilings: the protocol-specific limits embedded in the challenge (e.g. AP2 cart max), the TDIP DelegationScope (max value, allowed operations, allowed protocols, allowed chains, time bound), and the runtime SpendingPolicy (per-tx limit, rolling-window daily spend with current usage tracked).

IdentityPaymentBinder coordinates the three checks. Both must pass for settlement to proceed. ERC-7579 validator modules on-chain provide defense-in-depth at signing time.