Skip to main content
You’re building flows where — the money agent — takes actions on behalf of a user: searching, selecting, purchasing, inside a capability envelope the user pre-signed. Envoy executes s against the user’s s. Your integration touches three Sumvin surfaces in sequence: Errands for orchestration, Stamped Mandates (PINTs) for authorisation, and agent signers for cryptographic identity.

How the pieces fit

  • Errands are the orchestration layer. An Errand represents the agent’s task and its state over time — Intent, Authorization, Vigilance.
  • Stamped Mandates (PINTs) are the authorisation layer. The user signs the first Stamped Mandate — the mandate PINT — declaring the cap, duration, and the scopes they delegate to Envoy (e.g. sr:us:pint:spend:execute). Envoy re-uses a subset of those delegated scopes to mint the narrow, per-action PINTs it needs to carry out the mandate — and can never mint a scope the mandate didn’t grant; the policy layer rejects any PINT outside the delegated envelope.
  • P-256 agent signers are the identity layer. Each user has a per-user agent signer — the P-256 key Envoy uses to sign those PINTs on the user’s behalf. An agent-signed PINT verifies as the user through the Safe’s EIP-1271 path, so a merchant sees the same X-Pint-Signature / X-Pint-Payload it would for a user-signed PINT.
An action flows Errand → user-signed mandate PINT (delegating scopes) → Envoy-minted, narrow-scoped PINT (a subset of the mandate) signed by the agent signer → merchant verification of the PINT signature at checkout — including Envoy executing transactions without human interaction, across any rail (a P2P stable payment or a Visa Intelligent Commerce payment), entirely inside the pre-signed envelope.

Start here

Read in this order:
  1. Errand guide — the lifecycle of an Errand, end-to-end.
  2. Scopes reference — the capability envelope, with sr:us:pint:spend:execute as the spend scope.
  3. Agent signers — the per-user P-256 key Envoy uses to act.
  4. Errand lifecycle — the state machine diagram with every transition.

Scope and tier for an agent-initiated action

The scope carried by a Stamped Mandate determines which verification tier applies at checkout. sr:us:pint:spend:execute is the only Enhanced-tier scope today, and it is the scope an agent-initiated purchase carries. Merchants accepting it must verify both the JWT and the underlying EIP-712 signature. See verification tiers for the full breakdown.

Next up

Read the Errand guide for the orchestration layer, then the scopes reference to decide what Envoy may do, then agent signers for the cryptographic key that does the signing. Verification tiers is the merchant-side picture — the shape your Stamped Mandate meets at the checkout boundary. Envoy isn’t trusted because it’s an agent. It’s trusted because the envelope it acts inside was pre-signed by the user.