What the flow looks like
- The user expresses an intent in your app (e.g. “find and buy a pair of running shoes under $150 by Friday”).
- Your app creates an Errand that encodes the intent and the agent’s task.
- The user approves the Errand and signs the mandate , delegating the
sr:us:pint:spend:executescope along with a capped amount and a bounded window. - Envoy re-uses a subset of those delegated scopes to mint the narrow, per-action PINTs it needs, signing each with its per-user P-256 agent signer, and executes without further human interaction — it can never escalate beyond what the mandate granted.
- The merchant verifies the PINT’s JWT (and, for spend, the underlying EIP-712
X-Pint-Signature) at checkout and proceeds.
Which Sumvin primitives back it
- Errands coordinate the agent task lifecycle — Intent, Authorization, Vigilance. See the Errand guide and Errand lifecycle.
- Scopes — in particular
sr:us:pint:spend:execute— describe what an agent is authorised to do. See the scopes reference. - Agent signers are per-user P-256 keys Envoy uses to sign the narrow-scoped PINTs it mints; an agent-signed PINT verifies as the user through the Safe’s EIP-1271 path. See agent signers.
- Enhanced verification at checkout requires the merchant to verify both the JWT and the EIP-712 Stamped Mandate signature. See verification tiers.
Where to start
| Concern | Where to go | When |
|---|---|---|
| Orchestration | Errand guide | Running an Errand end-to-end |
| Capability envelope | Scopes reference | Scoping what the agent is allowed to do |
| Cryptographic identity | Agent signers | When the agent signs on the user’s behalf |
| Merchant boundary | Verification tiers | Standard vs Enhanced at checkout |
Related
- Agentic Commerce overview
- Errands quickstart
- Verify an enhanced PINT
- Payment request links — agent-fulfillable payment primitive
- Global x402 acceptance — persistent, SRI-resolvable payment target for agent-to-agent settlement