ACP Delegated Payment & SharedPaymentToken
Before writing code
Fetch live docs:
- Fetch
https://developers.openai.com/commerce/specs/payment/for the delegated payment specification - Fetch
https://docs.stripe.com/agentic-commerce/concepts/shared-payment-tokensfor SPT implementation details - Web-search
site:docs.stripe.com agentic-commerce delegate paymentfor Stripe integration guide - Web-search
site:github.com agentic-commerce-protocol spec openapi delegatefor the delegate payment OpenAPI spec
Conceptual Architecture
What Delegated Payment Solves
The agent facilitates purchases but must never see raw card data. Delegated payment creates a secure intermediary:
- Buyer's payment credentials go to the PSP (Stripe), not the agent or merchant
- PSP returns a single-use, scoped token (SPT)
- Agent passes the SPT to the merchant in the
completecall - Merchant charges via PSP using the SPT
End-to-End Flow
Buyer → Agent: "Buy this"
Agent → PSP: POST /agentic_commerce/delegate_payment (credentials + constraints)
PSP → Agent: SharedPaymentToken (single-use, scoped)
Agent → Merchant: POST /checkout_sessions/{id}/complete (with SPT)
Merchant → PSP: Charge using SPT
PSP → Merchant: Payment confirmation
Merchant → Agent: Session status = completed + order
SPT Constraints (Allowance)
Each SharedPaymentToken is scoped with:
- max_amount — Maximum chargeable amount (integer, minor units)
- currency — Currency code
- checkout_session_id — Tied to a specific session
- merchant_id — Only usable by the specified merchant
- expires_at — Expiration timestamp
- reason — Purpose of the allowance (value:
"one_time"for single-use checkout tokens)
If any constraint is violated, the charge fails.
SPT Properties
- Single-use — Can only be charged once
- Time-bound — Expires after a configured duration
- Amount-scoped — Cannot exceed the max amount
- Merchant-scoped — Only the designated merchant can use it
- Session-scoped — Tied to a specific checkout session
3D Secure Flow
When the merchant returns authentication_required:
- Agent receives a 3DS challenge
- Agent performs 3DS authentication with the buyer
- Agent calls
completeagain withauthentication_resultcontaining:three_ds_cryptogramelectronic_commerce_indicatortransaction_idversion
SPT Webhook Events
| Event | Recipient | Purpose |
|---|---|---|
shared_payment.granted_token.used | Merchant | Confirms SPT was consumed |
shared_payment.granted_token.deactivated | Merchant | SPT revoked or expired |
shared_payment.issued_token.used | Agent | Payment was processed |
shared_payment.issued_token.deactivated | Agent | SPT invalidated |
PCI Considerations
- Direct
/delegate_paymentintegration may affect PCI DSS scope - Network tokens preferred over full PAN (FPAN) where possible
- Never log full card numbers or CVCs
- SPT itself is not PCI-sensitive — it's a vault reference
Best Practices
- Always set
max_amountto the session total (not higher) - Set short expiration times — just enough for the checkout completion
- Handle SPT expiration gracefully — re-provision if needed
- Implement SPT webhook listeners for lifecycle tracking
- Log SPT creation and usage for reconciliation (without sensitive data)
Fetch the delegated payment OpenAPI spec and Stripe SPT docs for exact endpoint, request/response schemas, and error codes before implementing.