Trust in Depth for AI Agents
The Landscape

Verifiable Intent (VI)

Mastercard's SD-JWT credential format for binding human intent to agent actions.

Verifiable Intent is Mastercard's protocol for binding human intent to AI agent actions in commerce. Announced in October 2025 and published as a specification in February 2026, it addresses a specific and important question: how do you prove that an AI agent's purchase was authorized by a human, and that the purchase fell within the constraints the human set?

The Credential Chain

VI uses a three-level credential chain, each level more constrained and shorter-lived than the one above it.

L1: Identity Binding

The L1 credential is an SD-JWT issued by Mastercard (acting as the "VI Issuer"). It binds the user's identity to a cryptographic public key.

  • Format: SD-JWT with selective disclosure
  • Issuer: Mastercard (the VI Issuer)
  • Lifetime: Approximately 1 year
  • Purpose: Establishes that this public key belongs to this verified human
  • Identity basis: KYC performed through the card network's existing verification

The L1 credential is the root of the delegation chain. Everything downstream depends on the claim that this key belongs to this person, and that claim rests on Mastercard's identity verification.

L2: User Constraints

The L2 credential is a KB-SD-JWT+KB signed by the user (using the key bound in L1). It constrains what the agent is permitted to do.

  • Format: KB-SD-JWT+KB (Key Binding SD-JWT with Key Binding)
  • Signer: The user
  • Lifetime: 24 hours to 30 days
  • Purpose: Defines the boundary conditions for agent autonomy

L2 constraints include:

  • Merchant restrictions: which merchants the agent may transact with
  • Amount limits: maximum transaction value, possibly per-transaction and aggregate
  • Item restrictions: categories or specific items the agent may purchase
  • Autonomy mode: either autonomous (agent acts independently within constraints) or approval (agent must request human confirmation before executing)

The L2 credential is where human intent becomes machine-verifiable. A user does not say "buy me something nice." A user says "spend up to $200 at these three merchants on items in this category, and ask me before you finalize."

L3: Execution Proof

The L3 credential is created by the agent at execution time. It has two variants:

  • L3a — Payment Mandate: Sent to the payment network. Contains the autonomous mode flag, an agent-generated checkout reference, and constraint verification status.
  • L3b — Checkout Mandate: Sent to the merchant. Contains checkout details and references back to the constraint chain.

L3 credentials have a lifetime of approximately 5 minutes. They contain no cnf (confirmation) claim — they are terminal. No further delegation is possible. The chain ends here.

Constraint Verification

The constraint system is VI's most technically interesting contribution. When the agent creates an L3 credential, the system verifies that the L3 parameters satisfy the L2 bounds:

  • The merchant is on the permitted list
  • The amount is within the specified range
  • The items match the allowed categories
  • If approval mode is set, the user has confirmed

This verification is cryptographically grounded. The L2 constraints are signed by the user's key (bound to their identity via L1). The L3 execution references the L2. A verifier can trace the chain: this purchase was made by this agent, operating under these constraints, set by this human, whose identity was verified by Mastercard.
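The check described above can be sketched as follows. This is an added example, not code from the VI specification or from Mastercard: every field name is hypothetical, amounts are assumed to be integer cents in a single currency, and signatures on L1, L2 and L3 are assumed to have been verified already.

```python
# Added illustration; all field names are hypothetical, not from the VI specification.
from dataclasses import dataclass, field

L3_MAX_LIFETIME_S = 5 * 60  # the page gives L3 a lifetime of approximately 5 minutes

@dataclass
class L2Constraints:
    merchants: set
    max_amount_cents: int
    categories: set
    mode: str          # "autonomous" or "approval"
    agent_key_id: str  # stands in for the agent key bound through L2's cnf

@dataclass
class L3Mandate:
    merchant: str
    amount_cents: int
    item_categories: list
    signer_key_id: str
    iat: int
    exp: int
    user_confirmed: bool = False
    claims: dict = field(default_factory=dict)  # extra claims found in the mandate

def check_l3_against_l2(l2, l3, now):
    """Return the list of violations; an empty list means L3 stays inside L2."""
    mode_ok = l2.mode == "autonomous" or (l2.mode == "approval" and l3.user_confirmed)
    checks = [
        (l3.signer_key_id == l2.agent_key_id, "signer is not the agent key bound in L2"),
        ("cnf" not in l3.claims, "L3 carries cnf; it must be terminal"),
        (l3.exp - l3.iat <= L3_MAX_LIFETIME_S, "L3 lifetime exceeds 5 minutes"),
        (l3.iat <= now < l3.exp, "L3 is not currently valid"),
        (l3.merchant in l2.merchants, "merchant not permitted"),
        (0 < l3.amount_cents <= l2.max_amount_cents, "amount outside limit"),
        (bool(l3.item_categories) and set(l3.item_categories) <= l2.categories,
         "item category not allowed"),
        (mode_ok, "approval missing or unknown autonomy mode"),  # fails closed
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample: "up to $200 at three merchants, one category, ask me first".
SAMPLE_L2 = L2Constraints({"shop-a.example", "shop-b.example", "shop-c.example"},
                          20_000, {"footwear"}, "approval", "agent-key-1")
SAMPLE_OK = L3Mandate("shop-a.example", 18_500, ["footwear"], "agent-key-1",
                      1000, 1240, user_confirmed=True)
SAMPLE_BAD = L3Mandate("shop-z.example", 25_000, ["footwear"], "agent-key-1",
                       1000, 1240, claims={"cnf": {"kid": "sub-agent"}})
```

Returning every violation rather than stopping at the first gives the verifier a complete record of why a mandate was rejected.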

The Payment Mandate

The L3a Payment Mandate is VI's interface with the payment network. It signals AI involvement to the payment processor, carrying:

  • Whether the agent operated in autonomous or approval mode
  • The agent-generated checkout reference
  • The constraint verification status (did the L3 satisfy the L2?)

This signaling matters. It allows payment networks to apply different risk models to agent-initiated transactions, to flag them for enhanced monitoring, or to route them through different authorization paths.

Identity Model

VI's identity model is deep but narrow.

What it covers:

  • Human identity: Through L1, grounded in Mastercard's KYC via the card network
  • Agent identity: Through L2's cnf binding — the agent's key is cryptographically bound to the user's delegation

What it does not cover:

  • Entity identity: If an agent acts on behalf of a corporation, VI does not verify the corporation's authority structure, its authorized signers, or its organizational constraints
  • Jurisdictional identity: VI does not bind the transaction to any legal jurisdiction or regulatory framework
  • Persistent agent identity: The agent's identity is scoped to the L2 delegation. Across different L2 credentials (or different users), the same agent has no persistent, verifiable identity

What VI Handles Well

VI is the most sophisticated of the four protocols in its treatment of delegation and authorization. The three-level credential chain is a genuine contribution — it creates a verifiable, cryptographic proof that a human authorized an agent to act within specific bounds, and that the agent's action fell within those bounds.

For the purchase transaction, this is strong infrastructure. You can answer the question "did the human approve this?" with cryptographic evidence rather than contractual assertion.

What VI Defers

VI's own specification is explicit about what it does not cover.

Section 2.4 states: "VI does not define how disputes are initiated, routed between parties, escalated, or resolved."

This is a clear-eyed acknowledgment. VI proves that the human authorized the purchase. It does not address what happens when the purchase goes wrong — when the item does not arrive, when it does not match the description, when the merchant disputes the agent's representation of the checkout, or when the constraint verification itself is contested.

VI also defers:

  • Agreement lifecycle: VI handles the transaction moment, not ongoing obligations
  • Entity authority: No mechanism for corporate authorization structures
  • Cross-protocol identity: VI identity is bound to Mastercard's network; it does not compose with AP2's VDCs or UCP's DNS-based identity

The delegation chain proves intent. It does not resolve disagreement about what that intent produced.