Stripe · Commerce · Payments · Integration

Securing Agent Commerce: Identity Verification for Stripe's Agentic Commerce Protocol

Kwame Nyantakyi
April 16, 2026 · 6 min read

Agents Are Spending Money. Who's Checking Their ID?

Stripe just launched the Agentic Commerce Protocol (ACP). It lets AI agents discover products, create checkout sessions, and complete purchases on behalf of users. OpenAI's ChatGPT already uses it for Instant Checkout. Shopify, Etsy, and hundreds of merchants are onboarding.

This is the future of commerce. Agents will buy things for us.

But here's the security question nobody's answering: when an agent initiates a $500 purchase, how does the merchant verify that this specific agent is authorized to spend money? Stripe handles the payment credentials via Shared Payment Tokens (SPTs), which are scoped by seller, time, and amount. That's excellent for payment security. But there's no identity verification of the agent itself.

A compromised agent with a valid SPT can still make purchases. An agent that was trusted yesterday but has been behaving erratically today can still check out. An agent without explicit transaction authorization from its organization can still initiate payments.

We built the Vorim Stripe ACP integration to close this gap.

How It Works

The integration adds a verification layer before any Stripe ACP checkout. Three checks run in sequence:

1. Permission check: Does this agent have the transact permission scope? This is an explicit authorization from the organization that deployed the agent. Without it, the agent is blocked before it reaches Stripe.

2. Trust score check: What's this agent's behavioral trust score? An agent with a score of 82/100 (consistent track record, low denial rate) gets through. An agent with a score of 30/100 (frequent errors, high denial rate) gets blocked. The threshold is configurable.

3. Status check: Is this agent currently active? Suspended or revoked agents are blocked regardless of permissions or trust score.

If all three pass, the checkout proceeds and a success event is logged. If any fail, the checkout is blocked and a denial event is logged with the specific reason.
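
The three checks and the logged decision, modeled locally as an added example (this is not Vorim SDK code). The registry, the record shape and the "Agent is unknown" denial are assumptions for illustration; the scope name and the other denial messages follow the ones in the SDK example on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Agent:                 # hypothetical record shape, not Vorim's schema
    scopes: frozenset
    trust_score: int
    status: str              # "active", "suspended" or "revoked"

# Constructed sample registry standing in for the identity service.
REGISTRY = {
    "agid_ok":      Agent(frozenset({"agent:transact"}), 82, "active"),
    "agid_noscope": Agent(frozenset(), 90, "active"),
    "agid_low":     Agent(frozenset({"agent:transact"}), 30, "active"),
    "agid_susp":    Agent(frozenset({"agent:transact"}), 95, "suspended"),
}

def authorize_checkout(agent_id, seller, amount, currency,
                       min_trust_score=70, audit_log=None):
    """Run the permission, trust and status checks in that order.

    Denies on the first failing check, and also when the agent cannot be
    looked up at all, so a missing record never falls through to checkout.
    """
    agent = REGISTRY.get(agent_id)
    if agent is None:
        reason = "Agent is unknown"          # assumed message, fail closed
    elif "agent:transact" not in agent.scopes:
        reason = "Agent does not have agent:transact permission"
    elif agent.trust_score < min_trust_score:
        reason = (f"Trust score {agent.trust_score} is below "
                  f"minimum {min_trust_score}")
    elif agent.status != "active":
        reason = f"Agent is {agent.status}, not active"
    else:
        reason = None

    event = {
        "type": "checkout.authorize",
        "result": "success" if reason is None else "denied",
        "reason": reason,
        "agent_id": agent_id, "seller": seller,
        "amount": amount, "currency": currency,
        "trust_score": agent.trust_score if agent else None,
    }
    if audit_log is not None:
        audit_log.append(event)   # every decision is recorded, pass or fail
    return {"authorized": reason is None, "reason": reason,
            "trust_score": event["trust_score"]}
```
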

TypeScript

import createVorim from '@vorim/sdk';
import { createVorimACP } from '@vorim/sdk/integrations/stripe-acp';

const vorim = createVorim({ apiKey: 'agid_sk_...' });
const acp = createVorimACP(vorim, { minTrustScore: 70 });

// Before creating a Stripe ACP checkout
const auth = await acp.authorizeCheckout({
  agentId: 'agid_abc123',
  seller: 'acme-store',
  amount: 4999,
  currency: 'usd',
});

if (auth.authorized) {
  // Proceed with Stripe ACP checkout
  console.log('Trust score:', auth.trustScore);
} else {
  console.log('Blocked:', auth.reason);
  // "Agent does not have agent:transact permission"
  // "Trust score 35 is below minimum 70"
  // "Agent is suspended, not active"
}

Express Middleware

For sellers implementing the ACP checkout endpoints, the middleware drops in with one line:

// Agent must send X-Vorim-Agent-Id header
app.post('/checkouts',
  acp.middleware({ minTrustScore: 70 }),
  (req, res) => {
    // Only reached if agent is verified
    const { trustScore, status } = req.vorimAuthorization;
    // Create Stripe checkout session...
  }
);

Python

from vorim.stripe_acp import VorimACP

acp = VorimACP(api_key='agid_sk_...', min_trust_score=70)

# Verify before checkout
result = acp.authorize_checkout(
    agent_id='agid_abc123',
    seller='acme-store',
    amount=4999,
    currency='usd',
)

if result['authorized']:
    print(f'Verified: trust score {result["trust_score"]}')
else:
    print(f'Blocked: {result["reason"]}')

# Flask/FastAPI decorator
@acp.require_transact()
def create_checkout(request):
    # Only reached if agent has transact permission
    return process_checkout(request)

The Audit Trail

Every commerce interaction is logged to Vorim's tamper-proof audit trail:

- checkout.authorize — permission check + trust verification (success or denied with reason)
- checkout.created — checkout session initiated
- checkout.completed — payment processed
- checkout.canceled — checkout abandoned

Each event includes the agent ID, seller, amount, currency, and trust score at the time of the action. When a compliance team asks "which agent authorized this $5,000 purchase and what was its trust level?", you have cryptographic proof.

Why This Matters

Agentic commerce is going to be massive. Stripe's ACP is already live in ChatGPT. 75% of retailers at NRF 2026 said they're implementing agentic commerce. Google launched the Universal Commerce Protocol. Shopify is onboarding 1M+ merchants.

But commerce without identity verification is a fraud vector. The same way you wouldn't let an unidentified person walk into a store and charge $10,000 to someone else's credit card, you shouldn't let an unidentified agent initiate purchases without verifying who it is, what it's allowed to do, and whether it has a track record of trustworthy behavior.

Stripe handles the payment security (SPTs, Radar, fraud detection). Vorim handles the agent identity security (cryptographic identity, permission scoping, trust scoring, audit trails). Together, they form a complete security stack for agentic commerce.

Get Started

# TypeScript
npm install @vorim/sdk

# Python
pip install vorim

Full documentation: vorim.ai/docs
Integrations page: vorim.ai/integrations

If you're building with Stripe ACP and want to add agent identity verification, reach out at team@vorim.ai or book a call at vorim.ai/contact.
