Securing Agent Business: Enabling Safe AI Agent Transactions with Visa and Mastercard
# The Era of Agentic Commerce Is Coming — And the Security Challenges Ahead
Cloudflare is partnering with **Visa** and **Mastercard** to secure automated commerce, where AI agents will soon **search, compare, and buy** on behalf of consumers.
- Visa has developed the [**Trusted Agent Protocol**](https://github.com/visa/trusted-agent-protocol)
- Mastercard has developed [**Agent Pay**](https://www.mastercard.com/us/en/business/artificial-intelligence/mastercard-agent-pay.html)
Both leverage [**Web Bot Auth**](https://blog.cloudflare.com/web-bot-auth/) as the agent authentication layer, enabling Cloudflare to **verify traffic from registered AI shopping agents**.
---
## Understanding Agentic Commerce
**Agentic commerce** = Commerce driven by AI agents acting for consumers.
Merchants must **protect trust** and **secure transactions** as this grows.
**Key challenges:**
1. **Legitimacy** — Distinguish approved shopping agents from malicious bots.
2. **Customer identity continuity** — Know if the agent represents a returning customer.
3. **Instruction respect** — Honor the consumer’s specific instructions to their agent.
**Solution Approach:** Collaborations with **Visa** and **Mastercard** to address these challenges.
---
## Why Verification Matters
Secure agent verification will be essential to:
- Prevent fraud
- Build consumer trust
- Enable future agent-driven ecosystems
---
## Web Bot Auth — The Security Foundation
The [**Web Bot Auth**](https://blog.cloudflare.com/web-bot-auth/) proposal builds on **HTTP Message Signatures** ([RFC 9421](https://www.rfc-editor.org/rfc/rfc9421)) and public-key cryptography, giving each agent a **stable, verifiable identity** tied to a published key rather than to a spoofable `User-Agent` string.
Benefits in commerce:
- **Verifiable** requests: the signature covers the request target and is checked against the agent's registered public key
- **Time-bound** authentication: `created` and `expires` parameters limit how long a signature stays valid
- **Non-replayable** transactions: a per-request `nonce` lets the verifier reject a captured request that is sent again
### Visa & Mastercard Capabilities
1. **Agent identification** — Recognize registered agents.
2. **Interaction context** — Indicate expected payment methods.
3. **Transaction integrity** — Secure, time-bound transactions.
---
## How It Works — HTTP Message Signatures
**Actors in ecosystem:**
- **Agent developers** — Build consumer-facing shopping agents.
- **Merchants** — Need request verification.
- **Networks like Cloudflare** — Validate cryptographic signatures.
- **Payment networks** — Link cardholder identity to agent transactions.
**Setup:**
- Agents registered with public keys (`keyid` in `Signature-Input` header).
- Merchants or payment networks retrieve keys for validation.
- Visa and Mastercard initially host separate key directories.
**Signature extensions:**
- A `tag` parameter in `Signature-Input` that distinguishes **browsing** from **purchasing** requests
- A `nonce` parameter for replay protection
---
### Example Request (Browsing)
`Signature-Input` is a single header field; it is wrapped across lines below for readability. `created=1735689600` is 2025-01-01T00:00:00Z and `expires` is one hour later. This example carries the base `web-bot-auth` tag; under the Visa and Mastercard profiles the tag is the browsing or purchasing value that Cloudflare checks in the verification steps.
```http
GET /path/to/resource HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 Chrome/113.0.0 MyShoppingAgent/1.1
Signature-Input: sig2=("@authority" "@path");
  created=1735689600;
  expires=1735693200;
  keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U";
  alg="Ed25519";
  nonce="e8N7S2MFd/qrd6T2R3tdfAuuANngKI7LFtKYI/vowzk4IAZyadIX6wW25MwG7DCT9RUKAJ0qVkU0mEeLEIW1qg==";
  tag="web-bot-auth"
Signature: sig2=:jdq0SqOwHdyHr9+r5jw3iYZH6aNGKijYp/EstF4RQTQdi5N5YYKrD+mCT1HA1nZDsi6nJKuHxUi/5Syp3rLWBA==:
```
---
## Cloudflare’s Verification Steps
When **Trusted Agent Protocol** or **Agent Pay** is used, Cloudflare will:
1. Confirm `Signature-Input` and `Signature` headers exist.
2. **Extract `keyid`** and fetch the matching public key from the payment network's directory (cached after the first lookup).
3. Verify **timestamps**.
4. Check **nonce** uniqueness.
5. Validate **tag** (`agent-browser-auth` or `agent-payer-auth`).
6. Rebuild canonical [signature base](https://www.rfc-editor.org/rfc/rfc9421#name-creating-the-signature-base).
7. Perform **Ed25519** cryptographic verification.
---
## Visual Flows
**Visa Validation Flow** and **Mastercard Agent Pay Flow** (diagrams not reproduced in this copy).
---
## Cloudflare’s Agent SDK & x402 Support
Features:
- Support for [x402 transactions](https://blog.cloudflare.com/x402/#cloudflares-mcp-servers-agents-sdk-and-x402-payments)
- Coming soon: Protocol integrations for Visa & Mastercard
- Private key management
- Automatic HTTP signature generation
- Authorization for browsing & payments
---
### Example — Cloudflare Worker Signing Logic
```javascript
// Build the RFC 9421 signature base over "@authority" and "@path" and sign it
// with Ed25519 through WebCrypto, which Workers expose as crypto.subtle.
// The tag distinguishes browsing from purchasing (see the verification steps).
async function createSignatureHeaders(targetUrl, credentials, tag = 'agent-browser-auth') {
  const url = new URL(targetUrl);
  // 1. Generate timestamps & unique nonce (one-hour validity window)
  const created = Math.floor(Date.now() / 1000);
  const expires = created + 3600;
  const nonce = btoa(String.fromCharCode(...crypto.getRandomValues(new Uint8Array(64))));
  // 2. Build 'Signature-Input' (the same parameter text is signed in step 3)
  const params = `("@authority" "@path");created=${created};expires=${expires}` +
    `;keyid="${credentials.keyId}";alg="Ed25519";nonce="${nonce}";tag="${tag}"`;
  // 3. Create signature base
  const base = `"@authority": ${url.host}\n"@path": ${url.pathname}\n"@signature-params": ${params}`;
  // 4. Sign with private key (assumed here to be stored as base64 PKCS#8; adapt to your secret's format)
  const pkcs8 = Uint8Array.from(atob(credentials.privateKey), (c) => c.charCodeAt(0));
  const key = await crypto.subtle.importKey('pkcs8', pkcs8, { name: 'Ed25519' }, false, ['sign']);
  const sig = new Uint8Array(await crypto.subtle.sign('Ed25519', key, new TextEncoder().encode(base)));
  // 5. Return headers
  const signedHeaders = new Headers();
  signedHeaders.set('Signature-Input', `sig2=${params}`);
  signedHeaders.set('Signature', `sig2=:${btoa(String.fromCharCode(...sig))}:`);
  return signedHeaders;
}

export default {
  async fetch(request, env) {
    const targetUrl = new URL(request.url).searchParams.get('target');
    // An unrestricted target turns this Worker into a signing oracle; allowlist merchant hosts in production.
    if (!targetUrl) return new Response('missing ?target=', { status: 400 });
    const credentials = {
      privateKey: env.PAYMENT_NETWORK_PRIVATE_KEY,
      keyId: env.PAYMENT_NETWORK_KEY_ID,
    };
    const signatureHeaders = await createSignatureHeaders(targetUrl, credentials);
    const signedRequestHeaders = new Headers(request.headers);
    signedRequestHeaders.set('Host', new URL(targetUrl).hostname);
    signedRequestHeaders.set('Signature-Input', signatureHeaders.get('Signature-Input'));
    signedRequestHeaders.set('Signature', signatureHeaders.get('Signature'));
    return fetch(targetUrl, { method: request.method, headers: signedRequestHeaders });
  },
};
```
---
## Managed Rulesets — Fine-Grained Control
You could:
- Block most bots
- Allow only trusted agents from Visa/Mastercard
- Bypass other bot/WAF rules for registered agents
These pathways give e-commerce, payments and AI-commerce platforms **secure, selective automation**: registered agents get through, while everything else stays subject to the usual bot and WAF controls.
---
## Future Directions
- Continuous improvement of registration & validation flows
- American Express integrating **Web Bot Auth**
- Alignment with evolving Web Bot Auth specifications
---
## Get Started
- Build now with Cloudflare’s [Agent SDK](https://agents.cloudflare.com/)
- Explore [Trusted Agent Protocol on GitHub](https://github.com/visa/trusted-agent-protocol)
- Review:
  - [Trusted Agent Protocol Specs](https://developer.visa.com/capabilities/trusted-agent-protocol/trusted-agent-protocol-specifications)
  - [Agent Pay](https://www.mastercard.com/us/en/business/artificial-intelligence/mastercard-agent-pay.html)
---