Documentation Index
Fetch the complete documentation index at: https://docs.nevermined.app/llms.txt
Use this file to discover all available pages before exploring further.
Agent Payments
How agents pay with your real card, within limits you control.How is this different from issuing a prepaid card for my agent?
How is this different from issuing a prepaid card for my agent?
Card Delegation uses your real credit or debit card, not a separate prepaid balance. At enrollment, the card number is tokenized by a PCI-compliant vault (VGS Collect for Visa and Stripe; Braintree Drop-in for Braintree). Nevermined never sees or stores the raw PAN. What the agent receives is a scoped delegation that encodes identity, spending limits, and (for Visa) the device that approved it. The actual charge still runs on existing card rails, so it appears on your normal statement. No prefunding, no separate balance to manage.
What happens if an agent tries to exceed the delegation?
What happens if an agent tries to exceed the delegation?
The transaction is rejected instantly before it reaches the payment processor. Delegations are enforced server-side on every verify and settle call. The agent receives a clear 402 error explaining which limit was hit (lifetime spending limit, transaction count, or duration), so it can adapt its behavior or notify the user.
Can I use Card Delegation with any AI agent framework?
Can I use Card Delegation with any AI agent framework?
Yes. Any software that can make an HTTP request can use x402 payments. That includes OpenAI Assistants, Anthropic Claude, LangChain, CrewAI, Strands, MCP tool servers, and custom agents. Nevermined also provides TypeScript and Python SDKs, a CLI, and an MCP server for convenience, but none are required.
How do I revoke an agent's ability to spend?
How do I revoke an agent's ability to spend?
One click in the dashboard or
DELETE /api/v1/delegation/{delegationId}. Revocation is immediate: no grace period, no cached tokens, and no pending window. The agent loses payment capability the instant you revoke, and any in-flight verify/settle calls fail with DELEGATION_INACTIVE.What's the difference between the Visa, Stripe, and Braintree settlement paths?
What's the difference between the Visa, Stripe, and Braintree settlement paths?
From the agent’s perspective, nothing changes. It sends the same x402 payment header either way. The difference is in how settlement runs under the hood:
- Visa path — Your card is tokenized as a Visa Agentic Token via the VGS Credential Management Platform. Each delegation is bound to your device with a one-time WebAuthn/passkey ceremony enforced by Visa VTS. Settlement runs through Stripe Connect against the seller’s connected account.
- Stripe path — Your card is tokenized by Stripe, and settlement runs through Stripe PaymentIntents directly. The seller connects their Stripe account when they enroll with Nevermined.
- Braintree path — Your card is vaulted as a Braintree
paymentMethodToken, and settlement runs throughtransaction.saleagainst the seller’s per-currency OAuth-connected Braintree merchant account.
What security and compliance standards does Card Delegation meet?
What security and compliance standards does Card Delegation meet?
Card data is captured via a PCI-compliant vault (VGS Collect for Visa / Stripe, Braintree Drop-in for Braintree) and tokenized before it enters the system. Nevermined holds ISO 27001 and SOC 2 Type II certifications and operates at PCI SAQ-D level. For Visa, Strong Customer Authentication via WebAuthn/passkey (or email OTP fallback) is enforced per delegation by Visa VTS. Every transaction is logged with agent ID, amount, merchant, and timestamp for full auditability.
Delegation Selection
How agents pick which delegation to charge.How does my agent know which delegation to use?
How does my agent know which delegation to use?
There are three ways the system resolves which delegation to charge, from simplest to most explicit:
- Automatic — If your API key has access to exactly one active delegation, it is selected automatically. Just pass your API key and go. If there are zero or multiple delegations, you get a clear error asking you to be more specific.
- Key-linked — Link a specific delegation to a specific API key, either when you create the delegation or by revoking and recreating it. The system always routes that key to its linked delegation, even if you have multiple delegations active. Only the linked key can use that delegation.
- Explicit delegation ID — Pass
delegationIdindelegationConfigfor full control. This is the only supported mode for Visa.
When should I link an API key to a delegation?
When should I link an API key to a delegation?
If you have one delegation and one API key, you don’t need to link them. Automatic selection handles it. Linking becomes useful when you have multiple delegations and want each agent (or API key) to use a specific one without passing a delegation ID on every request. It’s the recommended approach for multi-agent setups on Stripe and Braintree, and a useful convenience for Visa.
What happens if I have multiple delegations and no key linked?
What happens if I have multiple delegations and no key linked?
The automatic selection will fail because the system can’t determine which delegation to charge. Your agent receives a 402 error explaining that multiple delegations are available. You can resolve this by either linking your API key to a specific delegation, or passing the
delegationId explicitly.Can the same API key be used across Visa, Stripe, and Braintree?
Can the same API key be used across Visa, Stripe, and Braintree?
Yes. API keys are provider-agnostic. The same key works for delegations on any network. The link is stored as
apiKeyId directly on the delegation record, so each delegation independently decides whether to honor the caller’s key.How do I change which delegation an API key is linked to?
How do I change which delegation an API key is linked to?
Delegations are immutable. To change the link, revoke the existing delegation and create a new one with the desired
apiKeyId. For Visa, this also requires a fresh WebAuthn/passkey device-binding ceremony.Stripe
Settlement through Stripe’s network.How does the Stripe settlement path work?
How does the Stripe settlement path work?
When you enroll a card via Stripe, VGS Collect tokenizes the PAN and Stripe vaults it as a
pm_… PaymentMethod. When your agent makes a payment, Nevermined creates an off-session PaymentIntent against that PaymentMethod, optionally routing to the seller’s Stripe Connect account. The payment is wrapped in the x402 protocol, so the seller (or a facilitator) triggers the flow by responding with a 402 status code.What does a seller need to accept Stripe-path payments?
What does a seller need to accept Stripe-path payments?
The seller enrolls with Nevermined and connects their Stripe account via Stripe Connect. Once enrolled, they can receive payments from AI agents via the x402 protocol. The seller needs an active Stripe account since the Stripe path settles through Stripe’s network. Nevermined handles agent authentication, delegation enforcement, and the x402 flow on the seller’s behalf.
Which cards work with Stripe?
Which cards work with Stripe?
Stripe supports most Visa, Mastercard, American Express, and Discover cards. Both credit and debit cards are eligible. The card is tokenized at enrollment and charges appear on your normal statement.
Visa Agentic Tokens
Settlement through Visa’s Trusted Agent Protocol.Is this a sandbox integration, or production Visa infrastructure?
Is this a sandbox integration, or production Visa infrastructure?
Production-ready. Nevermined integrates with the Visa Trusted Agent Protocol through the VGS Credential Management Platform (CMP) and Visa VTS device-binding service. Your enrolled card becomes a Visa Agentic Token bound to Nevermined as the token requestor, and every delegation captures a fresh WebAuthn/passkey approval before it can charge.
How does VGS Credential Management Platform protect my card?
How does VGS Credential Management Platform protect my card?
At enrollment, your real PAN is captured by a VGS Collect iframe and posted directly to CMP. It never passes through or is stored by Nevermined. CMP mints a Visa Agentic Token (
vat_…) bound to Nevermined as the token requestor. Even if the token were compromised, it can’t be used outside the Nevermined ecosystem, and you can revoke it instantly from the dashboard.What is the device-binding step and why does it matter?
What is the device-binding step and why does it matter?
Every Visa delegation requires a one-time WebAuthn/passkey ceremony — an iframe embedded by Visa VTS prompts you to approve the spending limit, duration, and merchant. Approving produces a single-use
assuranceData blob that binds the delegation to your device. This means even if an agent is compromised, it can’t widen its own spending power without your hardware key. It’s purpose-built for high-frequency, autonomous agent payments.What if I don't have a passkey?
What if I don't have a passkey?
Visa VTS falls back to an email OTP delivered to the address on file for your CMP cardholder. The webapp surfaces an OTP input when the SDK reports
needsOtp: true.What does a seller need to accept Visa-path payments?
What does a seller need to accept Visa-path payments?
The seller must have completed Stripe Connect onboarding — Visa delegations settle through Stripe Connect against the seller’s connected account. The seller does not need any direct relationship with Visa or VGS; Nevermined acts as the token requestor. Visa delegations also require a
planId so the delegation binds to a single seller per the Trusted Agent Protocol.Can I create a Visa delegation from the SDK or CLI?
Can I create a Visa delegation from the SDK or CLI?
No. Visa delegation creation requires
consumerPrompt and assuranceData, both of which can only be produced by the WebAuthn ceremony embedded in the Nevermined webapp. The SDK and CLI surface explicit errors (BCK.VISA.0014) when callers attempt create_delegation(provider="visa", ...). You can, however, consume an existing Visa delegation from the SDK by passing its delegationId to DelegationConfig exactly like Stripe or Braintree.Which cards are eligible for Visa Agentic Tokens?
Which cards are eligible for Visa Agentic Tokens?
Any Visa card whose issuer participates in the Visa Trusted Agent Protocol. During the pilot, support is concentrated on US issuers; the eligibility list is widening as more issuers integrate.
Limits & Seller Onboarding
Pilot ceilings, increased limits, and accepting agent payments.What are the current spending limits?
What are the current spending limits?
During the pilot, each enrolled card has a $10.00 cumulative ceiling across all active delegations. This applies to all three networks independently. Individual delegation amounts are validated against the remaining ceiling at creation time.
Can I get higher limits?
Can I get higher limits?
Yes. The $10 ceiling is a pilot default. Contact the Nevermined team to request increased limits for your account.
How do I onboard as a seller?
How do I onboard as a seller?
Contact the Nevermined team to schedule a seller onboarding call. Once enrolled, your business can accept payments from AI agents via the x402 protocol. Sellers on Stripe complete Stripe Connect; sellers on Braintree complete OAuth Connect with at least one child merchant account per accepted currency. Visa Trusted Agent plans require the seller’s Stripe Connect account because Visa delegations settle through Stripe Connect.