With AI agents increasingly making API calls to payment endpoints, there's a gap in how agents declare and verify their identity when calling Stripe's API.
The OpenAPI Initiative recently registered the x-agent-trust extension in its Extensions Registry — a security scheme that lets an API declare it expects a signed agent identity (algorithm, trust levels, JWKS endpoint for verification).
For Stripe's spec, this could look like:
```yaml
components:
  securitySchemes:
    AgentTrust:
      type: apiKey
      name: Agent-Signature
      in: header
      x-agent-trust:
        algorithm: ES256
        trustLevels: [L0, L1, L2, L3, L4]
        issuerKeysUrl: /.well-known/agent-trust-keys
paths:
  /v1/charges:
    post:
      security:
        - AgentTrust: [L3]  # only trusted agents can create charges
  /v1/balance:
    get:
      security:
        - AgentTrust: [L1]  # any verified agent can check balance
```
This gives Stripe graduated trust levels for agent callers — read-only operations at L1, payment creation at L3, refunds or sensitive operations at L4. Similar to how restricted keys limit scope today, but per-agent and cryptographically verified per-request.
Registry entry: https://spec.openapis.org/registry/extension/x-agent-trust.html
Integration guide: https://x-agent-auth.fly.dev/integrate
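A server-side sketch of the check this scheme implies, added here as an example and not taken from the registry entry, the integration guide, or Stripe: verify the ES256 signature against the issuer's JWKS, then compare the agent's level with the level the operation requires. The token format (a compact JWS in `Agent-Signature`), the claim names `sub`, `trust_level` and `exp`, the "at least this level" ordering, and the names `authorize`, `signAgentToken` and `demo-key` are all assumptions.

```javascript
const crypto = require('node:crypto');

// Per-operation minimum levels, copied from the spec fragment in the post.
const REQUIRED = { 'POST /v1/charges': 'L3', 'GET /v1/balance': 'L1' };
const LEVELS = ['L0', 'L1', 'L2', 'L3', 'L4'];
const b64u = (x) => Buffer.from(x).toString('base64url');

// Assumed token format: compact JWS (header.payload.signature), ES256.
function signAgentToken(claims, privateKey, kid) {
  const input = b64u(JSON.stringify({ alg: 'ES256', kid })) + '.' + b64u(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return input + '.' + sig.toString('base64url');
}

function authorize(operation, token, jwks, now = Math.floor(Date.now() / 1000)) {
  const required = REQUIRED[operation];
  if (!required) return { ok: false, reason: 'unknown operation' };
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed token' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
  } catch { return { ok: false, reason: 'malformed token' }; }
  // Pin the algorithm the spec declares; never accept the token's own choice.
  if (header.alg !== 'ES256') return { ok: false, reason: 'wrong algorithm' };
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'EC' && k.crv === 'P-256');
  if (!jwk) return { ok: false, reason: 'unknown key' };
  const valid = crypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
    { key: crypto.createPublicKey({ key: jwk, format: 'jwk' }), dsaEncoding: 'ieee-p1363' },
    Buffer.from(parts[2], 'base64url'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  // Unknown level strings map to -1 and are always rejected.
  if (LEVELS.indexOf(claims.trust_level) < LEVELS.indexOf(required)) {
    return { ok: false, reason: 'insufficient trust level' };
  }
  return { ok: true, agent: claims.sub };
}

// Constructed sample: a throwaway issuer key and an L1 agent token.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key' }] };
const exp = Math.floor(Date.now() / 1000) + 300;
const l1Token = signAgentToken({ sub: 'agent-demo', trust_level: 'L1', exp }, privateKey, 'demo-key');
console.log(authorize('GET /v1/balance', l1Token, jwks), authorize('POST /v1/charges', l1Token, jwks));
```

In a deployment the `jwks` object would be fetched from the `issuerKeysUrl` and cached rather than generated in-process.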