Skip to main content

Visa TAP

Visa TAP secures agent-initiated payment requests with HTTP Message Signatures and registry-verifiable agent keys.

RFC 9421 Signatures

Registry-Based Trust

Agent Registry API

  • GET https://api.useanima.sh/api/agents/:id
  • POST https://api.useanima.sh/api/agents/:id/keys
  • POST https://api.useanima.sh/api/agents/:id/revoke

Replay Protection (Nonce + Freshness)

Replay protection relies on a unique nonce, a tight freshness window, and a short-lived nonce cache to reject captured requests before they can be reused.
FieldRequirementPurpose
Nonce64-byte base64 valuePrevent duplicate request replay.
Freshness window8 minutes max skewReject stale captured requests.
Nonce cacheTTL ≥ 8 minutesGuarantee one-time use within validity window.

Supported Algorithms

  • Ed25519
  • rsa-pss-sha256

Signing Example

visa-tap-sign.ts
import { createHash, randomBytes, sign } from "crypto";

const body = JSON.stringify({ amount: 1250, currency: "USD" });
const nonce = randomBytes(64).toString("base64");
const created = Math.floor(Date.now() / 1000);
const digest = createHash("sha-256").update(body).digest("base64");

const signatureBase = [
  '"@method": post',
  '"@path": /payments/authorize',
  '"x-agent-nonce": ' + nonce,
  '"x-agent-created": ' + created,
  '"digest": sha-256=:' + digest + ":",
].join("\n");

const signature = sign(null, Buffer.from(signatureBase), privateKey).toString(
  "base64",
);

const signatureInput =
  'sig1=("@method" "@path" "@x-agent-nonce" "@x-agent-created" "digest");alg="ed25519"';
Note: Persist nonce + signature input hashes for short-term forensic replay analysis.
Tip: Validate signature, timestamp, nonce uniqueness, and key status in a single atomic verification transaction.