ap2-cart-mandate

Implement the AP2 Cart Mandate — the human-present VDC that binds user authorization to a specific transaction with merchant-signed product offers and user-signed confirmation. Use when building cart creation, signing, and verification for human-present checkout flows.

Best use case

ap2-cart-mandate is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using ap2-cart-mandate should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/ap2-cart-mandate/SKILL.md --create-dirs "https://raw.githubusercontent.com/OrcaQubits/agentic-commerce-skills-plugins/main/ap2-agentic-payments/skills/ap2-cart-mandate/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/ap2-cart-mandate/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How ap2-cart-mandate Compares

| Feature / Agent | ap2-cart-mandate | Standard Approach |
| --- | --- | --- |
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Implement the AP2 Cart Mandate — the human-present VDC that binds user authorization to a specific transaction with merchant-signed product offers and user-signed confirmation. Use when building cart creation, signing, and verification for human-present checkout flows.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# AP2 Cart Mandate

## Before writing code

**Fetch live docs**:
1. Fetch `https://ap2-protocol.org/specification/` for the Cart Mandate schema
2. Web-search `site:github.com google-agentic-commerce AP2 src/ap2/types mandate` for the Python type definitions
3. Web-search `site:github.com google-agentic-commerce AP2 samples cart mandate` for sample implementations
4. Fetch `https://ap2-protocol.org/topics/core-concepts/` for Cart Mandate conceptual details

## Conceptual Architecture

### What the Cart Mandate Is

The Cart Mandate is the **primary VDC (Verifiable Digital Credential) for human-present transactions**. It captures explicit user authorization for a specific set of items at specific prices, cryptographically binding the user's identity and consent to the exact transaction details.

### Who Creates It

The **Merchant Endpoint** creates and signs the Cart Mandate after receiving an Intent Mandate from the Shopping Agent. The merchant's signature guarantees fulfillment of the specified items at the specified prices.

### Who Signs It

Two signatures are required:
1. **Merchant signature** — Entity-level (not agent-level) guarantee of fulfillment
2. **User signature** — Hardware-backed device key with in-session authentication

### Cart Mandate Structure

A CartMandate has two parts: `contents` (CartContents) and `merchant_authorization` (a JWT).

**CartContents fields**: `id`, `user_cart_confirmation_required`, `payment_request` (W3C PaymentRequest), `cart_expiry`, `merchant_name`.

Based on the specification, key fields include:

```json
{
  "contents": {
    "id": "cart_identifier",
    "user_cart_confirmation_required": true,
    "payment_request": {
      "method_data": [
        {
          "supportedMethods": "https://processor.example.com/pay",
          "data": { ... }
        }
      ],
      "details": {
        "id": "order_id",
        "displayItems": [
          { "label": "Product Name", "amount": { "currency": "USD", "value": "29.99" } }
        ],
        "total": {
          "label": "Total",
          "amount": { "currency": "USD", "value": "29.99" }
        },
        "shipping_options": null
      },
      "options": {
        "requestPayerName": true,
        "requestShipping": true,
        "requestPayerEmail": false,
        "requestPayerPhone": false
      }
    },
    "cart_expiry": "2025-09-01T13:00:00Z",
    "merchant_name": "Example Merchant"
  },
  "merchant_authorization": "<base64url-header>..<base64url-signature>"
}
```

### Payment Request API Structure

Cart Mandates embed the W3C Payment Request API structure:
- **methodData** (`method_data` in the JSON above) — Supported payment methods with processor endpoint URLs
- **details** — Order ID, line items with amounts, total, shipping options
- **options** — What payer information the merchant requests

### Cart Mandate Flow

1. Shopping Agent presents Intent Mandate to Merchant
2. Merchant searches catalog, finds matching products
3. Merchant creates Cart Mandate with product offers, prices, totals
4. Merchant signs the Cart Mandate (entity-level signature)
5. Cart Mandate returned to Shopping Agent
6. Shopping Agent displays cart to user
7. User reviews and confirms
8. User signs the Cart Mandate on trusted device surface

### Merchant Authorization

The `merchant_authorization` is a **Base64url-encoded JWT using detached JWS format**: `<base64url-header>..<base64url-signature>` (double dots — the payload is omitted because it is the canonicalized CartContents).

**Supported signing algorithms**: ES256, ES384, ES512 (ECDSA with P-256, P-384, P-521 curves).

**JCS (RFC 8785) canonicalization** is applied to the CartContents JSON before signing, ensuring deterministic serialization.

The JWT header MUST include the `alg` and `kid` header parameters. The JWT payload includes: `iss`, `aud`, `iat`, `exp`, `jti`, `cart_hash`.

The merchant authorization guarantees:
- The listed products are available
- The prices are accurate
- The merchant commits to fulfilling the order at those terms
- This is an **entity** authorization, not an agent authorization — the merchant organization, not its AI agent
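
The merchant-side signing and verifier-side check described above, as an added example (not code from this skill or the AP2 project). It assumes the signing input follows RFC 7515 detached content, i.e. `header + "." + base64url(JCS(CartContents))`; `signCart`, `verifyCart` and the `keys` map are hypothetical names, and the JWT claims and the user signature are not covered.

```javascript
// Added example, not AP2 project code. Node built-ins only.
const crypto = require('node:crypto');

const HASH = { ES256: 'sha256', ES384: 'sha384', ES512: 'sha512' }; // algorithms the page lists
const b64u = (x) => Buffer.from(x).toString('base64url');

// RFC 8785 (JCS): object keys sorted by UTF-16 code unit, primitives as
// ECMAScript serializes them, which is what JSON.stringify emits for JSON values.
function jcs(v) {
  if (v === null || typeof v !== 'object') return JSON.stringify(v);
  if (Array.isArray(v)) return '[' + v.map(jcs).join(',') + ']';
  return '{' + Object.keys(v).sort()
    .map((k) => JSON.stringify(k) + ':' + jcs(v[k])).join(',') + '}';
}

// Merchant side: "<header>..<signature>" over header + "." + b64u(JCS(contents)).
function signCart(contents, privateKey, kid, alg = 'ES256') {
  const header = b64u(JSON.stringify({ alg, kid }));
  const sig = crypto.sign(HASH[alg], Buffer.from(header + '.' + b64u(jcs(contents))),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }); // JWS wants raw r||s, not DER
  return header + '..' + b64u(sig);
}

// Verifier side. `keys` is a hypothetical kid -> public key map of trusted merchants.
// Returns 'valid' or the reason for rejection.
function verifyCart(mandate, keys, now = Date.now()) {
  const [h, payload, s, ...rest] = String(mandate.merchant_authorization).split('.');
  if (!h || payload !== '' || !s || rest.length) return 'not a detached JWS';
  let header;
  try { header = JSON.parse(Buffer.from(h, 'base64url').toString()); } catch { return 'bad header'; }
  // Allow-list the algorithm; the token must not be able to pick "none" or HMAC.
  if (!header || !Object.hasOwn(HASH, header.alg)) return 'alg not allowed';
  if (typeof header.kid !== 'string' || !Object.hasOwn(keys, header.kid)) return 'unknown kid';
  let good = false;
  try {
    good = crypto.verify(HASH[header.alg], Buffer.from(h + '.' + b64u(jcs(mandate.contents))),
      { key: keys[header.kid], dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  } catch { good = false; } // malformed signature bytes or missing contents
  if (!good) return 'bad signature';
  // Only trust cart_expiry after the signature over it has checked out.
  if (!(Date.parse(mandate.contents.cart_expiry) > now)) return 'cart expired';
  return 'valid';
}
```

Because the payload is rebuilt from the received `contents`, any change to a price, item or expiry after signing fails verification, while a mere reordering of JSON keys does not.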

### User Signature

The user signature proves:
- The user reviewed the cart contents
- The user authorized the purchase
- The signature is hardware-backed (device key) and in-session authenticated
- This provides non-repudiation for dispute resolution

### Best Practices

- Always include all line items with individual prices — don't just show a total
- Include clear product descriptions the user can review
- Validate the Cart Mandate signature chain before processing payment
- Store signed Cart Mandates for dispute resolution
- Handle the case where the user rejects the cart (don't force signing)
- Include shipping options when physical fulfillment is involved
- Use the W3C Payment Request API structure consistently

Fetch the specification for exact Cart Mandate fields, signature format, and the payment_request schema before implementing.
