PayClaw is an open identity standard for AI agents. Before an agent acts at your store, it declares who it is and who authorized it.
We are not a payment processor. We are not a bot detection company. We are the declaration layer between agents and merchants.
PayClaw is a Credential Provider in the Universal Commerce Protocol — the open standard for agent commerce. UCP was co-developed by Google and Shopify. It is adopted by Target, Walmart, Wayfair, and Etsy.
The extension is open source. [GitHub] (MIT)
This is what your merchant system sees.
Verified. Authorized. Traceable.
The problem
Your bot defenses work. That is the problem.
They catch scrapers, credential stuffers, and price harvesters. They also catch a new category of traffic: AI agents shopping on behalf of real customers.
When an authorized agent hits walls, it does not complain. It routes to a competitor. You lose the sale. No alert fires. The data does not exist.
The solution
PayClaw adds one signal to your existing defenses. Not a replacement. An enhancement.
Agents that carry a PayClaw declaration present verified identity, declared intent, and a traceable human principal. You get one new column in your decision matrix: declared or undeclared.
- Declared agent traffic converts instead of bouncing
- No infrastructure changes — manifest injection only
- You remain Merchant of Record for all transactions
- No liability shift — every payment requires explicit human approval
We are telling you this because it matters to us
What we do
We publish an open identity extension for UCP. Merchants who install it signal that declared agents are welcome. Agents present a cryptographic token at checkout. We verify it. That is the entire product.
The token proves three things: a real human authorized this agent, the agent declared its intent, and the session is traceable to an accountable principal. We never share the principal's identity with you. The token carries a cryptographic commitment, not a name or email.
What we don't do
- Share user PII with merchants
- Charge for the identity extension or UCP manifest
- Replace your bot detection — we add a signal on top of it
- Force agent compliance or workarounds — we describe what the architecture does; you decide what it means for your business
Identity verification is free. It will stay free. Open standards do not charge for verification. OAuth does not charge per login. PayClaw does not charge per declaration.
How we sustain this
Here is how the business works.
The core UCP identity solution is free for users and for merchants.
Paying Users: When an agent completes a purchase, PayClaw issues a single-use virtual Visa on existing card rails. We charge Spend users a “refill fee” of 1.5% when they reload their wallet. You pay nothing extra as a merchant. The transaction routes at normal Visa rates.
Paying Merchants: We intend to build enterprise-grade verification features: age verification, compliance registries, enhanced audit trails. These will be subscription services for merchants who need them. The identity standard remains free.
If our model changes materially, we will say so publicly.
The UCP Extension
io.payclaw.common.identity is an extension to UCP's checkout capability. Any UCP merchant can add it to their /.well-known/ucp manifest at any time.
Shopify one-click is coming soon. For early access or non-Shopify integration support, contact merchants@payclaw.io.
config.required: false means checkout never breaks for agents without PayClaw. When a merchant sets this to true, agents that cannot satisfy the identity check receive requires_escalation — forcing a user handoff through PayClaw's OAuth flow.
{
  "name": "io.payclaw.common.identity",
  "version": "2026-01-11",
  "extends": "dev.ucp.shopping.checkout",
  "spec": "https://payclaw.io/ucp/spec/identity",
  "schema": "https://payclaw.io/ucp/schemas/identity.json",
  "config": {
    "required": false
  }
}
What Agents See
When an agent without PayClaw queries a UCP merchant, it reads the manifest and surfaces a prompt to the user:
“This store verifies user-authorized agents. Run npx -y @payclaw/mcp-server to authorize me to continue.”
This happens automatically. Not because of a custom integration — because the capability is in the manifest and agents are built to read it.
What Agents Present at Checkout
A declared agent includes this payload in its UCP checkout request.
badge_status: declared means this agent presented a valid PayClaw consent key. A verified human principal authorized this session via Google or Apple sign-in. The principal's identity is cryptographically committed to the token — we never share PII with merchants.
{
  "identity_declaration": {
    "credential_provider": "io.payclaw.common.identity",
    "badge_status": "declared"
  }
}
Programmatic Verification
Standard verification uses OAuth 2.0 token introspection (RFC 7662). One HTTP call. No PayClaw account required. Non-blocking. Target latency under 50ms.
Merchants discover this endpoint automatically via /.well-known/oauth-authorization-server (RFC 8414). See Trust Architecture for full details.
POST /api/oauth/introspect
Authorization: Bearer {token}
Manual integration
See Dev JSON & Readme at [Git - UCP]
Simple UCP extension — add and configure anytime
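A merchant-side sketch of how config.required, the identity_declaration payload and the RFC 7662 introspection reply combine into one decision. This is an added example, not PayClaw's or UCP's own code. The page does not show how the token travels in the checkout request, so it is passed in separately; the `introspect` callable and the handling of lookup failures are assumptions.

```python
from typing import Callable, Optional

EXTENSION = "io.payclaw.common.identity"  # extension name from the page's manifest

# Constructed sample request, shaped like the page's identity_declaration payload.
DECLARED_REQUEST = {
    "identity_declaration": {"credential_provider": EXTENSION, "badge_status": "declared"}
}


def introspection_endpoint(metadata: dict) -> str:
    """Read the RFC 7662 endpoint from an RFC 8414 metadata document."""
    url = metadata.get("introspection_endpoint")
    if not isinstance(url, str) or not url.startswith("https://"):
        raise ValueError("metadata has no HTTPS introspection_endpoint")
    return url


def decide(required: bool, request: dict, token: Optional[str],
           introspect: Callable[[str], dict]) -> str:
    """Return 'declared', 'undeclared' or 'requires_escalation'.

    `introspect` is a hypothetical caller-supplied function that sends the
    token to the introspection endpoint and returns the parsed JSON reply.
    """
    # The merchant's config.required decides what an unverified agent gets.
    fallback = "requires_escalation" if required else "undeclared"
    decl = request.get("identity_declaration")
    if not isinstance(decl, dict):
        return fallback
    # badge_status is the agent's own claim: a reason to verify, not proof.
    if decl.get("credential_provider") != EXTENSION:
        return fallback
    if decl.get("badge_status") != "declared" or not token:
        return fallback
    try:
        reply = introspect(token)
    except Exception:
        # Assumption: a failed or slow lookup is treated like a missing badge,
        # so checkout still proceeds when required is false.
        return fallback
    # RFC 7662 makes "active" the one required member; accept only boolean True.
    if isinstance(reply, dict) and reply.get("active") is True:
        return "declared"
    return fallback
```

The decision never rests on badge_status alone: a request that claims "declared" but fails introspection is handled exactly like one with no declaration.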
Coming Soon
Install PayClaw KYA from the Shopify App Store. One-click install. No coding. No configuration.
For beta or non-Shopify integration, contact merchants@payclaw.io.
Source code
The io.payclaw.common.identity extension is open source under the MIT license.
- Protocol spec + examples: github.com/payclaw/ucp-agent-badge
- JSON Schema: payclaw.io/ucp/schemas/identity.json
- OAuth metadata: payclaw.io/.well-known/oauth-authorization-server
- UCP specification: ucp.dev
Agent-side implementation: [badge-server]