Demo: https://youtu.be/1ZPB_n6v6EI OpenBotAuth: https://github.com/OpenBotAuth/openbotauth
Voice agents are getting PCI compliance, however checkout is done manually today. Either by sharing a payment link to the client or OTP. For payments over voice to be compliant with SCA, a signed cart or signed session token by the agent paying on user's behalf can be provided in runtime.
In the demo, the user has two voice agents: – Pete, a shopping sub-agent that helps pick products and build the cart – Penny, a checkout sub-agent that confirms the total and authorizes payment
>Flow overview: 1- Pete adds items to the cart on a merchant-style fashion site. 2- At checkout, Pete hands off to Penny, the user’s payment agent. 3- Penny confirms the total and asks for explicit consent. 4- The checkout request is signed with HTTP Message Signatures (RFC 9421) using Pete’s OpenBotAuth key. 5- The merchant verifies the Signature-Agent header by calling the OpenBotAuth registry, which returns the correct public key (via a Web Bot Auth compatible key directory). 6- Once the HTTP signature and TAP objects are verified, a Visa TAP-style mock issuer authorizes the payment and the UI shows the full sequence diagram and console events.
>Notes: – The Visa lane in this demo uses a mock issuer implemented from Visa’s public TAP (Trusted Agent Protocol) reference. This is not an official Visa integration. – Pete and Penny are modelled as user-owned agents, not merchant bots; they’re visually embedded in the page here just to make the flow easy to see on a single screen. - Sub-Agents are registered in OpenBotAuth with a hosted Signature Agent Card/JWKS.
If you're integrating a voice agent on your website, we'd love to get your feedback.
0 comments