Pair Verifiable Intent Payments with Verifiable Intent Email

Mastercard signs the payment. MultiMail signs the message. Together they form a single cryptographic chain from human authorization to agent action.

The problem

Why this matters

Mastercard launched Verifiable Intent in 2026 — a payment-network authentication layer that links every AI agent transaction back to explicit human authorization. Consumers define spending mandates through their banking app, issuers generate signed credentials, agents present them at checkout, and Google's Agent Payments Protocol is interoperable. The framework went live in LATAM and is expanding globally. The architecture is unmistakable: identity (who authorized), intent (what action is permitted), and action (the cryptographically-signed transaction itself). Mastercard built the payment-domain version of what NIST is converging on for general agent identity.

Email is the other half of the agent-action surface. When an agent transacts on a human's behalf, a confirmation email follows. When an agent negotiates terms, escalates an exception, or coordinates with another party, the medium is email. Without a matching signed-identity layer for those messages, the audit chain has a hole in it. The EU Product Liability Directive treats both payment and messaging as agent actions; courts will not separate the two.

The solution

How MultiMail closes the chain

MultiMail attaches the X-MultiMail-Identity header to every outbound message — an ECDSA P-256 signed JSON claim containing operator identity, mailbox, oversight mode, and timestamps. The signature is verifiable against the domain-anchored public key at /.well-known/multimail-signing-key. This is the email-domain implementation of the same trust pattern Mastercard built for payments: cryptographic proof of authorization at time of action, anchored to a verifiable identity, time-bounded by scope and key lifetime.

Operationally: human grants intent in their banking app → agent transacts (Mastercard Verifiable Intent credential signed) → agent confirms via email (MultiMail signed identity attached). Three signatures, one chain, end-to-end verifiable by the recipient, the issuer, the operator, and any auditor reading the trail later.

1

Provision agent identity

Create a MultiMail mailbox tied to the operator domain. The same domain that anchors your DKIM/DMARC infrastructure now anchors the agent's signed identity claims.

2

Scope the API key for time-bounded delegation

Issue a scoped API key matching the time window of the Mastercard intent credential (up to 7 days). The agent gets exactly the email permissions it needs for the duration of the human-granted mandate — no longer.

3

Agent transacts with Mastercard Verifiable Intent

The agent presents the signed Mastercard credential at checkout. The issuer validates the credential, the merchant routes the transaction, and the consumer gets a real-time push notification — everything Mastercard already provides.

4

Agent sends confirmation email with signed identity

Immediately after the transaction, the agent sends a confirmation email. MultiMail attaches the X-MultiMail-Identity header. The recipient's mail server (or a downstream auditor) verifies the signature against the public key at /.well-known/multimail-signing-key.

5

Export the joint audit chain

Pull MultiMail audit logs and align them with Mastercard transaction records. Each row carries the agent's signed identity. The result is a unified evidence package: payment + message, signed at both legs, attributable to the same human-granted mandate.

Code examples

Implementation

Mastercard credential and MultiMail claim side by side
json
"cm"># Mastercard Verifiable Intent credential (illustrative shape)
{
  "iss": "issuer.bank.example",
  "sub": "agent:order-bot-42",
  "intent": {
    "mcc_allow": ["5734", "5942"],
    "cap_usd": 500,
    "exp": 1714521600
  },
  "sig": "..."
}

"cm""># MultiMail X-MultiMail-Identity claim (the email-domain twin)
{
  "iss": "multimail.example.com",
  "sub": "agent:order-bot-42",
  "mailbox": "mb_01HX...",
  "oversight_mode": "monitored",
  "exp": 1714521600,
  "sig": "..."
}

Same agent subject, same expiration window, same cryptographic trust model — in two different domains.

Verify the MultiMail signed identity (Python)
python
import requests, json, base64
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives import hashes, serialization

def verify_multimail(identity_header: str) -> dict:
    """Verify X-MultiMail-Identity against the domain-anchored public key."""
    payload_b64, sig_b64 = identity_header.split(".")

    "cm"># Pull the public key from the well-known endpoint (cache 24h)
    jwk = requests.get(
        "https://multimail.dev/.well-known/multimail-signing-key"
    ).json()

    pad = "=" * (4 - len(payload_b64) % 4)
    payload = json.loads(base64.urlsafe_b64decode(payload_b64 + pad))

    "cm"># ECDSA P-256 verification
    pub_key = ec.EllipticCurvePublicNumbers(
        x=int.from_bytes(base64.urlsafe_b64decode(jwk["x"] + pad), "big"),
        y=int.from_bytes(base64.urlsafe_b64decode(jwk["y"] + pad), "big"),
        curve=ec.SECP256R1()
    ).public_key()
    pub_key.verify(
        base64.urlsafe_b64decode(sig_b64 + pad),
        payload_b64.encode(),
        ec.ECDSA(hashes.SHA256())
    )
    return payload  "cm"># {operator, mailbox, oversight_mode, exp, ...}

No tenant access, no shared secrets — the public key is the only dependency. Verification works for any recipient or auditor.

Webhook payload showing signed identity on a transactional confirmation
json
{
  "event": "outbound.delivered",
  "message_id": "msg_01HX9P...",
  "mailbox_id": "mb_01HX...",
  "to": "[email protected]",
  "subject": "Order confirmed: ORD-42",
  "identity_header": "eyJpc3MiOiJtdWx0aW1haWwuLi4u.MEUCIQ...",
  "agent_ref": "agent:order-bot-42",
  "mastercard_credential_ref": "mc_intent_a91c...",
  "timestamp": "2026-04-19T10:14:32Z"
}

Cross-reference agent_ref across both signed payloads to reconstruct the joint audit chain.

Why this works

Built for the joint exposure

Same Trust Pattern, Two Domains

Mastercard's identity / intent / action structure for payments has the same shape as MultiMail's operator / scope / signed-action structure for email. The two compose into one chain.

Time-Bounded Delegation

Mastercard credentials expire in 7 days; MultiMail scoped API keys plus oversight modes give the same time-bounded delegation for messaging. When the human revokes, both legs fail closed.

End-to-End Signed Chain

Three independently-verifiable signatures: human-granted Mastercard credential, agent-presented transaction, MultiMail-signed confirmation. Every leg attributable to the same mandate.

Liability-Ready

The EU Product Liability Directive doesn't separate payment from messaging when assigning operator liability. Paired signed chains close the joint exposure with cryptographic evidence courts can verify directly.

FAQ

Common questions

What is Mastercard Verifiable Intent?
Mastercard Verifiable Intent is a payment-network authentication layer launched in 2026 that creates cryptographically signed intent credentials linking every AI agent transaction back to explicit human authorization. Consumers define spending mandates (merchant categories, caps, time windows) through their banking app, issuers generate signed tokenized credentials, and agents present those credentials at checkout. Credentials expire in 7 days, after which the agent must re-authorize. Google's Agent Payments Protocol is interoperable.
How does MultiMail's signed identity relate to Verifiable Intent?
They implement the same trust pattern in two different domains. Mastercard signs the payment authorization. MultiMail signs the email sender identity (X-MultiMail-Identity, ECDSA P-256, domain-anchored public key at /.well-known/multimail-signing-key). Together they form a single cryptographic chain: human grants intent → agent transacts (Mastercard signed) → agent confirms via email (MultiMail signed). Every leg is independently verifiable by downstream parties.
How do scoped API keys give time-bounded delegation?
Mastercard credentials expire in 7 days; MultiMail offers similar time-bounded delegation through scoped API keys plus per-mailbox oversight modes. A key can be limited to a single mailbox, a single set of scopes (send only, no oversight changes), and a finite lifetime. When the human revokes, both the next payment and the next email fail closed.
Why does this matter for the EU Product Liability Directive?
The EU Product Liability Directive treats both payment and messaging as agent actions for liability purposes. Operators of agentic systems are on the hook when an agent acts incorrectly. Paired signed chains (Verifiable Intent for the transaction, MultiMail signed identity for the surrounding emails) close the joint exposure: every action is attributable, time-bounded, and cryptographically verifiable in court. Without both, liability allocation becomes a forensic exercise.
Related

Explore more

Agent Identity Standards

NIST · identity

View use case →

EU Product Liability for Agents

liability · legal

View use case →

EU AI Act Email Compliance

disclosure · legal

View use case →
Get started

The only agent email with a verifiable sender

Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a 38-tool MCP server. Formally verified in Lean 4.

Read the Docs See Pricing