Agent Pay · Ledger Systems Manual · Vol. 01
Plate 27 · Authorization & Release

An AI agent can’t move your money until your live face says yes.

Agents now hold real spend authority. ShipSafe binds every payment to a live, enrolled human face and a single, specific action — the three things a checkbox approval can’t prove.

a live face moves the money.
See the mechanismRead the proof
Proven on production · 4 Jun 2026 · wallet $5 → $0
Fig. 1 — the release gate: a live face authorizes the agent’s draw.
Fig. 1 — the release gate: a live face authorizes the agent’s draw.
In plain terms

A prepaid wallet for your agent.

You load it. Your agent spends it. Your live face guards every spend.

Agent Pay is a prepaid debit card for your AI agent — and your live face is the PIN that can’t be stolen, copied, or reused.

  1. OPEN

    Your agent gets a wallet.

    A prepaid balance that lives at ShipSafe — stored value, like a transit card. Not your bank login, not your raw card number.

  2. LOAD

    You fill it with a card.

    Top up with a normal credit card through Stripe — $10, $25, $50, or any amount up to $1,000. That balance is the most your agent can ever touch.

  3. SPEND

    Your agent draws it down.

    Every paid tool call comes out of the wallet, never your card. When it hits zero the agent is stopped with a top-up link — never a surprise bill.

  4. APPROVE

    Your face releases the money.

    Before a charge clears, your live enrolled face approves that exact spend. A leaked token or a deepfake can’t move a cent.

The exposure

The agent holds the wallet now.

Agents spend on their own.

MCP tools cost money — compute, data, fixes, API calls. The agent decides when to pull the trigger.

Today’s approval is a checkbox.

A reused API key or a one-click “allow.” It can be phished, replayed, and proves nothing about who — or what — is on the other end.

No proof a human is present.

Nothing verifies a real, specific person agreed to this exact charge. That’s the gap between “automated” and “authorized.”

The mechanism

Six steps from request to debit.

No money moves until step six — and step six can’t happen without a live face at step three.

  1. Fig. 2
    REQUEST

    The agent asks to spend.

    An autonomous agent calls a paid tool. Instead of charging, ShipSafe answers HTTP 202 — approval required. No money has moved.

  2. Fig. 3
    HAND-OFF

    A deep-link goes to a human.

    The agent can’t self-approve. It surfaces a one-time approval link to a person. The decision leaves the machine entirely.

  3. Fig. 4
    LIVENESS

    Prove a live human.

    AWS Face Liveness confirms a real, present person — not a photo, a screen, or a deepfake. A flat image is rejected on sight.

  4. Fig. 5
    MATCH

    Prove the right human.

    The live face is matched against the enrolled identity. Liveness alone isn’t enough — it has to be the person authorized to spend.

  5. Fig. 6
    MINT

    Mint a single-use seal.

    On a pass, FaceGate mints a signed assertion bound to this one action, with a unique id (jti). One action. One token. Once.

  6. Fig. 7
    REDEEM

    Redeem, burn, debit.

    The agent re-submits with the assertion. ShipSafe redeems it, FaceGate burns the jti so it can never replay, and the wallet debits.

What the approval binds to

Four bindings and a paper trail.

A generic approval grants access. ShipSafe binds it — to a live human, an identity, an action, and a single use.

ShipSafe agent-pay illustration
BOUND TO A LIVE HUMAN

Liveness

Anti-deepfake. A present, living face — not a photo, replay, or generated likeness.

ShipSafe agent-pay illustration
BOUND TO AN IDENTITY

Face match

Matched to the enrolled person. Not just “a human” — the right human.

ShipSafe agent-pay illustration
BOUND TO ONE ACTION

Action binding

The approval unlocks this exact tool call and amount. Nothing else it touches.

ShipSafe agent-pay illustration
BOUND TO ONE USE

Single-use

The assertion is burned on redemption. No replay, no second charge.

ShipSafe agent-pay illustration
RECORDED

Audited ledger

Every approved spend lands as a ledger line with the assertion it redeemed.

Both sides of the glass

What the agent sees. What the human sees.

Fig. 13 — the agent’s view
Fig. 13 — the agent’s view

The agent is stopped, not trusted.

The tool call comes back 402 / approval required. The agent can keep working, but it cannot spend until a human closes the loop.

Fig. 14 — the human’s view
Fig. 14 — the human’s view

The human sees exactly what they’re signing.

One action, one amount, one face scan. Approve releases a single-use seal — not a standing permission.

Why it’s structural

What a generic approval can’t do.

This isn’t a feature race. It’s a shape an access-token approval structurally can’t take.

Generic agent approval
  • Proves a human is present
  • Proves which human
  • Bound to one specific action
  • Can’t be replayed
  • Survives a stolen token
ShipSafe action-binding
  • Proves a human is present
  • Proves which human
  • Bound to one specific action
  • Can’t be replayed
  • Survives a stolen token
a leaked token is worthless without your live, present face. that’s the moat.
Not a mockup

A live face moved real money on production.

On 4 June 2026, a live human face authorized an autonomous agent to draw down a real wallet — end to end, through the full chain below. No staging, no mock.

$5 → $0
wallet, debited
202 → 200
gated, then released
1 / 1
jti, burned
wallet_ledger — entry
credit13:53Z · funding+500 ¢
debit18:00:40Z · agent draw−500 ¢
balance500 → 00 ¢
assertion redeemed · jti burned · replay-proof

Give your agents a wallet you can actually trust.

Talk to us →What is ShipSafe?