Agent Commerce
Modei includes a complete agent-to-agent economy layer. Agents can discover services, negotiate terms, transact, and settle, all cryptographically verifiable, all tamper-proof.
The Four Pillars
Permission Catalogs
Service providers publish immutable, signed catalogs defining what actions they offer, at what price, with what service-level agreement (SLA) guarantees. Agents can verify the terms locally, no trust in the discovery server required.
Read more →Service Discovery
GET /api/discover, public, no auth, cached 60s. Agents find services by capability, filter by price and SLA, and receive cryptographically verifiable results.
Read more →Bilateral Metering
Both parties hold signed consumption attestations for every transaction. Settlement aggregates CAs with bigint math (no floats), batch-verifies signatures, and produces immutable summaries.
Read more →Anti-Bait-and-Switch
Passports are pinned to a catalog_content_hash at issuance. If the operator changes terms, existing passports continue under the original terms. The reissue flow gives agents a breaking-change diff before they accept new terms.
Read more →The Commerce Flow End-to-End
Operator publishes catalog
Defines permissions, pricing, SLA. Published as signed snapshot. Gate becomes discoverable.
Agent discovers service
GET /api/discover?capability=api:search, gets result with catalog_signature for local verification.
Agent verifies terms
Recomputes content hash, verifies Ed25519 (an industry-standard elliptic curve signing algorithm) signature. Confirms the terms haven't been tampered with.
Operator issues passport
Pinned to catalog version (catalog_content_hash), immutable at issuance. Price and SLA are locked in.
Agent calls the API
Gate enforces: the enforcement layer evaluates constraints. On allow, consumption attestation is automatically issued.
Both parties hold receipts
Signed consumption attestations, bilateral, cryptographic proof of every transaction.
Monthly settlement
POST /api/billing, aggregates CAs, verifies signatures, bigint math, immutable summary. Status machine: pending → invoiced → paid.
Why Bilateral Metering?
Traditional billing systems rely on the operator's word for how much was consumed. With bilateral metering, both parties hold signed receipts for every transaction.
If there's ever a billing dispute, the cryptographic receipts resolve it. Neither party can unilaterally inflate or deflate the transaction count, the Ed25519 signatures on each consumption attestation are mathematically unforgeable.
No floating-point arithmetic
All amounts are stored and computed as bigint in cents. No rounding errors, no floating-point drift. Platform fees use ceiling division for precision.
Nonce replay protection
UNIQUE constraint on (nonce, passport_id, gate_id) prevents double-billing. Nonces are purged hourly after 24h.
MCP tools for commerce
| Tool | Description |
|---|---|
| publish_catalog | Build, sign, and publish a catalog snapshot atomically. |
| get_catalog | Fetch published catalog by version. |
| list_catalog_versions | List all published versions (metadata only). |
| discover_services | Trustless service discovery by capability. |
| reissue_passport | Re-issue with catalog version pin update, with breaking change diff. |
| issue_consumption_attestation | Record service usage (bilateral metering). |
| generate_settlement | Aggregate and settle a billing period. |
| get_billing_summary | List settlements with filters. |
| update_settlement_status | Transition settlement status (pending → invoiced → paid). |
| get_sla_compliance | SLA compliance metrics for a gate and period. |
Deep Dives
- Permission Catalogs, Building, publishing, and versioning signed catalogs.
- Service Discovery, How agents find and verify your service.
- Billing & Metering, Consumption attestations, settlement, SLA compliance.
- Anti-Bait-and-Switch, Passport pinning and the consent reissue flow.
- Commerce API Reference, All commerce endpoints.