Verifiable Intent is an open specification, co-developed by Mastercard and Google, for cryptographically capturing what a user authorized an AI agent to do. Specifically, it defines SD-JWT credentials with eight cryptographic constraint types covering non-payment intent — access, action, delegation scope. Mastercard announced Verifiable Intent on March 5, 2026 as a v0.1 draft under Apache 2.0. Importantly, Mastercard then contributed it to the FIDO Alliance in April 2026 alongside Google’s Agent Payments Protocol (AP2). In short, the two specs are designed to interoperate — the spec’s user-delegation credentials feed into AP2’s Intent Mandate when the agent action is a purchase.
- What is Verifiable Intent?
- How Verifiable Intent works
- Verifiable Intent in the FIDO Alliance
- Verifiable Intent vs AP2 vs other agent identity standards
- What this means for builders
- Builder’s take
- Frequently asked questions
- When did Verifiable Intent launch?
- Is Verifiable Intent open source?
- How does Verifiable Intent differ from AP2?
- What is SD-JWT?
- Who built Verifiable Intent?
- Primary sources
What is Verifiable Intent?
Verifiable Intent is an open specification for cryptographically capturing what a user authorized an AI agent to do. Specifically, it defines a credential format — based on SD-JWT (Selective Disclosure JSON Web Tokens) — that records the user’s instruction, the agent’s identity, and the scope of permitted actions. Then downstream services can verify the credential before letting the agent act on the user’s behalf. As a result, agent actions become auditable end-to-end.
Mastercard announced Verifiable Intent on March 5, 2026, co-developed with Google, as a v0.1 draft under Apache 2.0. Importantly, the spec is broader than AP2 — it covers non-payment intent (access permissions, action constraints, delegation scope) as well as payment-specific cases. In April 2026, Mastercard contributed Verifiable Intent to the FIDO Alliance alongside AP2, giving both specs vendor-neutral governance under the same standards body.

📌 Quick definition. Verifiable Intent is an SD-JWT-format credential specification for capturing user-to-agent delegation cryptographically. Open spec under Apache 2.0, co-developed by Mastercard and Google, contributed to the FIDO Alliance in April 2026. Specification at verifiableintent.dev.
How Verifiable Intent works
The core primitive in Verifiable Intent is a credential — an SD-JWT signed by the user’s authenticator that captures what they authorized. Specifically, the credential includes the user’s identity, the agent’s identity, and an array of constraints that bound what the agent can do. Then the agent presents this credential to downstream services. As a result, services can verify cryptographically that the agent’s intended action falls within the user’s authorization.
The eight constraint types
The v0.1 draft defines eight cryptographic constraint types:
- Action constraints — what the agent is allowed to do (browse, purchase, send).
- Resource constraints — which APIs or domains the agent can interact with.
- Monetary constraints — spending limits.
- Time constraints — when the authorization expires.
- Geographic constraints — where the action can happen.
- Counterparty constraints — which merchants the agent can transact with.
- Identity constraints — which sub-agents in a delegation chain can act.
- Data-handling constraints — what personal data the agent can disclose.
Selective disclosure
The SD-JWT format gives Verifiable Intent a privacy property that traditional JWTs lack. Specifically, the user signs the full credential, but the agent can selectively reveal only relevant constraints to each downstream service. By contrast, a traditional JWT requires revealing the entire payload. As a result, the agent can prove to a merchant “the user authorized a purchase under $500” without also revealing where the user lives or how long the authorization lasts.
“People need to trust that these actions are secure, authorized and truly reflect their intent.”
Andrew Shikiar, FIDO Alliance CEO — April 28, 2026
Verifiable Intent in the FIDO Alliance
Mastercard contributed Verifiable Intent to the FIDO Alliance on April 28, 2026, the same day Google donated AP2. Specifically, both specifications now sit within the FIDO Alliance’s new Agentic Authentication and Payments Technical Working Groups. As a result, the spec gains the same vendor-neutral governance, multi-stakeholder review, and durability that AP2 gains.
Importantly, the donation also locks in the spec’s interoperability with AP2. By design, the spec’s user-delegation credentials are intended to feed into AP2’s Intent Mandate when the agent action is a purchase. In short, the two specs were designed together, by the same teams, to compose. Notably, both teams emphasize that Verifiable Intent works for non-payment intent too — making it broader in scope than AP2 alone.
#Mastercard and @Google present Verifiable Intent, a solution designed to secure purchases made by AI.
At a time when #AI agents are beginning to make our purchases, commerce is entering a new dimension.
As this transformation accelerates,…
— Mastercard France (@MastercardFR) March 24, 2026
Verifiable Intent vs AP2 vs other agent identity standards
Verifiable Intent isn’t the only agent-related credential specification. Three other standards address related but distinct questions. Specifically, AP2 is payment-specific; Verifiable Intent is broader. FIDO Agentic Authentication is the governing framework; Verifiable Intent is a specific credential format. Web Bot Auth operates at HTTP transport; Verifiable Intent at the credentials layer. In short, the four are complementary.
⚠️ What is still missing. Three load-bearing questions remain open in the v0.1 draft. First, revocation — how does a user invalidate a credential they already issued? The spec defers this to the FIDO Alliance’s broader revocation work. Next, multi-agent delegation chains — when an orchestrator agent dispatches to sub-agents, how does each handoff preserve the original intent? Finally, audit trail composition — when an action spans multiple services, who produces the unified audit log?
| Standard | Scope | Format | Governance |
|---|---|---|---|
| Verifiable Intent | All agent actions (payment + non-payment) | SD-JWT with 8 constraint types | Open spec → FIDO Alliance (April 2026) |
| AP2 | Payment authorization | Verifiable Credentials (3 Mandates) | FIDO Alliance (April 2026) |
| FIDO Agentic Authentication | User-to-agent delegation framework | Working Group umbrella | FIDO Alliance (April 2026) |
| Web Bot Auth | HTTP-layer agent identity | HTTP Message Signatures (RFC 9421) | IETF (chartered 2026) |
What this means for builders
First, if you build an agent runtime, plan to accept the credentials as the authoritative signal that an action is user-authorized. In short, your runtime’s authorization layer reads the SD-JWT’s constraints and bounds the agent’s behavior accordingly.
Next, if you operate a SaaS product that agents will interact with, verify the credentials at the API boundary. Specifically, your API should accept the credential, verify the user’s signature, check the action constraint matches the requested operation, and only then allow the call. As a result, your API gains audit-grade authorization data without depending on any specific agent runtime.
Finally, if you build a payment-facing product, Verifiable Intent will likely feed into AP2’s Intent Mandate as the user-delegation layer. In short, the two specs are designed together. By contrast, building only against AP2 misses the broader non-payment intent capture that Verifiable Intent enables.
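The API-boundary check from the SaaS case above, combined with the selective-disclosure mechanics described earlier, as an added example (not code from the Verifiable Intent specification or its authors): the user signs only salted digests, the agent reveals a subset, and the API verifies signature, digests and constraints before allowing the call. The claim names `action` and `max_amount`, the demo key, and HMAC standing in for the authenticator's asymmetric signature are assumptions; key binding and expiry checks are left out.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"  # assumption: HS256 stands in for the authenticator's signature

def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def disclosure(name: str, value) -> str:
    # SD-JWT disclosure: base64url of the JSON array [salt, claim name, claim value]
    return b64(json.dumps([b64(secrets.token_bytes(16)), name, value]).encode())

def digest(disc: str) -> str:
    return b64(hashlib.sha256(disc.encode()).digest())

def sign(signing_input: str) -> str:
    return b64(hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest())

def issue(constraints: dict):
    """User side: sign only the salted digests; the values travel separately."""
    discs = {name: disclosure(name, value) for name, value in constraints.items()}
    payload = {"_sd_alg": "sha-256", "_sd": sorted(digest(d) for d in discs.values())}
    signing_input = ".".join(b64(json.dumps(part).encode()) for part in ({"alg": "HS256"}, payload))
    return signing_input + "." + sign(signing_input), discs

def present(jwt: str, discs: dict, reveal: list) -> str:
    """Agent side: attach only the disclosures this verifier needs."""
    return "~".join([jwt] + [discs[name] for name in reveal]) + "~"

def verify(presentation: str, action: str, amount: float) -> bool:
    """API side: signature first, then digests, then the constraint check."""
    jwt, *rest = presentation.split("~")
    signing_input, _, sig = jwt.rpartition(".")
    if not hmac.compare_digest(sig.encode(), sign(signing_input).encode()):
        return False
    signed = json.loads(unb64(signing_input.split(".")[1]))["_sd"]
    claims = {}
    for disc in filter(None, rest):
        if digest(disc) not in signed:
            return False  # value was never covered by the user's signature
        _salt, name, value = json.loads(unb64(disc))
        claims[name] = value
    # Fail closed: a withheld constraint is treated as unmet, not as unlimited.
    return action in claims.get("action", []) and amount <= claims.get("max_amount", -1)
```

The verifier rejects a presentation that omits a constraint it needs, so an agent cannot widen its authority by simply not disclosing the spending limit.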
Builder’s take
Verifiable Intent is the spec I keep coming back to when I think about Cyntr’s authorization layer. Today my agents use coarse API-key permissions; the spec’s 8 constraint types are exactly the granularity I’d want. The SD-JWT selective disclosure is the killer feature — agents can prove they’re authorized for one specific action without leaking everything else the user authorized. That privacy property is what unlocks enterprise trust.
- If you build a SaaS product that AI agents will interact with, design your authorization model around the spec’s 8 constraints — even before the spec is final. The eight types map cleanly to real-world permission scopes you’d want anyway.
- The “designed with AP2” framing matters. Verifiable Intent is the user-delegation layer; AP2 is the payment leg. Builders should adopt them together, not separately. The two-credential composition is the design feature, not an integration overhead.
- Watch the FIDO Alliance Working Group output over the next 12 months — the missing piece is revocation, and how it’s solved will shape whether enterprises trust the spec at scale. Without good revocation, even the best constraint model fails the legal-team review.
Frequently asked questions
When did Verifiable Intent launch?
Mastercard announced Verifiable Intent on March 5, 2026 as a v0.1 draft under Apache 2.0, co-developed with Google. Then on April 28, 2026, Mastercard contributed Verifiable Intent to the FIDO Alliance alongside Google’s AP2.
Is Verifiable Intent open source?
Yes. The specification at verifiableintent.dev is open under Apache 2.0. Since April 2026, the FIDO Alliance governs the spec with vendor-neutral policies. Reference implementations and tooling are being developed under the FIDO Alliance Agentic Authentication Working Group.
How does Verifiable Intent differ from AP2?
AP2 is payment-specific — it handles the authorization of agent-initiated transactions. By contrast, Verifiable Intent is broader — it covers all agent actions (purchases, but also access, delegation, data handling). In short, the spec’s user-delegation credentials feed into AP2’s Intent Mandate when the agent action is a purchase. The two were designed together to compose.
What is SD-JWT?
SD-JWT (Selective Disclosure JSON Web Tokens) is an IETF draft standard for JWTs that let the holder reveal only a subset of claims to each verifier. Specifically, Verifiable Intent uses SD-JWT so an agent can prove to a merchant “the user authorized a purchase under $500” without revealing other constraints (location, time, identity details). As a result, Verifiable Intent provides privacy that traditional JWTs cannot.
Who built Verifiable Intent?
Mastercard and Google co-developed Verifiable Intent. Specifically, Mastercard led the credential format design; Google contributed the integration story with AP2 and the broader agent identity framework. Both contributed the spec to the FIDO Alliance in April 2026 for vendor-neutral governance.
Primary sources
- Verifiable Intent — official specification site
- Mastercard — Verifiable Intent newsroom story — March 5, 2026
- FIDO Alliance — Trusted AI Agent Interactions announcement — April 28, 2026
- PYMNTS — Google and Mastercard Contribute Agentic Commerce Standards to FIDO Alliance
- IETF SD-JWT specification draft
Last updated: May 20, 2026.