Configure your Apple Pay payment request to include a recurring payment configuration object; without one of Apple's recurring payment configurations in the request, Apple returns a DPAN (device-specific token) rather than an MPAN (merchant-specific token), which is device-locked and not suitable for agent-initiated recurring charges
Include a managementURL field in the recurring payment configuration pointing to a page on your site where the customer can view and revoke the recurring authorization; Apple requires this URL as part of MPAN issuance
Provide a tokenNotificationURL where Apple will POST lifecycle events affecting the MPAN (e.g., card update, suspension, revocation); your handler must update your stored token record in response to these events before the next billing cycle
Store the MPAN token (not the raw card number) in your vault alongside the associated cryptogram; when the agent initiates a charge, request a new cryptogram for each transaction using the MPAN — do not reuse cryptograms
Submit merchant-initiated transaction (MIT) indicators in your authorization request when the agent charges without the customer present; Apple Pay and the downstream card networks require MIT flagging for recurring charges that occur outside a customer session
Refer to the Apple Pay Merchant Integration Guide (March 2026 edition) for current field names and required parameters; Apple updates this guide with each major OS release and some field names differ from third-party documentation
Known gotchas
MPANs are device-independent but issuer-dependent: the issuer must support the MPAN scheme, and not all issuers globally have enrolled — a DPAN fallback strategy is necessary for buyers whose issuer does not support MPANs
Cryptograms have a short validity window (refer to current Apple documentation for the exact duration); an agent that fetches a cryptogram and then waits for human approval before submitting the auth may find the cryptogram has expired, requiring a new MPAN transaction initiation
Apple does not provide a direct developer API to proactively request MPAN creation; the MPAN is issued by Apple only in response to a valid Apple Pay session — you cannot pre-provision MPANs for agent use outside of that flow
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp