Implement agent identity verification using W3C Verifiable Credentials and Decentralized Identifiers so merchants can cryptographically authenticate an agent's mandate and principal before accepting payment

domain: w3.org/TR/vc-data-model · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. Adopt a W3C Verifiable Credentials (VC) library (e.g., the VC.js reference implementation or a framework-specific equivalent); understand the three-party model: the Issuer (the agent platform or wallet provider), the Holder (the agent), and the Verifier (your merchant endpoint)
  2. Require inbound agents to present a VC asserting: (a) the agent's registered identity with a known issuer (such as a Visa Agentic Directory entry or an AP2-compatible Credential Provider), (b) the principal's authorization scope, and (c) an expiry timestamp; reject credentials whose issuer DID is not on your trust list
  3. Resolve the issuer's DID Document from the appropriate DID method registry to retrieve the public key used to verify the credential signature; cache DID Documents with a TTL aligned to the DID method's update propagation time — do not serve stale DID Documents past their validity period
  4. For AP2 mandate flows: verify the chain of Mandates (Intent, Cart, Payment) as a VC chain where each mandate's subject DID matches the preceding mandate's holder; a break in the chain means an unauthorized party assembled the cart or payment credential
  5. Implement revocation checking: AP2 mandates and issuer-published VCs may carry a credentialStatus field pointing to a status list or revocation registry; query this before finalizing any payment authorization
  6. Log the full verified credential chain — issuer DID, subject DID, mandate hashes, verification timestamp — as your non-repudiation audit record; this is the dispute-grade evidence that the human principal authorized the agent action
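The six steps above combined into one verifier routine, added here as an illustration; it is not code from this route, from AP2, or from any VC library. Assumptions: the credential layout (a `holder` field, `validUntil`, a base64 Ed25519 proof over `JSON.stringify` of the credential), the `did:example` identifiers, the `issue` helper, and the in-memory trust list, DID resolver and status list are all constructed for the example; a production verifier would use its VC library's canonicalization and proof verification instead.

```javascript
const crypto = require('node:crypto');
// Constructed issuer and key pair; a real verifier gets the key from the DID Document.
const ISSUER = 'did:example:platform';
const issuerKeys = crypto.generateKeyPairSync('ed25519');
const TRUSTED_ISSUERS = new Set([ISSUER]);                 // step 2: trust list
const didDocs = new Map([[ISSUER, issuerKeys.publicKey]]); // step 3: stand-in for DID resolution
const revoked = new Set();                                 // step 5: stand-in for a status list

// Assumed proof format: Ed25519 over the JSON of the credential without its proof.
const payload = (vc) => Buffer.from(JSON.stringify({ ...vc, proof: undefined }));
const digest = (vc) => crypto.createHash('sha256').update(payload(vc)).digest('hex');

// Hypothetical helper that plays the issuer so the sample chain can be built offline.
function issue(type, subject, holder, validUntil) {
  const vc = { type, issuer: ISSUER, holder, credentialSubject: { id: subject },
    validUntil, credentialStatus: { id: `urn:example:status#${type}` } };
  const proof = crypto.sign(null, payload(vc), issuerKeys.privateKey).toString('base64');
  return { ...vc, proof };
}

function verifyChain(mandates, now = new Date()) {
  const fail = (reason, vc) => ({ ok: false, reason: vc ? `${reason} (${vc.type})` : reason });
  if (mandates.map((m) => m.type).join() !== 'Intent,Cart,Payment') return fail('incomplete chain');
  let prevHolder = null;
  for (const vc of mandates) {
    if (!TRUSTED_ISSUERS.has(vc.issuer)) return fail('untrusted issuer', vc);
    const key = didDocs.get(vc.issuer);
    const sig = Buffer.from(String(vc.proof), 'base64');
    if (!key || !crypto.verify(null, payload(vc), key, sig)) return fail('bad signature', vc);
    if (!(new Date(vc.validUntil) > now)) return fail('expired', vc);
    if (revoked.has(vc.credentialStatus?.id)) return fail('revoked', vc);
    // Step 4: this mandate's subject must be the previous mandate's holder.
    if (prevHolder !== null && vc.credentialSubject.id !== prevHolder) return fail('chain break', vc);
    prevHolder = vc.holder;
  }
  // Step 6: audit record with issuer DID, subject DID, mandate hash, and timestamp.
  const chain = mandates.map((vc) =>
    ({ issuer: vc.issuer, subject: vc.credentialSubject.id, hash: digest(vc) }));
  return { ok: true, audit: { verifiedAt: now.toISOString(), chain } };
}

// Constructed sample chain (all DIDs and dates are made up for the example).
const FUTURE = '2999-01-01T00:00:00Z';
const sampleChain = [
  issue('Intent', 'did:example:principal', 'did:example:agent', FUTURE),
  issue('Cart', 'did:example:agent', 'did:example:agent', FUTURE),
  issue('Payment', 'did:example:agent', 'did:example:agent', FUTURE),
];
console.log(verifyChain(sampleChain));
```

Every failure path returns before the audit record is built, so a logged record always corresponds to a chain that passed all checks.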
