Design and enforce scoped payment credentials with spend controls for agent mandates using Stripe Shared Payment Tokens and OAuth-gated Link wallet authorization

Verified steps

1. Study the Shared Payment Token (SPT) specification in Stripe's documentation; SPTs are a machine-native payment credential that encode scope controls (amount ceiling, currency, merchant scope) before the token is released to an agent — the agent never sees raw card credentials
2. Implement the Link wallet OAuth flow: a consumer authorizes an agent by granting it OAuth access to their Link wallet, then approves each spend request through Link's web, iOS, or Android interface before any credential is released; build this approval UX into your agent's pre-purchase step
3. When the consumer approves, the agent obtains either a one-time-use virtual card number via Stripe Issuing for agents or an SPT; configure the SPT with the tightest scope required for the task — amount cap in the transaction currency, single merchant if possible, short expiry
4. Pass the SPT to the merchant's ACP or UCP checkout endpoint rather than a raw card; the merchant's payment service provider decodes and charges the SPT through Stripe, keeping PCI-sensitive data off the agent runtime
5. For repeat agent purchases, re-authorize a new SPT per transaction rather than reusing an old one; SPTs are designed for single-authorization use and reusing one outside its scope will result in a decline
6. Monitor all SPT-based transactions in the Stripe Dashboard under the Agentic Commerce section introduced in the Agentic Commerce Suite (December 2025); use the transaction metadata to correlate SPTs back to the originating agent session for reconciliation