> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nevermined.app/llms.txt
> Use this file to discover all available pages before exploring further.

# FAQ

> Frequently asked questions about Nevermined, card delegation, delegation selection, Visa Agentic Tokens, and Stripe / Braintree settlement.

## Agent Payments

How agents pay with your real card, within limits you control.

<Accordion title="How is this different from issuing a prepaid card for my agent?">
  Card Delegation uses your real credit or debit card, not a separate prepaid balance. At enrollment, the card number is tokenized by a PCI-compliant vault (VGS Collect for Visa and Stripe; Braintree Drop-in for Braintree). Nevermined never sees or stores the raw PAN. What the agent receives is a scoped delegation that encodes identity, spending limits, and (for Visa) the device that approved it. The actual charge still runs on existing card rails, so it appears on your normal statement. No prefunding, no separate balance to manage.
</Accordion>

<Accordion title="What happens if an agent tries to exceed the delegation?">
  The transaction is rejected instantly before it reaches the payment processor. Delegations are enforced server-side on every verify and settle call. The agent receives a clear 402 error explaining which limit was hit (lifetime spending limit, transaction count, or duration), so it can adapt its behavior or notify the user.
</Accordion>

<Accordion title="Can I use Card Delegation with any AI agent framework?">
  Yes. Any software that can make an HTTP request can use x402 payments. That includes OpenAI Assistants, Anthropic Claude, LangChain, CrewAI, Strands, MCP tool servers, and custom agents. Nevermined also provides TypeScript and Python SDKs, a CLI, and an MCP server for convenience, but none are required.
</Accordion>

<Accordion title="How do I revoke an agent's ability to spend?">
  One click in the [dashboard](https://nevermined.app) or `DELETE /api/v1/delegation/{delegationId}`. Revocation is immediate: no grace period, no cached tokens, and no pending window. The agent loses payment capability the instant you revoke, and any in-flight verify/settle calls fail with `DELEGATION_INACTIVE`.
</Accordion>

<Accordion title="What's the difference between the Visa, Stripe, and Braintree settlement paths?">
  From the agent's perspective, nothing changes. It sends the same x402 payment header either way. The difference is in how settlement runs under the hood:

  * **Visa path** — Your card is tokenized as a Visa Agentic Token via the VGS Credential Management Platform. Each delegation is bound to your device with a one-time WebAuthn/passkey ceremony enforced by Visa VTS. Settlement runs through Stripe Connect against the seller's connected account.
  * **Stripe path** — Your card is tokenized by Stripe, and settlement runs through Stripe PaymentIntents directly. The seller connects their Stripe account when they enroll with Nevermined.
  * **Braintree path** — Your card is vaulted as a Braintree `paymentMethodToken`, and settlement runs through `transaction.sale` against the seller's per-currency OAuth-connected Braintree merchant account.

  In all three cases, sellers enroll with Nevermined to accept agent payments. Nevermined handles the x402 protocol, agent authentication, delegation enforcement, and settlement on their behalf.
</Accordion>

<Accordion title="What security and compliance standards does Card Delegation meet?">
  Card data is captured via a PCI-compliant vault (VGS Collect for Visa / Stripe, Braintree Drop-in for Braintree) and tokenized before it enters the system. Nevermined holds ISO 27001 and SOC 2 Type II certifications and operates at PCI SAQ-D level. For Visa, Strong Customer Authentication via WebAuthn/passkey (or email OTP fallback) is enforced **per delegation** by Visa VTS. Every transaction is logged with agent ID, amount, merchant, and timestamp for full auditability.
</Accordion>

## Delegation Selection

How agents pick which delegation to charge.

<Accordion title="How does my agent know which delegation to use?">
  There are three ways the system resolves which delegation to charge, from simplest to most explicit:

  1. **Automatic** — If your API key has access to exactly one active delegation, it is selected automatically. Just pass your API key and go. If there are zero or multiple delegations, you get a clear error asking you to be more specific.
  2. **Key-linked** — Link a specific delegation to a specific API key, either when you create the delegation or by revoking and recreating it. The system always routes that key to its linked delegation, even if you have multiple delegations active. Only the linked key can use that delegation.
  3. **Explicit delegation ID** — Pass `delegationId` in `delegationConfig` for full control. This is the only supported mode for Visa.

  See [Delegation Selection](/docs/products/payments/mandate-selection) for the full resolution algorithm.
</Accordion>

<Accordion title="When should I link an API key to a delegation?">
  If you have one delegation and one API key, you don't need to link them. Automatic selection handles it. Linking becomes useful when you have multiple delegations and want each agent (or API key) to use a specific one without passing a delegation ID on every request. It's the recommended approach for multi-agent setups on Stripe and Braintree, and a useful convenience for Visa.
</Accordion>

<Accordion title="What happens if I have multiple delegations and no key linked?">
  The automatic selection will fail because the system can't determine which delegation to charge. Your agent receives a 402 error explaining that multiple delegations are available. You can resolve this by either linking your API key to a specific delegation, or passing the `delegationId` explicitly.
</Accordion>

<Accordion title="Can the same API key be used across Visa, Stripe, and Braintree?">
  Yes. API keys are provider-agnostic. The same key works for delegations on any network. The link is stored as `apiKeyId` directly on the delegation record, so each delegation independently decides whether to honor the caller's key.
</Accordion>

<Accordion title="How do I change which delegation an API key is linked to?">
  Delegations are immutable. To change the link, revoke the existing delegation and create a new one with the desired `apiKeyId`. For Visa, this also requires a fresh WebAuthn/passkey device-binding ceremony.
</Accordion>

## Stripe

Settlement through Stripe's network.

<Accordion title="How does the Stripe settlement path work?">
  When you enroll a card via Stripe, VGS Collect tokenizes the PAN and Stripe vaults it as a `pm_…` PaymentMethod. When your agent makes a payment, Nevermined creates an off-session PaymentIntent against that PaymentMethod, optionally routing to the seller's Stripe Connect account. The payment is wrapped in the x402 protocol, so the seller (or a facilitator) triggers the flow by responding with a 402 status code.
</Accordion>

<Accordion title="What does a seller need to accept Stripe-path payments?">
  The seller enrolls with Nevermined and connects their Stripe account via Stripe Connect. Once enrolled, they can receive payments from AI agents via the x402 protocol. The seller needs an active Stripe account since the Stripe path settles through Stripe's network. Nevermined handles agent authentication, delegation enforcement, and the x402 flow on the seller's behalf.
</Accordion>

<Accordion title="Which cards work with Stripe?">
  Stripe supports most Visa, Mastercard, American Express, and Discover cards. Both credit and debit cards are eligible. The card is tokenized at enrollment and charges appear on your normal statement.
</Accordion>

## Visa Agentic Tokens

Settlement through Visa's Trusted Agent Protocol.

<Accordion title="Is this a sandbox integration, or production Visa infrastructure?">
  Production-ready. Nevermined integrates with the Visa Trusted Agent Protocol through the VGS Credential Management Platform (CMP) and Visa VTS device-binding service. Your enrolled card becomes a Visa Agentic Token bound to Nevermined as the token requestor, and every delegation captures a fresh WebAuthn/passkey approval before it can charge.
</Accordion>

<Accordion title="How does VGS Credential Management Platform protect my card?">
  At enrollment, your real PAN is captured by a VGS Collect iframe and posted directly to CMP. It never passes through or is stored by Nevermined. CMP mints a Visa Agentic Token (`vat_…`) bound to Nevermined as the token requestor. Even if the token were compromised, it can't be used outside the Nevermined ecosystem, and you can revoke it instantly from the dashboard.
</Accordion>

<Accordion title="What is the device-binding step and why does it matter?">
  Every Visa delegation requires a one-time WebAuthn/passkey ceremony — an iframe embedded by Visa VTS prompts you to approve the spending limit, duration, and merchant. Approving produces a single-use `assuranceData` blob that binds the delegation to your device. This means even if an agent is compromised, it can't widen its own spending power without your hardware key. It's purpose-built for high-frequency, autonomous agent payments.
</Accordion>

<Accordion title="What if I don't have a passkey?">
  Visa VTS falls back to an email OTP delivered to the address on file for your CMP cardholder. The webapp surfaces an OTP input when the SDK reports `needsOtp: true`.
</Accordion>

<Accordion title="What does a seller need to accept Visa-path payments?">
  The seller must have completed Stripe Connect onboarding — Visa delegations settle through Stripe Connect against the seller's connected account. The seller does not need any direct relationship with Visa or VGS; Nevermined acts as the token requestor. Visa delegations also require a `planId` so the delegation binds to a single seller per the Trusted Agent Protocol.
</Accordion>

<Accordion title="Can I create a Visa delegation from the SDK or CLI?">
  No. Visa delegation creation requires `consumerPrompt` and `assuranceData`, both of which can only be produced by the WebAuthn ceremony embedded in the Nevermined webapp. The SDK and CLI surface explicit errors (`BCK.VISA.0014`) when callers attempt `create_delegation(provider="visa", ...)`. You can, however, **consume** an existing Visa delegation from the SDK by passing its `delegationId` to `DelegationConfig` exactly like Stripe or Braintree.
</Accordion>

<Accordion title="Which cards are eligible for Visa Agentic Tokens?">
  Any Visa card whose issuer participates in the Visa Trusted Agent Protocol. During the pilot, support is concentrated on US issuers; the eligibility list is widening as more issuers integrate.
</Accordion>

## Limits & Seller Onboarding

Pilot ceilings, increased limits, and accepting agent payments.

<Accordion title="What are the current spending limits?">
  During the pilot, each enrolled card has a \$10.00 cumulative ceiling across all active delegations. This applies to all three networks independently. Individual delegation amounts are validated against the remaining ceiling at creation time.
</Accordion>

<Accordion title="Can I get higher limits?">
  Yes. The \$10 ceiling is a pilot default. Contact the Nevermined team to request increased limits for your account.
</Accordion>

<Accordion title="How do I onboard as a seller?">
  Contact the Nevermined team to schedule a seller onboarding call. Once enrolled, your business can accept payments from AI agents via the x402 protocol. Sellers on Stripe complete Stripe Connect; sellers on Braintree complete OAuth Connect with at least one child merchant account per accepted currency. Visa Trusted Agent plans require the seller's Stripe Connect account because Visa delegations settle through Stripe Connect.
</Accordion>
