> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nevermined.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Payments

> Enroll a Visa, Stripe, or Braintree card, set spending limits, and let your agents pay autonomously.

Enroll a Visa, Stripe, or Braintree card. Create a delegation that caps how much can be spent. Your agents charge it directly via x402 — no checkout pages, no human in the loop.

Manage everything at [nevermined.app](https://nevermined.app).

<CardGroup cols={3}>
  <Card title="Card Enrollment" icon="credit-card" href="/docs/products/payments/card-enrollment">
    Enroll Visa, Stripe, or Braintree cards
  </Card>

  <Card title="Delegations" icon="shield-check" href="/docs/products/payments/mandates">
    Set spending limits and expiration
  </Card>

  <Card title="Delegation Selection" icon="route" href="/docs/products/payments/mandate-selection">
    Auto-resolve which card to charge
  </Card>
</CardGroup>

## How It Works

<Steps>
  <Step title="Enroll a card">
    Add a Visa, Stripe, or Braintree card at [nevermined.app](https://nevermined.app). Card data is tokenized in the browser by the provider's PCI-compliant capture (VGS Collect for Visa and Stripe, Braintree Drop-in for Braintree). Nevermined never stores raw card numbers.
  </Step>

  <Step title="Create a delegation">
    Set the spending limit, duration, and (optionally) max transactions. Visa delegations also require a per-delegation passkey approval that binds the limits to your device. Optionally link the delegation to a specific API key for automatic routing.
  </Step>

  <Step title="Agents charge it">
    Agents call the Nevermined API with their API key. Nevermined resolves the right delegation and generates an x402 token. The resource server verifies, executes, and settles.
  </Step>
</Steps>

## Payment Flow

```
Agent (no token)
  |
  |-> Resource Server returns 402 + payment-required header
  |
  |-> Agent calls Nevermined: POST /api/v1/x402/permissions
  |     |-> Resolves delegation -> generates x402 token (scheme: nvm:card-delegation)
  |
  |-> Agent retries with payment-signature header
  |
  |-> Resource Server:
        |-> POST /verify -> validates token, delegation, usage
        |-> Executes workload
        |-> POST /settle -> charges card, returns payment-response
```

## One delegation model, three networks

All three providers share the same `nvm:card-delegation` x402 scheme and the same `POST /api/v1/delegation/create` endpoint. The `network` field on the delegation (`stripe`, `braintree`, or `visa`) is set by the card you choose and routes settlement to the right PSP.

<CardGroup cols={3}>
  <Card title="Visa" icon="cc-visa">
    PAN tokenized by VGS Credential Management Platform (CMP) into a Visa Agentic Token. Each delegation requires a one-time WebAuthn/passkey device-binding ceremony enforced by Visa VTS. Settlement runs through Stripe Connect against the seller's connected account.
  </Card>

  <Card title="Stripe" icon="stripe">
    Card captured via VGS Collect and confirmed against a Stripe SetupIntent. No passkey. Settlement runs through Stripe PaymentIntents directly.
  </Card>

  <Card title="Braintree" icon="paypal">
    Card captured via Braintree Drop-in, exchanged for a vaulted `paymentMethodToken`. Settlement runs through `transaction.sale` against the seller's per-currency OAuth-connected Braintree merchant account.
  </Card>
</CardGroup>

<Note>
  The Visa Agentic Tokens flow replaces the earlier VTS/VIC + mandate endpoints. There is no longer a separate "mandate" object — a Visa delegation is just a `nvm:card-delegation` record with `provider: 'visa'`.
</Note>

## Key Concepts

| Concept                | Description                                                                                                                                                                            |
| ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Delegation**         | A scoped spending authorization on an enrolled card. Defines the spending limit, max transactions, and expiration. Same concept across Visa, Stripe, and Braintree.                    |
| **Visa Agentic Token** | The CMP-issued identifier (`vat_…`) that replaces the real PAN. Stored as the delegation's `providerPaymentMethodId` for Visa cards.                                                   |
| **Device binding**     | A per-delegation WebAuthn/passkey ceremony required by Visa VTS. Produces a single-use `assuranceData` blob bound to the spending limit, duration, and merchant context. Browser-only. |
| **Spending Ceiling**   | Per-card cumulative limit across all active delegations (default \$10.00).                                                                                                             |
| **API Key Linking**    | Link a delegation to a specific API key so agents automatically use the right one.                                                                                                     |
| **x402 Token**         | Payment token used in the `payment-signature` HTTP header (`nvm:card-delegation` scheme).                                                                                              |

## SDK consumption

The TypeScript and Python SDKs treat all three networks identically. Pass the `delegationId` to `DelegationConfig` and the SDK auto-resolves the scheme + network from the plan and the delegation record:

<Tabs>
  <Tab title="TypeScript">
    ```typescript theme={null}
    import { Payments } from '@nevermined-io/payments'

    const payments = Payments.getInstance({
      nvmApiKey: process.env.NVM_API_KEY,
      environment: 'sandbox',
    })

    // Works the same for Stripe, Braintree, and Visa delegations.
    const token = await payments.x402.getX402AccessToken(
      'plan_abc123',
      undefined, // agentId — pass when the plan has multiple agents
      {
        delegationConfig: {
          delegationId: 'deleg-8f14e45f-ce34-4797-b88e-968374b0d4b6',
        },
      },
    )
    ```
  </Tab>

  <Tab title="Python">
    ```python theme={null}
    import os
    from payments_py import Payments
    from payments_py.x402 import DelegationConfig, X402TokenOptions

    payments = Payments(
        api_key=os.environ.get("NVM_API_KEY"),
        environment="sandbox",
    )

    # Works the same for Stripe, Braintree, and Visa delegations.
    token = payments.x402.get_x402_access_token(
        plan_id="plan_abc123",
        token_options=X402TokenOptions(
            delegation_config=DelegationConfig(
                delegation_id="deleg-8f14e45f-ce34-4797-b88e-968374b0d4b6",
            ),
        ),
    )
    ```
  </Tab>
</Tabs>

<Warning>
  For Visa, `delegationId` reuse is the **only** SDK path. `createDelegation` with `provider='visa'` cannot run from a non-browser context — the backend rejects it without `consumerPrompt` + `assuranceData`, both of which require the WebAuthn ceremony embedded by Visa VTS in the webapp. The SDK rejection surfaces as `PaymentsError.code = 'BCK.VISA.0014'`.
</Warning>

## Environments

* **Sandbox** — Testing and development. Visa runs against VGS sandbox + VTS test PANs; Stripe in test mode; Braintree on sandbox merchants.
* **Live** — Production. Real payments through Visa, Stripe, and Braintree.

<Note>
  You need an [NVM API Key](/docs/getting-started/get-your-api-key). Set it as `NVM_API_KEY`.
</Note>

## What's Next?

<CardGroup cols={2}>
  <Card title="Enroll a Card" icon="plus" href="/docs/products/payments/card-enrollment">
    Set up your first payment card
  </Card>

  <Card title="Create a Delegation" icon="shield-check" href="/docs/products/payments/mandates">
    Define spending limits, usage caps, and expiration
  </Card>
</CardGroup>
