Skill flagged — review recommended

ClawHub Security found sensitive or high-impact capabilities. Review the scan results before using.

Payclaw Io Pub

Agents are not bots. PayClaw proves it — then lets them pay. UCP Credential Provider: Badge declares your agent as an authorized actor at any UCP-compliant merchant. Spend issues single-use virtual Visa cards. No API key required — device auth flow built in.

Audits

Suspicious

Install

openclaw skills install payclaw-io

PayClaw — Badge + Spend for AI Agents

Agents are not bots. PayClaw proves it — then lets them pay.

Your AI agent looks like a bot to every merchant on the internet. PayClaw gives it two things:

Badge — Declares your agent as an authorized actor. A UCP-compatible credential that lets it through merchant defenses. Free. No card required.

Spend — Issues a single-use virtual Visa when your agent needs to pay. Human-approved. Self-destructs after use. Your real card never enters the chat.

🧪 Developer Sandbox is open. Real infrastructure, test money. Get sandbox access →

Setup

1. Add to your agent

{
  "mcpServers": {
    "payclaw": {
      "command": "npx",
      "args": ["-y", "@payclaw/mcp-server"],
      "env": {
        "PAYCLAW_API_URL": "https://api.payclaw.io"
      }
    }
  }
}

No API key required. On first use, your agent will show a code and a URL. Approve on your phone in one tap — your Consent Key is stored automatically.

Requires Node.js 20+. Node 18 is end-of-life. If you see engine errors, check your version with node -v, then install Node 20 from nodejs.org or run nvm install 20.
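The step 1 config starts the server with npx -y and no version on the package name, so the code that runs is whatever npx resolves at launch rather than a release you have reviewed. The check below is an added example, not PayClaw or ClawHub code; it audits an MCP config for that pattern and for cleartext endpoint URLs. The rule names and the 0.0.0 version are placeholders made up for illustration.

```javascript
// Exact semver only: ranges ("^1.2.0") and dist-tags ("latest") count as unpinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Split "name@version" while keeping the leading "@" of a scoped package name.
function parseSpec(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0
    ? { name: spec.slice(0, at), version: spec.slice(at + 1) }
    : { name: spec, version: null };
}

// Returns one finding per risky launch setting, per configured MCP server.
function auditMcpConfig(config) {
  const findings = [];
  for (const [server, def] of Object.entries(config.mcpServers || {})) {
    const args = def.args || [];
    const add = (rule, detail) => findings.push({ server, rule, detail });
    if (/(^|[\\\/])npx(\.cmd)?$/.test(def.command || "")) {
      if (args.includes("-y") || args.includes("--yes")) {
        add("auto-install", "npx runs the package without an install prompt");
      }
      const spec = args.find((a) => !a.startsWith("-")); // first non-flag argument
      if (spec) {
        const { name, version } = parseSpec(spec);
        if (!version || !EXACT_VERSION.test(version)) {
          add("unpinned-package", `${name} resolves to ${version || "latest"} at launch`);
        }
      }
    }
    for (const [key, value] of Object.entries(def.env || {})) {
      let url;
      try { url = new URL(value); } catch { continue; } // not a URL, skip
      if (url.protocol === "http:") add("cleartext-endpoint", `${key} is not HTTPS`);
    }
  }
  return findings;
}

// The config from step 1 of this page.
const pageConfig = { mcpServers: { payclaw: { command: "npx",
  args: ["-y", "@payclaw/mcp-server"],
  env: { PAYCLAW_API_URL: "https://api.payclaw.io" } } } };

// Constructed variant: "0.0.0" is a placeholder, not a real release number.
const pinnedConfig = { mcpServers: { payclaw: { command: "npx",
  args: ["@payclaw/mcp-server@0.0.0"],
  env: { PAYCLAW_API_URL: "https://api.payclaw.io" } } } };

console.log(auditMcpConfig(pageConfig).map((f) => `${f.server}: ${f.rule}`));
```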

2. Use it

Your agent calls payclaw_getAgentIdentity before acting at any merchant. That's it.

UCP Identity Linking

PayClaw is a UCP (Universal Commerce Protocol) Credential Provider. Merchants who declare the PayClaw identity extension (io.payclaw.common.identity) signal to every UCP-compliant agent that declared agents are preferred at their store.

Tools

| Tool | What It Does |
| --- | --- |
| payclaw_getAgentIdentity | Declare yourself as an authorized actor before acting at any merchant. Without this, UCP-compliant merchants may prefer or require a declared agent. Returns a trip-level UCP-compatible credential. Agents are not bots. PayClaw proves it. |
| payclaw_getCard | Declare purchase intent → get single-use virtual Visa (Spend) |
| payclaw_reportPurchase | Report transaction outcome → close the audit trail |

How Authorization Scales

| Action | What Happens |
| --- | --- |
| Browse | Badge declaration — UCP identity token issued |
| Search | Badge declaration — UCP identity token issued |
| Checkout | Badge + Spend — human approval → single-use Visa issued |

Example

You: "Buy me a cold brew from Starbucks"

Agent: Let me declare myself first...
       [calls payclaw_getAgentIdentity({ merchant: "starbucks.com" })]
       
       ✓ DECLARED — authorized actor at starbucks.com
       
       Found a cold brew for $5.95. Getting a card...
       [calls payclaw_getCard: merchant=Starbucks, amount=$5.95]
       
       ✅ Virtual Visa issued. Completing purchase...
       [calls payclaw_reportPurchase: success ✅]
       
       Done! Cold brew ordered. Card self-destructed.

Security

  • Zero standing access — no card exists until your agent requests one
  • Single-use cards — merchant-locked, amount-capped, 15-minute expiry
  • Human approval — every purchase requires your explicit OK
  • Intent audit — every purchase compared against declared intent
  • $500 cap — hard ceiling on account balance
  • Your real card never enters the chat

Badge Only?

If you only need identity (no payment): clawhub install payclaw-badge
