Sandbox first: For login → smoke → paybond.agent() with no signing keys, use Agent quickstart. This track documents the full production intent lifecycle.
This tutorial track documents the Paybond pattern for agent runtimes. The settlement pattern applies to OpenAI, Gemini, Claude/Anthropic, Google AI, local models, MCP hosts, and application-owned runtimes without requiring provider-specific guardrail adapters.
The agent can still plan and execute flexibly, but the money-moving boundary remains explicit, verified, and replayable.
What the pattern does
- Derives tenant scope from authenticated credentials.
- Verifies the capability before a tool executes.
- Submits signed evidence against the same intent lifecycle.
- Leaves the release or refund decision to Harbor's deterministic settlement rules.
Shared lifecycle
Both language paths use the same flow:
- Open a tenant-bound Paybond session with the tenant's service-account API key.
- Create an intent whose allowed_tools / allowedTools exactly match your tool name.
- Read the capability_token returned when the intent reaches funded.
- Build a spend guard for (tenant, intent_id, capability_token).
- Verify the capability before the tool executes.
- Run the tool work.
- Submit signed evidence and inspect Harbor's predicate result.
The examples in this track support both immediate funding and the x402_usdc_base path. If create does not return a capability token immediately, the example continues through the funding handshake before the tool runs.
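The verify-before-execute step of the lifecycle above, modeled as an added illustration that is not Paybond Kit code. The token format is not described on this page, so an HMAC over the claims stands in for it; every name here (mint_capability, SpendGuard, guarded_call, DEMO_KEY) is hypothetical.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key standing in for the issuer's verification material.
# Assumption: the real capability format and keys are not shown on this page.
DEMO_KEY = b"constructed-demo-key"


def mint_capability(tenant: str, intent_id: str, allowed_tools: list) -> str:
    """Hypothetical issuer: bind tenant, intent and tool list into one token."""
    claims = json.dumps(
        {"tenant": tenant, "intent_id": intent_id, "allowed_tools": allowed_tools},
        sort_keys=True,
    ).encode()
    tag = hmac.new(DEMO_KEY, claims, hashlib.sha256).hexdigest()
    return claims.hex() + "." + tag


@dataclass(frozen=True)
class SpendGuard:
    """Guard built for one (tenant, intent_id, capability_token) triple."""
    tenant: str  # comes from the authenticated session, never from tool input
    intent_id: str
    capability_token: str

    def verify(self, tool_name: str) -> bool:
        body, _, tag = self.capability_token.partition(".")
        try:
            claims_bytes = bytes.fromhex(body)
        except ValueError:
            return False  # malformed token
        expected = hmac.new(DEMO_KEY, claims_bytes, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False  # forged or altered token
        claims = json.loads(claims_bytes)  # parsed only after the tag checks out
        return (
            claims["tenant"] == self.tenant
            and claims["intent_id"] == self.intent_id
            and tool_name in claims["allowed_tools"]  # exact name match only
        )


def guarded_call(guard: SpendGuard, tool_name: str, handler, *args):
    """Run the handler only after the capability verifies for this tool."""
    if not guard.verify(tool_name):
        raise PermissionError(f"capability does not authorize {tool_name!r}")
    return handler(*args)
```

The denial raises before the handler is entered, so a tool name that merely resembles an allowed one, or a token minted for another tenant or intent, causes no side effects.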
Choose a language
Python
Use the runtime-neutral adapter or LangGraph hook.
- Tutorial: Agent runtime tutorial (Python)
- Example: examples/paybond-kit-runtime-agent-python
- Key surfaces: paybond_kit.agent_adapters.paybond_runtime_tool_call_adapter() and paybond_kit.langgraph_hooks.paybond_awrap_tool_call()
TypeScript
Use @paybond/kit plus the runtime-neutral wrapper around the tool handler.
- Tutorial: Agent runtime tutorial (TypeScript)
- Example: examples/paybond-kit-runtime-agent-typescript
- Key surfaces: paybond.spendGuard(...) and paybondRuntimeToolCallAdapter(...)
Before you start
- A paybond_sk_sandbox_... or paybond_sk_live_... service-account API key for one tenant realm; the tutorials default the Kit expected-environment guard to sandbox when showing sandbox credentials
- A principal signing identity and 32-byte Ed25519 seed
- A payee signing identity and 32-byte Ed25519 seed
- Request-bound recognition proofs for intent creation, funding, and evidence submission
- A Paybond environment that can fund the example intent
- For x402_usdc_base, an x402 signer or facilitator that can answer the funding challenge