Sandbox paths (paybond.agent(), paybond.instrument({ sandbox: true }), and paybond agent sandbox smoke) never require payee identities or signing seeds. Production attach is the step after you have a funded production intent and need middleware to sign payee evidence and tenant-registered agent recognition proofs on every auto-evidence submit.
Start in sandbox first: Agent quickstart. For intent create and fund flows, see TypeScript quickstart or Python quickstart.
When you need this
| Path | Signing credentials |
|---|---|
Sandbox smoke / paybond.agent() | Not required — Gateway issues sandbox capabilities |
Production attach (instrument().bind(), agentRun.bind({ attach })) | Required — payee binding + agent recognition key |
Gateway rejects empty recognition proofs on production Harbor mutations. Middleware signs a fresh proof over the exact evidence body digest for each successful side-effecting call.
CLI: bind an existing intent
paybond agent run bind --production \ --attach-intent-id <intent-id> \ --capability-token <token> \ --payee-did did:web:vendor.example \ --payee-signing-seed-hex <64-hex-chars> \ --agent-recognition-key-id <registered-key-id> \ --agent-recognition-signing-seed-hex <64-hex-chars> \ --policy-file paybond.policy.yaml \ --format json paybond agent tool execute --run-id <run-id> \ --operation paid-tool \ --tool-call-id call-1 \ --result-body '{"status":"ok","cost_cents":100}' \ --format json
Env fallbacks: APP_PAYEE_DID, APP_PAYEE_SEED_HEX, APP_AGENT_RECOGNITION_KEY_ID, APP_AGENT_RECOGNITION_SEED_HEX. The CLI stores hex-encoded seeds in .paybond/runs/<run_id>.json (mode 0600) so agent tool execute can re-attach without re-passing secrets.
SDK: agentRun.bind({ attach })
TypeScript:
const run = await paybond.agentRun.bind({ attach: { intentId: process.env.PAYBOND_INTENT_ID!, capabilityToken: process.env.PAYBOND_CAPABILITY_TOKEN!, productionEvidence: { payeeDid: process.env.APP_PAYEE_DID!, payeeSigningSeed: seed32FromHex(process.env.APP_PAYEE_SEED_HEX!), agentRecognitionKeyId: process.env.APP_AGENT_RECOGNITION_KEY_ID!, agentRecognitionSigningSeed: seed32FromHex( process.env.APP_AGENT_RECOGNITION_SEED_HEX!, ), }, }, registry, });
Python:
run = await paybond.agent_run.bind( { "attach": { "intent_id": os.environ["PAYBOND_INTENT_ID"], "capability_token": os.environ["PAYBOND_CAPABILITY_TOKEN"], "production_evidence": { "payee_did": os.environ["APP_PAYEE_DID"], "payee_signing_seed": seed32_from_hex(os.environ["APP_PAYEE_SEED_HEX"]), "agent_recognition_key_id": os.environ["APP_AGENT_RECOGNITION_KEY_ID"], "agent_recognition_signing_seed": seed32_from_hex( os.environ["APP_AGENT_RECOGNITION_SEED_HEX"] ), }, }, "registry": registry, } )
Pass the same productionEvidence / production_evidence on instrument({ context: { ... } }) when binding at instrument time.
Keep payee and agent-recognition signing seeds in a trusted runtime (KMS, internal signer, or agent runner) — never in model prompts or browser code.
Policy-driven intent create
When creating a production intent from paybond.policy.yaml, supply principal and payee signing material to toIntentCreateInput():
const intentInput = policy.toIntentCreateInput({ principalDid, principalSigningSeed, payeeDid, headDigest, recognitionProof, }); await paybond.intents.createWithPolicyBinding(intentInput);
See Agent policy for policy file format and Recognition proofs for proof issuance.
Console-managed credentials
Under Machine Access → Agent middleware keys, tenant admins mint production attach bundles for a funded intent:
- Enter the funded
intent_idandcapability_token. - Copy the one-time env snippet into your secrets manager:
PAYBOND_ATTACH_INTENT_ID=<intent-id> PAYBOND_CAPABILITY_TOKEN=<token> PAYBOND_ATTACH_BUNDLE=ab1.<opaque-bundle>
- In application code, bind middleware from env — no raw signing seeds in source:
TypeScript:
const agent = await paybond.agent({ policy: "travel", tools, attach: "env", });
Python:
agent = await paybond.agent( { "policy": "travel", "tools": tools, "attach": "env", } )
attach: "env" reads PAYBOND_ATTACH_INTENT_ID, PAYBOND_CAPABILITY_TOKEN, and decrypts PAYBOND_ATTACH_BUNDLE at runtime. Revoke compromised bundles from the console inventory; recognition keys are revoked together with the credential.
Related
- Agent middleware — run binding, interceptors, and auto-evidence
- Agent policy —
paybond.policy.yamland intent alignment - Capabilities — obtaining
intent_idandcapability_token - CLI contract — JSON output shapes for
agent run bind