paybondpaybond
Sign in

Paybond with Shopify agentic commerce

Partner brief: Shopify UCP/MCP executes cart and checkout; Paybond governs conditional settlement (capture/void), evidence, disputes, and portable receipts on top of Shopify orders.

Shopify helps merchants sell through agents — product discovery, cart building, checkout orchestration, and order lifecycle through UCP + MCP (Catalog, Cart, Checkout, Order) alongside the merchant's existing storefront and payments stack.

Paybond is the trust layer underneath agent spend — signed intents, outcome-verified escrow, predicate evaluation, operator disputes, and cryptographically signed portable receipts.

Complement, not replacement

Paybond does not replace Shopify as the commerce system of record. Merchants keep Shopify checkout, themes, payments relationships, and order lifecycle. Paybond orchestrates when authorized funds capture or void and what proof is required before that happens — producing a signed Agent Receipt Standard (ARS) record on top.

This page is an integration brief for Shopify partner, platform, and merchant conversations — including the Technology Partner track where a partner enables UCP/MCP agentic checkout, dev-store validation, and governed capture timing on top of Shopify orders.

Partner positioning

ShopifyPaybond
Primary jobAgentic cart, checkout, and order lifecycle (UCP/MCP + merchant storefront)Conditional settlement, evidence, disputes, and portable receipts
Typical buyerMerchants, commerce platforms, and Shopify partners adopting UCPPlatforms and enterprises governing autonomous spend and settlement timing
Money movementShopify Payments / merchant PSP relationships and checkout capture settingsHarbor release/refund drivers that capture or void after predicate evaluation
Proof outputOrders, fulfillment state, webhooksSigned Agent Receipts (ARS), Ledger provenance, Signal standing

Joint customer story: Shopify answers whether an agent can discover products, build a cart, and place an authorized order. Paybond answers whether policy was satisfied before capture, refund, or human escalation — with a portable signed receipt.

Product surfaces (what partners integrate)

SurfaceRole in a Shopify and Paybond deployment
Paybond KitSDK middleware at the agent runtime — wraps checkout tools, issues recognition proofs, submits evidence
Paybond HarborIntent escrow engine — create, fund, verify, evidence, release/refund, dispute freeze
Paybond LedgerAppend-only signed history for audits, exports, and dispute dossiers
Paybond SignalStanding and reputation derived from verified receipts and settlement outcomes
Agent Receipt Standard (ARS)Portable paybond.agent_receipt_v1 proof any counterparty can verify offline

Two layers in one purchase

LayerTypical ownerWhat happens
Agentic checkout & order creationShopify UCP/MCP, merchant storefrontAgent builds cart, buyer authorizes, order exists in Shopify
Conditional settlement & proofPaybond Harbor, Ledger, SignalFunds held against explicit deliverables, evidence evaluated, capture/void driven, signed receipts and standing

Many Shopify checkouts can stop after the order is created and paid. Paybond matters when capture should not be automatic:

  • procurement agents with acceptance criteria
  • high-trust B2B agent spend with audit requirements
  • flows where disputes need a shared evidence record, not chat logs
  • marketplaces where an operator governs release or escalation

Shopify surfaces (2026)

Shopify surfaceWhere it fits
UCPTrust and identity for agentic commerce; agent profile registration
Checkout MCPCart → checkout lifecycle; returns continue_url on escalation
Order MCPOrder status and retrieval for agentic flows
Catalog / Cart APIsDiscovery and cart composition
Partner App OAuthTenant-owned shop linking for server-side Admin API credentials
Standard webhooksOrders/create, orders/paid, orders/updated, app/uninstalled

Technology Partner angle

For Shopify Technology Partners validating agentic commerce on Plus dev stores:

  1. Platform tenant configures settlement in Paybond Configuration → Settlement — linked shop domain, allowed rails (shopify_authorized_order, shopify_payments_app), server-owned OAuth credentials. Clients never pass shop domains in create payloads.
  2. Agents run behind Kit middleware with tenant-derived API keys — scope comes from credentials, not client-supplied tenant ids.
  3. Shopify executes UCP/MCP checkout and produces the canonical order; Paybond holds and releases against predicates.
  4. Operators review disputes, unbound webhook events, and audit exports from a single Harbor and Ledger record.

Paybond does not replace Shopify checkout UI or merchant payment relationships. It adds intent-scoped escrow and evidence so partners can offer governed agent commerce without building a custom settlement state machine.

Reference flows (both products)

Two common orderings — pick based on whether checkout or spend policy comes first.

A. Checkout-first (UCP/MCP)

Agent + buyer Shopify (UCP/MCP) Paybond (Harbor) | | | |-- cart/checkout ---->| order authorized | | | | |-- webhook funding -->|---------------------------->| intent funded (binding metadata) | | | |-- evidence submit -->|---------------------------->| predicate → capture/void + ARS receipt

B. Guard-first (Kit middleware around checkout tool)

Agent runtime (Kit) Paybond Harbor Shopify (UCP/MCP or Admin) | | | |-- create intent ------->| | |-- fund (rail) --------->| (holds until order auth) | |<-- capability_token ----| | |-- guarded checkout ---> | verify → execute tool ------>| create checkout/order with binding metadata |-- evidence submit ---->| predicate → capture/void |

Shopify answers: Can this agent discover products, build a cart, and place an authorized order?

Paybond answers: Did the agent satisfy policy before we capture, void, or escalate to a human?

Manual capture (conditional settlement)

When release depends on Paybond predicates — not automatic capture at checkout — merchants should enable manual payment capture in Shopify Admin under Settings → Payments. Checkout then authorizes without capturing; Harbor drives capture (or void) on drive_terminal_settlement for shopify_authorized_order — the same mental model as ACS manual capture on Stripe.

SettingWhereWhy
Manual captureShopify Admin → Settings → PaymentsKeeps funds authorized until Harbor release / refund
Binding metadataCheckout note_attributes via Kit helpersWebhooks resolve tenant_id + paybond_intent_id for funding
Harbor releaseEvidence → predicate → drive_terminal_settlementCaptures on pass; voids on fail

Checkout-first merchants: create the Paybond intent when conditional escrow starts, stamp checkout metadata with the same binding contract, and treat Shopify order webhooks as funding — not completion evidence.

Tenant-admin checklist: Configure Shopify settlement.

What Paybond adds on Shopify rails

Paybond integrates Shopify for intent-scoped settlement, not workspace billing:

Paybond railShopify touchpointPaybond behavior after funding
shopify_authorized_orderAuthorized order on linked shop (manual capture)orderCapture on release; transactionVoid on predicate failure
shopify_payments_appOffsite payment session via Payments app extensionpaymentSessionResolve (authorization); captureSessionResolve / voidSessionResolve on terminal settlement

Harbor snapshots tenant settlement config server-side — clients never pass shop domains or offline access tokens in create payloads.

Integration surface for partners:

LayerEntry points
Kit (application)paybond.intents.create, paybond.instrument() middleware (commerce.checkout), UCP binding helpers, ARS emit/consume
Gateway (control plane)GET/PUT /v1/admin/settlement/config, Shopify OAuth link handlers, authenticated Harbor proxies, /webhooks/shopify → Harbor ingest
Harbor (settlement)POST /intents, POST /intents/{id}/fund, POST /verify, evidence and settlement/confirm
WebhooksShopify order events enqueue at Gateway, forward to Harbor under mTLS — funding gates, not completion evidence

For webhook paths, capture timing, and stuck-intent recovery, see Settlement with existing payment providers.

Kit at the agent boundary

Application teams wire Paybond Kit middleware around Shopify checkout tools. Guard-first flows use the commerce.checkout operation with cost_and_completion evidence — the same primary operation as Protect Shopify payments from agents:

Terminal
Terminal commandSwipe to inspect long lines
paybond login
paybond agent sandbox smoke \
  --operation commerce.checkout \
  --requested-spend-cents 4500 \
  --evidence-preset cost_and_completion \
  --result-body '{"status":"completed","cost_cents":4500,"order_id":"gid://shopify/Order/123","shop":"paybond-agent-commerce-dev.myshopify.com"}' \
  --format table

Kit helpers for UCP/MCP checkout with binding metadata:

  • createCheckoutWithBinding({ intentId, tenantId, ... }) — stamps paybond_intent_id / tenant_id in note_attributes for webhook preflight
  • Shopify CLI workflow: paybond shopify doctor, paybond shopify checkout smoke

Offline rehearsal without API credentials: paybond dev loop --offline and paybond dev trace (local dashboard at http://127.0.0.1:9477).

Production pattern:

  1. Shopify (UCP/MCP or storefront) completes buyer checkout when the flow is catalog with payment execution. Enable manual capture when Paybond will drive capture on release.
  2. Paybond intent funds on the tenant's allowed Shopify rail when the agent needs a bounded spend boundary before side effects.
  3. Evidence attaches tool results (not Shopify funding webhooks); Harbor evaluates predicates.
  4. Release or refund drives Shopify capture/void or payment session resolution.
  5. Agent Receipt Standard (ARS) emits portable signed proof for operators and partners.

See Protect Shopify payments from agents for checkout tool guarding and How agent settlement works for the five-step Harbor lifecycle.

Binding contract (tenant isolation)

To tie agent checkout to tenant-owned settlement configuration, every agent-initiated checkout must attach binding metadata in Shopify:

  • paybond_intent_id
  • tenant_id

For UCP/MCP, place it in note_attributes (or cart attributes that propagate to the order). Gateway webhook preflight then enforces:

  • shop domain (X-Shopify-Shop-Domain) is linked to the authenticated tenant
  • payload contains binding metadata
  • binding metadata matches a known Paybond intent for that tenant

If binding is missing or mismatched, events must route to manual review and must not fund intents automatically.

UCP agent profile

Host and register the Paybond platform profile for Shopify partner onboarding:

GET https://paybond.ai/.well-known/ucp/profile.json

Kit Shopify helpers default meta.profile_url to this URL when building checkout payloads with createCheckoutWithBinding. Register the profile URL in the Shopify Developer Dashboard before calling Checkout MCP at https://{shop}/api/ucp/mcp.

Sandbox and onboarding path

StepAction
1Create a Paybond sandbox tenant (paybond login)
2Install the Paybond Shopify Partner App on a Partner dev store
3In Paybond Console: link the shop (OAuth) and confirm the domain is stored/masked
4In Shopify Admin: enable Manual payment capture (required for shopify_authorized_order)
5Run paybond shopify checkout smoke and confirm webhook binding + intent funding behavior
Terminal
Terminal commandSwipe to inspect long lines
paybond shopify doctor
paybond shopify dev                    # prints two-terminal workflow
paybond shopify checkout smoke --shop paybond-agent-commerce-dev.myshopify.com

Harness: examples/shopify-dev-loop. Docs: Shopify CLI workflow.

Tenant-admin setup: Configure Shopify settlement. Developer task guide: Protect Shopify payments from agents.

When to use which

ScenarioStart withAdd Paybond when
Merchant sells via UCP/MCP agent storefront (instant checkout)Shopify Checkout MCPYou need conditional capture, disputes, or cross-platform receipts after authorization
Agent buys from a Shopify catalog on behalf of a buyerShopify UCP + Kit middlewareYou need per-intent budgets, evidence presets, and audit exports
Enterprise procurement agent (acceptance criteria)Paybond Kit and HarborShopify authorizes the order; Paybond enforces policy and provenance before capture
Shopify merchant also uses Stripe under the hoodPaybond + Stripe agentic commerceSame tenant may use both rails for different checkout surfaces

Security and tenant boundaries

  • Tenant scope is derived from authenticated credentials — never from client-supplied tenant ids.
  • Shop domains and offline access tokens are server-owned in settlement config; agents must not hold them.
  • Funding webhooks are separate from completion evidence (tool results after capability_token).
  • Any event missing binding metadata is treated as unbound and excluded from automated funding.
  • Unbound webhooks route to manual review — operators follow Paybond dispute workflows with a canonical ledger record.

See Disputes and evidence evaluation and Secure agentic banking infrastructure.

Co-sell and support

NeedContact
Partnership, platform rollout, enterpriseTalk to sales[email protected]
Integration support, sandbox issues[email protected]
Technical review packExternal documentation index

Partner summary

Shopify executes agentic cart and checkout and produces the canonical order record.

Paybond makes agent spend authorized, verified, and auditable — escrow, evidence, release rules, disputes, and signed portable receipts on top of Shopify orders.

Together they cover the full agentic commerce stack: cart and checkout on Shopify, conditional settlement and standing on Paybond.

Where to go next