Adapter helpers for the Agentic Commerce Protocol (ACP) Shared Payment Token (SPT) flow. Verify incoming SPTs, inspect merchant ACKs, and compose request envelopes in your own merchant backend or orchestrator.
Source of Truth: this directory in the Semore monorepo until repo split. The production verification path lives in the internal Semore API; this package exposes the stable, framework-agnostic contract for third-party merchants and agent orchestrators.
```sh
npm install @semore/acp-adapter
# or
pnpm add @semore/acp-adapter
```

`hono` is an optional peer dependency — only required if you mount the provided route factory.
```ts
import { verifyAcpToken, type ACPToken } from "@semore/acp-adapter";

const result = await verifyAcpToken(token, {
  issuers: ["https://openai.com/acp"],
  publicKeys: myJwks,
  audience: "did:web:merchant.example",
  clockSkewSec: 30,
  maxAgeSec: 300, // reject any SPT whose `iat` is older than 5 minutes (replay defense)
});

if (!result.ok) {
  console.error("reject:", result.reason);
  return;
}
// result.token is a typed ACPToken
```

- `verifyAcpToken(token, opts)` — header + signature + expiry + issuer validation.
- `opts.maxAgeSec` — opt-in replay defense. Requires the token to carry `iat` and rejects with `reason: "replayed"` when `(now - iat) > maxAgeSec + clockSkewSec`. Pair with an idempotency cache keyed on `token.id` for full replay protection.
- `ACPToken` / `MerchantAck` / `VerifyResult` — transport schema types (subset of the wire format).
- `buildMerchantAck(...)` — helper to emit a protocol-compliant ACK.
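The pairing suggested for `opts.maxAgeSec`, as an added example that is not part of this package: an in-memory idempotency cache keyed on the token id, applied after `verifyAcpToken` succeeds. The `ReplayGuard` class and the minimal `{ id, iat }` token shape (with `iat` in epoch seconds) are assumptions for illustration.

```typescript
// Added example: replay guard to run after verifyAcpToken() returns ok.
// Assumed token shape: `id` (unique per SPT) and `iat` in epoch seconds.
type SeenToken = { id: string; iat: number };
type ReplayVerdict = { ok: true } | { ok: false; reason: "replayed" };

class ReplayGuard {
  // token id -> last epoch second at which the age check still accepts it
  private seen = new Map<string, number>();
  private window: number;

  constructor(maxAgeSec: number, clockSkewSec: number) {
    this.window = maxAgeSec + clockSkewSec;
  }

  check(token: SeenToken, nowSec: number): ReplayVerdict {
    // Same rule as opts.maxAgeSec: a token that is too old counts as replayed.
    if (nowSec - token.iat > this.window) return { ok: false, reason: "replayed" };

    // Drop ids whose tokens can no longer pass the age check, so the cache
    // stays bounded by the traffic of one acceptance window.
    for (const [id, deadline] of this.seen) {
      if (deadline < nowSec) this.seen.delete(id);
    }

    // A second presentation of the same id inside the window is a replay.
    if (this.seen.has(token.id)) return { ok: false, reason: "replayed" };

    this.seen.set(token.id, token.iat + this.window);
    return { ok: true };
  }

  size(): number {
    return this.seen.size;
  }
}

// Constructed sample run (ids and timestamps are made up).
function demo(): string[] {
  const guard = new ReplayGuard(300, 30);
  const t0 = 1_700_000_000;
  const spt = { id: "spt_constructed_001", iat: t0 };
  return [
    guard.check(spt, t0 + 5), // first use
    guard.check(spt, t0 + 60), // same id again, still inside the window
    guard.check({ id: "spt_constructed_002", iat: t0 }, t0 + 331), // stale
  ].map((v) => (v.ok ? "accept" : v.reason));
}
```

The `Map` here is per-process. With more than one merchant instance, the same check needs a shared store with an atomic set-if-absent operation, otherwise two instances can each accept the same token once.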
Not covered by this package:

- Private key material or secret management (use Cloudflare Workers Secrets or a KMS).
- Card PAN handling. ACP SPTs are PAN-free by design — if you are holding PAN, you are off-protocol.
- Production Semore ACP orchestration (routing, fraud scoring, settlement). That lives behind `api.semore.net` and is not open-source.

References and contact:

- ACP spec: https://agenticcommerce.dev
- Semore DID: `did:web:semore.net`
- Contact: `semore.hq@gmail.com` · GitHub @semore_hq

Apache-2.0 — see LICENSE.
Copyright (c) Semore Founding Team.