SAM Protocol
draft-sam-protocol-v2.2

The signed envelope for agent-ready merchants.

Publish one signed file. Reference everything else. SAM composes UCP, AP2, MCP, ACP, and A2A into a single, verifiable, time-bounded entry point for AI agents.


What SAM is — and is not

SAM is not another commerce protocol. The agentic commerce stack of 2026 already has plenty: UCP for capabilities, AP2 for user authorization, MCP for tools, ACP for catalogs, A2A for agent-to-agent. What it lacks is a single, signed, time-bounded entry point that tells an agent which of those a given merchant publishes — and within which bounds autonomous action is permitted.

SAM is that entry point. A merchant publishes one signed sam.json at /.well-known/. Agents read it, verify an ed25519 signature over the entire envelope including its references (RFC 9421), and act only within the merchant-issued policy mandate declared inside.

SAM does not replace UCP, AP2, MCP, ACP, or A2A. SAM is the signed envelope that makes any combination of them verifiable in one place.

How SAM composes with the rest

| Layer | Standard | Question it resolves |
|---|---|---|
| Signed entry | SAM | Who is this merchant, what do they publish, is it current, is it genuine, within which bounds may I act? |
| Capabilities | UCP | What can be browsed, quoted, ordered? |
| User authorization | AP2 (FIDO) | Did the user authorize this purchase? |
| Tool invocation | MCP | How does the agent call a specific function? |
| Catalog feed | ACP | What is in stock, at what price? |
| Agent-to-agent | A2A | How do two agents collaborate? |

A merchant already on UCP adopts SAM in ten lines: a sam:composes.ucp entry, a signature, a freshness window. No rewrite. No duplication. No fork. The merchant's existing agent surface becomes verifiable from one place.

How it works

Minimal example — composing envelope

{
  "sam:version": "2.2",
  "sam:identity": { "domain": "example.com", "legalName": "Example Inc." },
  "sam:signature": { "alg": "ed25519",
                     "validUntil": "2026-08-13T00:00:00Z",
                     "value": "base64(...)" },
  "sam:composes": {
    "ucp": { "href": "/.well-known/ucp", "version": "1.0" },
    "ap2": { "supported": true, "endpoint": "/ap2/checkout",
             "mandateTypes": ["cart","payment","intent"] },
    "mcp": { "href": "/.well-known/mcp", "version": "2025-11-25" }
  },
  "sam:mandate": {
    "grammarVersion": "0.1",
    "autoExecute": true,
    "maxAmount": { "value": 200, "currency": "EUR",
                   "inclusiveOfTaxes": true,
                   "inclusiveOfShipping": true },
    "validityWindow": { "notBefore": "2026-05-13T00:00:00Z",
                        "notAfter":  "2026-08-13T00:00:00Z" },
    "agentClass": "any"
  },
  "sam:agentAuth": { "profile": "rfc9421", "algorithm": "ed25519" },
  "sam:human": { "channels": [
    { "type": "email", "value": "agents@example.com" }
  ]}
}

Conformance levels

| Level | Content | Claim |
|---|---|---|
| L0 | version + capabilities or composes + human | merchant-ready |
| L1 | L0 + identity + signature | agent-ready |
| L2 | L1 + mandate + agentAuth | bounded autonomy |

Each level is useful on its own. Conformant agents must not perform autonomous economic action against a merchant below L2.
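
An agent-side gate for the rule above, as an added example that is not part of the SAM draft or the project's code: it classifies an envelope by conformance level and fails closed unless the envelope is at L2, fresh, and the purchase fits the mandate. Assumptions: the key name "sam:capabilities", the half-open reading of validityWindow, and the meaning of validUntil and maxAmount are inferred from the minimal example; the ed25519 signature is assumed to be verified by the caller, since this page does not define the signed byte form.

```python
from datetime import datetime, timezone

# Constructed sample, trimmed from the page's minimal envelope.
SAMPLE = {
    "sam:version": "2.2",
    "sam:identity": {"domain": "example.com"},
    "sam:signature": {"alg": "ed25519", "validUntil": "2026-08-13T00:00:00Z"},
    "sam:composes": {"ucp": {"href": "/.well-known/ucp", "version": "1.0"}},
    "sam:mandate": {"autoExecute": True, "maxAmount": {"value": 200, "currency": "EUR"},
        "validityWindow": {"notBefore": "2026-05-13T00:00:00Z", "notAfter": "2026-08-13T00:00:00Z"}},
    "sam:agentAuth": {"profile": "rfc9421", "algorithm": "ed25519"},
    "sam:human": {"channels": [{"type": "email", "value": "agents@example.com"}]},
}

def _ts(value):
    # Timestamps on the page are UTC with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def conformance_level(doc):
    """Return 0, 1 or 2 per the conformance table, or -1 when L0 is not met."""
    # "sam:capabilities" is an assumed key name; the page shows only "sam:composes".
    surface = "sam:capabilities" in doc or "sam:composes" in doc
    if not (surface and "sam:version" in doc and "sam:human" in doc):
        return -1
    if not ("sam:identity" in doc and "sam:signature" in doc):
        return 0
    if not ("sam:mandate" in doc and "sam:agentAuth" in doc):
        return 1
    return 2

def may_auto_execute(doc, amount, currency, now):
    """Fail-closed gate; signature verification is assumed done by the caller."""
    if conformance_level(doc) < 2:
        return False, "below L2"
    try:
        mandate = doc["sam:mandate"]
        window = mandate["validityWindow"]
        cap = mandate["maxAmount"]
        if now >= _ts(doc["sam:signature"]["validUntil"]):
            return False, "signature expired"
        if not _ts(window["notBefore"]) <= now < _ts(window["notAfter"]):
            return False, "outside mandate window"
        if mandate.get("autoExecute") is not True:
            return False, "autoExecute not granted"
        if currency != cap["currency"] or not 0 < amount <= cap["value"]:
            return False, "amount outside mandate"
    except (KeyError, TypeError, ValueError):
        return False, "malformed envelope"
    return True, "ok"
```

Pass `amount` as the total the agent is about to commit and `now` as a timezone-aware UTC datetime; any missing or unparsable field is treated as a refusal.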

Status

Draft specification v2.2 (May 2026). Submitted for consideration at the W3C Agent Identity Registry Protocol Community Group. Contributions welcome on GitHub.