The Trust and Mandate Layer for Agentic Commerce
Merchant-ready. Agent-ready. Bounded autonomy.
AI agents can already search, compare, configure, and buy. What they cannot yet do reliably is discover a merchant in a standardized way, verify its identity, understand the limits of autonomous execution, and fall back gracefully to a human when autonomy is not enough.
SAM is a free, open standard defined by a single sam.json file published at the merchant's well-known location. It does not compete with MCP, OpenAI Actions, A2A, or REST. It feeds them.
The web was designed for humans assisted by browsers. Agents operate differently. They must select an execution surface, interpret rules, arbitrate between offers, and sometimes commit to acts with real economic consequences. Without a shared standard, every merchant becomes a special case, and every agent must re-learn the same trust assumptions from scratch.
Every SAM-conformant merchant publishes https://<domain>/.well-known/sam.json. One URL. No registry. No gatekeeper.
The manifest is signed with ed25519. Agent requests are signed per RFC 9421 (HTTP Message Signatures). Web PKI (TLS) is the floor; application-level signatures are the roof.
A closed grammar of eight primitives, AND-only, evaluated locally by the agent with no network call. Simple, auditable, portable.
Every manifest declares at least one structured human-escalation channel. When the mandate forbids, when auth fails, when the manifest is stale — the agent escalates.
No autonomy without proof.
No proof without signature.
No execution without bounds.
No bounds without local enforcement.
No signature is valid forever — only within its declared freshness window.
HTTP Message Signatures (RFC 9421) with ed25519. One profile. One algorithm. One covered-components set. Exceptions are documented profiles, not alternatives.
Closes doors that other standards leave open.
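As an added illustration (not code from the SAM project), the request-signing side in Go using only the standard library: the agent signs a checkout request per RFC 9421 with ed25519 and the merchant verifies it, refusing any other algorithm or component list instead of negotiating. The covered-components set, the sig1 label, the keyid value and the five-minute created window are assumptions of this example: the page fixes the algorithm and says there is one covered-components set but does not list it, and replay protection is still an open issue in the draft.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// The profile's single covered-components set. The page says there is exactly
// one but does not list it, so this choice is an assumption of the example.
var covered = []string{"@method", "@authority", "@path", "content-digest"}

func coveredList() string { return `("` + strings.Join(covered, `" "`) + `")` }

// Request holds the parts of an HTTP request the signature base draws on.
type Request struct {
	Method, Authority, Path string
	Body                    []byte
	Headers                 map[string]string // lower-case field names
}

// contentDigest renders an RFC 9530 Content-Digest value over the body.
func contentDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha-256=:" + base64.StdEncoding.EncodeToString(sum[:]) + ":"
}

// signatureBase builds the RFC 9421 signature base: one `"name": value` line per
// covered component, then the "@signature-params" line, LF-separated.
func signatureBase(r Request, params string) []byte {
	derived := map[string]string{"@method": r.Method, "@authority": r.Authority, "@path": r.Path}
	var b strings.Builder
	for _, c := range covered {
		v, ok := derived[c]
		if !ok {
			v = r.Headers[c]
		}
		fmt.Fprintf(&b, "%q: %s\n", c, v)
	}
	fmt.Fprintf(&b, "%q: %s", "@signature-params", params)
	return []byte(b.String())
}

// SignRequest adds Content-Digest, Signature-Input and Signature (label sig1).
func SignRequest(r *Request, priv ed25519.PrivateKey, keyID string, now time.Time) {
	if r.Headers == nil {
		r.Headers = map[string]string{}
	}
	r.Headers["content-digest"] = contentDigest(r.Body)
	params := fmt.Sprintf(`%s;created=%d;keyid="%s";alg="ed25519"`, coveredList(), now.Unix(), keyID)
	sig := ed25519.Sign(priv, signatureBase(*r, params))
	r.Headers["signature-input"] = "sig1=" + params
	r.Headers["signature"] = "sig1=:" + base64.StdEncoding.EncodeToString(sig) + ":"
}

// param extracts one ;name=value parameter from Signature-Input, unquoted.
func param(params, name string) string {
	for _, p := range strings.Split(params, ";")[1:] {
		if strings.HasPrefix(p, name+"=") {
			return strings.Trim(p[len(name)+1:], `"`)
		}
	}
	return ""
}

// VerifyRequest rebuilds the base from what was received and checks it. Another
// alg or component list is rejected, not negotiated. The created-age window is an
// assumption standing in for the draft's open replay-protection issue.
func VerifyRequest(r Request, pub ed25519.PublicKey, now time.Time, maxAge time.Duration) error {
	if r.Headers["content-digest"] != contentDigest(r.Body) {
		return errors.New("content-digest does not match body")
	}
	params := strings.TrimPrefix(r.Headers["signature-input"], "sig1=")
	if !strings.HasPrefix(params, coveredList()+";") || param(params, "alg") != "ed25519" {
		return errors.New("signature-input does not match the SAM profile")
	}
	var created int64
	if _, err := fmt.Sscanf(param(params, "created"), "%d", &created); err != nil {
		return errors.New("created parameter missing or malformed")
	}
	if age := now.Sub(time.Unix(created, 0)); age > maxAge || age < -maxAge {
		return errors.New("signature created outside the accepted window")
	}
	enc := strings.TrimSuffix(strings.TrimPrefix(r.Headers["signature"], "sig1=:"), ":")
	sig, err := base64.StdEncoding.DecodeString(enc)
	if err != nil || !ed25519.Verify(pub, signatureBase(r, params), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	req := Request{Method: "POST", Authority: "shop.example.com", Path: "/checkout", Body: []byte(`{"sku":"A-1","qty":1}`)}
	SignRequest(&req, priv, "agent-key-1", time.Now())
	fmt.Println(req.Headers["signature-input"], "\nverify:", VerifyRequest(req, pub, time.Now(), 5*time.Minute))
}
```

The verifier checks Content-Digest against the body before it trusts anything the signature covers, so a swapped body fails even though the digest header itself is signed; changing the path, the key or the clock by more than the window fails the same way.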
Eight primitives: autoExecute, maxAmount, maxPriceDrift, allowedCategories, deniedCategories, allowedRegions, validityWindow, agentClass. AND-only. No OR. No conditional. No free fields.
Versioned as a whole. Unknown version = refuse to act.
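An added example, not the project's own code, of evaluating the eight-primitive grammar locally in Go against the mandate from the sample manifest on this page. It assumes that an undeclared primitive constrains nothing, that agentClass is a list of permitted classes, and that an order carries an all-in total plus the quote it was built from; none of that is fixed by the page. Amount normalization is an open issue, so a currency mismatch is refused rather than converted, and an unknown grammarVersion is refused before any primitive is read.

```go
package main

import (
	"fmt"
	"time"
)

// Grammar versions this agent can interpret. Unknown version = refuse to act.
var knownGrammars = map[string]bool{"0.1": true}

// Mandate carries the eight primitives. A nil pointer or nil slice means the
// merchant did not declare that primitive; reading that as "no constraint", and
// modelling agentClass as a list of permitted classes, are assumptions here.
type Mandate struct {
	GrammarVersion    string
	AutoExecute       bool
	MaxAmount         *Amount
	MaxPriceDrift     *Drift // percent above the quote the agent holds
	AllowedCategories []string
	DeniedCategories  []string
	AllowedRegions    []string
	ValidityWindow    *Window
	AgentClass        []string
}

type Amount struct {
	Value    float64
	Currency string
}
type Drift struct{ Percent float64 }
type Window struct{ NotBefore, NotAfter time.Time }

// Order is the act about to be committed. Total is all-in (the sample manifest
// declares maxAmount inclusive of taxes and shipping); Quoted is the earlier quote.
type Order struct {
	Total, Quoted                float64
	Currency                     string
	Category, Region, AgentClass string
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Evaluate applies the grammar as a pure AND over the order, locally, with no
// network call. execute is false when any declared primitive fails; every
// failing primitive is listed so the escalation tells the human what blocked it.
func Evaluate(m Mandate, o Order, now time.Time) (execute bool, reasons []string) {
	if !knownGrammars[m.GrammarVersion] {
		return false, []string{"unknown grammarVersion " + m.GrammarVersion}
	}
	fail := func(format string, a ...any) { reasons = append(reasons, fmt.Sprintf(format, a...)) }
	if !m.AutoExecute {
		fail("autoExecute is false")
	}
	// Amount normalization is an open issue: a currency mismatch is refused, never converted.
	if a := m.MaxAmount; a != nil && (o.Currency != a.Currency || o.Total > a.Value) {
		fail("total %.2f %s is not within maxAmount %.2f %s", o.Total, o.Currency, a.Value, a.Currency)
	}
	if d := m.MaxPriceDrift; d != nil { // a missing quote is not "no drift"
		if drift := (o.Total - o.Quoted) / o.Quoted * 100; o.Quoted <= 0 || drift > d.Percent {
			fail("price drifted %.2f%% above quote, limit %.2f%%", drift, d.Percent)
		}
	}
	if m.AllowedCategories != nil && !contains(m.AllowedCategories, o.Category) {
		fail("category %q not in allowedCategories", o.Category)
	}
	if contains(m.DeniedCategories, o.Category) {
		fail("category %q is in deniedCategories", o.Category)
	}
	if m.AllowedRegions != nil && !contains(m.AllowedRegions, o.Region) {
		fail("region %q not in allowedRegions", o.Region)
	}
	if w := m.ValidityWindow; w != nil && (now.Before(w.NotBefore) || !now.Before(w.NotAfter)) {
		fail("%s is outside validityWindow", now.Format(time.RFC3339))
	}
	if m.AgentClass != nil && !contains(m.AgentClass, o.AgentClass) {
		fail("agentClass %q not permitted", o.AgentClass)
	}
	return len(reasons) == 0, reasons
}

// SampleMandate is the mandate from the manifest shown on this page.
func SampleMandate() Mandate {
	return Mandate{GrammarVersion: "0.1", AutoExecute: true,
		MaxAmount: &Amount{Value: 500, Currency: "EUR"}, MaxPriceDrift: &Drift{Percent: 2},
		AllowedRegions: []string{"FR", "BE", "LU"},
		ValidityWindow: &Window{NotBefore: time.Date(2026, 4, 7, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2026, 5, 7, 0, 0, 0, 0, time.UTC)}}
}

func main() {
	now := time.Date(2026, 4, 10, 12, 0, 0, 0, time.UTC) // constructed clock
	o := Order{Total: 484.90, Quoted: 479.90, Currency: "EUR", Category: "audio", Region: "FR"}
	fmt.Println(Evaluate(SampleMandate(), o, now))
}
```

Because the grammar is AND-only, the evaluator never needs to short-circuit: it can collect every failing primitive and hand the full list to the human channel, which is more useful to the person receiving the escalation than the first failure alone.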
Every signed manifest carries a validUntil. Agents MUST revalidate after TTL expiry. Revocation signals outrank cached validity.
SAM never fails open.
The design, the trade-offs, the strategic positioning. 14 sections + appendix.
MUST / SHOULD / MAY. Eight sections. The minimum an implementer needs to be SAM-conformant.
Just enough code to start a pilot in an afternoon. Python snippets for signing, verifying, and evaluating.
Publish this file (signed) at https://your-domain/.well-known/sam.json and you are Level 2 SAM-conformant. An agent can now discover you, verify you, and act within your declared mandate.
{
  "sam:version": "1.0",
  "sam:identity": {
    "domain": "shop.example.com",
    "legalName": "Example Retail SAS",
    "jurisdiction": "FR"
  },
  "sam:mandate": {
    "grammarVersion": "0.1",
    "autoExecute": true,
    "maxAmount": {
      "value": 500,
      "currency": "EUR",
      "inclusiveOfTaxes": true,
      "inclusiveOfShipping": true
    },
    "maxPriceDrift": { "percent": 2, "reference": "quote" },
    "allowedRegions": ["FR", "BE", "LU"],
    "validityWindow": {
      "notBefore": "2026-04-07T00:00:00Z",
      "notAfter": "2026-05-07T00:00:00Z"
    }
  },
  "sam:agentAuth": {
    "profile": "rfc9421",
    "algorithm": "ed25519"
  },
  "sam:human": {
    "channels": [
      { "type": "email", "value": "agents@shop.example.com" }
    ]
  },
  "sam:signature": {
    "algorithm": "ed25519",
    "validUntil": "2026-04-14T00:00:00Z",
    "value": "base64(...)"
  }
}
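An added example (not the project's code) of the agent-side gate over the manifest above, in Go with the standard library, covering the freshness rule as well: the merchant signs the manifest, the agent refuses an unknown sam:version, verifies the ed25519 signature, lets a revocation signal override a validUntil that is still in the future, and treats a passed validUntil as stale rather than usable. Canonicalization is an open issue in the draft, so the signed bytes here (compact JSON, sorted keys, sam:signature.value removed) are an assumption; so are the out-of-band delivery of the merchant's public key and the boolean revocation signal.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest versions this agent can read. Unknown version = refuse to act.
var knownVersions = map[string]bool{"1.0": true}

// canonical returns the bytes under signature: the document minus
// sam:signature.value (deleted in place, so read it first), serialised compactly
// with sorted keys. Canonicalization is an open issue, so this rule is an assumption.
// algorithm and validUntil stay inside the signed bytes, so nobody relaying the
// manifest can extend its life or swap its algorithm.
func canonical(m map[string]any) ([]byte, error) {
	if sig, ok := m["sam:signature"].(map[string]any); ok {
		delete(sig, "value")
	}
	return json.Marshal(m)
}

// SignManifest fills sam:signature.value and returns the document to publish
// at /.well-known/sam.json.
func SignManifest(m map[string]any, priv ed25519.PrivateKey) ([]byte, error) {
	sig, ok := m["sam:signature"].(map[string]any)
	base, err := canonical(m)
	if !ok || err != nil {
		return nil, errors.New("sam:signature block missing or manifest not serialisable")
	}
	sig["value"] = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, base))
	return json.MarshalIndent(m, "", "  ")
}

// VerifyManifest is the agent-side gate; it never returns a manifest it could not
// fully validate. pub is the merchant key obtained out of band (key distribution is
// not on this page); revoked is the caller's revocation signal and outranks validUntil.
func VerifyManifest(doc []byte, pub ed25519.PublicKey, now time.Time, revoked bool) (map[string]any, error) {
	var m map[string]any
	if err := json.Unmarshal(doc, &m); err != nil {
		return nil, fmt.Errorf("unparseable manifest: %w", err)
	}
	if v, _ := m["sam:version"].(string); !knownVersions[v] {
		return nil, fmt.Errorf("unknown sam:version %q: refusing to act", v)
	}
	sig, _ := m["sam:signature"].(map[string]any)
	if sig["algorithm"] != "ed25519" {
		return nil, errors.New("signature algorithm is not ed25519")
	}
	raw, err := base64.StdEncoding.DecodeString(fmt.Sprint(sig["value"]))
	base, cerr := canonical(m)
	if err != nil || cerr != nil || !ed25519.Verify(pub, base, raw) {
		return nil, errors.New("manifest signature invalid")
	}
	if revoked {
		return nil, errors.New("signing key revoked: cached validity discarded")
	}
	until, err := time.Parse(time.RFC3339, fmt.Sprint(sig["validUntil"]))
	if err != nil || !now.Before(until) {
		return nil, errors.New("validUntil missing, malformed or passed: revalidate before acting")
	}
	return m, nil
}

// SampleManifest is the manifest shown on this page, before signing.
func SampleManifest() map[string]any {
	return map[string]any{
		"sam:version":  "1.0",
		"sam:identity": map[string]any{"domain": "shop.example.com", "legalName": "Example Retail SAS", "jurisdiction": "FR"},
		"sam:mandate": map[string]any{
			"grammarVersion": "0.1", "autoExecute": true,
			"maxAmount":      map[string]any{"value": 500, "currency": "EUR", "inclusiveOfTaxes": true, "inclusiveOfShipping": true},
			"maxPriceDrift":  map[string]any{"percent": 2, "reference": "quote"},
			"allowedRegions": []string{"FR", "BE", "LU"},
			"validityWindow": map[string]any{"notBefore": "2026-04-07T00:00:00Z", "notAfter": "2026-05-07T00:00:00Z"},
		},
		"sam:agentAuth": map[string]any{"profile": "rfc9421", "algorithm": "ed25519"},
		"sam:human":     map[string]any{"channels": []any{map[string]any{"type": "email", "value": "agents@shop.example.com"}}},
		"sam:signature": map[string]any{"algorithm": "ed25519", "validUntil": "2026-04-14T00:00:00Z"},
	}
}

// Publish signs the sample with a merchant key generated for the demo and returns
// the document plus the public key an agent would hold.
func Publish() ([]byte, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	doc, err := SignManifest(SampleManifest(), priv)
	return doc, pub, err
}

func main() {
	doc, pub, _ := Publish()
	_, fresh := VerifyManifest(doc, pub, time.Date(2026, 4, 10, 0, 0, 0, 0, time.UTC), false)
	_, stale := VerifyManifest(doc, pub, time.Date(2026, 4, 15, 0, 0, 0, 0, time.UTC), false)
	fmt.Println("on 2026-04-10:", fresh, "\non 2026-04-15:", stale)
}
```

Every exit before the final return is a refusal, and the revocation check sits after the signature check on purpose: a revocation signal is only meaningful for a document that was otherwise valid, and it wins even when validUntil has days left.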
SAM Protocol v1.0 (draft-sam-protocol-01) is a draft specification. The text is stable but not yet final. Implementers are encouraged to run pilots and provide feedback. The core decisions (RFC 9421 with ed25519, the eight-primitive mandate grammar, the constitutional freshness rule) are locked. The five known open issues (canonicalization, amount normalization, operator trust model, replay protection, user-context semantics) are tracked in section F of the Technical Appendix and will be closed before v1.0 is declared stable.