For Merchants

Govern the AI agents that buy from you.

AI shopping and payment agents are already calling your APIs: initiating purchases, querying inventory, and executing checkouts on consumers' behalf. BladeRun verifies the agent at the merchant perimeter, separates legitimate AP2 and MPP traffic from synthetic abuse, and produces per-agent forensic evidence for every transaction.

The shift on the merchant side

Your highest-value buyers no longer have a heartbeat.

Traditional fraud signals — device fingerprints, mouse paths, dwell time, friction tolerance — assume a human at the keyboard. AI agents bypass all of them by design. The first wave of agentic commerce traffic is already in your logs.

GAP 01

No agent identity

You cannot distinguish a registered Operator agent shopping for a real customer from a scripted abuse agent spoofing the same User-Agent header. Your fraud stack treats both as bot traffic and rejects what should be your highest-conversion channel.

GAP 02

No protocol verification

AP2 and MPP credentials carry signed mandate scope, spend caps, and merchant whitelisting — but only if you actually verify them. Most merchant gateways accept the call and forward it to the issuer untouched.

GAP 03

No per-agent forensics

When a chargeback lands, you have the transaction record but not the agent context: which prompt drove the purchase, which tools the agent invoked, which mandate authorized it. Issuer disputes will tilt against the merchant by default.

01 / Verify

Agent identity at both merchant boundaries.

Inbound agents are verified at two places: the page (via BladeRun.js, the script tag on your customer-facing pages) and the API (via the BladeRun Gateway in front of your fraud engine). Registered agents arrive with provenance. Unregistered agents are scored by behavior. Both vectors share the same session ID so your fraud engine sees one trace.

  • BladeRun.js on the page. Browser-side detection and attestation when the agent first lands on checkout, cart, search, or product pages.
  • Gateway on the API. AP2, MPP, x509, OIDC, DPoP — verified on every request before it reaches your fraud engine.
  • Cross-merchant registry. Persistent agent identifiers from major platforms — match across sessions and merchants.
  • Behavioral attestation. When no protocol credential exists, score on tool-call shape against a per-agent-type baseline.
Live · Inbound agent traffic
operator-mcp/2.1 · AP2 · cap $400 · scope=merchant.42 · ALLOW
shopping-agent-v3 · MPP · cap $1.2k · scope=any · ALLOW
headless-chrome/127 · no creds · ua-spoof flag · REVIEW
unknown-bot/0.0.1 · no creds · cred-stuff pattern · BLOCK

02 / Inspect

Inspect every agent action — not just the checkout call.

The Gateway sits in front of your inventory, pricing, search, and checkout APIs. Every tool call from an agent — whether registered or not — is captured, scored, and evidenced. You see what the agent did before, during, and after the purchase.

  • Inventory probe detection. Catch scrape patterns disguised as shopping behavior.
  • Pricing-arbitrage signals. Detect agents probing for stale promo codes or pricing race conditions.
  • Mandate-scope enforcement. Block calls outside the authorized AP2/MPP scope before they hit your checkout.
Agent session · operator-mcp/2.1
POST /search?q=red+sneakers
GET /products/sku/4421
GET /products/sku/4421/variants
POST /cart/add (sku=4421, qty=1)
POST /checkout (mandate=ap2:0xb7f...)
5 tool calls · 2.4s · within scope · evidence_id=evt_8a91
03 / Prove

Per-agent forensic evidence for every chargeback.

When an issuer disputes an agent-initiated transaction, you have the entire context in one record: agent identity, signed mandate, tool-call sequence, prompt provenance (where supported), and the cryptographic signature of the authorizing principal. Sovereign storage in your environment, your keys, your retention policy.

  • Time Machine for merchants. Immutable per-session log keyed by transaction ID and agent ID.
  • Sovereign storage. Your S3 bucket, your KMS keys, your retention contract.
  • Issuer-ready export. One-click chargeback packet with cryptographic proofs.
Chargeback evidence packet · txn_8a91
agent_id: operator-mcp/2.1
mandate: ap2:0xb7f...c3a (verified)
scope: merchant.42 / cap=$400
principal: issuer-attested
tool_calls: 5 (within scope)
signed_at: 2026-04-18T14:22:01Z
storage: s3://merchant-42/bladerun/
✓ verifiable end-to-end
What we stop at the merchant perimeter

Agent-driven threats your fraud stack was not designed for.

Traditional fraud signals (device fingerprint, dwell time, friction tolerance) assume a human. Agentic commerce breaks that assumption. BladeRun handles the new threat shapes specifically.

| Threat | How it presents | BladeRun response | Outcome |
| Mandate spoofing | Forged or replayed AP2 / MPP credentials presented at checkout to bypass spend caps. | Cryptographic verification of mandate signature, scope, expiry, and issuer attestation in line. | BLOCKED |
| Synthetic agent fraud | Scripted bots impersonating registered shopping agents to exploit agent-traffic conversion paths. | Behavioral baseline per agent type: tool-call shape, timing, sequence, and origin attestation. | BLOCKED |
| Inventory scraping at scale | Agents probing every SKU and variant for downstream price arbitrage or counterfeit listing. | Fleet Correlator detects coordinated probe patterns across IPs and agent identifiers. | BLOCKED |
| Promo-code race conditions | Agents detecting and exploiting brief windows of stale promo codes via parallel automated checkout. | Per-agent rate limiting, mandate-scope enforcement, and anomaly score on first-use velocity. | BLOCKED |
| Account takeover via agent | Stolen credentials replayed through a legitimate-looking shopping agent to launder fraud as agent traffic. | Cross-session behavioral correlation; principal attestation mismatch flagged before checkout. | BLOCKED |
| Refund / chargeback abuse | Coordinated chargebacks on agent-initiated purchases exploiting weak merchant evidence. | Time Machine produces issuer-ready chargeback packet with cryptographic mandate proofs. | DEFENDED |

Who deploys BladeRun

Built for the merchant categories AI agents target first.

DIRECT-TO-CONSUMER

E-commerce platforms

Apparel, electronics, marketplace sellers. High SKU velocity, agent-driven price comparison, and the first targets of automated promo abuse and inventory scraping.

REGULATED COMMERCE

Travel and ticketing

Airlines, hotels, event platforms. Agent traffic is already 5–15% of search volume. Inventory races and held-cart abuse are the highest-value protection target.

ACQUIRER · GATEWAY

Payment platforms

Acquirers and gateways routing agent-initiated transactions for thousands of merchants. Network-level signal across the agent ecosystem.

SUBSCRIPTION SAAS

SaaS and digital goods

Agent-driven trial abuse, multi-account fraud, and self-service plan stacking. Agent identity at signup separates legitimate procurement agents from automated abuse.

FINANCIAL · ISSUER

Card issuers and BNPL

Issuer-side governance for agent-initiated card-not-present transactions. Mandate verification at the authorization layer; per-agent behavioral baselines.

B2B PROCUREMENT

B2B procurement marketplaces

Procurement agents acting on behalf of corporate buyers under spend mandates. AP2 verification, scope enforcement, and audit trails for finance team approval.

Get started

Pilot on a single endpoint. See agent traffic separated within 48 hours.

No platform migration, no checkout rebuild. Point one endpoint at the BladeRun Gateway and we will show you which agent traffic is registered, which is synthetic, and which would have been blocked.

STEP 01

Traffic assessment — 1 hour, no code

You share a sample of recent checkout and product-API logs. We classify the agent traffic against AP2 / MPP credentials, known agent identifiers, and behavioral baselines. You see the breakdown.

STEP 02

Single-endpoint pilot

One endpoint of your choice — typically search, cart, or checkout — points to the BladeRun Gateway. Inspection runs in shadow mode for the first week. Zero customer impact.

STEP 03

Enforcement turn-on

You move the pilot endpoint from shadow to enforcement on your timeline. Behavioral thresholds tuned to your traffic. Reversible by routing rule.

STEP 04

Federation enrollment

Optional. Contribute one-way signal hashes to the merchant Federation Network. Receive cross-merchant agent reputation, fraud-pattern rules, and synthetic-agent signatures within minutes of first detection anywhere on the network.

Common questions

What merchant security and payments teams ask.

No. BladeRun runs in front of your existing fraud engine and enriches every request with verified agent identity, mandate scope, and behavioral attestation. Your fraud rules can then make better decisions on agent traffic specifically — without touching the human-traffic logic that already works.
AP2 (Mastercard / Visa Agent Payments), MPP (Cloudflare's Merchant Payment Protocol), x509 client certificates, OIDC with DPoP, and signed-attestation patterns from the major shopping-agent platforms. New protocols are added on a published cadence — verification logic is delivered via the Federation Network.
Under 15ms for the verification step, under 5ms for the inspection. The Gateway is colocated with your origin and runs in your VPC for SaaS deployments. On-premises deployments meet single-digit-millisecond budgets.
Every agent-initiated transaction is written to Time Machine with the full session context: agent identity, signed mandate, tool-call sequence, principal attestation, and cryptographic timestamps. When a chargeback lands, you export a single packet that issuers can verify end-to-end. Stored in your S3 bucket, under your KMS keys.
No. That is the entire point. Most merchants today block agent traffic or add heavy friction to it because they cannot tell good from bad. BladeRun separates them. Registered agents under valid mandates get a clean conversion path. Synthetic abuse gets blocked. You stop leaving high-intent purchase traffic on the table.
Yes. The privacy and competitive constraints differ between bank-bank and merchant-merchant signal sharing. Both networks are operated under the same architecture (one-way hashes, k-anonymity, double-blind membership) but the rule channels are isolated. Issuer-side participants can subscribe to both.
Start with a single endpoint

Agentic commerce is here. Govern it before it costs you.

A 1-hour traffic assessment. No code, no integration. We classify the agent traffic in your existing logs and show you what BladeRun would do.
