request_spt

Request a Shared Payment Token (SPT) for purchasing from an ACP-compatible merchant. SPTs are scoped, time-limited tokens minted from a user's saved card that can be used at any merchant supporting Stripe's Agentic Commerce Protocol (ACP). The token is issued instantly if the user's agent rules a...

Server Tru tru-mcp
Category Financial
Risk class Critical
Parameters 82 required

What request_spt does on Tru

AI agents use request_spt to commit financial operations through Tru — usually the final step of a payment, billing, or trading workflow. A call moves real money.

ParameterTypeRequiredDescription
email string Yes Email address of the tru user who will be charged
action string The action being performed (e.g. 'purchase products'). Used to evaluate action permission rules.
app_id string The tru app ID to charge as (required when using shared API key)
currency string Currency code (default: 'usd')
description string What this purchase is for (shown to the user)
amount_cents integer Yes Amount in cents (e.g. 4999 for $49.99)
source_label string Label identifying the source of this personal charge (e.g. 'Claude Code — David's MacBook Pro'). Required for personal charges without an app_id.
target_merchant string ACP merchant domain or identifier (e.g. 'etsy.com', 'shop.app')

Parameters from the server's own tool schema.

Why request_spt needs a policy

This tool directly initiates a payment flow by minting tokens from a user's saved payment card to enable purchases at merchants. Even though the token is time-limited and may require approval for large amounts, it represents a direct financial commitment mechanism. Misuse could result in unauthorized purchases from a user's saved card, making this a critical financial risk.

From the tool's definition Request a Shared Payment Token (SPT) for purchasing from an ACP-compatible merchant... minted from a user's saved card... used at any merchant supporting Stripe's Agentic Commerce Protocol (ACP)

Questions about request_spt

What does the request_spt tool do? +

Request a Shared Payment Token (SPT) for purchasing from an ACP-compatible merchant. SPTs are scoped, time-limited tokens minted from a user's saved card that can be used at any merchant supporting Stripe's Agentic Commerce Protocol (ACP). The token is issued instantly if the user's agent rules allow it. If the amount exceeds the user's spending limits, the request is escalated for manual approval in the user's tru dashboard. The token auto-expires after 30 minutes. It is categorised as a Financial tool in the Tru MCP Server, which means it involves financial transactions. Block by default and require explicit approval.

What parameters does request_spt accept? +

request_spt accepts 8 parameters: email, action, app_id, currency, description, amount_cents, source_label, target_merchant. Required: email, amount_cents. The full parameter table on this page comes from the server's own tool schema.

How do I enforce a policy on request_spt? +

Register the Tru MCP server in PolicyLayer and add a rule for request_spt: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Tru. Nothing to install.

What risk level is request_spt? +

request_spt is a Financial tool with critical risk. Critical-risk tools should be blocked by default and only enabled with explicit human approval.

Can I rate-limit request_spt? +

Yes. Add a rate_limit block to the request_spt rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.

How do I block request_spt completely? +

Set action: deny in the PolicyLayer policy for request_spt. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.

What MCP server provides request_spt? +

request_spt is provided by the Tru MCP server (tru-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.

// LOOK UP ANOTHER SERVER

Every MCP server has a record like this.

Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.

Teams ship this data inside their own products. See what a licence covers →

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.