Request a Shared Payment Token (SPT) for purchasing from an ACP-compatible merchant. SPTs are scoped, time-limited tokens minted from a user's saved card that can be used at any merchant supporting Stripe's Agentic Commerce Protocol (ACP). The token is issued instantly if the user's agent rules a...
AI agents use request_spt to commit financial operations through Tru — usually the final step of a payment, billing, or trading workflow. A call moves real money.
| Parameter | Type | Required | Description |
|---|---|---|---|
email | string | Yes | Email address of the tru user who will be charged |
action | string | — | The action being performed (e.g. 'purchase products'). Used to evaluate action permission rules. |
app_id | string | — | The tru app ID to charge as (required when using shared API key) |
currency | string | — | Currency code (default: 'usd') |
description | string | — | What this purchase is for (shown to the user) |
amount_cents | integer | Yes | Amount in cents (e.g. 4999 for $49.99) |
source_label | string | — | Label identifying the source of this personal charge (e.g. 'Claude Code — David's MacBook Pro'). Required for personal charges without an app_id. |
target_merchant | string | — | ACP merchant domain or identifier (e.g. 'etsy.com', 'shop.app') |
Parameters from the server's own tool schema.
This tool directly initiates a payment flow by minting tokens from a user's saved payment card to enable purchases at merchants. Even though the token is time-limited and may require approval for large amounts, it represents a direct financial commitment mechanism. Misuse could result in unauthorized purchases from a user's saved card, making this a critical financial risk.
From the tool's definition Request a Shared Payment Token (SPT) for purchasing from an ACP-compatible merchant... minted from a user's saved card... used at any merchant supporting Stripe's Agentic Commerce Protocol (ACP)
Attacks that exploit this kind of access
Request a Shared Payment Token (SPT) for purchasing from an ACP-compatible merchant. SPTs are scoped, time-limited tokens minted from a user's saved card that can be used at any merchant supporting Stripe's Agentic Commerce Protocol (ACP). The token is issued instantly if the user's agent rules allow it. If the amount exceeds the user's spending limits, the request is escalated for manual approval in the user's tru dashboard. The token auto-expires after 30 minutes. It is categorised as a Financial tool in the Tru MCP Server, which means it involves financial transactions. Block by default and require explicit approval.
request_spt accepts 8 parameters: email, action, app_id, currency, description, amount_cents, source_label, target_merchant. Required: email, amount_cents. The full parameter table on this page comes from the server's own tool schema.
Register the Tru MCP server in PolicyLayer and add a rule for request_spt: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Tru. Nothing to install.
request_spt is a Financial tool with critical risk. Critical-risk tools should be blocked by default and only enabled with explicit human approval.
Yes. Add a rate_limit block to the request_spt rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for request_spt. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
request_spt is provided by the Tru MCP server (tru-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →