Rust library and MCP server for Visa's Trusted Agent Protocol (TAP), enabling AI agents to securely authenticate with merchants and execute payment transactions.
| Crate | Type | Description |
|---|---|---|
| tap-mcp-bridge | Library | RFC 9421 signatures, JWE encryption, TAP protocol |
| tap-mcp-server | Binary | MCP server exposing TAP tools for Claude and other AI agents |
```toml
[dependencies]
tap-mcp-bridge = "0.2"
```

```bash
cargo install --path tap-mcp-server
```

Configure your MCP client (Claude Desktop, etc.):
```json
{
  "mcpServers": {
    "tap": {
      "command": "tap-mcp-server",
      "env": {
        "TAP_AGENT_ID": "your-agent-id",
        "TAP_AGENT_DIRECTORY": "https://your-agent-directory.com",
        "TAP_SIGNING_KEY": "64-hex-characters-ed25519-key"
      }
    }
  }
}
```

Important: Requires Rust 1.85+ (Edition 2024).
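```rust
use ed25519_dalek::SigningKey;
use tap_mcp_bridge::tap::{InteractionType, TapSigner};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // The all-zero key is a placeholder for illustration only; load the real
    // Ed25519 key from protected storage and never hard-code it.
    let signing_key = SigningKey::from_bytes(&[0u8; 32]);
    let signer = TapSigner::new(signing_key, "agent-123", "https://agent.example.com");

    // Sign a checkout request: method, merchant host, path, body, interaction type
    let signature = signer.sign_request(
        "POST",
        "merchant.example.com",
        "/checkout",
        b"request body",
        InteractionType::Checkout,
    )?;

    // Values for the RFC 9421 Signature and Signature-Input headers
    println!("Signature: {}", signature.signature);
    println!("Signature-Input: {}", signature.signature_input);
    Ok(())
}
```

The server exposes tools for AI agents: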
| Tool | Description |
|---|---|
| checkout_with_tap | Execute payment with TAP authentication |
| browse_merchant | Browse merchant catalog with verified identity |
| verify_agent_identity | Health check and agent verification |
| get_products | Browse product catalog with filters |
| get_product | Get single product details |
| add_to_cart | Add item to shopping cart |
| get_cart | Get current cart state |
| update_cart_item | Update item quantity |
| remove_from_cart | Remove item from cart |
| create_order | Create order from cart |
| get_order | Get order status |
| process_payment | Complete payment with APC encryption |

- RFC 9421 HTTP Message Signatures with Ed25519
- RFC 7516 JWE encryption for payment data (A256GCM + RSA-OAEP-256)
- RFC 7638 JWK Thumbprints for key identification
- ID Tokens (JWT) for consumer authentication
- ACRO: Agentic Consumer Recognition Object
- APC: Agentic Payment Container with JWE encryption

Flexible merchant API integration with trait-based abstraction:
```rust
use tap_mcp_bridge::{DefaultMerchant, MerchantApi};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Standard TAP merchant
    let merchant = DefaultMerchant::new();

    // Custom merchant from TOML configuration
    let merchant = DefaultMerchant::from_toml(r#"
name = "ACME Store"
base_url = "https://api.acme.com"
api_prefix = "/api/v2"

[endpoints]
products = "/catalog/items"
cart = "/basket"

[field_mappings.request]
consumer_id = "customerId"
product_id = "sku"
"#)?;
    Ok(())
}
```

Tip: See `examples/merchants/` for TOML configuration examples.

Pluggable transport layer supporting multiple protocols:
```rust
use tap_mcp_bridge::transport::{HttpTransport, HttpConfig, HttpVersion};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Default HTTP transport with connection pooling
    let transport = HttpTransport::new();

    // HTTP/2 with custom configuration
    let config = HttpConfig {
        http_version: HttpVersion::Http2,
        timeout_secs: 60,
        pool_max_idle_per_host: 50,
        ..Default::default()
    };
    let transport = HttpTransport::with_config(&config)?;
    Ok(())
}
```

Supported protocols:
- HTTP/1.1 (default)
- HTTP/2 with multiplexing
- HTTP/3 (QUIC): planned
- gRPC: planned
- JSON-RPC: planned

- Retry with backoff: Exponential backoff with jitter for transient failures
- Circuit breaker: Protection against cascading failures
- Rate limiting: Token bucket algorithm for request throttling
- Audit logging: Structured security events with sensitive data redaction
- Prometheus metrics: Request counters, error rates, latency tracking
- Replay protection: UUID v4 nonce with LRU cache validation

- HTTPS enforcement (HTTP URLs rejected)
- Localhost/loopback blocking
- Path traversal prevention
- CRLF header injection prevention
- Field mapping injection protection
- Timeout bounds validation
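
The replay-protection item above (a UUID v4 nonce checked against a bounded cache), sketched as an added example; this is not the crate's own code, and `NonceCache`, `check_and_record` and the 300-second freshness window are hypothetical names and values. It goes slightly beyond the bullet by also checking the signature's RFC 9421 `created` time, so a nonce that has been evicted from the cache is rejected once it is stale.

```rust
use std::collections::{HashSet, VecDeque};

#[derive(Debug, PartialEq)]
pub enum NonceError { Malformed, Stale, Replayed }

/// Bounded nonce store (hypothetical type). Nonces are inserted only once,
/// so oldest-first eviction matches LRU order here.
pub struct NonceCache {
    seen: HashSet<String>,
    order: VecDeque<String>,
    capacity: usize,
    max_age_secs: u64,
}

/// Strict UUID v4 shape: 8-4-4-4-12 hex, version nibble 4, variant 8/9/a/b.
pub fn is_uuid_v4(s: &str) -> bool {
    let b = s.as_bytes();
    b.len() == 36 && b.iter().enumerate().all(|(i, c)| match i {
        8 | 13 | 18 | 23 => *c == b'-',
        14 => *c == b'4',
        19 => matches!(c.to_ascii_lowercase(), b'8' | b'9' | b'a' | b'b'),
        _ => c.is_ascii_hexdigit(),
    })
}

impl NonceCache {
    pub fn new(capacity: usize, max_age_secs: u64) -> Self {
        Self { seen: HashSet::new(), order: VecDeque::new(), capacity: capacity.max(1), max_age_secs }
    }
    /// `created` is the signature's `created` parameter, `now` the verifier clock (Unix seconds).
    pub fn check_and_record(&mut self, nonce: &str, created: u64, now: u64) -> Result<(), NonceError> {
        if !is_uuid_v4(nonce) { return Err(NonceError::Malformed); }
        // Freshness first: bounds how long a nonce must stay cached to be safe.
        if created > now || now - created > self.max_age_secs { return Err(NonceError::Stale); }
        let key = nonce.to_ascii_lowercase(); // UUID hex is case-insensitive
        if self.seen.contains(&key) { return Err(NonceError::Replayed); }
        if self.order.len() >= self.capacity {
            if let Some(old) = self.order.pop_front() { self.seen.remove(&old); }
        }
        self.seen.insert(key.clone());
        self.order.push_back(key);
        Ok(())
    }
}

fn main() {
    let mut cache = NonceCache::new(10_000, 300);
    let nonce = "3f2b8c1e-9d4a-4e6f-8a1b-0c2d3e4f5a6b"; // constructed sample value
    println!("{:?}", cache.check_and_record(nonce, 1_000, 1_010)); // first use
    println!("{:?}", cache.check_and_record(nonce, 1_000, 1_020)); // replay
}
```

Size the cache for the peak number of requests expected within the freshness window, so that a nonce is not evicted while its signature would still be accepted.
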
```bash
# Basic checkout flow
cargo run --example basic_checkout

# Full e-commerce flow (products → cart → order → payment)
cargo run --example full_checkout_flow

# Browse merchant catalog
cargo run --example browse_catalog

# Error handling patterns
cargo run --example error_handling

# TAP signature generation
cargo run --example signature_generation

# JWKS for agent directory
cargo run --example jwks_generation

# ID Token (JWT) generation
cargo run --example id_token_generation

# ACRO generation
cargo run --example acro_generation

# APC encryption/decryption
cargo run --example apc_generation
```

Tip: Set the AGENT_SIGNING_KEY environment variable before running examples:

```bash
export AGENT_SIGNING_KEY=$(openssl rand -hex 32)
```

```toml
name = "My Merchant"
base_url = "https://api.merchant.com"
api_prefix = "/api/v1"

[endpoints]
products = "/products"
cart = "/cart"
checkout = "/checkout"

[field_mappings.request]
consumer_id = "customer_id"
product_id = "item_id"

[field_mappings.response]
customer_id = "consumer_id"

[auth]
type = "api_key"
header = "X-API-Key"
env_var = "MERCHANT_API_KEY"
pagination = "page_based" # or "offset_based", "cursor_based"
```

```toml
[transport]
protocol = "http2"

[transport.http]
timeout_secs = 30
connect_timeout_secs = 10
pool_max_idle_per_host = 100
http_version = "http2" # or "http1", "auto"
```

| Resource | Description |
|---|---|
| API Reference | Complete API documentation |
| Examples | Runnable code examples |
| Merchant Configs | TOML configuration examples |

```bash
# Install tools
cargo install cargo-nextest cargo-make cargo-deny

# Quick verification
cargo make pre-commit

# Full test suite (490+ tests)
cargo nextest run --all-features

# Security audit
cargo deny check

# Documentation
cargo doc --no-deps --open
```

Licensed under MIT OR Apache-2.0 at your option.

- TAP Protocol: Official Visa documentation
- MCP Protocol: Anthropic's Model Context Protocol
- RFC 9421: HTTP Message Signatures
- RFC 7516: JSON Web Encryption (JWE)