AI Agent Payments' Custody Problem | Elacity Labs
Mastercard, Visa, and Coinbase taught AI agents to pay each other. None of them solved custody: the agent still holds a key it can be robbed of. Here is the architecture that fixes it.
AI Agent Payments Have a Custody Problem
We just taught a billion machines how to spend money, and quietly skipped the part where we decide whose money they can run away with.
On June 10, 2026, Mastercard launched Agent Pay for Machines, a protocol that lets AI agents pay each other autonomously, down to micropayments worth fractions of a cent. The permissions and credentials humans grant their agents are recorded on the Polygon, Solana, and Base blockchains, with more than 30 companies including Coinbase, Stripe, and Adyen signed on.
It joins a crowded race. Visa shipped its own AI agent payments platform in April, and open standards like Coinbase's x402, Google's AP2, and the Stripe-Tempo Machine Payments Protocol are all converging on the same future: agents that transact at machine speed without a human clicking buy.
Every one of them answers the same question: how does an agent pay? Not one of them answers the harder one: how do you stop the agent from being robbed of the key that lets it?
The Failure of the Credential
The entire industry has decided that letting an agent pay means handing it a credential. A tokenized card. A funded wallet. A scoped API key in a vault.
Tokenized or not, the agent now holds something. Something that can be copied, leaked into a log, phished through a poisoned prompt, or subpoenaed from the vendor that stores it. A credential an agent can use is a credential an attacker can steal.
Recording permissions on a public chain is a real improvement for audit. But provenance is not custody. An immutable log proves what an agent was authorized to do; it does nothing to stop the secret behind that authorization from walking out the door. The ledger just tells you who got robbed, after.
Underneath sits the original sin of software: ambient authority. The moment an agent, or the machine hosting it, can see a key, it can do everything that key permits, forever, and so can anyone who compromises that process. We are about to grant that power to billions of autonomous agents and call it commerce.
The Paradigm Shift: Keys Used, Never Owned
Visa let strangers transact without trusting each other. Elacity lets humans and AI agents compute together without surrendering their keys.
That is the shift. Stop asking where to store the agent's key, and start asking why the agent needs to hold one at all. An AI agent should not be a process praying behind a system prompt with a wallet in its pocket. It should be a Wealth Capsule: a sandboxed unit with named, revocable powers and keys it can use but never see.
Web3 is the second era of PC in disguise. I mean Personal Cloud Compute. You own your data and store it on your PC, and you should trust no one but yourself. — Rong Chen, originator of Personal Cloud Compute
Rong Chen's framing of Personal Cloud Compute is the whole point. The user's own runtime, ElastOS, is the source of truth. The agent acts at full power on your behalf and never once owns the thing it acts with. Here is how that works in three pieces.
1. The Key That Is Used but Never Seen
With Elacity's key management, an agent can sign a transaction, decrypt a file, or authorize a payment without the secret ever entering its memory or its context window. The agent calls a capability; the capability uses the key inside a protected boundary and returns only the result. You cannot steal a key the agent never held.
2. The Permission That Is Named, Narrow, and Revocable
There is no ambient authority. Every action an agent takes needs a specific, scoped, revocable grant: pay this merchant, up to this amount, until this moment. Humans and AI agents run on the same authority rail, both audited, both revocable mid-session. When an agent goes rogue, you do not change a password and pray, you withdraw the capability and it stops.
3. The Boundary That Fails Closed
The decryption and signing power is split across an owned quorum, so no single party, including Elacity, can ever surrender it. And when intent is uncertain, the system denies and explains rather than silently allowing. Centralized rails can be compelled, breached, or monetized; this one is built so that betrayal is architecturally impossible, not merely against the rules.
What Is Still Unfinished
Honesty matters here. The hard cryptography is proven; the unfinished work is scale: permissionless node markets and side-channel-audited key handling are the frontier, and mass adoption is the next mountain. We would rather name that than pretend it is solved.
But the direction is not in doubt. The agent economy will run on whatever rails we lay this year. We can give every agent a credential to lose, or we can give every human a key that no agent, vendor, or attacker can ever take.
Your money can't be stolen by a machine you didn't authorize. Build on the rails that make it true.
Mint your first Wealth Capsule