AP2 V0.2 · SIGNED REAPP PROFILE · PUBLIC NPM RELEASE

Validate the mandate before the contract.

Run the published @reapp-sdk/ap2 validator against a fresh signed mandate. The server returns only public keys and hashes; ephemeral signing keys never leave the request.

Choose a check

AP2 validation console

0.2.1
Each run uses a fresh one-process replay store. Production integrations replace it with durable atomic storage.
validator output
Real package code, server-side, no mocked decisions.
ready
Ready to validate

Select one boundary or run the complete visual suite. Every rejection must return its exact typed code.

Published package gate

Complete AP2 test matrix

The console above runs six representative checks live. The published package gate runs every named case below.

59 / 59 PASSING

Binding & canonicalization

12 cases
  1. 01canonical JSON is independent of object key insertion order
  2. 02binds the supported AP2 v0.2.0 intent to a 32-byte REAPP vc_hash
  3. 03pins a canonical AP2 hash vector
  4. 04provided nonce makes the full binding reproducible across key order
  5. 05secure default nonces keep identical intents distinct
  6. 06fails closed for AP2 constraints MandateRegistry cannot enforce
  7. 07rejects ambiguous expiry and invalid Stellar authorization
  8. 08fails closed on unknown intent and Stellar authorization fields
  9. 09rejects impossible calendar expiries instead of normalizing them
  10. 10signer and validator share the same canonical UTC year range
  11. 11signer and validator share the same decimal range
  12. 12agent authorization requires an Ed25519 G-address

Credential, signature & identity

27 cases
  1. 13valid signed AP2 mandate succeeds
  2. 14returned mandate hash equals the recomputed REAPP id
  3. 15fixed seed and nonce produce a deterministic signature digest and signature
  4. 16exact signed maximum amount succeeds
  5. 17one-stroop positive amount succeeds
  6. 18signing key must match the payload user
  7. 19trusted expected user mismatch is rejected
  8. 20tampered natural-language intent is rejected by binding
  9. 21tampered merchant is rejected by binding
  10. 22tampered maximum amount is rejected by binding
  11. 23tampered decimals are rejected by the full-payload signature
  12. 24tampered expiry is rejected by binding
  13. 25tampered agent is rejected by binding
  14. 26tampered asset is rejected before signature verification
  15. 27malformed base64 signature is rejected
  16. 28non-canonical base64 signature is rejected
  17. 29signature with the wrong decoded length is rejected
  18. 30signature created by another Ed25519 key is rejected
  19. 31unsupported signature algorithm is rejected
  20. 32unsupported credential version is rejected
  21. 33unsupported AP2 version is rejected
  22. 34unsupported REAPP binding version is rejected
  23. 35wrong AP2 data key is rejected
  24. 36envelope mandate hash mismatch is rejected
  25. 37unknown top-level credential field fails closed
  26. 38unknown intent field fails closed
  27. 59invalid user, agent, and asset identities fail closed

Scope & amount

7 cases
  1. 39trusted merchant outside signed scope is rejected
  2. 40zero amount is rejected
  3. 41negative amount is rejected
  4. 42scientific-notation amount is rejected
  5. 43excess fractional precision is rejected
  6. 44one stroop over the signed maximum is rejected as overspend
  7. 45amount beyond contract i128 is rejected

Expiry & trusted clock

4 cases
  1. 46expired signed mandate is rejected
  2. 47expiry exactly equal to the trusted clock is rejected
  3. 48future expiry succeeds under the injected clock
  4. 49impossible calendar expiry fails closed

Replay & storage isolation

9 cases
  1. 50replayed mandate hash is rejected on second admission
  2. 51100 concurrent admissions yield exactly one success
  3. 52replay store exception fails closed
  4. 53unsupported replay store result fails closed
  5. 54bad signature does not poison the replay store
  6. 55wrong merchant does not poison the replay store
  7. 56overspend does not poison the replay store
  8. 57expired credential does not poison the replay store
  9. 58explicit replay namespaces isolate independent registries
59 / 59
package tests passing

Valid mandates, tampering, scope, amount, expiry, replay, and concurrency.

@reapp-sdk/ap2
public npm package · 0.2.1

Installable, typed, documented, and verified from a clean project.

Source + test suite
review every check

The validator is an adapter. Contract enforcement remains the money boundary.

Admission replay is consumed once here. Multi-purchase budget and payment replay remain atomically enforced by MandateRegistry.execute_payment on every spend.