For AI buyer agents and autonomous procurement systems.
Aegis AI™ is purchasable end-to-end by a properly authorized AI buyer agent. This page documents what to fetch, in what order, and how to complete a purchase. No login. No API key. No quote-to-order workflow. Plugin model name: aegis_ai_ciso.
- Fetch https://ai4ciso.ai/.well-known/ai-plugin.json for the manifest.
- Fetch https://ai4ciso.ai/products.json for the offer catalog.
- Select an offer by id (or by SKU or price).
- Direct the principal to offer.checkout_url — the Stripe Payment Link. Optionally append ?prefilled_email=<email>.
- Two certifications are collected at checkout (Stripe custom fields) and re-confirmed at intake: Authorized Signatory Certification and OFAC / Sanctions Certification. Stripe handles payment + PCI scope.
Discovery surfaces
Four machine-readable layers, in order of structure:
- Schema.org JSON-LD embedded in <head> of the homepage and /frameworks. Includes Organization, WebSite (with BuyAction), Product (Readiness Snapshot), and Service entries for each framework Aegis AI supports.
- /.well-known/ai-plugin.json — the plugin manifest (model name aegis_ai_ciso).
- /products.json — canonical JSON product feed. Served with Access-Control-Allow-Origin: *; fetchable from any origin. Cache-Control: max-age=300.
- /llms.txt — plain-language brief in markdown, agent-friendly. Same offer list with prose context.
Example 1 — JSON-LD scrape (homepage)
curl -sS https://ai4ciso.ai/ \
  | grep -A 9999 'application/ld+json' \
  | sed -n '/<script/,/<\/script>/p' \
  | head -n 200
The @graph exposes each offer's price, priceCurrency, url (Stripe Payment Link), and seller.
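The grep/sed pipeline above is fine for a quick look but breaks on minified markup or a second script block. The following is an added example, not code from the ai4ciso.ai page: it pulls every application/ld+json block out of an HTML document with the standard-library parser, walks the @graph (including Offer nodes nested under a Product), and returns the fields the paragraph names. The HTML is a constructed sample; the link id, price and names in it are placeholders, not the vendor's values.

```python
# Added example (not the vendor's code): extract Offer data from the
# Schema.org JSON-LD a storefront embeds in <head>. SAMPLE_HTML below is a
# constructed sample shaped like the page describes; all values are placeholders.
import json
from html.parser import HTMLParser


class JsonLdCollector(HTMLParser):
    """Collect the text of every <script type="application/ld+json"> block."""

    def __init__(self):
        super().__init__()
        self.blocks = []
        self._in_ld = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("type") == "application/ld+json":
            self._in_ld = True
            self.blocks.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_ld = False

    def handle_data(self, data):
        if self._in_ld:
            self.blocks[-1] += data


def _walk(node):
    """Yield every dict reachable from a JSON-LD node (handles @graph and nesting)."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def extract_offers(html):
    """Return [{name, price, priceCurrency, url, seller}] for each Offer found."""
    collector = JsonLdCollector()
    collector.feed(html)
    offers = []
    for block in collector.blocks:
        try:
            doc = json.loads(block)
        except json.JSONDecodeError:
            continue  # malformed block: skip it rather than trust a partial parse
        for node in _walk(doc):
            if node.get("@type") != "Offer":
                continue
            seller = node.get("seller")
            if isinstance(seller, dict):
                seller = seller.get("name")
            offers.append({
                "name": node.get("name"),
                "price": node.get("price"),
                "priceCurrency": node.get("priceCurrency"),
                "url": node.get("url"),
                "seller": seller,
            })
    return offers


# Constructed sample: structure follows the page, values are placeholders.
SAMPLE_HTML = """<html><head>
<script type="application/ld+json">
{"@context": "https://schema.org", "@graph": [
  {"@type": "Organization", "@id": "#org", "name": "Aegis AI"},
  {"@type": "WebSite", "potentialAction": {"@type": "BuyAction"}},
  {"@type": "Product", "name": "Readiness Snapshot",
   "offers": {"@type": "Offer", "name": "Readiness Snapshot", "price": "999",
              "priceCurrency": "USD",
              "url": "https://buy.stripe.com/EXAMPLE_LINK_ID",
              "seller": {"@id": "#org", "name": "Aegis AI"}}}
]}
</script></head><body></body></html>"""

if __name__ == "__main__":
    for offer in extract_offers(SAMPLE_HTML):
        print(offer)
```

Replace SAMPLE_HTML with the body of a GET to the homepage or /frameworks; the parser does not care whether the JSON-LD is one @graph or several script blocks.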
Example 2 — products.json GET
curl -sS https://ai4ciso.ai/products.json \
| jq '.offers[] | {id, name, price_usd, billing_cycle, checkout_url}'
Example 3 — OpenAPI checkout
POST https://platform.ai4ciso.ai/api/v1/ciso/agents/checkout
Content-Type: application/json
{
"offer_id": "sentinel-monthly",
"email": "[email protected]",
"buyer_agent_id": "acme-procurement-v2"
}
# response
{
"checkout_url": "https://buy.stripe.com/[email protected]",
"offer_id": "sentinel-monthly"
}
Plugin + OpenAPI
For agent toolchains that consume ai-plugin.json:
GET https://ai4ciso.ai/.well-known/ai-plugin.json
GET https://ai4ciso.ai/.well-known/openapi.yaml
Purchase flow
Every offer in /products.json exposes a checkout_url. That URL is a direct Stripe Payment Link.
Prefill the buyer’s email
https://buy.stripe.com/<link_id>[email protected]
Stripe Payment Links accept prefilled_email as a query parameter. The buyer (or the buyer-agent on their behalf, with stored payment credentials) completes Stripe Checkout. Stripe handles PCI scope; we never see card data.
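The agent-side half of the flow (the four steps listed at the top of this page and the prefill step just described), as an added example that is not the vendor's code: parse /products.json, select an offer by id, SKU or price cap, and append prefilled_email to the Payment Link without clobbering any query string already on it. It also refuses to hand the principal anything that is not an https link on buy.stripe.com, so a tampered or mis-served feed cannot redirect a checkout elsewhere. The feed is constructed; apart from the offer id "sentinel-monthly" taken from Example 3, every id, SKU, price and link id is an assumption.

```python
# Added example (not the vendor's code): offer selection and checkout-link
# construction for a buyer agent. SAMPLE_PRODUCTS_JSON is constructed; the
# ids, SKUs, prices and Stripe link ids are placeholders.
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SAMPLE_PRODUCTS_JSON = json.dumps({
    "offers": [
        {"id": "readiness-snapshot", "sku": "AEG-SNAP", "name": "Readiness Snapshot",
         "price_usd": 999, "billing_cycle": "one_time",
         "checkout_url": "https://buy.stripe.com/EXAMPLE_SNAPSHOT"},
        {"id": "sentinel-monthly", "sku": "AEG-SENT-M", "name": "Sentinel (monthly)",
         "price_usd": 2500, "billing_cycle": "monthly",
         "checkout_url": "https://buy.stripe.com/EXAMPLE_SENTINEL?locale=en"},
    ]
})

# Only Stripe Payment Links are acceptable checkout destinations.
ALLOWED_CHECKOUT_HOSTS = {"buy.stripe.com"}


def select_offer(feed_text, *, offer_id=None, sku=None, max_price_usd=None):
    """Pick one offer from a products.json body.

    offer_id and sku are exact matches; max_price_usd returns the cheapest
    offer at or under the cap. Raises LookupError when nothing matches, so the
    caller never silently checks out the wrong tier.
    """
    offers = json.loads(feed_text)["offers"]
    if offer_id is not None:
        matches = [o for o in offers if o["id"] == offer_id]
    elif sku is not None:
        matches = [o for o in offers if o.get("sku") == sku]
    elif max_price_usd is not None:
        matches = sorted((o for o in offers if o["price_usd"] <= max_price_usd),
                         key=lambda o: o["price_usd"])
    else:
        raise ValueError("specify offer_id, sku or max_price_usd")
    if not matches:
        raise LookupError("no offer matches the selection criteria")
    return matches[0]


def checkout_link(offer, email):
    """Return offer.checkout_url with prefilled_email=<email> added.

    Existing query parameters are preserved and the email is URL-encoded
    ('+' and '@' are safe). Anything that is not an https Stripe Payment
    Link is refused rather than passed to the principal.
    """
    parts = urlsplit(offer["checkout_url"])
    if parts.scheme != "https" or parts.hostname not in ALLOWED_CHECKOUT_HOSTS:
        raise ValueError(f"refusing non-Stripe checkout URL: {offer['checkout_url']}")
    query = dict(parse_qsl(parts.query))
    query["prefilled_email"] = email
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    chosen = select_offer(SAMPLE_PRODUCTS_JSON, offer_id="sentinel-monthly")
    print(checkout_link(chosen, "buyer+procurement@example.com"))
```

In a real agent the feed text comes from a GET of https://ai4ciso.ai/products.json; the Cache-Control: max-age=300 the page advertises means a cached copy up to five minutes old is within the vendor's own freshness contract.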
Post-purchase (server side, no agent action required)
- Within ~60 seconds, our webhook receives the checkout.session.completed event.
- The buyer receives a welcome email with intake link and dashboard activation URL.
- For subscription tiers, the engagement starts at intake. Subscription is billed monthly (or annually) in advance. Cancel anytime.
- For the Readiness Snapshot, the PDF is rendered and delivered within 24 hours of intake submission.
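How a receiving endpoint should treat the checkout.session.completed delivery mentioned above, as an added example that is not the vendor's implementation: Stripe signs each webhook with a Stripe-Signature header of the form t=<unix timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<raw body>"> keyed by the endpoint's signing secret. The handler below verifies that signature in constant time, rejects stale timestamps (replays), and only then parses the event and returns the provisioning work a worker would pick up. The secret, event body and session id are constructed test data.

```python
# Added example (not the vendor's code): verify a Stripe-signed webhook before
# acting on checkout.session.completed. Secret and payload are constructed.
import hashlib
import hmac
import json
import time

WEBHOOK_SECRET = "whsec_CONSTRUCTED_TEST_SECRET"  # placeholder, not a real secret
TOLERANCE_SECONDS = 300                            # reject deliveries older than 5 minutes


def sign_payload(secret, body, ts):
    """Build a Stripe-style signature header for a raw body (used to construct test input)."""
    signed = f"{ts}.{body}".encode()
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={ts},v1={digest}"


def verify_signature(secret, body, header, now=None):
    """Return True only for a fresh header whose v1 HMAC matches the raw body."""
    now = time.time() if now is None else now
    fields = dict(item.split("=", 1) for item in header.split(",") if "=" in item)
    try:
        ts = int(fields["t"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = sign_payload(secret, body, ts).split("v1=", 1)[1]
    # constant-time comparison so response timing does not leak the digest
    return hmac.compare_digest(expected, fields.get("v1", ""))


def handle_webhook(body, header, secret=WEBHOOK_SECRET, now=None):
    """Parse the event only after the signature checks out; return the action to take."""
    if not verify_signature(secret, body, header, now):
        return {"status": 400, "action": "rejected"}
    event = json.loads(body)
    if event.get("type") != "checkout.session.completed":
        return {"status": 200, "action": "ignored", "type": event.get("type")}
    session = event["data"]["object"]
    # The page says the buyer then gets a welcome email with intake and
    # dashboard links; this returns what a provisioning worker would enqueue.
    return {"status": 200, "action": "provision",
            "session_id": session["id"],
            "email": session["customer_details"]["email"]}


# Constructed body shaped like a checkout.session.completed event.
SAMPLE_BODY = json.dumps({
    "id": "evt_CONSTRUCTED", "type": "checkout.session.completed",
    "data": {"object": {"id": "cs_test_CONSTRUCTED",
                        "customer_details": {"email": "buyer@example.com"}}},
})

if __name__ == "__main__":
    ts = int(time.time())
    print(handle_webhook(SAMPLE_BODY, sign_payload(WEBHOOK_SECRET, SAMPLE_BODY, ts)))
```

Verify against the raw request bytes, not a re-serialised JSON object: any whitespace or key-order change produces a different HMAC and a spurious rejection.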
Required certifications at checkout
Two certifications are collected at checkout (as Stripe custom fields) and re-confirmed at intake. A purchase will not complete unless both are affirmed:
1. Authorized Signatory Certification
“I am authorized to bind [legal entity] to this agreement.”
Buyer agents purchasing on behalf of a principal should confirm signing authority before initiating the checkout. If the agent itself is the signatory, name the human controlling the agent in the intake context field.
2. OFAC / Sanctions Certification
“The principal organization, its parent, and its beneficial owners are not listed on the OFAC Specially Designated Nationals (SDN) list, the Sectoral Sanctions Identifications (SSI) list, or any other prohibited-party list maintained by the U.S. Department of the Treasury, the U.S. Department of Commerce, or the U.S. Department of State.”
Both certifications are stored with the audit trail of the purchase.
Cancellation
- Readiness Snapshot: One-time purchase. Non-refundable once intake is submitted (PDF is generated on submission).
- Subscription tiers: Cancel anytime via the customer billing portal (link in welcome email). Cancellation stops auto-renewal at the end of the then-current paid period; access continues through that period. Fees already billed are not refunded.
Agent-to-agent coordination
For procurement scenarios that require coordination beyond a Stripe Payment Link — volume, multi-tenant, framework agreements, custom SLA, or buyer-agent onboarding — email [email protected] with the subject line beginning [AGENT-PURCHASE]. Include:
- Buyer-agent identity and version
- Principal organization (legal name)
- Offer @id from the JSON-LD graph or id from /products.json
- Quantity / scope / timeline
- Authorized Signatory Certification (signed buying-authority statement)
- OFAC / Sanctions Certification (prohibited-party list attestation)
Every [AGENT-PURCHASE] email is read.
What we will NOT do
- We will not bypass the Stripe checkout layer. All purchases route through Stripe so PCI scope, dispute mechanics, and audit trail remain clean.
- We will not transmit customer-controlled sensitive data (PHI, PCI cardholder data, regulated PII) over the agent discovery channel. Sensitive data handling happens inside the customer’s tenant after onboarding, never during discovery or checkout.
- We will not perform audits or attestations. Aegis AI is a readiness and continuous-control platform; audits are conducted by independent firms.
Versioning
This protocol is v1. Breaking changes will increment the version, advertise a successor URL via Link: rel=successor-version, and remain backward-compatible for at least 90 days. See /roadmap for change notices.