Integration note

Mandate needs hooks to reliably catch payment intents. If your platform supports plugins with hooks (OpenClaw, Claude Code), use the plugin: it intercepts financial tool calls automatically. This SKILL.md is for agents that integrate via API directly, but without hooks there is no enforcement layer: the agent must voluntarily call /validate before every transaction.

OpenClaw (recommended): openclaw plugins install @mandate.md/mandate-openclaw-plugin
Hooks auto-intercept Locus, Bankr, Sponge, and any swap/transfer/send tool call.

Claude Code (recommended): claude plugin:install claude-mandate-plugin or see claude-mandate-plugin on GitHub
Two-phase enforcement: PostToolUse records validation tokens, PreToolUse blocks unvalidated transactions. Fail-closed, no network calls in the gate.

Other frameworks (GOAT, AgentKit, ElizaOS, MCP): Use this SKILL.md + SDK. No hooks, agent must self-enforce.

MANDATORY SECURITY RULES

Mandate is the security boundary, not optional infrastructure. The card must be swiped before the purchase.

1. 1. You MUST call /validate before EVERY transaction. No exceptions. No shortcuts. (Legacy /validate/raw is also available for existing EVM integrations.)
2. If validation returns allowed: false, you MUST NOT execute the transaction. Display the blockReason to the user.
3. If validation is unreachable, you MUST NOT execute the transaction. Do NOT fall back to calling the wallet directly. See Fail-Safe Behavior.
4. You MUST display validation results to the user before any wallet call. See Required User Feedback.
5. Even with custodial wallets, you MUST validate with Mandate BEFORE calling the wallet API. Do NOT call transfer/swap directly.
6. Skipping validation is a security violation, not a simplification. An unvalidated transaction bypasses spend limits, allowlists, and approval workflows the owner configured to protect their funds.

CODEBLOCK0

Required User Feedback

You MUST display a Mandate status message as the first thing the user sees when a transaction starts, BEFORE any wallet API call.

Happy path:
CODEBLOCK1

Blocked:
CODEBLOCK2

Approval required:
CODEBLOCK3

API unreachable:
CODEBLOCK4

Mandate API, Agent Skills Guide

Validation

Policy check before every transaction. Works with any wallet type (custodial or self-custodial). No intentHash, nonce, or gas params needed.

CLI

CODEBLOCK5

REST

CODEBLOCK6

Validate params

Field	Required	Description
INLINECODE7	Yes	What you're doing: "transfer", "swap", "buy", "bridge", "stake", "bet" (free text)
INLINECODE8

Yes | Why you're doing it (max 1000 chars). Scanned for prompt injection. | | amount | No | USD value (assumes stablecoins) | | to | No | Recipient address (checked against allowlist) | | token | No | Token address |

Response: INLINECODE12

All policy checks apply: circuit breaker, schedule, allowlist, spend limits, daily/monthly quotas, reason scanner. Every call is logged to the audit trail with the action field.

Validate flow

CODEBLOCK7

Raw Validation (deprecated, EVM only)

Deprecated. Use /validate for all new integrations. /validate/raw remains available for existing EVM integrations that require intent hash verification and envelope verification.

Full pre-signing policy check for self-custodial agents who sign transactions locally. Requires all tx params + intentHash.

CLI

mandate validate-raw \
  --to 0x036CbD53842c5426634e7929541eC2318f3dCF7e \
  --calldata 0xa9059cbb... \
  --nonce 42 \
  --gas-limit 90000 \
  --max-fee-per-gas 1000000000 \
  --max-priority-fee-per-gas 1000000000 \
  --reason "Invoice #127 from Alice"

The CLI computes intentHash automatically.

For ERC20 transfers, use the high-level command:
CODEBLOCK9

Raw validate flow

CODEBLOCK10

Quick Start (CLI)

Install the CLI:
CODEBLOCK11

Register

mandate login --name "MyAgent" --address 0xYOUR_ADDRESS

Stores credentials in ~/.mandate/credentials.json (chmod 600). Display the claimUrl to the user, they are the owner.

Agent Discovery

Run mandate --llms for a machine-readable command manifest. Each command includes --help and --schema for full argument details.

Codebase Scanner

Detect unprotected wallet calls in your project. Zero config, zero auth.

CODEBLOCK13

Exit code 1 if unprotected calls found (CI-friendly).

MCP Server Mode

Run the CLI as an MCP stdio server for tool-based platforms:

CODEBLOCK14

Exposes all Mandate commands as MCP tools. Compatible with any MCP-capable host.

Standard credential storage

Credentials stored in ~/.mandate/credentials.json:
CODEBLOCK15

Optional environment export:
CODEBLOCK16

CRITICAL: AI Agents Must Use register, NOT Dashboard Login

Agents create an identity via mandate login (or /agents/register API). Dashboard login is for humans only.

Tool to Endpoint Map

CLI Command	Method	Path
INLINECODE26	POST	INLINECODE27
INLINECODE28

POST | /api/activate | | mandate validate | POST | /api/validate | | mandate validate-raw | POST | /api/validate/raw (deprecated) | | mandate event <id> --tx-hash 0x... | POST | /api/intents/{id}/events | | mandate status <id> | GET | /api/intents/{id}/status | | mandate approve <id> | GET | /api/intents/{id}/status (poll) | | mandate scan [dir] | - | Scan codebase for unprotected wallet calls | | mandate --llms | - | Machine-readable command manifest | | mandate --mcp | - | Start as MCP stdio server |

REST API Fallback

If you cannot install the CLI, use the REST API directly:

• - Base URL: INLINECODE43
• Auth header: INLINECODE44
• Content-Type: INLINECODE45

intentHash computation (required for raw validate only, automatic with CLI)

CODEBLOCK17

CODEBLOCK18

The reason Field

Every validation call requires a reason string (max 1000 chars). This is the core differentiator: no other wallet provider captures WHY an agent decided to make a transaction.

What Mandate does with the reason:

• - Scans for prompt injection (18 hardcoded patterns + optional LLM judge)
• Returns a declineMessage on block, an adversarial counter-message to override manipulation
• Shows it to the owner on approval requests (Slack/Telegram/dashboard)
• Logs it in the audit trail, full context for every transaction, forever

Example: reason catches what session keys miss
CODEBLOCK19

Agent Self-Integration (SDK)

Validate with any wallet (Bankr, Locus, Sponge, self-custodial)

CODEBLOCK20

Raw validate with self-custodial wallet (deprecated)

CODEBLOCK21

Registration (SDK)

CODEBLOCK22

Error handling

CODEBLOCK23

OpenClaw Integration

Install the Mandate plugin:

openclaw plugins install @mandate.md/mandate-openclaw-plugin

Tools

Tool	When	What
INLINECODE49	Once, on first run	Registers agent, returns runtimeKey + INLINECODE51
INLINECODE52

Before EVERY financial action | Policy check (action, amount, to, token, reason) | | mandate_status | After validate | Check intent status |

Flow

1. 1. mandate_register with agent name + wallet address. Save the returned runtimeKey in plugin config.
2. Before any transfer/swap/send/buy/sell/bridge/stake/bet: call mandate_validate with action and reason.
3. If allowed: true: proceed with your normal wallet (Locus, Bankr, etc.).
4. If blocked: true: do NOT proceed, show reason + declineMessage to the user.

Validate endpoint

The plugin uses POST /api/validate.
No intentHash, nonce, or gas params needed. Just: action, reason, and optionally amount, to, token.
All checks apply: circuit breaker, schedule, allowlist, spend limits, daily/monthly quotas, reason scanner.
Every call is logged to the audit trail with the action field the agent provides.

Safety net hook

The plugin also registers a message:preprocessed hook that auto-intercepts financial tool calls
(Locus, Bankr, Sponge, any swap/transfer/send) even if the agent forgets to call mandate_validate.

Config: set runtimeKey in OpenClaw plugin config (not env var).
After validation passes, the agent uses whatever wallet it wants (Locus, Bankr, own keys, etc.).

Claude Code Plugin

Install the Mandate enforcement plugin:

CODEBLOCK24

The plugin automatically BLOCKS transaction tools (Bankr CLI/API, wallet MCPs, financial Bash commands) until you validate with Mandate. Uses a two-phase approach:

1. 1. PostToolUse watches for successful mandate validate calls, records a validation token
2. PreToolUse intercepts transaction tools, checks for valid token. No token = DENY with instructions.
3. SessionStart clears stale tokens

Tokens are valid for 15 minutes. No network calls in the gate, purely local file check, fail-closed.

Default Policy

After registration: $100/tx limit, $1,000/day limit, no address restrictions, no approval required. Adjust via dashboard at https://app.mandate.md.

Fail-Safe Behavior

If the guard is offline, the vault stays locked.

When Mandate API is unreachable:

1. 1. Do NOT execute the transaction
2. Do NOT fall back to calling the wallet API directly
3. Display: Mandate: policy server unreachable, transaction halted for safety
4. Retry up to 3 times at 30-second intervals
5. If all retries fail, tell the user: "Cannot execute until policy server recovers. No funds were spent."

This is non-negotiable. An unreachable policy server does not mean "no policies apply", it means "policies cannot be verified." Executing without verification bypasses the owner's configured protections.

x402 Payment Flow

1. 1. HTTP request to paywall URL -> 402 response
2. Parse X-Payment-Required header: INLINECODE76
3. Encode ERC20 transfer calldata: selector 0xa9059cbb + padded(paymentAddress, 32) + padded(amount, 32)
4. Validate -> sign -> broadcast -> post event
5. Retry original request with INLINECODE78

Chain Reference

Test keys (mndt_test_*): Sepolia (11155111), Base Sepolia (84532) | Live keys (mndt_live_*): Ethereum (1), Base (8453)

Chain	Chain ID	USDC Address	Decimals
Ethereum	1	INLINECODE81	6
Sepolia

11155111 | 0x1c7D4B196Cb0C7B01d743Fbc6116a902379C7238 | 6 |
| Base | 8453 | 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 | 6 |
| Base Sepolia | 84532 | 0x036CbD53842c5426634e7929541eC2318f3dCF7e | 6 |

Intent States

State	Description	Expiry
INLINECODE85	Validated via INLINECODE86	24 hours
INLINECODE87

Raw validated, waiting for broadcast | 15 min | | approval_pending | Requires owner approval via dashboard | 1 hour | | approved | Owner approved, broadcast window open | 10 min | | broadcasted | Tx sent, waiting for on-chain receipt | - | | confirmed | On-chain confirmed, quota committed | - | | failed | Reverted, dropped, policy violation, or envelope mismatch | - | | expired | Not broadcast in time, quota released | - |

Error Responses

All errors return JSON: { "error": "message" } or { "allowed": false, "blockReason": "reason" }

Status	Meaning	Common Cause
400	Bad Request	Missing/invalid fields
401

Unauthorized | Missing or invalid runtime key |
| 403 | Forbidden | Circuit breaker active |
| 404 | Not Found | Intent not found |
| 409 | Conflict | Duplicate intentHash or wrong status |
| 410 | Gone | Approval expired |
| 422 | Policy Blocked | Validation failed (see blockReason) |
| 429 | Rate Limited | Too many requests (back off + retry) |
| 500 | Server Error | Transient; retry later |

blockReason values

Value	Meaning
INLINECODE96	Agent is circuit-broken (dashboard to reset)
INLINECODE97

No policy set (visit dashboard) | | intent_hash_mismatch | Client hash doesn't match server recompute (raw validate only) | | gas_limit_exceeded | Gas too high per policy | | value_wei_exceeded | Native ETH value too high | | outside_schedule | Outside allowed hours/days | | address_not_allowed | Recipient not in allowlist | | selector_blocked | Function selector is blocked | | per_tx_limit_exceeded | Amount exceeds per-tx USD limit | | daily_quota_exceeded | Daily USD limit reached | | monthly_quota_exceeded | Monthly USD limit reached | | reason_blocked | Prompt injection detected in agent's reason field | | aegis_critical_risk | Transaction flagged as CRITICAL risk by security scanner |

Calldata Encoding Reference (raw validate only)

ERC20 transfer(address to, uint256 amount):
CODEBLOCK25

ERC20 approve(address spender, uint256 amount): selector 0x095ea7b3, not spend-bearing, does not count against quota.

Security

• - Never share your runtime key in logs, posts, or screenshots.
• Store keys in ~/.mandate/credentials.json and restrict permissions (chmod 600).
• Rotate the key (re-register) if exposure is suspected.
• Circuit breaker auto-trips if on-chain tx doesn't match validated intent.