> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getovra.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Settle an MPP payment

> Settles a payment initiated via the Machine Payments Protocol (HTTP 402).
The agent creates and approves an Ovra intent, then the receiving service calls this endpoint
to complete the settlement. Intent IDs are crypto-random and single-use — knowing the ID
proves the agent authorized the payment (same pattern as Stripe PaymentIntents).

This endpoint does not require Authorization headers — the intent ID serves as proof.




## OpenAPI

````yaml /openapi.yaml post /mpp/settle
openapi: 3.1.0
info:
  title: Ovra API
  version: 0.5.0
  description: >
    Agentic Payments Infrastructure — EU-native, Fiat-first, DSGVO-by-design.

    Virtual cards and SEPA for AI agents. No crypto.


    ## Authentication


    All endpoints (except `/health` and `/`) require a Bearer token in the
    `Authorization` header.


    Two token types are supported:


    - **API Keys** (`sk_...`) — Full access, for dashboard and admin use.

    - **Agent Tokens** (`at_...`) — Scoped per agent, for autonomous agent
    operation. Created via `POST /agents/:id/tokens`.


    Test-mode keys use the `sk_test_` / `at_test_` prefix; live keys use
    `sk_live_` / `at_live_` (or plain `sk_` / `at_`).


    ## Data Residency


    All data is stored in the EU. Every response includes the `X-Data-Residency:
    EU` header.


    ## Rate Limiting


    Requests are rate-limited per IP (default 100 req/min, 60 s refill window).
    A `429` response is returned with `Retry-After` (seconds) and
    `X-RateLimit-*` headers when the limit is exceeded.


    ## Idempotency


    POST requests to `/agents/*`, `/intents/*`, `/checkout/*`, and `/cards/*`
    support the `Idempotency-Key` header.


    ## Pagination


    List endpoints support cursor-based pagination via `cursor` and `limit`
    query parameters.

    Responses include `data`, `hasMore`, and `nextCursor` fields.


    ## Webhook Events


    `transaction.completed`, `intent.created`, `intent.approved`,
    `intent.denied`, `intent.expired`,

    `card.frozen`, `card.unfrozen`, `card.closed`, `card.rotated`,
    `card.issued`, `card.funded`,

    `agent.created`, `agent.frozen`, `verification.mismatch`, `dispute.created`,
    `dispute.resolved`, `dispute.updated`


    Signature: `X-Ovra-Signature: sha256=<HMAC>`
  contact:
    name: Ovra Support
  license:
    name: Proprietary
servers:
  - url: https://api.getovra.com
    description: Production (EU)
  - url: http://localhost:3000
    description: Local development
security:
  - BearerAuth: []
tags:
  - name: Health
    description: Health and API information
  - name: Customers
    description: Customer (account owner) management
  - name: Agents
    description: AI agent lifecycle — create, fund, freeze, unfreeze, delete
  - name: Agent Tokens
    description: Scoped tokens for autonomous agent operation
  - name: Policies
    description: Spending policies — limits, allowlists, blocklists
  - name: Intents
    description: Spending intents — declare, approve, deny, cancel, verify
  - name: Cards
    description: Virtual card lifecycle — issue, freeze, unfreeze, close, rotate
  - name: Checkout
    description: Payment execution and zero-knowledge credential flow
  - name: MPP
    description: Machine Payments Protocol — API-native settlement for HTTP 402 flows
  - name: Billing
    description: >-
      Wallet balance, Stripe funding, saved payment methods, and SEPA bank
      transfer details
  - name: Transactions
    description: Transaction history and memos
  - name: Webhooks
    description: Webhook subscription management
  - name: Disputes
    description: Transaction disputes and evidence
  - name: Evidence
    description: Intent evidence (receipts, screenshots, invoices)
  - name: GDPR
    description: DSGVO/GDPR compliance — export, delete, consent
  - name: Merchants
    description: Merchant intelligence and MCC code lookup
  - name: Access Events
    description: Card access request logging and audit trail
  - name: Keys
    description: API key management
  - name: Wallets
    description: >-
      Wallet (account) lifecycle — create, list, fund, close. Aliased as
      `/accounts`.
  - name: Transfers
    description: Wallet-to-wallet and external SEPA transfers. Aliased as `/payments`.
  - name: Refunds
    description: Refund processing for completed transactions
  - name: Receipts
    description: Receipt upload and retrieval
  - name: Card Controls
    description: Card-level merchant / country / MCC controls
  - name: Card Requests
    description: Approval workflows for new cards and card limit changes
  - name: Beneficiaries
    description: External payee directory for SEPA transfers. Aliased as `/vendors`.
  - name: Onboarding
    description: Customer / merchant onboarding submissions
  - name: KYC
    description: Identity verification submissions and status
  - name: Runs
    description: Agent workflow run correlation. Aliased as `/workflows`.
  - name: Delegations
    description: >-
      Per-token spend caps + public delegation redeem. Aliased as
      `/authorizations`.
  - name: Ledger
    description: Double-entry ledger queries
  - name: Statements
    description: Periodic billing statements (also reachable as `/bills`)
  - name: Credentials
    description: Single-use card credential lifecycle (issue, redeem, revoke)
  - name: Risk
    description: Risk events, alerts, configuration, and manual unfreeze
  - name: Analytics
    description: Cost, merchant, anomaly, allocation, and forecast reports
  - name: Audit
    description: Audit-log search, export, and retention purge
  - name: Outcomes
    description: Agent outcome tracking and ROI measurement
  - name: Fund
    description: Manual wallet top-up endpoint
  - name: Claim
    description: Inbound payment requests (Collect). Public payer page included.
  - name: CLI Auth
    description: Browser-paired CLI sign-in flow
  - name: Intelligence
    description: Merchant resolve, MCC lookup, allowlist suggestions
  - name: Collect
    description: >-
      Inbound payment surface (alias of `/claim`). Receipts, payment tokens,
      agent charge, public HTTP-402 endpoint.
  - name: Pass-Through
    description: >-
      Universal Pass-Through Tokens (`/v1/agent-credentials`) — agent-bound
      Network Tokens scoped to merchant + amount + TTL.
  - name: Merchant Applications
    description: Merchant onboarding application intake (dashboard-secret only).
  - name: Forecast
    description: p10/p50/p90 daily spend forecast per agent.
  - name: Push Subscriptions
    description: Web Push subscription management (VAPID).
  - name: Security Incidents
    description: DORA Art. 17/18 ICT incident reporting (dashboard-secret only).
  - name: Canvas
    description: Aria conversational control surface (NDJSON event stream).
  - name: Sessions
    description: >-
      Tier-2 device-bound API session ceremony (RFC 8628 device flow +
      WebAuthn).
  - name: Mandates
    description: Tier-3 standing payment mandates per agent (WebAuthn-bound, constrained).
  - name: Passkeys
    description: >-
      WebAuthn passkey enrollment, listing, and revocation. Per-intent assertion
      challenges.
  - name: Well-Known
    description: Public no-auth discovery and verification endpoints under `/.well-known`.
paths:
  /mpp/settle:
    post:
      tags:
        - MPP
      summary: Settle an MPP payment
      description: >
        Settles a payment initiated via the Machine Payments Protocol (HTTP
        402).

        The agent creates and approves an Ovra intent, then the receiving
        service calls this endpoint

        to complete the settlement. Intent IDs are crypto-random and single-use
        — knowing the ID

        proves the agent authorized the payment (same pattern as Stripe
        PaymentIntents).


        This endpoint does not require Authorization headers — the intent ID
        serves as proof.
      operationId: mppSettle
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - intentId
                - agentId
                - expectedAmountCents
              properties:
                intentId:
                  type: string
                  description: Approved Ovra intent ID (crypto-random, single-use)
                  example: int_7Kx9mQ3pR2nL4sT
                agentId:
                  type: string
                  description: Ovra agent ID that authorized the payment
                  example: ag_abc123
                expectedAmountCents:
                  type: string
                  description: Expected amount in smallest currency unit (cents for EUR)
                  example: '1999'
                expectedCurrency:
                  type: string
                  description: ISO currency code (lowercase)
                  example: eur
                merchant:
                  type: string
                  description: Merchant or service identifier
                  example: api.example.com
      responses:
        '200':
          description: Payment settled successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  transactionId:
                    type: string
                    example: tx_abc123
                  intentId:
                    type: string
                    example: int_7Kx9mQ3pR2nL4sT
                  amountEuros:
                    type: number
                    example: 19.99
                  status:
                    type: string
                    enum:
                      - settled
        '400':
          $ref: '#/components/responses/BadRequest'
        '403':
          description: Agent ID mismatch or policy denied
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          description: Intent already processed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
components:
  responses:
    BadRequest:
      description: Validation error or invalid state
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    NotFound:
      description: Resource not found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
  schemas:
    Error:
      type: object
      required:
        - error
      properties:
        error:
          type: string
          description: Human-readable error message
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: >-
        API key (`sk_sandbox_*` / `sk_test_*` / `sk_live_*`) or Agent token
        (`at_*` / `at_dlg_*`)

````