Top of Mind Questions After Implementing AP2 with an Actual Credential Provider (Skyfire KYA+PAY) #126
Unanswered
skyfire-ammar asked this question in Q&A
Replies: 0 comments
Hello!
Thank you for putting this repo together. I've implemented an actual credential provider and merchant to buy from and have some questions from the experience.
In the demo, multiple cart mandates are returned by the merchant to the user. What if the user wanted items from two different carts? Generally, in e-commerce one adds items to a single Cart at the Merchant. We would have expected a workflow like this: search for products, add products to the cart, and then when the cart is final, the merchant would generate the cart mandate and the user would sign it. Why are multiple cart mandates being returned?
When sending the raw payment credentials to the merchant or payment processor to complete the payment, how do you know what fields are required by that merchant for that form of payment? Currently all information for the user under the selected payment method is sent from the mocked account db to the PSP / merchant (code).
What is the normative, minimal data structure for each mandate type (Intent, Cart, Payment) to create a valid VDC? What fields are required to be present for the hash, signature, and validation? Can we add custom metadata to any VDC?
Are device passkeys the only valid way for the user to sign mandates? Or are other signing solutions supported that produce verifiable signatures and identity bindings? Which ones? How will agents obtain the necessary public keys for each party to validate signatures (on the intent mandate and cart mandate)?
Are the user and merchant supposed to be uniquely identified in the intent and cart mandates respectively? Isn't this necessary in order to verify the signatures on the mandates? Or will this be done at the A2A / MCP level?
Help answering any one of these questions would be great! Thanks again!