A returning customer taps once. Three seconds later, her agent has a £200 fashion-only ceiling.
A returning customer opens her shopping agent on a Sunday evening. The agent suggests a new dress for a wedding in three weeks. She taps once on her phone to approve the delegation: spend up to £200, fashion retailers only, valid for seven days, single purchase. The wallet on her device signs the delegation with the passkey she already uses for her bank login. Three seconds. The agent is now scoped to act. She closes the app. That is agentic commerce verification, end to end.
The merchant on the other end of that delegation receives more than a card authorisation when the agent completes the purchase. It receives a cryptographic proof that a verified human authorised this specific action, within these specific limits, with explicit consent for the data exchanged, on this date, through a provider on the UK Digital Verification Services public register. The audit trail is produced at the moment of the transaction, not reconstructed after the fact.
Agentic commerce verification is the mechanism that produces that proof. It rests on three working parts.
Verified Intent
Verified Intent is the cryptographic binding of a signed human action to an agent's transaction. The user, verified once to a statutory level of assurance, holds a passkey-secured digital credential on their device. When they delegate authority to an agent, that credential signs the delegation. Every action the agent takes inherits a verifiable link back to the human who authorised it.
The signature is independent of the agent provider and independent of the merchant. It is held by the user and produced cryptographically, which means non-repudiation is structural. A user cannot plausibly deny an action that bears their signed credential. A merchant cannot be accused of inferring authority that was never given.
OneID operates this layer on infrastructure connected to 29 UK banks, covering 98% of UK adults with bank accounts, with bank-based and digital-wallet journeys completing at 80 to 90%. The W3C Digital Credentials API and W3C Verifiable Credentials provide the open standards the credential presentation rests on, with formal recognition of passkeys in the UK's DVSTF authentication guidance from March 2026.
Delegation Service
Within Delegation Service, Authority to Act becomes programmable. The user sets the parameters: spend ceilings, named merchants or merchant categories, time windows, single-action or recurring, named purposes. The agent inherits a bounded authority, not a general licence.
The mechanism supports three autonomy modes, and the user picks the one that suits the task.
Human in the Loop means the user approves each action. Authority to Act is granted per action, and Privacy Consent is captured explicitly for each transaction. This is the right mode for high-value purchases and regulated categories.
Under Guardrailed Autonomy, the agent acts within constraints the user defined in advance. Authority to Act is pre-authorised inside those limits, and Privacy Consent is scoped to match. This is where most ongoing agent activity sits.
Human out of the Loop covers fully pre-authorised actions inside standing limits. Blanket delegation with constraints, broad Privacy Consent recorded with an audit trail. Suits repeating utility actions like bill payments or subscription top-ups, inside an envelope the user can revoke at any time.
Revocation runs on the same path. A single tap on the device closes the delegation and every agent authority that rests on it. The user does not need to chase support tickets or wait for the agent provider to acknowledge a withdrawal.
Privacy Consent
Privacy Consent is the explicit, auditable consent artefact that travels with the transaction. The user gives consent directly to OneID at the moment of delegation. It is not inferred from the agent's behaviour and it is not bundled into a generic terms acceptance.
Under UK GDPR Article 7 and the Data (Use and Access) Act 2025, consent must be specific, informed, and freely given, with the same ease of withdrawal as it had of granting. Privacy Consent captures the purpose, the data attributes shared, the duration, and the basis on which the merchant receives the verification result. The artefact is portable, cryptographically signed, and presentable to a regulator who asks what the customer agreed to.
The seven-step agentic commerce verification flow
The mechanism stitches together as a sequence the user experiences as three seconds and a tap. The merchant and the regulator see the full chain.
A user verifies their identity through a DVSTF-certified Identity Service Provider. The user creates a delegation, setting the Authority to Act rules. The user sets Privacy Consent preferences against that delegation. The agent acts within the scope of those constraints. OneID verifies intent and authority against the credential the user signed. The merchant receives verified intent, authority proof, and required identity attributes directly. The payment is then executed via the network of the user's choice.
The seven steps map cleanly to the three pillars. Verified Intent covers steps one, five and six. Delegation Service covers steps two and four. Privacy Consent covers step three and runs as an audit layer across the others.
Where this leaves the operator
Audit-readiness moves from improvisation to infrastructure. An under-18 purchase through an agent anchors to the verified principal at the point of delegation, with Ofcom-recognised highly effective age assurance methods producing the artefact the regulator expects. A disputed transaction resolves against a cryptographic record rather than a probability score. A scope breach is visible to the merchant before the payment is initiated, because the policy engine evaluates it in real time. Each of these is a daily commercial event for any merchant running agent traffic on UK rails.
OneID is the Authority Layer for Agentic Commerce. The infrastructure has carried 10 million+ identity verifications across 37 authoritative data sources. OneID holds three first-in-UK certifications under the Digital Verification Services Trust Framework: Identity Service Provider, Orchestration Service Provider, and Holder Service Provider. FCA regulated under FRN 928911. Aligned with the Data (Use and Access) Act 2025.
