Ovra is EU-native, API-first payment infrastructure for AI agents. We provide virtual Visa cards, programmable spending policies, and tokenized credentials so agents never see raw card data. GDPR-compliant with EU data residency.

How do I integrate Ovra with my AI agent?

The fastest way is to connect to our Model Context Protocol (MCP) server at https://api.getovra.com/api/mcp from Claude, GPT, Cursor, or any MCP-compatible agent. 10 tools are available out of the box. You can also use the REST API: a single call creates an agent with a virtual card and spending policy. No SDK install required.

Do AI agents see real card numbers when they pay?

Never. Ovra uses tokenized card credentials (DPAN, also known as Visa Network Tokens). When an agent needs to pay, we issue a scoped credential bound to the specific intent. Even if the agent's context is compromised, there is nothing useful to steal. Real PAN/CVV is encrypted server-side with AES-256-GCM and never reaches the agent.

Is Ovra GDPR-compliant?

Yes. Ovra is EU-native, built in Berlin, hosted in EU data centers, and engineered GDPR-compliant by design. Enterprise customers receive a Data Processing Agreement (DPA) and audit log access.

Is there a free tier?

Yes. The Free plan includes 1 agent, 1 virtual card, €150/month transaction volume, and full API and MCP access including sandbox mode. Paid plans start at €39/month for teams that need more agents and higher volume.

Which AI frameworks work with Ovra?

Any framework that speaks Model Context Protocol or HTTP. We test against OpenAI Agents SDK, Claude Desktop, Cursor, Vercel AI SDK, LangChain, LlamaIndex, and OpenClaw. The MCP endpoint is one URL: point your model at https://api.getovra.com/api/mcp with a Bearer token and 10 payment tools become available.

Where does Ovra operate and is the company a bank?

Ovra is a German company serving customers across the European Union (EUR-only, fiat). Ovra is not a bank. When our regulated card-issuer partnership ships, the licensed EMI (Electronic Money Institution) is the entity-of-record. Ovra is the developer-facing infrastructure layer.

What is attestation-before-access for AI agent payments?

Attestation-before-access means the agent must declare what it intends to buy and get policy approval before any payment credential exists. Standard payment APIs accept a credential and run policy checks afterward — by then the money has moved. Ovra inverts the order: intent → policy check → grant → issue → redeem. No credential is created if policy denies. This is the same architectural principle as Google's AP2 Intent Mandate and Stripe's ACP Shared Payment Token.

What are the six states of an Ovra payment?

Intent → Grant → Issue → Redeem → Charge → Verify. Intent declares what the agent wants to buy. Grant is a time-limited authorization issued only if policy approves. Issue creates a scoped credential (a fill token referencing an encrypted DPAN). Redeem submits the credential at checkout. Charge is the actual card authorization. Verify confirms post-charge that amount, merchant, and timing match the original intent. Every state is logged into an immutable audit trail.

How does Ovra prevent stale or replayed authorizations?

Three controls. Grants have a TTL (typically 30 minutes) — expire if unused. Fill tokens are single-use and scoped to a specific grant. Each authorization is bound to a specific intent ID, so a grant from one intent cannot be redeemed for another. This eliminates the entire class of attacks where an attacker reuses a previously valid credential.

What does an Ovra spending policy contain?

Per-transaction max, daily/weekly/monthly limits, auto-approve threshold, merchant allowlists and blocklists, MCC (merchant category code) restrictions, country restrictions, time-of-day windows, cooldown intervals, and max usage count. Each rule has an enforcement level: Enforce (hard block), Approve (held for human approval), or Warn (proceeds with advisory log). Multiple policies can stack — most restrictive wins.

How does Ovra's defense-in-depth work?

Policy is enforced at two independent layers. (1) Ovra's policy engine runs application-level checks before any credential exists. (2) The card network enforces the same constraints at the Visa network token level (BIN-level controls, MCC restrictions, amount caps). If the policy engine has a bug, the network catches it. If the network misses something, post-charge verification flags it. Neither layer trusts the other.

Intent → Grant → Issue: How Ovra Controls Agent Spend

Bottom line: Most payment APIs accept credentials and run fraud checks afterward — by which time the money has moved. Ovra inverts this with attestation-before-access: every payment passes through Intent → Grant → Issue → Redeem → Charge → Verify, with policy evaluated synchronously before any credential exists. It's the same architectural principle Google's AP2 standardized for cryptographic mandates and Stripe's ACP standardized for Shared Payment Tokens — running today in private beta on a sandbox card issuer, with the same interface flipping to real Visa rails on our regulated EMI partnership.

Most payment APIs work like this: create a charge, pass credentials, done. That works when a human is clicking "Buy Now." It falls apart when an autonomous agent is making the decision.

The problem isn't authorization — it's the lack of pre-authorization. By the time a charge hits your card, the money is already gone. Any policy check that runs after the fact is damage control, not prevention.

Ovra flips this. Every payment follows a strict state machine where the agent must declare its intent before it gets access to any payment credentials. We call this attestation-before-access.

What is the Ovra payment state machine?

Every Ovra payment moves through six states, in order. No state can be skipped.

Intent → Grant → Issue → Redeem → Charge → Verify

Each transition is a checkpoint. Each checkpoint enforces rules. If any check fails, the flow stops.

1. Intent

The agent declares what it wants to buy.

POST /intents
{
  "purpose": "Monthly Notion Team subscription",
  "expectedAmountEuros": 79,
  "expectedMerchant": "Notion"
}

This is a declaration, not a payment. No money moves. No credentials are issued. The agent is saying: "I want to spend €79 at Notion." The system records this as an auditable event.

If the intent violates policy — amount too high, merchant blocked, daily limit exceeded — it's rejected immediately. The agent never gets further. This maps almost 1:1 to Google's AP2 Intent Mandate primitive: a structured, signed declaration of what the agent is authorized to do.

2. Grant

If the intent passes policy evaluation, Ovra issues an authorization grant. The grant confirms: "Yes, this agent is allowed to spend up to €79 at Notion within the next 30 minutes."

The grant has an expiration. If the agent doesn't act within the window, the authorization expires and the agent must start over. This prevents stale authorizations from accumulating — and is the same scope-and-TTL principle Stripe's Shared Payment Token uses for its ACP-issued credentials.

3. Issue

With a valid grant, the agent can request payment credentials. Ovra returns a fill token — an opaque, encrypted reference to a one-time DPAN and cryptogram.

The agent never sees the card number. The fill token is scoped to this specific transaction and expires with the grant.

4. Redeem

The agent uses the fill token at checkout. The checkout system (whether a browser form or an API) decrypts the token server-side and submits the actual card data to the payment processor.

The agent's involvement ends here. It provided the token. It never touched the PAN, CVV, or expiry date.

5. Charge

The payment processor charges the card. Ovra receives the authorization webhook from the card issuer, matches it against the original intent, and records the transaction.

6. Verify

Post-payment verification checks three things:

Amount match — Does the charged amount match the intent (within tolerance)?
Merchant match — Is the merchant descriptor consistent with the expected merchant?
Timing — Did the charge happen within the grant's validity window?

If all three pass, the transaction is marked as verified. If any fail, it's flagged for review. This verification step is the application-level analog of Mastercard's Verifiable Intent audit trail — open-sourced March 2026 — which links instruction to outcome with cryptographic proof.

Why does the order matter?

The strict ordering prevents entire classes of attacks:

No credentials without intent — An agent can't get card data without first declaring what it's buying. This creates an audit trail before any money moves.
No intent without policy — Every intent is evaluated against the active policy. Limits, merchant rules, time windows — all checked before authorization.
No grant without approval — High-value transactions can require human approval before the grant is issued. The agent waits, or the request expires.
No reuse — Grants expire. Fill tokens expire. DPANs are one-time. Nothing from a previous transaction can be reused in a new one.

Compare this to "here's a card number, go buy stuff." The difference is architectural.

What can a spending policy express?

When an intent arrives, the policy engine evaluates it against the agent's assigned policy. A policy can include:

Rule	Example
Max per transaction	€200
Daily limit	€500
Weekly limit	€1,500
Monthly limit	€5,000
Auto-approve threshold	Under €100 = auto-approved
Merchant allowlist	Only "Notion", "GitHub", "AWS"
Merchant blocklist	Never "gambling", "crypto exchange"
MCC restrictions	Block category 7995 (gambling)
Country restrictions	Block RU, KP, IR
Time window	Mon–Fri, 06:00–22:00 CET
Cooldown	Minimum 2 minutes between transactions
Max usage count	50 transactions total

Every rule is evaluated. A single violation stops the flow. The enforcement level determines the response:

Enforce — Hard block. The intent is rejected.
Approve — Soft block. The intent is held for human approval.
Warn — The intent proceeds, but an advisory is logged.

Defense in depth

Policy enforcement happens at two layers:

Ovra's policy engine — Application-level checks before credentials are issued.
Card network — The issuer's hard limits (synced from the policy) enforce at the Visa network token level.

If the policy engine has a bug, the card network still enforces the limit. If the card network fails to catch something, the post-payment verification flags it. Two independent enforcement layers, neither trusting the other.

The result

Every transaction on Ovra has a complete, auditable chain:

Agent "demo-agent" declared intent int_abc123 for €79 at Notion
→ Policy "standard" evaluated: ALLOWED (under daily limit, merchant not blocked)
→ Grant gra_def456 issued, expires in 30 minutes
→ Credential cre_ghi789 issued with DPAN ****4521
→ Transaction txn_jkl012 charged €79 at "Notion Labs Inc"
→ Verification: amount ✓, merchant ✓, timing ✓ → VERIFIED

No step was skipped. No credential was exposed. The blast radius was €79. And if anything went wrong at any point, the flow would have stopped before money moved.

That's what attestation-before-access means in practice — and it's the architectural pattern the entire agentic payments stack is converging on, from Google's AP2 to Stripe's ACP to Mastercard's Verifiable Intent. Ovra is in private beta today on a sandbox card issuer, behind one MCP URL — the same interface that flips to real Visa rails on our regulated EMI partnership.

Frequently asked questions

What is attestation-before-access for AI agent payments?: Attestation-before-access means the agent must declare what it intends to buy and get policy approval before any payment credential exists. Standard payment APIs accept a credential and run policy checks afterward — by then the money has moved. Ovra inverts the order: intent → policy check → grant → issue → redeem. No credential is created if policy denies. This is the same architectural principle as Google's AP2 Intent Mandate and Stripe's ACP Shared Payment Token.
What are the six states of an Ovra payment?: Intent → Grant → Issue → Redeem → Charge → Verify. Intent declares what the agent wants to buy. Grant is a time-limited authorization issued only if policy approves. Issue creates a scoped credential (a fill token referencing an encrypted DPAN). Redeem submits the credential at checkout. Charge is the actual card authorization. Verify confirms post-charge that amount, merchant, and timing match the original intent. Every state is logged into an immutable audit trail.
How does Ovra prevent stale or replayed authorizations?: Three controls. Grants have a TTL (typically 30 minutes) — expire if unused. Fill tokens are single-use and scoped to a specific grant. Each authorization is bound to a specific intent ID, so a grant from one intent cannot be redeemed for another. This eliminates the entire class of attacks where an attacker reuses a previously valid credential.
What does an Ovra spending policy contain?: Per-transaction max, daily/weekly/monthly limits, auto-approve threshold, merchant allowlists and blocklists, MCC (merchant category code) restrictions, country restrictions, time-of-day windows, cooldown intervals, and max usage count. Each rule has an enforcement level: Enforce (hard block), Approve (held for human approval), or Warn (proceeds with advisory log). Multiple policies can stack — most restrictive wins.
How does Ovra's defense-in-depth work?: Policy is enforced at two independent layers. (1) Ovra's policy engine runs application-level checks before any credential exists. (2) The card network enforces the same constraints at the Visa network token level (BIN-level controls, MCC restrictions, amount caps). If the policy engine has a bug, the network catches it. If the network misses something, post-charge verification flags it. Neither layer trusts the other.