Ovra is EU-native, API-first payment infrastructure for AI agents. We provide virtual Visa cards, programmable spending policies, and tokenized credentials so agents never see raw card data. GDPR-compliant with EU data residency.

How do I integrate Ovra with my AI agent?

The fastest way is to connect to our Model Context Protocol (MCP) server at https://api.getovra.com/api/mcp from Claude, GPT, Cursor, or any MCP-compatible agent. 10 tools are available out of the box. You can also use the REST API: a single call creates an agent with a virtual card and spending policy. No SDK install required.

Do AI agents see real card numbers when they pay?

Never. Ovra uses tokenized card credentials (DPAN, also known as Visa Network Tokens). When an agent needs to pay, we issue a scoped credential bound to the specific intent. Even if the agent's context is compromised, there is nothing useful to steal. Real PAN/CVV is encrypted server-side with AES-256-GCM and never reaches the agent.

Is Ovra GDPR-compliant?

Yes. Ovra is EU-native, built in Berlin, hosted in EU data centers, and engineered GDPR-compliant by design. Enterprise customers receive a Data Processing Agreement (DPA) and audit log access.

Is there a free tier?

Yes. The Free plan includes 1 agent, 1 virtual card, €150/month transaction volume, and full API and MCP access including sandbox mode. Paid plans start at €39/month for teams that need more agents and higher volume.

Which AI frameworks work with Ovra?

Any framework that speaks Model Context Protocol or HTTP. We test against OpenAI Agents SDK, Claude Desktop, Cursor, Vercel AI SDK, LangChain, LlamaIndex, and OpenClaw. The MCP endpoint is one URL: point your model at https://api.getovra.com/api/mcp with a Bearer token and 10 payment tools become available.

Where does Ovra operate and is the company a bank?

Ovra is a German company serving customers across the European Union (EUR-only, fiat). Ovra is not a bank. When our regulated card-issuer partnership ships, the licensed EMI (Electronic Money Institution) is the entity-of-record. Ovra is the developer-facing infrastructure layer.

Why is sharing a card with an AI agent dangerous?

Card numbers are bearer tokens — anyone who has one can spend it. Sharing one with an AI agent exposes the full credit line to four common failure modes: retry storms (timeouts cause repeated charges), prompt injection (a malicious page rewrites the agent's instructions), scope drift (the agent buys more than intended), and credential leak (the card number ends up in logs, tool calls, or model responses). None require the agent to be malicious.

What is blast radius in agent payments?

Blast radius is the maximum damage a single failure can cause. With a shared card, the blast radius is your entire credit line — a $50,000 corporate card delegated to an agent means a single bug can cost $50,000. With a dedicated virtual card limited to €200, the blast radius is €200, period. The constraint is enforced at the card network (Visa, Mastercard), not in application code, so no bug or prompt injection can override it.

What is a network token (DPAN)?

A network token, also called a DPAN (Device PAN), is a tokenized stand-in for a real card number (FPAN). Visa Token Service and Mastercard Digital Enablement Service replace the real card number with a tokenized one and bind each transaction to a one-time cryptogram. Even if the DPAN is intercepted, it cannot be reused — the cryptogram is single-use and bound to that specific transaction. This is the mechanism Visa Intelligent Commerce uses for its agent-specific tokens, launched in 2025–2026.

How is a dedicated virtual card different from a shared card?

Five differences. Blast radius: card limit only, not full credit line. Credential exposure: agent never sees PAN. Enforcement: at the card network, not in application code. Audit trail: 'Agent X charged €79 for Intent Y' instead of 'someone charged €79.' Revocation: close one card, not rotate your corporate credit. Combined, these aren't incremental — they're a different security architecture.

Are there industry standards for tokenized agent credentials?

Yes, three relevant ones as of 2026. (1) Visa Intelligent Commerce issues agent-specific pass-through tokens with passkey-based step-up authentication. (2) Mastercard Agentic Tokens build on existing tokenization (mobile contactless, secure card-on-file). (3) Stripe's Shared Payment Token (SPT) under ACP is scoped to a specific merchant and basket total. All three converge on the same principle: the agent receives a tokenized credential, never the real card number.

Why AI Agents Should Never Share Your Payment Credentials

Bottom line: The most common pattern for giving an AI agent spending power — handing it your card number — is also the worst. With a shared card, blast radius equals your entire credit line. With a dedicated virtual card backed by a network token (DPAN), blast radius equals the card's limit, period. The constraint is enforced at the Visa network layer, not in your application code, so no bug, race condition, or prompt injection can override it. This is the architecture every major rail (Visa Intelligent Commerce, Mastercard Agentic Tokens, Stripe Shared Payment Token) converged on in 2025–2026.

The most common pattern for giving an AI agent spending power is the worst one: hand it your card number.

It's fast, it's easy, and it puts your entire credit line at risk.

Why does shared-card delegation fail?

When you delegate your personal or corporate card to an AI agent, you're making an implicit trust decision: this model, running this code, with this prompt, will never spend more than I intend. That's a bet against reality.

Here's what can go wrong:

Retry storms. The agent gets a timeout, retries the purchase, and charges you three times. No spending cap can catch this if the card itself has a $10,000 limit.
Prompt injection. A malicious website injects instructions into the agent's context. Instead of buying a $29 subscription, it buys a $2,900 one.
Scope drift. The agent was supposed to buy one SaaS tool. It decides three more would be useful. Your card allows it.
Credential leak. The card number ends up in logs, in a tool call, in a response to the user. Now it's compromised.

None of these require the agent to be malicious. They're normal failure modes of autonomous systems — and they're the exact gap Mastercard's Verifiable Intent (open-sourced March 2026 with Google, Fiserv, IBM, Checkout.com, and Basis Theory) is designed to close at the dispute-resolution layer.

What is blast radius for agent payments?

In security, blast radius means: how much damage can a single failure cause?

With a shared card, the blast radius is your entire credit line. A $50,000 corporate card delegated to an agent means a single bug can cost $50,000. Policy engines can try to catch this — but they run in software, on the same stack as the agent. If the agent bypasses the policy layer (through a bug, a race condition, or a prompt override), nothing stops the charge.

With a dedicated virtual card, the blast radius is the card's limit. Period. If you issue a card with a €200 limit, the maximum damage from any failure is €200. This constraint is enforced by the card network — Visa, Mastercard — not by your application code. No bug in your agent can override it.

Shared card vs. dedicated virtual card

The difference isn't incremental. It's structural:

	Shared Card	Dedicated Virtual Card
Blast radius	Full credit line	Card limit only
Credential exposure	Agent sees real PAN	Agent never sees PAN
Enforcement layer	Application code	Card network
Audit trail	"Someone charged €79"	"Agent X charged €79 for Intent Y"
Revocation	Cancel your card	Close one virtual card

When an agent has a dedicated card, every transaction is attributable, every limit is network-enforced, and revoking access means closing a single card — not rotating your company credit card.

This isn't theoretical. It's the same architectural principle every major rail converged on in 2025–2026: Visa Intelligent Commerce issues agent-specific pass-through tokens with passkey step-up. Mastercard Agentic Tokens build on existing tokenization (mobile contactless, secure card-on-file). Stripe's Shared Payment Token is scoped to a specific merchant and basket total at issuance.

How does Ovra implement this?

Ovra issues a dedicated virtual card per agent. The agent never touches the card number. Instead, the flow works like this:

Intent — The agent declares what it wants to buy, how much, and from whom.
Policy check — Ovra's policy engine evaluates the request against spend limits, merchant restrictions, MCC categories, country rules, and time windows.
Credential issuance — If approved, Ovra provisions a single-use DPAN (Device PAN) with a one-time cryptogram. The agent receives a fill token — an opaque reference, not a card number.
Payment — The fill token is used at checkout. The agent never sees the underlying card data.
Verification — After payment, the transaction is verified against the original intent. Amount, merchant, and timing are all checked.

The card itself has hard limits synced from the policy. Even if the policy engine fails, the card network enforces the constraint. Defense in depth, not defense in hope.

What is network tokenization?

Network tokenization (Visa VTS, Mastercard MDES) adds another layer. Instead of the real card number (FPAN), the merchant receives a tokenized number (DPAN) with a transaction-specific cryptogram. Even if the DPAN is intercepted, it can't be reused — the cryptogram is one-time and bound to that specific transaction.

This is what production card security looks like: the agent doesn't see the real PAN, the merchant doesn't see the real PAN, and even the token itself is useless after the transaction completes.

It's also the foundation Google's AP2 builds on for its verifiable mandate model — the Cart and Payment Mandates assume credentials are tokenized, scoped, and bound by cryptographic proof to a specific approved transaction.

The bottom line

If your agent can see your card number, your security model is already broken. The question isn't whether something will go wrong — it's how much it will cost when it does.

Dedicated cards don't just reduce risk. They make the maximum possible damage a design parameter instead of an accident. That's the bar every credible agentic payments rail now sets — and Ovra is in private beta today, EU-native, on a sandbox card issuer behind one MCP URL, with the same interface flipping to real Visa rails on our regulated EMI partnership.

Frequently asked questions

Why is sharing a card with an AI agent dangerous?: Card numbers are bearer tokens — anyone who has one can spend it. Sharing one with an AI agent exposes the full credit line to four common failure modes: retry storms (timeouts cause repeated charges), prompt injection (a malicious page rewrites the agent's instructions), scope drift (the agent buys more than intended), and credential leak (the card number ends up in logs, tool calls, or model responses). None require the agent to be malicious.
What is blast radius in agent payments?: Blast radius is the maximum damage a single failure can cause. With a shared card, the blast radius is your entire credit line — a $50,000 corporate card delegated to an agent means a single bug can cost $50,000. With a dedicated virtual card limited to €200, the blast radius is €200, period. The constraint is enforced at the card network (Visa, Mastercard), not in application code, so no bug or prompt injection can override it.
What is a network token (DPAN)?: A network token, also called a DPAN (Device PAN), is a tokenized stand-in for a real card number (FPAN). Visa Token Service and Mastercard Digital Enablement Service replace the real card number with a tokenized one and bind each transaction to a one-time cryptogram. Even if the DPAN is intercepted, it cannot be reused — the cryptogram is single-use and bound to that specific transaction. This is the mechanism Visa Intelligent Commerce uses for its agent-specific tokens, launched in 2025–2026.
How is a dedicated virtual card different from a shared card?: Five differences. Blast radius: card limit only, not full credit line. Credential exposure: agent never sees PAN. Enforcement: at the card network, not in application code. Audit trail: 'Agent X charged €79 for Intent Y' instead of 'someone charged €79.' Revocation: close one card, not rotate your corporate credit. Combined, these aren't incremental — they're a different security architecture.
Are there industry standards for tokenized agent credentials?: Yes, three relevant ones as of 2026. (1) Visa Intelligent Commerce issues agent-specific pass-through tokens with passkey-based step-up authentication. (2) Mastercard Agentic Tokens build on existing tokenization (mobile contactless, secure card-on-file). (3) Stripe's Shared Payment Token (SPT) under ACP is scoped to a specific merchant and basket total. All three converge on the same principle: the agent receives a tokenized credential, never the real card number.