The agentic card: scoped, revocable spending cards for AI agents, built on the MetaMask Smart Accounts Kit.
remit is an MCP-native card issuer for AI agents, built on the MetaMask Smart Accounts Kit. A user mints scoped, revocable spending cards from their own wallet and hands them to any agent. The agent spends within strict, on-chain-enforced limits, never holds the user’s keys or funds, and stops the instant a card is revoked. It applies the model the card industry settled on decades ago, delegated authority with tight scope and instant revocation, to autonomous agents.
A card is a scoped ERC-7710 delegation signed by the user’s MetaMask Smart Accounts Kit (Stateless7702) smart account, wrapped in on-chain caveat enforcers: budget per period, lifetime cap, expiry, usage count, and contract target/method scope, with server-side carve policy for per-transaction max and merchant allowlist. The user keeps custody; funds never leave their wallet until the moment of payment. The agent receives only an MCP endpoint URL. When it spends, the server validates the card’s terms and redeems the delegation on-chain through the 1Shot Permissionless Relayer, gasless and with fees paid in USDC, on Base mainnet.
Only the user’s account ever adopts smart-account code; agent keys remain bare EOAs. The user’s Privy embedded wallet signs an EIP-7702 authorization at onboarding over the Stateless7702 delegator implementation. On the first spend, that authorization is attached as the authorizationList (a single entry) on the relayer transaction, so the smart-account code deploys in the same atomic redemption that moves the funds. It is omitted on every spend after that.
The same card pays the open web via x402 (real USDC on Base mainnet) and pays Visa merchants via Stripe Issuing. Both rails are metered against the same card budget; when on-chain settlement is enabled, an approved Visa charge settles as a real delegated USDC transfer through the same caveat enforcers as a crypto spend. The Visa rail runs in Stripe test mode and is labelled as simulated wherever it appears.
An agent can redelegate a tighter child card to a sub-agent via ERC-7710 redelegation. Caps only nest downward: the attenuator rejects any child term that exceeds its parent, and contract scope must be an explicit subset. Revoking the parent, or nuking, brings down the entire subtree in one signature.
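The narrowing rule above, as an added sketch that is not remit's own code. The CardTerms shape, its field names and the reading of an empty scope as "no contract calls" are assumptions; only the exceeds_parent_terms refusal name comes from this page.

```typescript
// Added illustration, not remit's code. Field names are hypothetical.
// Amounts are integers in USDC base units (6 decimals); expiry is Unix seconds.
type CardTerms = {
  periodBudget: number; // budget per period
  lifetimeCap: number;  // lifetime cap
  expiresAt: number;    // expiry
  maxUses: number;      // usage count
  scope: string[];      // allowed "target:selector" pairs; [] = no contract calls (assumed)
};
type Verdict = { ok: boolean; refusal?: "exceeds_parent_terms"; fields: string[] };

const CAPS: Array<"periodBudget" | "lifetimeCap" | "expiresAt" | "maxUses"> =
  ["periodBudget", "lifetimeCap", "expiresAt", "maxUses"];

// Checks one redelegation hop. Because every hop is checked against its
// immediate parent, a grandchild can never exceed the root either.
function checkChildTerms(parentTerms: CardTerms, child: CardTerms): Verdict {
  const fields: string[] = [];
  for (const key of CAPS) {
    const value = child[key];
    // Malformed (NaN, negative, fractional) values fail closed; a value equal
    // to the parent's is allowed, a larger one is not.
    const malformed = !(value >= 0) || Math.floor(value) !== value;
    if (malformed || value > parentTerms[key]) fields.push(key);
  }
  // Explicit subset: every child entry must appear in the parent's list.
  // Compared in lowercase because hex addresses may arrive checksummed.
  const allowed = parentTerms.scope.map((s) => s.toLowerCase());
  if (child.scope.some((s) => allowed.indexOf(s.toLowerCase()) < 0)) fields.push("scope");
  if (fields.length === 0) return { ok: true, fields };
  return { ok: false, refusal: "exceeds_parent_terms", fields };
}

// Constructed sample data (placeholder address, standard ERC-20 selectors).
const ROUTER = "0xA1a1A1a1a1A1A1a1a1a1a1a1a1a1a1a1a1a1a1a1";
const PARENT_CARD: CardTerms = {
  periodBudget: 50000000, lifetimeCap: 200000000, expiresAt: 1790000000, maxUses: 20,
  scope: [ROUTER + ":0x095ea7b3", ROUTER + ":0xa9059cbb"],
};
const TIGHTER: CardTerms = {
  periodBudget: 10000000, lifetimeCap: 20000000, expiresAt: 1780000000, maxUses: 5,
  scope: [ROUTER.toLowerCase() + ":0x095ea7b3"],
};
// Same budget, but a later expiry and a selector the parent never had.
const WIDER: CardTerms = {
  periodBudget: 10000000, lifetimeCap: 20000000, expiresAt: 1800000000, maxUses: 5,
  scope: [ROUTER + ":0x095ea7b3", ROUTER + ":0x23b872dd"],
};
```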
Cards can be drafted in plain English. Venice AI (model GLM-5) produces a plan of named tokens, protocols, and merchants plus numeric limits only; the server resolves every name to an address from its own on-chain-verified registry, and a model-emitted address the user did not type is discarded with a warning. The user reviews labelled, human-readable terms and signs through the standard client-signed issuance flow. Venice is the drafting layer only: it never signs, never issues, and is not used for inference or x402.
remit serves agents over MCP (Streamable HTTP, stateless, with the card credential as identity). The tool list is the permission surface: tools register conditionally on each card’s terms, so a pay-only card never exposes contract execution and a card with sub-cards disabled never exposes issuance. Refusals are typed (over_period_limit, merchant_not_allowed, exceeds_parent_terms, and others) so agents relay them honestly. Connecting a card is one line, with path-secret, bearer, and OAuth 2.1 card-picker lanes.
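How conditional registration and a typed refusal fit together, as an added sketch that is not remit's own code. The CardPolicy shape and the registration rules are assumptions; the tool names and the refusal names merchant_not_allowed and over_period_limit are the ones this page lists.

```typescript
// Added illustration, not remit's code. The CardPolicy shape and the exact
// registration rules are assumptions; tool and refusal names are from this page.
type CardPolicy = {
  payEnabled: boolean;
  contractScope: string[];  // "target:selector" pairs; [] = pay-only card
  subcardsEnabled: boolean;
  merchants: string[];      // merchant allowlist (assumed: an empty list allows none)
  periodBudget: number;     // USDC base units
  spentThisPeriod: number;
};
type PayResult = { ok: boolean; refusal?: "merchant_not_allowed" | "over_period_limit" };

// The list returned here is everything the agent sees for this card.
function toolsFor(card: CardPolicy): string[] {
  const tools = ["card"];
  if (card.payEnabled) tools.push("pay", "paid_fetch");
  if (card.contractScope.length > 0) tools.push("execute");
  if (card.subcardsEnabled) tools.push("issue_subcard", "revoke_subcard");
  return tools;
}

function callPay(card: CardPolicy, merchant: string, amount: number): PayResult {
  // Re-check registration at call time: hiding a tool from the list is not
  // enough if the handler would still run when called by name.
  if (toolsFor(card).indexOf("pay") < 0) throw new Error("unknown tool: pay");
  if (!(amount > 0)) throw new Error("invalid amount");
  if (card.merchants.indexOf(merchant.toLowerCase()) < 0) {
    return { ok: false, refusal: "merchant_not_allowed" };
  }
  if (card.spentThisPeriod + amount > card.periodBudget) {
    return { ok: false, refusal: "over_period_limit" };
  }
  card.spentThisPeriod += amount; // meter only after every check has passed
  return { ok: true };
}

// Constructed sample: a pay-only card with a 5 USDC period budget.
const PAY_ONLY_CARD: CardPolicy = {
  payEnabled: true, contractScope: [], subcardsEnabled: false,
  merchants: ["shop.example"], periodBudget: 5000000, spentThisPeriod: 0,
};
```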
The MetaMask Smart Accounts Kit (v1.6.0) integration is the main flow: every card is an ERC-7710 delegation signed by a Privy-provisioned embedded Stateless7702 smart account (Smart Accounts are signer-agnostic), and every spend redeems that delegation on-chain through the 1Shot relayer. Everything runs on Base mainnet with real USDC; the only simulated component is the Visa rail (Stripe test-mode Issuing), labelled honestly throughout.
remit was conceived and named on June 4, 2026 and built to the Cook Off deadline on June 15. The whole product, the engine, the MCP server, the payment rails, the natural-language compiler, and the dashboard, was designed and shipped inside that window, as iterative releases v0.1.0 through v0.17.1. Each release was a real, live-validated increment, not a roadmap entry. What follows is the milestone-by-milestone build, honest about what runs on Base mainnet with real USDC versus the one deliberately simulated leg.
An agent should never hold your private key or a standalone funded wallet. It should hold a card: a scoped, revocable ERC-7710 delegation, signed by your wallet, that any agent plugs into over MCP and that can spend only what its caveats allow. Your funds stay in your wallet until the moment of payment; revoke and the card (and its whole sub-card tree) dies instantly. Every milestone below was about making that card real, capable, and safe.
The first sealed release was the entire product loop end to end. The engine shipped a caveat compiler (human terms into delegation-framework enforcers), root-card issuance in two lanes (server-signed and client-signed prepare/finalize), spend via the 1Shot Public Relayer with EIP-7702 authorization attached on first spend, sub-card redelegation with narrowing-only terms, the freeze/revoke/nuke revocation layers, and encrypted-at-rest agent keys and card secrets. The server exposed a stateless Streamable-HTTP MCP endpoint with five tools (card, pay, paid_fetch, issue_subcard, revoke_subcard), the management REST API, an x402 facilitator plus demo seller, and the Stripe Issuing real-time auth webhook. The dashboard shipped Privy Google login with silent embedded-wallet creation, automatic EIP-7702 onboarding, and client-signed card issuance where the user's wallet signs the delegation in the browser.
Validated live on Base mainnet at this point: the full issue → connect → spend → sub-card → cascade-revoke lifecycle through a real MCP client; the first-spend path deploying the wallet's 7702 smart-account code and transferring USDC in one atomic gasless transaction; an x402 paid fetch (402 challenge → automatic payment → on-chain settlement → content); and instant revocation (a revoked sub-card URL 401s immediately). 75 engine tests, 29 server tests, all green.
v0.2.0 changed the auth model so the dashboard authenticates as the user: per-user Privy session auth verified offline against the app's JWKS, an onboard proof binding the wallet to that specific login, and per-user scoping on every card route (foreign cards are indistinguishable from nonexistent ones). The browser bundle stopped carrying any shared secret.
v0.3.0 added client-signed on-chain revoke and nuke (the user's embedded wallet signs the admin leaf in the browser, the relayer executes it gaslessly), per-card connect panels, MCP surface hardening (rate limits, Host allowlist, body cap, tool annotations), a per-card-tree spend mutex that closes the fiat/crypto double-spend race without locking the 2-second Stripe webhook, and a reconcile sweep that settles timed-out charges against chain logs. It also fixed a real on-chain bug: sub-cards issued after a nuke were being born dead because their nonce caveat compiled against the wrong delegator.
Next came a self-hosted OAuth 2.1 authorization server (RFC 9728 + 8414 discovery, RFC 7591 dynamic client registration, PKCE S256, RFC 8707 resource binding, rotating refresh tokens, RFC 7009 revocation) so that OAuth-only clients (notably ChatGPT) can connect. Consent is a card-picker: the user signs in with the existing Privy session and grants a specific card; the agent gets an opaque, short-lived, card-scoped token, never the raw secret. Revoking or nuking a card cascades to every OAuth grant it issued.
Cards became more than USDC budgets. A card can now scope an agent to specific contract targets and method selectors, and the new execute tool runs those calls (ABI-encoded from {target, method, args} or raw {target, data} for tuple/multicall methods like Uniswap exactInputSingle), with multiple calls redeeming atomically in one transaction (e.g. approve + swap). Contract sub-cards narrow scope subset-only. Validated live on Base mainnet across Uniswap swaps, Aave supply/withdraw, ERC20 transfers, contract sub-cards, and composite pay+contract cards. This release also closed a scope-escape (the fee leg had been unioning USDC.transfer into every contract card) and fixed a maxUses miscount caused by fee-leg executions.
The Venice natural-language card compiler landed: describe a card in plain language and a draft prefills the composer. Critically, the model only ever names entities (tokens, protocols, merchants) and numbers; every address is resolved server-side from a verified registry, so model output can never place an address into a signed draft, and the user still reviews and signs. Alongside it, contract cards gained an allowance-token list and a USDC per-trade ceiling, both narrowing subset-only on sub-cards, validated with a pinned approve+swap on mainnet. The dashboard caught up to the full engine surface.
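The name-only resolution described here and in the earlier paragraph on plain-English drafting, as an added sketch that is not remit's own code. The plan shape, the registry contents and every address are constructed placeholders, and keeping an address the user typed themselves is an assumed handling of that case.

```typescript
// Added illustration, not remit's code. Registry contents and addresses are
// constructed placeholders; the plan shape is an assumption.
type PlanItem = { kind: "token" | "protocol" | "merchant"; name: string; address?: string };
type Target = { name: string; address: string; source: "registry" | "user" };
type Draft = { targets: Target[]; warnings: string[] };

const VERIFIED_REGISTRY: { [name: string]: string } = {
  usdc: "0x00000000000000000000000000000000000000a1",
  uniswap: "0x00000000000000000000000000000000000000b2",
};
const ADDRESS_RE = /0x[0-9a-fA-F]{40}/g;

function resolvePlan(userText: string, items: PlanItem[]): Draft {
  // Addresses the user literally typed are the only ones honoured outside
  // the registry (assumed handling for user-supplied addresses).
  const found: string[] = userText.match(ADDRESS_RE) || [];
  const typed = found.map((a) => a.toLowerCase());
  const draft: Draft = { targets: [], warnings: [] };
  for (const item of items) {
    const emitted = item.address === undefined ? "" : item.address.toLowerCase();
    if (emitted !== "" && typed.indexOf(emitted) >= 0) {
      draft.targets.push({ name: item.name, address: emitted, source: "user" });
      continue;
    }
    if (emitted !== "") {
      draft.warnings.push("discarded model-emitted address for " + item.name);
    }
    // Own-property lookup, so a name like "constructor" cannot resolve to
    // something inherited from Object.prototype.
    const key = item.name.trim().toLowerCase();
    if (Object.prototype.hasOwnProperty.call(VERIFIED_REGISTRY, key)) {
      draft.targets.push({ name: item.name, address: VERIFIED_REGISTRY[key], source: "registry" });
    } else {
      draft.warnings.push("no verified registry entry for " + item.name);
    }
  }
  return draft;
}

// Constructed model output for the prompt below: one item carries an address
// the user never typed, and one name is not in the registry.
const SAMPLE_PROMPT = "let my agent swap up to 20 USDC a day on Uniswap";
const SAMPLE_PLAN: PlanItem[] = [
  { kind: "token", name: "USDC", address: "0xdededededededededededededededededededede" },
  { kind: "protocol", name: "Uniswap" },
  { kind: "merchant", name: "constructor" },
];
```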
remit's endpoint was verified against the live protocol fingerprints of 13 real agent harnesses (Claude Code, claude.ai, Codex, ChatGPT, OpenClaw, Hermes, Cursor, VS Code, Windsurf, Gemini CLI, Goose, opencode, Amp, Factory Droid). The sweep surfaced and fixed two real transport bugs (GET hung headerless on both lanes; a keep-alive socket desync after early-exit responses), added an auth-code-on-consent screen for clients with no callback listener, and pinned the whole surface with a permanent 39-test conformance suite.
The simulated Visa leg became triggerable and spendable, and (the new part) settled on-chain. With settlement enabled, an approved Visa authorization settles as a real delegated USDC transfer from the user's wallet through the same delegation and relayer as the crypto leg, so the on-chain enforcers count both rails against one budget. New tools fiat_pay and card_credentials let an agent buy over Visa rails and reveal the card's test-mode virtual Visa. A demo merchant ("s0nder supply co.") accepts the test card. Honest framing: the Visa leg is Stripe test-mode Issuing, simulated by design and labeled as such everywhere; the settlement it triggers is real USDC on Base mainnet. Validated live with three real mainnet settlement transactions and a 6/6 decline-beat drill.
The dashboard was rebuilt and then refined round by round against a studio-grade design reference, each round shipped through a multi-reviewer pre-release pass. v0.9.0 rebuilt it as a single one-screen cockpit (card bay, dossier, spend chart, ledger). v0.10.0 added the card-deck hero, a real INK dark mode, and a guarded delete lane for dead cards. v0.11.0 brought a real test-mode Visa onto every card face (every delegation lazily links its own card), full mobile support, and fixed an iPhone loading stall at its two roots. v0.12.0 made the boot screen a brand moment, moved the shop to its own domain, and turned the README judge-facing. v0.13.0 turned the sign-in into the landing page, replaced the forced first-card composer with a welcome + funding flow (live balance), and added a five-step guided spotlight tour over a specimen card.
v0.14.0 came out of a full end-to-end production test sweep. Its headline fix closed a cross-deployment nonce-cache drift that could brick every freshly issued card's on-chain spends (the NonceEnforcer nonce is global per account, but each deployment cached its own copy); issuance now re-syncs the authoritative on-chain nonce before signing. The OAuth consent pages were restyled onto the design system. v0.15.0 was a compiler-robustness pass: the NL compiler learned Aave and multi-protocol cards, stopped inventing or dropping limits, and rides out Venice latency spikes; the compiler model was settled on GLM-5 (zai-org-glm-5), chosen from a head-to-head benchmark of intelligence-peer models on the real compile task (highest quality, tightest latency).
v0.16.0 shipped an in-app /docs reference built in the dashboard's own design system, grounded line-by-line against the actual engine and server code (verified by a 7-agent cross-check: 176 claims confirmed, 9 discrepancies fixed), and gave the README the same grounding pass. v0.16.1 fixed an agent-legibility bug (the card tool was returning raw Unix epochs, which led a consuming model to misread an expiry date) by emitting ISO-8601 in the agent-facing tool, and added a real favicon. v0.17.0 added native ETH/WETH balances and a self-custody private-key export (through Privy's secure modal) to the account menu. v0.17.1, found while re-recording the demo, made the card tool surface the card's on-chain account so an agent running a swap can set the output recipient itself instead of guessing or stopping to ask.
Real on Base mainnet: all card issuance (ERC-7710 delegations signed by the user's wallet), the 1Shot relayer spend path, EIP-7702 first-spend deploy, x402 paid_fetch with on-chain receipts, contract execute calls (Uniswap, Aave, ERC20), sub-card redelegation and cascade revoke/nuke, and the USDC settlement that an approved fiat authorization triggers. Every payment moves real USDC, which is why the demo catalog is capped at $5.
Simulated, by design and labeled honestly: only the Visa card-network leg, which uses Stripe test-mode Issuing (no live card-network charge). What that leg settles into on-chain is real. We chose this deliberately rather than mocking anything on our own side of the rail.
remit is deployed and live: the dashboard at remit.s0nderlabs.xyz (with in-app docs), the demo merchant at shop.s0nderlabs.xyz, and the API + MCP endpoint at remit-api.s0nderlabs.xyz, all GitHub-connected push-to-deploy. The hard Cook Off gate, a working MetaMask Smart Accounts Kit integration in the main flow, is the product itself: every card is a SAK delegation, signed by a Privy-provisioned embedded smart account, and every spend redeems that delegation on-chain through the 1Shot relayer. Everything in the README, including the mainnet transactions, is reproducible end to end.
Self-funded by s0nderlabs. No external investment or grants raised to date.