SAM Protocol v2.2: One Signed Envelope for the Whole Agentic Commerce Stack

2026-05-13 · 9 min read
SAM Protocol · Standards · Agentic Commerce · Trust · Architecture

In January we published the first draft of SAM, a signed envelope a merchant puts at /.well-known/sam.json so an agent can verify who they are before acting. Four months and a lot of feedback later, v2.2 is a much more complete thing. It no longer just asserts identity — it composes the entire agentic commerce stack behind one signed, time-bounded entry point. The original idea held; the surface around it grew.

From identity to composition

The shift in v2.2 is the word compose. A merchant in 2026 may publish a UCP capability document, an AP2 checkout endpoint, an MCP tool manifest, an ACP catalog feed, and speak A2A to other agents. That is five surfaces, five discovery paths, and no single place that says which of them are genuine and current. SAM v2.2 is that place: one file that references all of them and signs the references along with itself, so verifying the envelope verifies the whole set.

How SAM composes the stack

Each layer keeps its job. SAM only adds the signed entry point on top:

  • SAM — signed entry. Who is this merchant, what do they publish, is it current and genuine, within which bounds may I act?
  • UCP — capabilities. What can be browsed, quoted, ordered?
  • AP2 (FIDO) — user authorization. Did the user authorize this purchase?
  • MCP — tool invocation. How does the agent call a specific function?
  • ACP — catalog feed. What is in stock, at what price?
  • A2A — agent-to-agent. How do two agents collaborate?

SAM replaces none of them. It makes any combination of them verifiable in one place.

How it works

  • Discover — the agent fetches /.well-known/sam.json.
  • Verify — an ed25519 signature over the entire envelope, including every reference, following RFC 9421.
  • Compose — the agent follows the references to UCP, AP2, MCP, ACP and A2A as published.
  • Bound — the merchant policy mandate declares what the agent may and may not do autonomously, evaluated locally with no network call.
  • Fallback — when the bounds are exceeded or a referenced standard is unreachable, control returns to a human via sam:human.

The v2.2 envelope

{
  "sam:version": "2.2",
  "sam:identity": { "domain": "example.com", "legalName": "Example Inc." },
  "sam:signature": { "alg": "ed25519",
                     "validUntil": "2026-08-13T00:00:00Z",
                     "value": "base64(...)" },
  "sam:composes": {
    "ucp": { "href": "/.well-known/ucp", "version": "1.0" },
    "ap2": { "supported": true, "endpoint": "/ap2/checkout",
             "mandateTypes": ["cart","payment","intent"] },
    "mcp": { "href": "/.well-known/mcp", "version": "2025-11-25" }
  },
  "sam:mandate": {
    "grammarVersion": "0.1",
    "autoExecute": true,
    "maxAmount": { "value": 200, "currency": "EUR",
                   "inclusiveOfTaxes": true,
                   "inclusiveOfShipping": true },
    "validityWindow": { "notBefore": "2026-05-13T00:00:00Z",
                        "notAfter":  "2026-08-13T00:00:00Z" },
    "agentClass": "any"
  },
  "sam:agentAuth": { "profile": "rfc9421", "algorithm": "ed25519" },
  "sam:human": { "channels": [
    { "type": "email", "value": "agents@example.com" }
  ]}
}

Compared with the January draft, the signature now covers the references explicitly (RFC 9421), the mandate gained a versioned grammar and an agentClass selector, and the composition list grew to the full stack.

Three conformance levels

Not every merchant needs full autonomy on day one, so v2.2 defines a ladder:

  • L0 — merchant-ready. version plus capabilities or composes, plus a human channel.
  • L1 — agent-ready. L0 plus a verifiable identity and signature.
  • L2 — bounded autonomy. L1 plus a policy mandate and agent authentication.

Each level is useful on its own, and the rule that matters is simple: a conformant agent must not perform autonomous economic action against a merchant below L2. No signed bounds, no autonomous spend.
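The Bound and Fallback steps combined with the L2 rule, as an added example that is not taken from the SAM spec or from MerchantStamp's code: a local decision function that either allows autonomous execution or hands control to sam:human. Assumptions: the function names are hypothetical; the RFC 9421 signature check happens elsewhere and is passed in as `signature_verified`; the mandate semantics (fail closed on an unknown grammarVersion or agentClass, compare the all-in total against maxAmount) are inferred from the sample envelope; L0 is checked through sam:composes only, because the post does not name the capabilities key.

```python
from datetime import datetime

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))  # RFC 3339 "Z" -> aware UTC

def conformance_level(env, signature_verified):
    """Map an envelope to the L0/L1/L2 ladder; -1 means not even L0."""
    human = env.get("sam:human", {}).get("channels")
    l0 = env.get("sam:version") and env.get("sam:composes") and human
    l1 = l0 and env.get("sam:identity") and env.get("sam:signature") and signature_verified
    l2 = l1 and env.get("sam:mandate") and env.get("sam:agentAuth")
    return 2 if l2 else 1 if l1 else 0 if l0 else -1

def decide(env, total, currency, now, signature_verified):
    """Return ("execute" | "human", reason). Anything doubtful goes to sam:human."""
    try:
        if conformance_level(env, signature_verified) < 2:
            return ("human", "below L2")
        if now >= _ts(env["sam:signature"]["validUntil"]):
            return ("human", "signature expired")
        m = env["sam:mandate"]
        # Assumption: unknown grammar versions and agent classes are not guessed at.
        if m["grammarVersion"] != "0.1" or m["agentClass"] != "any" or m["autoExecute"] is not True:
            return ("human", "mandate not usable")
        w = m["validityWindow"]
        if not (_ts(w["notBefore"]) <= now <= _ts(w["notAfter"])):
            return ("human", "outside validity window")
        # `total` is the all-in amount (taxes and shipping included), which is the
        # conservative comparison whatever the inclusiveOf* flags say.
        cap = m["maxAmount"]
        if currency != cap["currency"] or total > cap["value"]:
            return ("human", "outside maxAmount")
        return ("execute", "within mandate")
    except (KeyError, TypeError, ValueError, AttributeError):
        return ("human", "malformed envelope")

# Constructed sample, trimmed from the envelope shown in the post.
ENVELOPE = {
    "sam:version": "2.2",
    "sam:identity": {"domain": "example.com"},
    "sam:signature": {"alg": "ed25519", "validUntil": "2026-08-13T00:00:00Z"},
    "sam:composes": {"ucp": {"href": "/.well-known/ucp", "version": "1.0"}},
    "sam:mandate": {"grammarVersion": "0.1", "autoExecute": True, "agentClass": "any",
                    "maxAmount": {"value": 200, "currency": "EUR"},
                    "validityWindow": {"notBefore": "2026-05-13T00:00:00Z",
                                       "notAfter": "2026-08-13T00:00:00Z"}},
    "sam:agentAuth": {"profile": "rfc9421", "algorithm": "ed25519"},
    "sam:human": {"channels": [{"type": "email", "value": "agents@example.com"}]},
}
```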

Ten lines to adopt

A merchant already on UCP adopts SAM by adding a sam:composes.ucp entry, a signature, and a freshness window — about ten lines. No rewrite, no duplication, no fork. The existing agent surface simply becomes verifiable from one place.

Status and where it is going

SAM is a draft specification, v2.2 as of May 2026, and we have submitted it for consideration at the W3C Agent Identity Registry Protocol Community Group. The spec and reference material are open on GitHub, and a live example sits at sam-protocol.org.

We build SAM at MerchantStamp for the same reason we opened the UCP mandate-evaluation proposal and wrote about the three layers agentic commerce needs: the discovery layer gets the headlines, but trust and identity are what make autonomous transactions safe. Run a free MerchantStamp audit to check the layer underneath — whether your catalog is legible to agents in the first place.
