TAP Integration
Map Visa Trusted Agent Protocol (TAP) proofs to PEAC interaction evidence. The mapping verifies the TAP HTTP Message Signature, derives the issuer from the keyid under a strict trust boundary, and records an offline-verifiable receipt.
Package: @peac/mappings-tap (source-only)
Source-only. @peac/mappings-tap is not published to npm. Build it from the repository at packages/mappings/tap. There is no npm install path; this page documents the reference mapping and its trust boundary.
What It Does
TAP carries an agent payment proof as an RFC 9421 HTTP Message Signature. The mapping verifies that proof and turns the attested facts into a portable PEAC receipt that can be verified offline.
1. A TAP proof arrives
The request carries TAP signature headers with a keyid resolvable through the agent registry.
2. Verify and bind the issuer
verifyTapProof checks the signature, then issuerFromKeyid derives the issuer under a strict, fail-closed trust boundary.
3. Record interaction evidence
The verified TAP facts map into PEAC claims and are signed into a compact JWS that any verifier can confirm offline.
Issuer trust boundary
issuerFromKeyid is the single canonical issuer-derivation point. It accepts only an absolute https URL keyid, and the issuer is never derived from the request URL or Host header. Opaque, http, userinfo-bearing, or malformed keyids are rejected fail-closed with E_TAP_KEYID_INVALID before any key resolution.
The https-only requirement is a deliberate constraint of the PEAC TAP profile. RFC 9421 leaves key resolution to the application, so this is a PEAC profile decision, not a claim of Visa TAP conformance.
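The following sketch shows the kind of checks this trust boundary implies. It is an added example, not the @peac/mappings-tap source: deriveIssuer, tryDeriveIssuer and KeyidError are hypothetical names, the sample keyids are constructed, and treating the issuer as the origin of the keyid URL is an assumption.

```javascript
// Added illustration; not the @peac/mappings-tap source.
const E_TAP_KEYID_INVALID = "E_TAP_KEYID_INVALID"; // code name from the page

class KeyidError extends Error {
  constructor(reason) {
    super(`${E_TAP_KEYID_INVALID}: ${reason}`);
    this.code = E_TAP_KEYID_INVALID;
  }
}

// Hypothetical helper. Its only input is the keyid, so the request URL and
// Host header cannot influence the result.
// Assumption: the issuer is the origin of the keyid URL.
function deriveIssuer(keyid) {
  if (typeof keyid !== "string" || keyid === "") throw new KeyidError("missing keyid");
  // The WHATWG parser strips tabs/newlines and treats "\" as "/"; reject first.
  if (/[\s\u0000-\u001f\u007f\\]/.test(keyid)) throw new KeyidError("illegal character");
  // Demand the literal "https://host" shape; the parser alone would also
  // accept "https:host" and "https:///host".
  if (!/^https:\/\/[^\/?#]/i.test(keyid)) throw new KeyidError("not an absolute https URL");
  // Reject any userinfo delimiter in the authority, including an empty "@".
  const authority = keyid.slice("https://".length).split(/[\/?#]/, 1)[0];
  if (authority.includes("@")) throw new KeyidError("userinfo present");
  let url;
  try {
    url = new URL(keyid);
  } catch {
    throw new KeyidError("malformed URL");
  }
  if (url.protocol !== "https:" || url.hostname === "") throw new KeyidError("bad scheme or host");
  return url.origin;
}

// Fail-closed wrapper: callers get either an issuer or the stable error code.
function tryDeriveIssuer(keyid) {
  try {
    return { issuer: deriveIssuer(keyid) };
  } catch (err) {
    if (err instanceof KeyidError) return { error: err.code };
    throw err;
  }
}

// Constructed sample keyids, not real registry entries.
const samples = ["https://registry.example/keys/agent-1", "http://registry.example/k", "agent-key-01"];
for (const k of samples) console.log(JSON.stringify(k), tryDeriveIssuer(k));
```

The checks on the raw string run before URL parsing because the parser normalizes several inputs that a strict profile should refuse outright.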
What is verified
| Check | What it confirms |
|---|---|
| verifyTapProof | The TAP HTTP Message Signature is valid for the covered components |
| issuerFromKeyid | The issuer is an absolute https URL derived only from the keyid |
| validateTapTimeConstraints | The proof is within its allowed time window |
| Stable E_TAP_* codes | Verification failures map to stable error codes via ErrorCodes |
Semantic Boundary
PEAC verifies and records TAP proof observations. It does not issue TAP credentials, operate an agent registry, authorize payments, or settle transactions. A TAP-derived receipt proves what the verified proof attested, not more.