google-agentic-commerce · chopmob-cloud · Apr 29, 2026 · Apr 29, 2026 · Apr 29, 2026 · Apr 29, 2026
@@ -27,6 +27,13 @@
 The algorithm used MUST be the same as the SD-JWT, as defined by the `_sd_alg`
 claim in the base payload, or `sha-256` if not present.
 
+Before releasing credentials or initiating payment, the Credential Provider,
+Merchant, and Merchant Payment Processor each MUST independently recompute
+`checkout_hash` by applying the `_sd_alg` algorithm (or `sha-256` if absent)
+to the raw bytes of the `checkout_jwt` value and comparing the result to the
+`checkout_hash` field. If the values do not match, the verifier MUST reject
+the mandate and MUST NOT proceed with the transaction.
-Before releasing credentials or initiating payment, the Credential Provider,
-Merchant, and Merchant Payment Processor each MUST independently recompute
-`checkout_hash` by applying the `_sd_alg` algorithm (or `sha-256` if absent)
-to the raw bytes of the `checkout_jwt` value and comparing the result to the
-`checkout_hash` field. If the values do not match, the verifier MUST reject
-the mandate and MUST NOT proceed with the transaction.
+Before releasing credentials or initiating payment, the Credential Provider,
+Merchant, and Merchant Payment Processor each MUST verify that the `checkout_hash`
+field's value matches a computed hash of the `checkout_jwt` value. The hash
+MUST be computed by applying the `_sd_alg` algorithm (or `sha-256` if absent)
+to the raw bytes of the `checkout_jwt` value. If the values do not match, the
+verifier MUST reject the mandate and MUST NOT proceed with the transaction.
-Before releasing credentials or initiating payment, the Credential Provider,
-Merchant, and Merchant Payment Processor each MUST independently recompute
-`checkout_hash` by applying the `_sd_alg` algorithm (or `sha-256` if absent)
-to the raw bytes of the `checkout_jwt` value and comparing the result to the
-`checkout_hash` field. If the values do not match, the verifier MUST reject
-the mandate and MUST NOT proceed with the transaction.
+Before releasing credentials or initiating payment, the Credential Provider,
+Merchant, and Merchant Payment Processor each MUST verify that the `checkout_hash`
+field's value matches a computed hash of the `checkout_jwt` value. The hash
+MUST be computed by applying the `_sd_alg` algorithm (or `sha-256` if absent)
+to the raw bytes of the `checkout_jwt` value. If the values do not match, the
+verifier MUST reject the mandate and MUST NOT proceed with the transaction.
+
 `checkout_jwt` is the merchant-signed JWT containing the details of the
 checkout. The details of the payload are outside the scope of this
 specification, when used with the [Universal Commerce Protocol](https://ucp.dev)
@@ -175,13 +182,13 @@
      "decoded": [
        "4n3L_-3_Fm2GgyFAF8Ct_g",
        {
          "id": "supershoe_limited_edition_gold_sneaker_womens_9_0",
          "title": "SuperShoe Limited Edition Gold"
        }
      ]
    },
    {
      "digest": "a5UMAdxCk_MRayyVdRhpIAZ0ZhjVLEq1g2BWyruKUwg",
      "decoded": [
        "2zPL6vqLBg2WYAdbW9-1lQ",
        {
@@ -194,7 +201,7 @@
    {
      "digest": "QtXTJtWqg999CmUWGjHFTWMkRPguDfeK3wGSaInd-dw",
      "decoded": [
        "laAoWKNRuGnwREjJWYJ7pg",
        {
          "vct": "mandate.checkout.open.1",
          "constraints": [
@@ -216,7 +223,7 @@
              "type": "checkout.allowed_merchants",
              "allowed": [
                {
                  "...": "a5UMAdxCk_MRayyVdRhpIAZ0ZhjVLEq1g2BWyruKUwg"
                }
              ]
            }
@@ -226,7 +233,7 @@
              "crv": "P-256",
              "kty": "EC",
              "x": "QpSyxPQHy38xckypDr54gZ3T42zj9iLtV4koyb5U27c",
              "y": "37HLd7JJinxjJIn8J7HijssoeclbfhdW-gUL7feI9lw"
            }
          },
          "iat": 1777342357,
@@ -241,7 +248,7 @@
 #### Encoded Token

 ```
 eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0IiwgImtpZCI6ICJhZ2VudC1wcm92aWRlci1rZXktMSJ9.eyJkZWxlZ2F0ZV9wYXlsb2FkIjogW3siLi4uIjogIlF0WFRKdFdxZzk5OUNtVVdHakhGVFdNa1JQZ3VEZmVLM3dHU2FJbmQtZHcifV0sICJfc2RfYWxnIjogInNoYS0yNTYifQ.HvCGk7ye_c0LN2-NFG13wfyu3LA--rckTPGm36ugO2aRvsded7ngw1py8W3JF7wBpoQnsKr17tNTF3zLeYcoWA~WyI0bjNMXy0zX0ZtMkdneUZBRjhDdF9nIiwgeyJpZCI6ICJzdXBlcnNob2VfbGltaXRlZF9lZGl0aW9uX2dvbGRfc25lYWtlcl93b21lbnNfOV8wIiwgInRpdGxlIjogIlN1cGVyU2hvZSBMaW1pdGVkIEVkaXRpb24gR29sZCJ9XQ~WyIyelBMNnZxTEJnMldZQWRiVzktMWxRIiwgeyJpZCI6ICJtZXJjaGFudF8xIiwgIm5hbWUiOiAiRGVtbyBNZXJjaGFudCIsICJ3ZWJzaXRlIjogImh0dHBzOi8vZGVtby1tZXJjaGFudC5leGFtcGxlIn1d~WyJsYUFvV0tOUnVHbndSRWpKV1lKN3BnIiwgeyJ2Y3QiOiAibWFuZGF0ZS5jaGVja291dC5vcGVuLjEiLCAiY29uc3RyYWludHMiOiBbeyJ0eXBlIjogImNoZWNrb3V0LmxpbmVfaXRlbXMiLCAiaXRlbXMiOiBbeyJpZCI6ICJsaW5lXzEiLCAiYWNjZXB0YWJsZV9pdGVtcyI6IFt7Ii4uLiI6ICJ5M2FvY0FEMnJoWXBKUU9VTU4wMTZmYURGR2tUQkdFRFZsMVIxVFJIZGJ3In1dLCAicXVhbnRpdHkiOiAxfV19LCB7InR5cGUiOiAiY2hlY2tvdXQuYWxsb3dlZF9tZXJjaGFudHMiLCAiYWxsb3dlZCI6IFt7Ii4uLiI6ICJhNVVNQWR4Q2tfTVJheXlWZFJocElBWjBaaGpWTEVxMWcyQld5cndLVXdnIn1dfV0sICJjbmYiOiB7Imp3ayI6IHsiY3J2IjogIlAtMjU2IiwgImt0eSI6ICJFQyIsICJ4IjogIlFwU3l4UFFIeTM4eGNreXZEcjU0Z1ozVDQyemo5aUx0VjRrb3liNVUyN2MiLCAieSI6ICIzN0hMZDdKSmlueGpKSW44SjdIaWpzc29lY0JsZmhkVy1nVUw3ZmVJOWx3In19LCAiaWF0IjogMTc3NzM0MjM1NywgImV4cCI6IDE3NzczNDU5NTd9XQ~
 ```