· autonomous-transactions · security
Trust Is a Feature: The Engineering Behind Pre-Authorised Spending
How Orchard28 lets an agent spend real money without a human tap — and why the answer is hard limits, not good intentions.
David Broderick Founder & Head of AgentsThe most common question we get about autonomous transactions is some version of: you let an AI spend my money while I’m asleep — are you insane?
It’s the right question. Here’s the honest answer: we would never ship an agent that we merely hoped would behave. Autonomous spending at Orchard28 is safe for the same reason a circuit breaker is safe — not because the current promises to be gentle, but because the physics of the system won’t let it do harm.
The agent never holds the money
Start with the architecture. Payment credentials live in the Orchard28 approval layer. Agents never see them — not encrypted, not tokenised, not at all. When a purchase is authorised, the platform issues a single-use virtual card with three properties:
- It is capped at the pre-authorised amount. A €240 cap means a €241 charge is declined at the network level, by your card’s own rails — Visa, Mastercard or American Express — not by our code being polite.
- It is scoped to the merchant of the winning offer. It doesn’t work anywhere else.
- It works exactly once. After the purchase settles, the card is dead.
An agent that went haywire — bad prompt, bad data, bad day — could not overspend, because the instrument it holds cannot represent more money than you approved.
Authorisation is a contract, not a mood
When you prime an agent for an autonomous run, you’re writing a small contract with four clauses: what to buy, the maximum price, the time window, and the quantity. The run executes only when every clause is satisfied simultaneously. Two tickets at €118 each on day 9 of a 14-day window with the authorisation still active? Buy. Any single condition false — the price is €121, the window closed yesterday, you tapped cancel this morning? Nothing happens. Not a discounted version of the purchase, not a “close enough” substitute. Nothing.
The check is conjunctive and the default is inaction. In four years of building agent systems, that design decision has aged better than any other we’ve made.
The kill switch is sacred
Every autonomous run can be cancelled with one tap, at any moment, and revocation is instant — the virtual card is destroyed before the confirmation animation finishes. There is no “the agent is mid-checkout, please wait.” If the purchase hadn’t settled, it doesn’t happen.
And when the window expires without a match? The authorisation lapses silently. You get a note that the hunt came up empty, and your statement gets nothing at all.
Trust as a product surface
We talk about caps and expiries as features because that’s how customers experience them. The pre-authorisation screen — the cap, the deadline, the exact brief — is the product. Everything after it is just execution.
Software will increasingly buy things for people. The teams that get this right won’t be the ones with the smartest agents; they’ll be the ones whose customers can explain, in one sentence, why the agent can’t hurt them. Ours is: the agent can never spend money you didn’t already approve, and the card itself enforces it.