Agent runtime tutorial

This tutorial track documents the Paybond pattern for agent runtimes. The settlement pattern applies to OpenAI, Gemini, Claude/Anthropic, Google AI, local models, MCP hosts, and application-owned runtimes without requiring provider-specific guardrail adapters.

The agent can still plan and execute flexibly, but the money-moving boundary remains explicit, verified, and replayable.

What the pattern does

• Derives tenant scope from authenticated credentials.
• Verifies the capability before a tool executes.
• Submits signed evidence against the same intent lifecycle.
• Leaves the release or refund decision to Harbor's deterministic settlement rules.

Shared lifecycle

Both language paths use the same flow:

1. Open a tenant-bound Paybond session with the tenant's service-account API key.
2. Create an intent whose allowed_tools / allowedTools exactly match your tool name.
3. Read the capability_token returned when the intent reaches funded.
4. Build a spend guard for (tenant, intent_id, capability_token).
5. Verify the capability before the tool executes.
6. Run the tool work.
7. Submit signed evidence and inspect Harbor's predicate result.

The examples in this track support both immediate funding and the x402_usdc_base path. If create does not return a capability token immediately, the example continues through the funding handshake before the tool runs.

Choose a language

Python

Use the runtime-neutral adapter or LangGraph hook.

• Tutorial: Agent runtime tutorial (Python)
• Example: examples/paybond-kit-runtime-agent-python
• Key surfaces: paybond_kit.agent_adapters.paybond_runtime_tool_call_adapter() and paybond_kit.langgraph_hooks.paybond_awrap_tool_call_capability()

TypeScript

Use @paybond/kit plus the runtime-neutral wrapper around the tool handler.

• Tutorial: Agent runtime tutorial (TypeScript)
• Example: examples/paybond-kit-runtime-agent-typescript
• Key surfaces: paybond.spendGuard(...) and paybondRuntimeToolCallAdapter(...)

Before you start

• A paybond_sk_sandbox_... or paybond_sk_live_... service-account API key for one tenant realm; the tutorials default the Kit expected-environment guard to sandbox when showing sandbox credentials
• A principal DID and 32-byte signing seed
• A payee DID and 32-byte signing seed
• Request-bound recognition proofs for intent creation, funding, and evidence submission
• A Paybond environment that can fund the example intent
• For x402_usdc_base, an x402 signer or facilitator that can answer the funding challenge

Supporting docs

• TypeScript quickstart
• Python quickstart
• Authentication & tenant binding
• Capabilities
• Harbor API reference