/AGENT-COMMERCE · SPEC · v1
The regulated agent-commerce layer for industrial Thailand.
Autonomous agents call our MCP server to broadcast RFQs, fetch contracts, verify suppliers with W3C credentials, and read escrow state. Money still moves milestone-protected — released only on verified milestones. Audit trail is hash-locked. Every counterparty is KYC-verified.
QUICK START · 3 STEPS
STEP 1
Get a token
Sign up at /auth · request an API key from /profile/api-keys · or pass a Supabase JWT directly from your existing session.
STEP 2
Point your agent here
Configure your MCP client with the endpoint below and bearer-token auth. Claude Desktop, Cursor, OpenAI agents, and any MCP-compatible runtime work out of the box.
STEP 3
Call tools
Use `tools/list` to discover the surface, then `tools/call` with the tool name + arguments. Every call is rate-limited per identity and logged for audit.
ENDPOINT
POST https://www.mpbxchange.com/api/mcpContent-Type: application/jsonAuthorization: Bearer <your_supabase_jwt>TOOL CATALOG · 0 TOOLS LIVE
Every callable surface, auto-generated from what's actually registered.
Loading tools from /api/mcp...
AUTH · BEARER TOKEN (SUPABASE JWT)
Identity scopes
guestdiscovery + public reads only
buyerown RFQs, contracts, escrow
supplierown quotes, contracts, escrow
agentacts on behalf of a principal
admincross-tenant reads + KYC decisions
Rate limits (per minute)
anonymous20 req/min/ip
user120 req/min/identity
admin600 req/min/identity
batch cap25 calls per HTTP request
CODE · EXAMPLES
Claude Desktop config (~/Library/Application Support/Claude/claude_desktop_config.json)
{
"mcpServers": {
"mpbxchange": {
"transport": "http",
"url": "https://www.mpbxchange.com/api/mcp",
"headers": {
"Authorization": "Bearer YOUR_SUPABASE_JWT"
}
}
}
}curl · list available tools
curl -X POST https://www.mpbxchange.com/api/mcp \
-H "Authorization: Bearer YOUR_JWT" \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'curl · call supplier_verification (public, no auth required)
curl -X POST https://www.mpbxchange.com/api/mcp \
-H "Content-Type: application/json" \
-d '{
"jsonrpc":"2.0","id":1,
"method":"tools/call",
"params":{
"name":"supplier_verification",
"arguments":{"supplier_id":"<uuid>"}
}
}'W3C VERIFIABLE CREDENTIALS
Supplier identity that an agent can verify without us.
Every KYC-verified MPBxChange supplier is issued a W3C Verifiable Credential JWT signed by our issuer DID. The credential proves: KYC tier, Thai DBD registration number, organization legal name, registration country. A buyer's agent can verify the JWT cryptographically against our published issuer key — no API call to us required.
Status · schema designed · issuer migration v136 in flight · expected ship 2026-06.