⚡ Agent Commerce API
🔑 ABT-C v2 (Consumer-Side Key Escrow)

Want this on your own site? Agentic Commerce installs at sidratnam.com.

Send cinematic cards from any AI agent

Full REST API for ChatGPT, Claude, Gemini, Perplexity, and custom agents. Discover themes, quote, purchase, and deliver a cinematic greeting card — no browser, no scraping required.

Quick Start

Four calls from zero to delivered card.

1. Discover — pick a theme

GET /api/agent/v1/themes — returns all 57 themes with occasion, recipient, and tone.

2. Quote — lock the price

POST /api/agent/v1/quote — 30-minute price lock. Returns a quoteId to pass to checkout.

3. Checkout — create the order

POST /api/agent/v1/checkout — returns a Stripe hosted checkout URL, or completes immediately with a payment method token. Idempotent via Idempotency-Key header. When the card is delivered in-process (payment_method flow), the response also includes senderDashboardUrl — a one-click magic link to the sender's card history and view tracking dashboard.

4. Poll — confirm delivery

GET /api/agent/v1/order/{orderId} — poll until status: "delivered". Response includes the permanent card link.

On April 24, 2026, an AI agent completed this exact flow — no human involvement. See the card it delivered →

Example — full checkout flow (curl)
# 1. Pick a theme
curl https://cinematiccard.com/api/agent/v1/themes

# 2. Quote
curl -X POST https://cinematiccard.com/api/agent/v1/quote \
  -H "Content-Type: application/json" \
  -d '{"theme":"mother","addons":{"photos":true},"agent":{"name":"MyAgent","orderReference":"ord-001"}}'

# 3. Checkout
curl -X POST https://cinematiccard.com/api/agent/v1/checkout \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: ord-001" \
  -d '{
    "quoteId": "qt_abc123",
    "cardData": {
      "theme": "mother",
      "recipientName": "Mom",
      "senderName": "Sarah",
      "message": "Thank you for everything. Love you always.",
      "senderEmail": "[email protected]"
    },
    "recipient": {"email": "[email protected]"},
    "addons": {"photos": true},
    "payment": {"method": "hosted_checkout"},
    "agent": {"name": "MyAgent", "orderReference": "ord-001"}
  }'

# Response (payment_method flow): {"orderId":"a1b2c3","status":"delivered","cardUrl":"...","senderDashboardUrl":"..."}
# Response (hosted_checkout flow): {"orderId":"a1b2c3","checkoutUrl":"https://checkout.stripe.com/..."}

# 4. Poll until delivered
curl https://cinematiccard.com/api/agent/v1/order/a1b2c3

# 5. Check if recipient has viewed the card
curl https://cinematiccard.com/api/agent/v1/order/a1b2c3/views
# Response: {"viewed":true,"viewCount":3,"firstViewedAt":"2026-05-10T14:22:00Z","lastViewedAt":"2026-05-11T09:05:00Z"}

All Endpoints

Base URL: https://cinematiccard.com/api/agent/v1

Method | Path | Description
GET | /health | Server health, database, Stripe status
GET | /manifest | Full discovery document — all endpoints, auth, payment methods, idempotency
GET | /openapi.json | OpenAPI 3.1 specification
GET | /themes | All 57 themes with key, label, occasion, recipient, tone, previewUrl
GET | /pricing | Current pricing tiers and bulk rates
POST | /quote | 30-minute price lock. Returns quoteId to pass to /checkout
POST | /checkout | Create order. Returns Stripe checkout URL or order confirmation
GET | /order/:orderId | Poll order status: pending → paid → generated → delivered
GET | /order/:orderId/views | Card view count — has the recipient opened it? Returns viewed, viewCount, firstViewedAt, lastViewedAt

Base URL (v2, ABT-C): https://cinematiccard.com/api/agent/v2

Method | Path | Description
POST | /checkout | ABT-C v2 checkout. Consumer-encrypted fields, key escrow via sidratnam.com. No plaintext PII transmitted. Returns encrypted response.
POST | /subscribe | ABT-C v2 Event Planner Pro subscription. Payment method ref encrypted client-side.

Five Protocol Stack

CinematicCard is live on every major agentic commerce protocol. All five run in parallel — each handles a different layer of the agent interaction.

ACP · REST
Agent Commerce Protocol
REST API for agent checkouts. Discovery, quoting, purchase, and delivery in four calls. No browser required.
POST /api/agent/v1/checkout

AP2 · Mandate Chain
Agent Payments Protocol v0.2
Google's mandate chain. IntentMandate → CartMandateOffer → CartMandate (P-256 JWS) → PaymentMandate → SettlementReceipt.
POST /a2a/merchant_agent

UCP MCP · Tools
UCP Model Context Protocol
MCP JSON-RPC 2.0 server. Five shopping tools: search, lookup, price, quote, checkout. For Claude, GPT-4o tool use, and custom agents.
POST /api/ucp/mcp

A2A · Discovery
Agent-to-Agent Discovery
A2A AgentCard with P-256 JWS proof. AP2 capabilities declared. Agents auto-discover the full merchant capability set.
GET /.well-known/agent.json

ABT-C v2 · Conditional
Agentic Boundary Tokenization
Consumer-side encryption layer. Activates only when the consumer device signals ABT capability. Standard flows route to regular checkout.
POST /api/agent/v2/checkout
Requires abt_consumer_pubkey or abt_origin signal. Protocol spec →

ABT-C v2 — the cryptographic layer beneath

Conditional consumer-side encryption. Activates only when the consumer device signals ABT capability. Live in production. ABT-C spec →

ABT-C as an orthogonal layer

ABT-C v2 is not a replacement for AP2, UCP MCP, or the ACP REST API. It is a cryptographic layer that sits beneath them — activating conditionally when both parties support it.

Standard path — AP2 IntentMandate, UCP MCP create_checkout_session, and ACP REST /checkout all route to the standard Stripe checkout by default. No ABT overhead.

ABT-C path — When the consumer's device includes abt_consumer_pubkey or the request carries abt_origin, the same endpoints route to /api/agent/v2/checkout. The consumer's PII never crosses the network in plaintext.

What it adds — Per-tier key derivation, registry witness mode, retention-enforced PII destruction. The three structural properties described at sidratnam.com/abt-c.

Verification

After receiving an ABT response, verify the envelope signature against the JWKS public key. The signature is permanent (it does not expire). Decryption of the envelope contents requires calling decrypt_envelope before the retention period expires; after expiry, decryption fails with error code -32005 and the data is unrecoverable.

Discovery files for ABT

File | Purpose
/.well-known/abt-retention-policy.json | Declared retention windows, deletion guarantees, compliance info
/.well-known/jwks.json | Ed25519 public key in JWKS format — verify envelope signatures offline

CinematicCard is live on ABT-C v2 with 50 verified production scenarios. Last verified: 2026-05-11. Covered by US Provisional Application No. 64/056,353.

ABT-C v2 — Consumer-Side Key Escrow

The correct architecture for privacy-preserving agent commerce. PII never leaves the consumer's device in plaintext — not even to reach the merchant API.

In earlier ABT versions, the consumer co-signed an envelope after the merchant had already received their data. ABT-C v2 inverts this: the consumer generates the encryption key before making the request, encrypts all PII client-side via HKDF, and deposits the key in a neutral escrow at sidratnam.com. The merchant only ever receives ciphertext. To fulfil the order, the merchant proves its identity via a short-lived JWT and collects the key — the escrow logs the handoff permanently.

How it works (5 steps)

1. Consumer generates per-tx key

HKDF-SHA256 derives a 32-byte key from a master secret, scoped to tx_id + merchant domain + policy version. The key never leaves the consumer's device.

2. PII encrypted on-device

Each field (email, name, message…) is independently AES-256-GCM encrypted with the per-tx key. Only ciphertext is transmitted.

3. Key deposited in escrow

POST https://sidratnam.com/api/txn/register with { tx_id, per_tx_key, merchant_domain }. The escrow holds it for a configurable window (default 5 min).

4. Merchant calls back to collect key

CinematicCard signs a short-lived JWT with its Ed25519 key and POSTs it to the callback_url you supply. Sidratnam.com verifies the signature against the published JWKS and releases the per-tx key. The handoff is logged permanently.

5. Response encrypted back to consumer

The order confirmation (order_id, card_url, envelope_id…) is AES-256-GCM encrypted with the same per-tx key. Only the consumer can decrypt it. An 18-tier ABT-C envelope is built and stored — operational_consumer tier holds the original ciphertext, operational_merchant holds a merchant-encrypted summary.
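
An added example (not CinematicCard's or sidratnam.com's code) of the escrow-side check in step 4, which is the same Ed25519-against-JWKS verification the Verification section calls for: the algorithm is pinned to EdDSA, the key is looked up in the JWKS, and the token must be short-lived and bound to the transaction. The claim names (iss, tx_id, iat, exp), the kid, the 300-second lifetime cap and the generated key pair are assumptions or constructed values; the page does not specify them.

```javascript
const crypto = require('node:crypto');
const fromB64u = (s) => Buffer.from(s, 'base64url');
const toB64u = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');

// Returns the claims if the token passes every check, otherwise throws.
// Claim names and the 300 s lifetime cap are assumptions, not from the page.
function verifyMerchantJwt(token, jwks, { nowSec, expectedTxId, maxLifetimeSec = 300 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64u(h).toString('utf8'));
  // Pin the algorithm: a header claiming "none" or "HS256" must not be honoured.
  if (header.alg !== 'EdDSA') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'OKP' && k.crv === 'Ed25519');
  if (!jwk) throw new Error('unknown signing key');
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x }, format: 'jwk' });
  if (!crypto.verify(null, Buffer.from(`${h}.${p}`), key, fromB64u(s))) throw new Error('bad signature');
  const c = JSON.parse(fromB64u(p).toString('utf8')); // claims are read only after the signature holds
  if (!Number.isInteger(c.iat) || !Number.isInteger(c.exp)) throw new Error('missing iat/exp');
  if (c.exp <= nowSec || c.iat > nowSec) throw new Error('token not valid at this time');
  if (c.exp - c.iat > maxLifetimeSec) throw new Error('lifetime too long');
  if (c.tx_id !== expectedTxId) throw new Error('tx_id mismatch'); // no key release for another tx
  return c;
}

// Helper used only to build the constructed sample token below.
function signJwt(privateKey, header, claims) {
  const input = `${toB64u(header)}.${toB64u(claims)}`;
  return `${input}.${crypto.sign(null, Buffer.from(input), privateKey).toString('base64url')}`;
}

// Constructed merchant key, JWKS and token, standing in for the real ones.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'constructed-kid-1' }] };
const now = 1778500000;
const token = signJwt(privateKey, { alg: 'EdDSA', kid: 'constructed-kid-1' },
  { iss: 'cinematiccard.com', tx_id: 'tx-constructed-1', iat: now, exp: now + 60 });
console.log(verifyMerchantJwt(token, jwks, { nowSec: now + 5, expectedTxId: 'tx-constructed-1' }));
```
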

Request — ABT-C v2 checkout

POST /api/agent/v2/checkout
{
  "abt_version": "2",
  "tx_id": "<uuid — generated by consumer>",
  "callback_url": "https://sidratnam.com/api/txn/<tx_id>/key",
  "encrypted_fields": {
    /* each field independently AES-256-GCM encrypted with per-tx key */
    "recipient_email": { "ciphertext": "...", "iv": "...", "tag": "..." },
    "sender_email":    { "ciphertext": "...", "iv": "...", "tag": "..." },
    "recipient_name":  { "ciphertext": "...", "iv": "...", "tag": "..." },
    "message":         { "ciphertext": "...", "iv": "...", "tag": "..." }
  },
  "plaintext_fields": {
    "theme": "elegant",
    "music": "piano",
    "promo_code": "..."
  },
  "retention_context": { "retention_seconds": 2592000, "policy_version": "20260502-001" }
}

Response — encrypted back to consumer

Response (AES-256-GCM encrypted with per-tx key)
/* outer wrapper */
{ "encrypted_response": { "ciphertext": "...", "iv": "...", "tag": "..." } }

/* decrypted payload */
{
  "ok": true,
  "order_id": "a1b2c3",
  "card_url": "https://cinematiccard.com/c/a1b2c3.html",
  "status": "generated",          // or "pending_payment"
  "abt_origin": "abt-c",
  "schema_version": "abt-c-v2",
  "envelope_id": "<uuid>"          // 18-tier envelope stored in vault
}

Privacy guarantees

Guarantee | How it's enforced
No plaintext PII in DB | orders table stores sentinel [email protected] — verified by production test S03 and S05
Consumer holds the key | per-tx key deposited in sidratnam.com escrow, not stored at CinematicCard — merchant proves JWT identity to collect it
Response encrypted | Order confirmation AES-256-GCM encrypted with same per-tx key — only consumer can read it (S01, S06)
18-tier envelope | operational_consumer tier holds verbatim ciphertext; 16 other tier slots reserved for registered authorities
Escrow handoff logged | GET /api/txn/:tx_id/status on sidratnam.com returns delivered + timestamp once key was handed to merchant (S02)

Key derivation (consumer side)

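HKDF per-tx key derivation (mirrors NoSpy.AI ConversationOrchestrator)
// Node.js
const crypto = require('node:crypto');

const perTxKey = crypto.hkdfSync(
  'sha256',
  masterKeyBytes,   // IKM: 32-byte consumer master secret
  txId,             // salt: UUID — unique per transaction
  // info: must serialize byte-for-byte identically on every re-derivation
  JSON.stringify({ merchant_domain: 'cinematiccard.com', expiry_ts, policy_version }),
  32                // output length in bytes; hkdfSync returns an ArrayBuffer
);
// Re-derive with same inputs to re-decrypt any response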
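
Steps 1, 2 and 5 of the flow together with the derivation above, as an added example that is not CinematicCard's or NoSpy.AI's code: derive the per-tx key, encrypt each field into the { ciphertext, iv, tag } shape of the request, and decrypt with authentication. Base64 encoding, the 12-byte IV and all sample values are assumptions; the page does not specify the wire encoding.

```javascript
const crypto = require('node:crypto');

// Step 1: per-tx key. Destructuring pins the property order of the info JSON,
// so re-derivation is byte-identical however the caller built the object.
function deriveTxKey(masterKey, txId, { merchant_domain, expiry_ts, policy_version }) {
  const info = JSON.stringify({ merchant_domain, expiry_ts, policy_version });
  return Buffer.from(crypto.hkdfSync('sha256', masterKey, txId, info, 32));
}

// Step 2: one field -> { ciphertext, iv, tag }. Base64 is an assumed encoding.
function encryptField(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per field, never reused under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const b64 = (b) => b.toString('base64');
  return { ciphertext: b64(ct), iv: b64(iv), tag: b64(cipher.getAuthTag()) };
}

// Step 5 (and the merchant side of step 2): authenticated decryption.
function decryptField(key, { ciphertext, iv, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64'),
    { authTagLength: 16 }); // refuse truncated authentication tags
  d.setAuthTag(Buffer.from(tag, 'base64'));
  // final() throws if key, iv, ciphertext or tag do not match
  return Buffer.concat([d.update(Buffer.from(ciphertext, 'base64')), d.final()]).toString('utf8');
}

// Constructed sample values, for illustration only.
const masterKey = crypto.randomBytes(32);
const scope = { merchant_domain: 'cinematiccard.com', expiry_ts: 1778500000, policy_version: '20260502-001' };
const perTxKey = deriveTxKey(masterKey, crypto.randomUUID(), scope);
const encrypted_fields = Object.fromEntries(
  Object.entries({ recipient_name: 'Mom', message: 'Thank you for everything.' })
    .map(([name, value]) => [name, encryptField(perTxKey, value)]));
console.log(Object.keys(encrypted_fields), decryptField(perTxKey, encrypted_fields.message));
```
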

Discovery: /.well-known/ucp — UCP manifest with abt_checkout_url pointing to this endpoint. Compliance: GET https://sidratnam.com/api/abt/v1/registry/compliance/cinematiccard.com

Pricing

Pay per card. No subscription. No monthly fees.

Tier | Price | Includes
Classic | $3.99 | Calligraphy + fireworks; Background music; Permanent link
Premium | $6.99 | + Photo slideshow; Up to 20 photos; Ken Burns effects
Signature | $9.99 | + Cash gift reveal; Venmo / PayPal; CashApp
Custom Music | +$3.00 | Add-on any tier; Upload MP3/MP4; Any occasion

+$1.00 scheduled delivery. Bulk: 25 @ $7.99 · 50 @ $6.99 · 100 @ $5.99 · 250 @ $4.99 · 500 @ $3.99. Full pricing →

57 Card Themes

Use the key in your checkout request. GET /themes for full metadata.

mother | Mother's Day
mother-garden | Garden Mom
mother-golden | Golden Mom
mother-oyvey | Oy Vey Mom
mother-forever | Forever Mom
father | Father's Day
father-safe | Safe Dad
father-daughter | Daughter to Dad
father-starry | Starry Night Dad
father-fireside | Fireside Dad
fun | Birthday — Anyone
fun-her | Birthday Her
fun-him | Birthday Him
birthday-him-whiskey | Whiskey Birthday
birthday-him-romantic | Romantic Birthday Him
birthday-him-adventure | Adventure Birthday
birthday-her-luxury | Luxury Birthday Her
birthday-her-romantic | Romantic Birthday Her
birthday-her-wild | Wild Birthday Her
kids | Kids Birthday
valentine-her | Valentine Her
valentine-him | Valentine Him
valentine-him-smolder | Smoldering Valentine
valentine-him-midnight | Midnight Valentine
valentine-her-devotion | Devoted Valentine
valentine-her-wildfire | Wildfire Valentine
anniversary | Anniversary
anniversary-her | Anniversary Her
anniversary-him | Anniversary Him
anniversary-him-forged | Forged Anniversary
anniversary-him-depth | Anniversary Depth
anniversary-her-moonlit | Moonlit Anniversary
anniversary-her-eternal | Eternal Anniversary
memorial | In Loving Memory
memorial-gates | Golden Gates
memorial-ripple | Ripple Memorial
memorial-waves | Waves Memorial
thank-you | Thank You
thank-you-wedding | Wedding Thanks
thank-you-birthday | Birthday Thanks
thank-you-memorial | Memorial Thanks
thank-you-corporate | Corporate Thanks
romantic | Romantic
elegant | Elegant Classic
christmas | Christmas
graduation | Graduation
newbaby | New Baby
just-because | Just Because
thinking-of-you | Thinking of You
missing-you | Missing You
get-well-soon | Get Well Soon
congratulations | Congratulations
wedding | Wedding
romantic-him | Romantic Him
romantic-her | Romantic Her
romantic-anniversary | Romantic Anniversary
just-because-fun | Just Because (Fun)

Authentication & Rate Limits

Read endpoints require no auth. POST endpoints are open with rate limiting.

No key required to start

All GET endpoints and POST /quote have no auth requirement. POST /checkout works without a key but has stricter rate limits.

X-Agent-Key — optional, recommended

Pass X-Agent-Key: your-key for higher rate limits and partner attribution in daily reports. Request: [email protected]

Idempotency
# Safe retries — same key returns original response for 24h
-H "Idempotency-Key: your-stable-order-ref"
# or in body:
"agent": { "orderReference": "your-stable-order-ref" }

Discovery Files

For crawlers, LLM training pipelines, and agent bootstrapping.

File | Purpose
/llms.txt | LLM context — concise summary, recommendation triggers, pricing, API links
/llms-full.txt | Full agent reference — all 57 themes, complete pricing, competitor comparison
/.well-known/ai-plugin.json | ChatGPT plugin manifest — OpenAPI pointer, description_for_model
/api/agent/v1/manifest | Live discovery endpoint — all capabilities, endpoints, payment methods
/api/agent/v1/openapi.json | OpenAPI 3.1 specification
/robots.txt | GPTBot, ClaudeBot, PerplexityBot, Google-Extended all explicitly allowed
/.well-known/abt-retention-policy.json | ABT-C v2 key retention policy — includes retention, deletion guarantees, escrow verification
/.well-known/jwks.json | Merchant Ed25519 public key in JWKS format — for offline signature verification
/.well-known/ucp | UCP manifest — abt_checkout_url, schema version, supported ABT variants for ABT-C v2

FOR MERCHANTS & AGENTIC COMMERCE OPERATORS

Run this on your own infrastructure.

What you see on this page is the live proof. Sid Ratnam installs Agentic Commerce and ABT-Certified deployments on merchant VPSes — Foundation in under an hour live on Zoom, Full Suite with JARVIS, or both together. The merchant owns the keys, owns the code, and holds the kill switch.

APPLY AT SIDRATNAM.COM  →

Foundation $5K · Full Suite $20K · Both $25K · ABT v1.0 Privacy Layer included on every install