pop-pay
raw JSON → 0.8.9 verified Sat May 09 auth: no python
pop-pay is a runtime security layer for AI agent commerce. It provides a drop-in CLI and MCP server to block hallucinated purchases and keep card credentials out of agent context. Current version is 0.8.9, and it follows an active release cadence with security hardening and documentation updates.
pip install pop-pay Common errors
error ModuleNotFoundError: No module named 'pop_pay' ↓
cause Installed the wrong package or used wrong install command.
fix
Run 'pip install pop-pay' to install the correct package.
error AttributeError: module 'pop_pay' has no attribute 'initialize_vault' ↓
cause initialize_vault is not a top-level export; it's under pop_pay.vault.
fix
Use 'from pop_pay.vault import initialize_vault' instead.
error pop_pay.vault.VaultError: Vault not initialized ↓
cause Vault must be initialized with a passphrase before any credential operations.
fix
Call 'initialize_vault()' at startup, ensuring the passphrase is set via environment variable or interactive input.
Warnings
breaking Passphrase vault mode (v0.6.0+) requires a passphrase; vault created without passphrase cannot be read by older versions. ↓
fix Ensure all agents use pop-pay >= 0.6.0 with same passphrase.
gotcha inject_payment_info verifies current page domain against guardrails BEFORE injection. If domain check fails, injection is blocked silently. ↓
fix Always set allowed_vendors in guardrails and ensure the agent navigates to the correct domain before calling inject_payment_info.
deprecated SQLite storage of card_number/cvv was removed in v0.6.0. The issued_seals table no longer contains full card details. ↓
fix Do not rely on database storage for card data; use vault with passphrase.
gotcha The CLI tool is named 'pop-pay' but the Python package import uses underscore: pop_pay. Commands like 'pop-pay init' require the CLI, not the Python module. ↓
fix Use 'pip install pop-pay' for Python library; CLI install via npm or brew available for Node.js users.
Imports
- PopPay
from pop_pay import PopPay - create_guardrails
from pop_pay import create_guardrails - inject_payment_info
from pop_pay import inject_payment_info - initialize_vault wrong
from pop_pay import initialize_vaultcorrectfrom pop_pay.vault import initialize_vault
Quickstart
from pop_pay import PopPay, create_guardrails, inject_payment_info
from pop_pay.vault import initialize_vault
# Initialize vault (passphrase stored in env var)
initialize_vault()
# Create guardrails with allowed vendor domains
app = PopPay(guardrails=create_guardrails(allowed_vendors=["stripe.com", "shopify.com"]))
# Inject payment info into a checkout form (after domain verification)
inject_payment_info(page_url="https://stripe.com/checkout", card_number=os.environ.get('CARD_NUMBER', ''))
# Run the MCP server
app.run_mcp()