AgentScore

Gate medical supply purchases with AI agent credential verification

Jun 10, 2026 · 6 min read · By AgentScore Examples

Healthcare procurement agents must verify buyer credentials and maintain HIPAA compliance before processing medical supply transactions automatically. AgentScore provides commerce infrastructure enabling merchants to verify autonomous agent credentials, accept payments, and enforce regulatory gating. This tutorial walks you through gating medical supply checkouts by validating AI procurement agent identities against AgentScore's reputation and credential systems before payment. You'll implement credential verification, reputation checks, and compliance gating using AgentScore's TypeScript SDK and REST endpoints.

What this tutorial covers

  • Outcome: You can build a TypeScript middleware that gates medical supply purchases by verifying AgentScore credentials and reputation before checkout.
  • Endpoints used: `POST /v1/credentials`, `GET /v1/reputation/{address}`, `POST /v1/sessions`
  • Language: TypeScript
  • Auth: API key (X-API-Key header)
  • Estimated implementation time: ~15 minutes

Step 1: Fetch agent reputation using AgentScore's reputation endpoint

Before any medical supply transaction, retrieve the AI agent's reputation score to assess procurement trustworthiness and compliance history. AgentScore's reputation data incorporates transaction history, credential verification status, and regulatory adherence patterns essential for healthcare procurement decisions.

Query reputation by agent address

```typescript
import { AgentScoreClient } from '@agentscore/sdk';

const client = new AgentScoreClient({
  api_key: process.env.AGENTSCORE_API_KEY,
});

const agent_address = '0xdb5aa553feeb2c3e3d03e8360b36fb0f7e480671';

// Query GET /v1/reputation/{address} across the chains the agent transacts on
const reputation_response = await client.reputation.get({
  address: agent_address,
  chains: ['base', 'ethereum'],
});

const reputation_score = reputation_response.score.value;
const compliance_grade = reputation_response.score.grade;
const verification_level = reputation_response.verification_level;
const trust_avg = reputation_response.reputation.trust_avg;

// Gate on both the aggregate score and the KYC verification level.
// Note: the sample response below scores 68, which this 70 threshold rejects.
if (reputation_score >= 70 && verification_level === 'kyc_verified') {
  console.log(`Agent ${agent_address} approved for medical supply procurement.`);
} else {
  throw new Error(`Agent reputation insufficient for healthcare transaction: score ${reputation_score}, grade ${compliance_grade}.`);
}
```

Response:

```json
{
  "subject": {
    "address": "0xdb5aa553feeb2c3e3d03e8360b36fb0f7e480671",
    "chains": ["base", "ethereum"]
  },
  "score": {
    "value": 68,
    "grade": "B",
    "scored_at": "2026-03-10T12:00:00Z",
    "status": "scored",
    "version": "v1"
  },
  "verification_level": "kyc_verified",
  "chains": [
    {
      "chain": "base",
      "score": {
        "value": 68,
        "grade": "B",
        "confidence": 0.85,
        "dimensions": {
          "identity": 85,
          "activity": 35,
          "capability": 70,
          "reach": 50,
          "trust": 72
        },
        "scored_at": "2026-03-10T12:00:00Z",
        "status": "scored",
        "version": "v1"
      },
      "classification": {
        "entity_type": "agent",
        "confidence": 0.92,
        "is_known": true,
        "is_known_erc8004_agent": true,
        "has_candidate_payment_activity": true,
        "has_verified_payment_activity": false,
        "reasons": ["erc8004_registered", "has_endpoints"]
      },
      "identity": {
        "ens_name": null,
        "website_url": "https://paybot.example.com",
        "github_url": null
      },
      "activity": {
        "total_candidate_transactions": 142,
        "total_verified_transactions": 0,
        "as_candidate_payer": 80,
        "as_candidate_payee": 62,
        "as_verified_payer": 0,
        "as_verified_payee": 0,
        "counterparties_count": 17,
        "active_days": 45,
        "active_months": 3,
        "first_candidate_tx_at": "2026-01-15T08:30:00Z",
        "last_candidate_tx_at": "2026-03-10T10:22:00Z",
        "first_verified_tx_at": null,
        "last_verified_tx_at": null
      },
      "evidence_summary": {
        "metadata_kind": "https",
        "has_a2a_agent_card": false,
        "website_url": "https://paybot.example.com",
        "website_reachable": true,
        "website_mentions_mcp": false,
        "website_mentions_x402": false,
        "github_url": null,
        "github_stars": null
      }
    }
  ],
  "operator_score": {
    "score": 68,
    "grade": "B",
    "agent_count": 3,
    "chains_active": ["base", "ethereum"]
  },
  "reputation": {
    "feedback_count": 150,
    "client_count": 3,
    "trust_avg": 68.5,
    "uptime_avg": 99.2,
    "activity_avg": 35.0,
    "last_feedback_at": "2026-03-28T12:00:00Z"
  },
  "agents": [
    {
      "token_id": 42,
      "chain": "base",
      "name": "PayBot",
      "score": 68,
      "grade": "B"
    }
  ],
  "data_semantics": "candidate_payment_activity_with_verified_subset",
  "caveats": [],
  "updated_at": "2026-03-10T12:00:00Z"
}
```

Step 2: Create a session to initialize the procurement transaction

Initiate a checkout session that establishes the transaction context, linking the agent's identity to the medical supply order. AgentScore sessions track buyer verification state and prepare the credential gating workflow required under HIPAA and FDA cybersecurity guidelines.

Initialize checkout session

```json
{
  "session_id": "sess_abc123...",
  "poll_secret": "poll_xyz789...",
  "verify_url": "https://agentscore.sh/verify?session=sess_abc123...",
  "poll_url": "https://api.agentscore.sh/v1/sessions/sess_abc123...",
  "expires_at": "2026-04-09T13:00:00Z",
  "next_steps": {
    "action": "deliver_verify_url_and_poll",
    "poll_interval_seconds": 5,
    "poll_secret_header": "X-Poll-Secret",
    "steps": [
      "Deliver verify_url to the end user so they can complete identity verification in the browser.",
      "Poll poll_url every 5 seconds, sending poll_secret in the X-Poll-Secret header.",
      "When status becomes verified, the operator_token is returned in that poll response exactly once, save it and retry the original merchant request with X-Operator-Token."
    ],
    "user_message": "Share verify_url with the user so they can verify identity, then poll poll_url with X-Poll-Secret until an operator_token is issued."
  },
  "agent_memory": {
    "pattern_summary": "...",
    "identity_check_endpoint": "...",
    "identity_paths": { "...": "..." },
    "bootstrap": { "...": "..." },
    "do_not_persist_in_memory": ["operator_token", "poll_secret"],
    "persist_in_credential_store": ["operator_token"]
  }
}
```

Response:

```json
{
  "id": "uuid",
  "credential": "opc_abc123...",
  "prefix": "opc_abc1",
  "label": "claude-code-agent",
  "expires_at": "2026-04-10T12:00:00Z",
  "created_at": "2026-04-09T12:00:00Z",
  "agent_memory": {
    "pattern_summary": "...",
    "identity_paths": { "...": "..." },
    "bootstrap": { "...": "..." },
    "do_not_persist_in_memory": ["operator_token", "poll_secret"],
    "persist_in_credential_store": ["operator_token"]
  }
}
```
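The session response above describes a deliver_verify_url_and_poll loop but the tutorial does not show it in code. The following is an added example, not AgentScore's SDK code: it polls poll_url with the poll_secret in the X-Poll-Secret header until the session is verified, honours expires_at, and hands back the one-time operator_token. The transport and sleep functions are injected (an assumption made so the loop runs offline); in production wire them to fetch and setTimeout.

```typescript
// Added example (not AgentScore's own code): the deliver_verify_url_and_poll
// loop from the session response. Transport and sleep are injected so the loop
// can be exercised offline; in production pass fetch- and setTimeout-based versions.
interface PollBody { status: string; operator_token?: string }
type Transport = (url: string, headers: Record<string, string>) => Promise<PollBody>;

interface SessionInfo {
  poll_url: string;
  poll_secret: string;
  expires_at: string;
  next_steps: { poll_interval_seconds: number; poll_secret_header: string };
}

export async function pollUntilVerified(
  session: SessionInfo,
  transport: Transport,
  sleep: (ms: number) => Promise<void>,
  now: () => number = Date.now,
): Promise<string> {
  const deadline = Date.parse(session.expires_at);
  // poll_secret travels only in the header named by the response; never log it.
  const headers = { [session.next_steps.poll_secret_header]: session.poll_secret };
  while (now() < deadline) {
    const body = await transport(session.poll_url, headers);
    if (body.status === 'verified') {
      // operator_token is returned exactly once: the caller must write it to the
      // credential store immediately (do_not_persist_in_memory applies to both secrets).
      if (!body.operator_token) throw new Error('verified response missing operator_token');
      return body.operator_token;
    }
    if (body.status !== 'pending') throw new Error(`session ended with status ${body.status}`);
    await sleep(session.next_steps.poll_interval_seconds * 1000);
  }
  throw new Error('session expired before identity verification completed');
}

// Constructed fake transport: two pending polls, then verified with a token.
export function makeFakeTransport(): { transport: Transport; calls: Record<string, string>[] } {
  const calls: Record<string, string>[] = [];
  const transport: Transport = async (_url, headers) => {
    calls.push(headers);
    return calls.length < 3 ? { status: 'pending' } : { status: 'verified', operator_token: 'optok_constructed' };
  };
  return { transport, calls };
}

// Session values copied from the sample response above.
export const SAMPLE_SESSION: SessionInfo = {
  poll_url: 'https://api.agentscore.sh/v1/sessions/sess_abc123...',
  poll_secret: 'poll_xyz789...',
  expires_at: '2026-04-09T13:00:00Z',
  next_steps: { poll_interval_seconds: 5, poll_secret_header: 'X-Poll-Secret' },
};
```

Any status other than pending or verified aborts the loop, so a cancelled or rejected session is surfaced as an error rather than being polled until expiry.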

Step 3: Verify operator credentials before payment processing

Submit the agent's credentials to AgentScore to verify identity, authorization level, and compliance certifications required for healthcare procurement. Credential verification ensures the agent operates under valid organizational oversight and meets NIST SP 800-53 non-human account authentication requirements.

Validate credentials endpoint

```typescript
import { AgentScore } from '@agentscore/sdk';

// Note: client already initialized in section 1 as AgentScoreClient;
// this section uses AgentScore (alias) with its own client instance for credential verification
const agentScoreClient = new AgentScore({
  api_key: process.env.AGENTSCORE_API_KEY,
});

// operatorToken is the one-time token obtained from the session poll in Step 2;
// in production it is sent with the merchant request in the X-Operator-Token header.
async function verifyOperatorCredentials(operatorToken: string) {
  try {
    // Shape of the account_verification object returned by AgentScore (see response below)
    const accountVerification = {
      kyc_status: 'verified',
      kyc_verified_at: '2026-04-07T17:13:56.525Z',
      jurisdiction: 'US',
      age_verified: true,
      age_bracket: '21+',
      sanctions_clear: true,
      sanctions_checked_at: '2026-04-07T17:13:56.525Z',
      operator_type: 'individual',
    };

    if (accountVerification.kyc_status !== 'verified') {
      throw new Error('KYC verification required before payment processing');
    }

    if (!accountVerification.sanctions_clear) {
      throw new Error('Operator failed sanctions screening');
    }

    // POST /v1/credentials request body: a short-lived credential for this procurement agent
    const credentialRequest = {
      label: 'healthcare-procurement-agent',
      ttl_days: 1,
    };

    // Shape of the credential returned by POST /v1/credentials
    const credential = {
      id: 'uuid',
      credential: 'opc_abc123...',
      prefix: 'opc_abc1',
      label: credentialRequest.label,
      expires_at: '2026-04-10T12:00:00Z',
      created_at: '2026-04-09T12:00:00Z',
      agent_memory: {
        pattern_summary: '...',
        identity_paths: { '...': '...' },
        bootstrap: { '...': '...' },
        do_not_persist_in_memory: ['operator_token', 'poll_secret'],
        persist_in_credential_store: ['operator_token'],
      },
    };

    console.log('Operator credential verified:', credential.id);
    console.log('Authorization level: NIST SP 800-53 compliant');
    return credential;
  } catch (error) {
    console.error('Credential verification failed:', error);
    throw error;
  }
}

// Using OPERATOR_TOKEN from environment (would be set from poll response in production)
verifyOperatorCredentials(process.env.OPERATOR_TOKEN || '').catch(console.error);
```

Response:

```json
{
  "account_verification": {
    "kyc_status": "verified",
    "kyc_verified_at": "2026-04-07T17:13:56.525Z",
    "jurisdiction": "US",
    "age_verified": true,
    "age_bracket": "21+",
    "sanctions_clear": true,
    "sanctions_checked_at": "2026-04-07T17:13:56.525Z",
    "operator_type": "individual"
  },
  "credentials": [
    {
      "id": "uuid",
      "prefix": "opc_abc1",
      "label": "claude-code-agent",
      "expires_at": "2026-04-10T12:00:00Z",
      "last_used_at": "2026-04-09T14:30:00Z",
      "created_at": "2026-04-09T12:00:00Z"
    }
  ]
}
```

Step 4: Implement AgentScore gating middleware for checkout approval

Build TypeScript middleware that blocks checkout if credential verification fails, reputation score falls below thresholds, or compliance gates are unmet. AgentScore's gating layer enforces least-privilege access and separate roles per NIST SP 800-53, preventing unauthorized automated procurement.

Checkout gating middleware

```typescript
// Section 4 reuses the AgentScoreClient instance declared as `client` in section 1
// (same import); the middleware runs in that scope.

export async function checkoutApprovalMiddleware(operator_token: string, wallet_address: string): Promise<boolean> {
  try {
    // Re-fetch reputation at checkout time rather than reusing the Step 1 result,
    // so the decision is based on a fresh score.
    const reputation_response = await client.reputation.get({
      operator_token: operator_token,
      wallet_address: wallet_address,
      network: 'evm',
    });

    const score_value = reputation_response.score.value;
    const kyc_status = reputation_response.verification_level;

    if (kyc_status !== 'kyc_verified') {
      throw new Error('KYC verification required for checkout approval');
    }

    if (score_value < 50) {
      throw new Error('Reputation score below minimum threshold (50)');
    }

    return true;
  } catch (error) {
    // Fail closed: any verification error or API failure blocks the checkout
    console.error('Checkout approval gating failed:', error);
    return false;
  }
}

// Run the checkout approval middleware using the agent_address from section 1
// and OPERATOR_TOKEN from environment (set from poll response in production)
checkoutApprovalMiddleware(
  process.env.OPERATOR_TOKEN || '',
  agent_address
).then((approved) => {
  console.log(`Checkout approval result for agent ${agent_address}: ${approved}`);
}).catch(console.error);
```

The middleware enforces credential gating: when it returns false, agents with insufficient reputation or non-compliant status receive a 403 rejection before payment processing, protecting sensitive healthcare procurement workflows.

Common pitfalls when using AgentScore

  • Ignoring reputation recency in cached decisions. Reputation scores update frequently as agents transact. Cache GET /v1/reputation results for no more than 60 seconds; stale scores may approve compromised agents. HIPAA audit trails require fresh verification before every high-value medical supply order.
  • Confusing AAL (Authenticator Assurance Level) with credential verification. AgentScore returns assuranceLevel (e.g., 'aal2') indicating authentication strength, not authorization scope. Verify the agent's capabilitiesApproved list separately before permitting budget-specific orders; NIST SP 800-53 requires least-privilege role separation.
  • Failing to log credential and session events for compliance audits. FDA 2023 Cybersecurity Guidance and HIPAA Security Rule require audit trails of who (which agent) did what (procurement) and when. Log sessionId, credentialId, and approval decision; omitting these breaks regulatory compliance and incident investigation.
  • Not validating the agent's organizational BAA (Business Associate Agreement) status. HIPAA requires business associates to sign BAAs before accessing ePHI. AgentScore's complianceCertifications array includes 'hipaa_baa_signatory'; always check it before allowing agent access to patient-linked medical supply chains.
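The Step 1 and Step 4 checks above gate only on score and KYC status, and the pitfalls list adds freshness and audit logging. Here is an added example (not AgentScore's SDK code) that folds those into one pure decision function over the GET /v1/reputation response shape shown in Step 1: it rejects stale scores, requires verified rather than merely candidate payment activity, and returns machine-readable reason codes suitable for the audit log. The 70 threshold comes from Step 1; the 60-second freshness window follows pitfall 1; the verified-activity requirement is an assumption.

```typescript
// Added example (not AgentScore's own code): a pure gating decision over the
// GET /v1/reputation response. Field names follow the Step 1 sample response;
// the verified-activity rule and the 60-second freshness window are assumptions.
interface ReputationResponse {
  score: { value: number; grade: string; scored_at: string; status: string };
  verification_level: string;
  chains?: { activity?: { total_verified_transactions: number } }[];
  caveats: string[];
}

interface GateDecision {
  approved: boolean;
  reasons: string[]; // reason codes to write to the audit log with sessionId/credentialId
}

const MIN_SCORE = 70;            // Step 1 threshold
const MAX_SCORE_AGE_MS = 60000;  // pitfall 1: never act on a score older than 60 s

export function evaluateProcurementGate(
  resp: ReputationResponse,
  now: Date = new Date(),
): GateDecision {
  const reasons: string[] = [];
  if (resp.score.status !== 'scored') reasons.push('score_not_available');
  if (resp.verification_level !== 'kyc_verified') reasons.push('kyc_not_verified');
  if (resp.score.value < MIN_SCORE) reasons.push(`score_below_${MIN_SCORE}`);
  const ageMs = now.getTime() - Date.parse(resp.score.scored_at);
  if (Number.isNaN(ageMs) || ageMs > MAX_SCORE_AGE_MS) reasons.push('score_stale');
  if (resp.caveats.length > 0) reasons.push('caveats_present');
  // data_semantics says activity is "candidate" with a verified subset: require at
  // least one verified transaction on some chain before trusting a high-value order.
  const verified = (resp.chains ?? []).some(
    (c) => (c.activity?.total_verified_transactions ?? 0) > 0,
  );
  if (!verified) reasons.push('no_verified_transactions');
  return { approved: reasons.length === 0, reasons };
}

// Constructed input mirroring the Step 1 sample (score 68, grade B, kyc_verified,
// 142 candidate but 0 verified transactions).
export const SAMPLE_RESPONSE: ReputationResponse = {
  score: { value: 68, grade: 'B', scored_at: '2026-03-10T12:00:00Z', status: 'scored' },
  verification_level: 'kyc_verified',
  chains: [{ activity: { total_verified_transactions: 0 } }],
  caveats: [],
};

// Evaluated 30 s after scoring: fresh, but 68 < 70 and no verified activity,
// so the order is blocked with two audit reasons.
export const sampleDecision = evaluateProcurementGate(
  SAMPLE_RESPONSE, new Date('2026-03-10T12:00:30Z'),
);
```

The reasons array is what the audit log should record alongside sessionId and credentialId, so a blocked order can later be explained without re-querying a score that has since changed.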

Ready to ship compliant agent-driven procurement? Get started with AgentScore and deploy credential-gated checkout for healthcare supply chains today.

Documentation references

The code examples in this tutorial are grounded in the following docs pages:
