Skip to main content
The quickstart runs in the browser with a client key and a user’s JWT. If you’re building a skill for your own agent — buying for the agent itself, not on behalf of signed-in end users — skip the JWT and call the API server-side with a server key (sk_...).
  • Send only X-API-KEY: sk_... (no Authorization header). The key needs the same agent-checkouts.* scopes. Keep it secret — unlike the ck_ key, it is not safe in the browser.
  • Checkouts then run under a fixed service subject for your project — ideal for one agent that buys for itself.
  • To create a checkout on behalf of a specific user, add the x-crossmint-user-id header. The subject is namespaced under your project (a server key can only address its own project’s subjects); omit it and it falls back to the shared service subject.
const res = await fetch("https://www.crossmint.com/api/unstable/agent-checkouts", {
    method: "POST",
    headers: {
        "Content-Type": "application/json",
        "X-API-KEY": CROSSMINT_SERVER_API_KEY, // sk_... — no JWT needed
        "x-crossmint-user-id": "user_123", // optional — act on behalf of a user; omit for the shared service subject
    },
    body: JSON.stringify({
        target: { kind: "direct_url", url: "https://merchant.example/products/classic-tee" },
        constraints: { maxCost: { amount: "100.00", currency: "USD" } },
    }),
});
Checkouts and buyer profiles are isolated per (project, subject), so resources created under one x-crossmint-user-id are only visible to that subject. Everything else — polling, responding to actions, reading the receipt — works exactly as in the quickstart.