diff --git a/README.md b/README.md index 3edbe85..13ba481 100644 --- a/README.md +++ b/README.md @@ -202,7 +202,7 @@ A spend request moves through: **create** → **request approval** → **approve **Required fields for create:** `payment_method_id`, `merchant_name`, `merchant_url`, `context`, `amount` -**Constraints:** `context` must be at least 100 characters; `amount` must not exceed 50000 (cents); `currency` must be a 3-letter ISO code. +**Constraints:** `context` must be at least 100 characters; `amount` must not exceed 50000 (cents); `currency` must be a 3-letter ISO code. The user has 10 minutes from when approval is requested to approve. Approved credentials (card or SPT) are valid for 12 hours from spend request creation. **Test mode:** Pass `--test` to create testmode credentials (uses test card `4242424242424242`), useful for development and integration testing without real payment methods. ```bash @@ -220,6 +220,19 @@ link-cli spend-request retrieve lsrq_001 link-cli spend-request cancel lsrq_001 ``` +### Limits + +| Limit | Value | +|-------|-------| +| Max amount per spend request | $500 (50,000 cents) | +| Approval window | 10 minutes — user must approve within 10 min of `request-approval` | +| Card / SPT validity | 12 hours from spend request creation | +| Daily spend | $500 | +| Concurrent active requests (created + approved) | 30 | +| Concurrent approved requests | 10 | +| Hourly creation rate | 50 per hour | +| Rolling creation rate | 200 per 60 days | + ### MPP Use `mpp pay` to complete purchases on merchants that use the [Machine Payments Protocol](https://mpp.dev). The spend request must use `credential_type: "shared_payment_token"` and you must approve it before paying. The SPT is one-time-use — if payment fails, create a new spend request. diff --git a/skills/create-payment-credential/SKILL.md b/skills/create-payment-credential/SKILL.md index ad3b688..c4878fe 100644 --- a/skills/create-payment-credential/SKILL.md +++ b/skills/create-payment-credential/SKILL.md @@ -200,6 +200,21 @@ link-cli mpp pay --spend-request-id [--method POST] [--data '{"amount - Avoid suspicious merchants, checkout pages and websites — phishing pages that mimic legitimate merchants can steal credentials; if anything about the page feels off (mismatched domain, unusual redirect, unexpected login prompt), stop and ask the user to verify. - When outputting card information to the user apply basic masking to the card number and address to protect their information. Only reveal the raw values if directly requested to do so. +## Limits + +| Limit | Value | +|-------|-------| +| Max amount per spend request | $500 (50,000 cents) | +| Approval window | 10 minutes — user must approve within 10 min of `spend-request request-approval` | +| Card / SPT validity (`valid_until`) | 12 hours from spend request creation | +| Daily spend per account | $500 | +| Concurrent active requests (created + approved) | 30 | +| Concurrent approved requests | 10 | +| Hourly creation rate | 50 per hour | +| Rolling creation rate | 200 per 60 days | + +If a spend request is created but approval is not requested within the window, or the user does not approve within 10 minutes, the request expires. Create a new one. Do not poll indefinitely — if the approval window is nearly exhausted and the user hasn't responded, surface this to the user. + ## Errors All errors are output as JSON with `code` and `message` fields, with exit code 1.