OdyPay Protocol Specification · 0.1-draft · April 2026

Not a payment processor.
A covenant fund.

OdyPay is a permissioned credential layer for mutual aid — serving anyone the legacy payment rails have chosen to exclude, including the unbanked, the unhoused, and AI agents operating on behalf of people in covenant.

Published under WellSpr.ing covenant · Version 0.1-draft · Draft for comment · VCAP-governed · Process-agnostic · CNP-native

§ 1

Preamble

OdyPay is not a payment processor. It does not compete with Stripe, Visa, or Mastercard. It does not seek a money transmitter license. It does not operate a merchant acquirer relationship. It is none of those things.

OdyPay is a mutual aid fund protocol — a structured way for people and communities operating under covenant to pool resources, issue permissioned spending credentials, and settle obligations using whatever payment instruments are available, including instruments the traditional rails have refused to accommodate.

The distinction matters legally, ethically, and practically. When a mutual aid fund pays for groceries on behalf of a covenant participant, no sale occurs between the donor and the recipient. The fund is the purchaser. The specific transaction is a private matter. The donor is made whole from the fund over time — not as a one-for-one reimbursement (which would be a sale), but as a community obligation honored in covenant.

"It is not a one-for-one because that becomes a taxable transaction where there is a sale and there is revenue. This is simply a fund that is paying for what needs to be bought from where it can be bought for the benefit of persons who are operating in covenant."

This specification describes how that protocol works — technically, legally, and ethically.

§ 2

The Problem

The global payment system is not neutral infrastructure. It is a cartel-operated set of rails that decides who may transact and on what terms. That decision is made opaque through the language of compliance, risk management, and fraud prevention — but the effect is straightforward: the payment rails discriminate.

The unhoused person with no fixed address cannot open a bank account at most institutions. The undocumented community member cannot pass KYC requirements. The small cooperative cannot afford the merchant acquirer fees that presuppose volume. The AI agent operating on behalf of a user cannot hold a credit card. The mutual aid network cannot process payments for members without taking on the legal identity of a payment processor.

PCI DSS — the Payment Card Industry Data Security Standard — is presented as a security framework. It is, in practice, a compliance program governed by the card networks themselves (Visa, Mastercard, AmEx, Discover, JCB). The Qualified Security Assessor (QSA) ecosystem is a licensed auditor class the council controls. Compliance certification can be revoked, denied, or weaponized. This is not theoretical: organizations operating in good faith have been deplatformed not because of security failures but because a card network decided their business was unwelcome.

The chokepoint is not technical. A payment processor with full PCI compliance can be deplatformed in 48 hours if a card network revokes their acquirer relationship. The compliance layer is a control mechanism, not a security mechanism.

OdyPay addresses this not by fighting the cartel on its own terrain, but by building a different kind of infrastructure — one that uses the rails where they are available, routes around them where they are not, and is never dependent on any single chokepoint for its governance.

§ 3

The Model

The OdyPay transaction model has three layers that are separated by design:

1. The Fund Layer. The covenant mutual aid fund holds resources contributed by persons of abundance. The fund — not any individual donor, not any individual recipient — is the entity that initiates settlement. Contributions to the fund may have their own tax treatment; individual transactions do not.
2. The Credential Layer (VCAP). The fund issues a VCAP-attested credential to a participant. The credential carries a scope grammar defining what may be purchased, from whom, in what amounts, during what time windows, within what geographic boundaries. The participant presents this credential at the point of transaction. The credential never reveals the underlying funding instrument.
3. The Settlement Layer. Ody (the protocol's authorization oracle) verifies the credential against its scope, checks merchant covenant eligibility, and routes settlement through whatever instrument is appropriate — a vaulted card, a gift card network, ACH, a closed-loop prepaid system. The settlement layer is process-agnostic. Any rail that accepts a card-not-present (CNP) transaction can be used.

The participant never sees the funding instrument. The donor never sees the transaction details. The merchant sees an OdyPay authorization. Ody sees the scope check. The fund sees the obligation discharged.

§ 4

Make It Rain

The Make It Rain principle recognizes that people blessed with abundance may wish to materially fund the work of covenant community without directing, tracking, or limiting how that support is used by specific individuals. This is not charity in the paternalistic sense. It is not a conditional grant. It is an unconditional contribution to a fund that pays for what needs to be paid for.

A practical example: a neighbor who cannot cook due to illness needs prepared meals. Someone in the community — a home cook operating within the covenant network — can provide them. The meal has a cost: ingredients, fuel, time. OdyPay credentials allow the cost to be discharged through the fund. The home cook is compensated. The neighbor is fed. The person of abundance contributed to a fund that made both possible. No sale occurred between any two of these three parties.

"The concept is different than payments as the world considers it. However, some building materials or equipment may require a credit card to settle a payment so covenant payments co-exist with legacy accounting. Needs more thought, but there is something novel and useful here that recognizes that people have bills to pay when they are serving others."

The fund discharges obligations over time. Contributors are made whole through the fund's accrual, not through individual reimbursement. The timeline is covenant-governed, not contractually mandated. This is closer in structure to a community endowment than to a payment system — and the legal treatment follows accordingly.

§ 5

Credential Layer (VCAP)

OdyPay credentials are issued as VCAP attestation documents — cryptographically signed, scoped, verifiable by anyone, revocable by the issuer in real time. The scope grammar (SGS) defines precisely what a credential authorizes.

An OdyPay scope string looks like this:

    # Lunch at approved food merchants, weekdays, under $20, within school district 47
    payments:mcc=5812:max_txn=20.00:window=MF/1100-1400:geo=dist47

    # Grocery and pharmacy purchases, any time, under $150/week
    payments:mcc=5411,5912:max_week=150.00

    # Building materials for a specific covenant project, one-time, expires 2026-12-31
    payments:mcc=5251,5211:max_total=3500.00:expires=2026-12-31:project=covenant-build-7

    # General covenant participant — food, medicine, transit, no restrictions
    payments:category=essential:covenant=wellspring-2026

The scope grammar encodes merchant category, amount ceiling, time window, geographic boundary, and expiry. A guardian, a community organization, or a covenant fund can issue a credential to anyone — a child, a new community member, an unhoused neighbor, an AI agent — with whatever scope is appropriate to the relationship.

| Scope component | Example | Effect |
|---|---|---|
| mcc= | mcc=5812 | Restrict to merchant category code (restaurants, grocery, pharmacy, etc.) |
| max_txn= | max_txn=25.00 | Per-transaction ceiling in USD |
| max_week= | max_week=150.00 | Weekly spend ceiling |
| window= | window=MF/0900-1700 | Active time window (days/hours) |
| geo= | geo=98101 | Geographic restriction (zip, district, city) |
| expires= | expires=2026-12-31 | Hard expiry date |
| covenant= | covenant=wellspring-2026 | Covenant registry reference |

Revocation is immediate: when a guardian revokes a credential, it is dead at Ody's authorization oracle within seconds. No card cancellation process, no bank call, no waiting period.

§ 6

The Vault

OdyPay is process-agnostic because it owns the vault. The vault holds the payment instrument — not the credential. The credential is what the participant carries. The vault is what Ody consults at settlement time.

A vaulted instrument can be any of the following:

- Visa/MC/AmEx/Discover card — submitted once, tokenized immediately by a PCI-compliant tokenization service (Spreedly, Basis Theory, or similar), then held as a network token. The raw PAN never touches OdyPay infrastructure.
- Open-loop gift card (Visa, Mastercard branded) — purchased with cash, vaulted by number, settles over the open-loop network. No bank account, no KYC, no address required at point of acquisition.
- Closed-loop gift card — a Target, Walmart, or grocery-chain card. Settles on the issuer's own closed-loop network, entirely outside Visa/MC rails. No PCI exposure to OdyPay at all.
- Community-issued prepaid instrument — a fund-backed prepaid pool maintained by a mutual aid network, cooperative, or faith community. Can be topped up by contributors and drawn down by participants via credential-scoped transactions.
- ACH-backed instrument — for merchants that can settle via ACH rather than card networks. No card network involvement, no interchange fees, no PCI.

The gift card on-ramp is the most immediately accessible path for the unbanked and unhoused. A Visa gift card purchased at any convenience store with cash — anonymous, no ID, no account — can be vaulted in OdyPay and used to transact at any OdyPay-accepting merchant, on any device, without any persistent identity requirement.

OdyPay's security model for the vault is architectural, not compliance-based. The raw card number (where applicable) transits an end-to-end encrypted channel exactly once — at vault time — and is immediately tokenized. The ciphertext is stored; the plaintext never appears in logs, databases, API responses, or human-visible interfaces. Decryption keys are split using Shamir's Secret Sharing. No single server, no single person, holds a complete key.

This provides stronger actual security properties than PCI certification verifies, because PCI is a checklist audit and Shamir key splitting is a mathematical guarantee. The cartel cannot revoke a theorem.

§ 7

Merchant Covenant

Merchants opt in to accepting OdyPay. Acceptance is not automatic. Ody vets each merchant for covenant eligibility before they are admitted to the network. This inversion — Ody vets the merchant, not the other way around — is intentional and structural.

Traditional payment networks vet participants to protect their revenue model. OdyPay's merchant vetting protects the covenant community from predatory actors. A payday lender does not qualify. A predatory rent-to-own operation does not qualify. A tobacco retailer targeting minors does not qualify.

What qualifies: food, medicine, building materials, home services, prepared meals from home kitchens, community services, transit, and any merchant operating honestly within the community. A food truck qualifies. A community garden qualifies. A neighbor running a small catering operation qualifies. Eligibility is assessed against the covenant principles, not against a profitability calculation.

Merchant onboarding is simple: an API endpoint or QR code integration. No terminal hardware required. All OdyPay transactions are card-not-present by design, so there is no hardware dependency.

§ 8

Security

OdyPay's security model is architectural. It does not depend on, and is not governed by, any certification program controlled by the entities whose interests it may threaten.

The security properties of the system are:

1. Zero-knowledge vault — the raw card number (PAN) is never stored, never logged, never visible in any API response. Only a network token referencing the instrument is held. This is stronger than PCI compliance requires, because PCI compliance still permits PAN storage in some forms.
2. Shamir key splitting — vault decryption keys are split across multiple keyholders using Shamir's Secret Sharing. No single party can decrypt the vault unilaterally. This is a mathematical guarantee, not a policy.
3. VCAP attestation chain — every authorization is cryptographically attested. The audit trail is tamper-evident and verifiable by anyone without requiring a QSA or a card network's permission.
4. Minimal data surface — the vault process runs on isolated infrastructure with no persistent inbound network access. The attack surface is by design smaller than any PCI-compliant system that permits routine administrative access.
5. Adversarial resilience — because OdyPay governance is covenant-based and cryptographic rather than compliance-based, it cannot be deplatformed through the compliance layer. There is no QSA to deregister, no acquirer relationship to revoke, no Terms of Service to enforce selectively.

§ 9

Agents as Participants

AI agents operating on behalf of covenant participants can hold OdyPay credentials with the same scope grammar as any other participant. An agent authorized to purchase groceries within a $150 weekly budget can do so — not by holding a credit card number, but by presenting a VCAP credential scoped to that authorization.

The agent never sees the underlying funding instrument. If the agent is compromised or behaves outside its scope, the transaction is denied. Revocation is immediate. The human principal retains full control through the scope grammar: they define what the agent may do, and nothing outside that scope can be authorized regardless of what the agent requests.

    # Household AI agent: groceries + household supplies, weekdays under $200/week
    payments:mcc=5411,5912,5999:max_week=200.00:window=MF/0700-2000:agent=household-ai-7f3a

    # Caregiver agent: pharmacy and medical services, no ceiling, 24/7
    payments:mcc=5912,8011,8099:covenant=wellspring-care:agent=care-ai-b2c1

This is a fundamentally better security model than giving an AI agent a credit card number. The card number grants unlimited access until cancelled. The VCAP credential grants precisely scoped access, is auditable, and expires automatically.
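
One way an authorization check over the scope grammar of § 5 and the agent scopes above could look, as an added example rather than Ody's implementation (the spec says implementation is forthcoming). It evaluates `mcc`, `max_txn`, `max_week`, `window`, `expires` and `agent`, and denies on any component it does not implement, on duplicates and on parse errors. Assumptions, not from the spec: the function names, `MF` meaning Monday to Friday (the page glosses it as weekdays), window start inclusive and end exclusive in the credential's local time, `agent=` binding the credential to the presenting agent's id, and the caller supplying the week's prior spend.

```python
from datetime import date
from decimal import Decimal

HANDLED = {"mcc", "max_txn", "max_week", "window", "expires", "agent"}
HOUSEHOLD = "payments:mcc=5411,5912,5999:max_week=200.00:window=MF/0700-2000:agent=household-ai-7f3a"  # from § 9

def parse_scope(scope):
    """Split 'payments:k=v:...' into a dict; reject malformed or repeated components."""
    if not scope.startswith("payments:"):
        raise ValueError("not a payments scope")
    fields = {}
    for part in scope.split(":")[1:]:
        key, _, value = part.partition("=")
        if not key or not value or key in fields:
            raise ValueError(f"malformed or duplicate component {part!r}")
        fields[key] = value
    return fields

def check(f, mcc, amount, when, week_spent, presenter):
    """Return a denial reason, or None when every component is satisfied."""
    if set(f) - HANDLED:  # skipping a restriction we cannot evaluate would widen the grant
        return f"unsupported component {min(set(f) - HANDLED)}"
    if amount <= 0:
        return "amount must be positive"
    if "mcc" in f and mcc not in f["mcc"].split(","):
        return "merchant category not in scope"
    if "max_txn" in f and amount > Decimal(f["max_txn"]):
        return "over per-transaction ceiling"
    if "max_week" in f and week_spent + amount > Decimal(f["max_week"]):
        return "over weekly ceiling"
    if "window" in f:
        days, hours = f["window"].split("/")
        start, end = hours.split("-")
        if days != "MF" or when.weekday() > 4:  # assumption: MF = Monday to Friday
            return "outside permitted days"
        if not int(start) <= when.hour * 100 + when.minute < int(end):
            return "outside permitted hours"
    if "expires" in f and when.date() > date.fromisoformat(f["expires"]):
        return "credential expired"
    if "agent" in f and f["agent"] != presenter:
        return "credential bound to a different agent"
    return None

def authorize(scope, mcc, amount, when, week_spent=Decimal("0"), presenter=None):
    try:  # fail closed: any parse or evaluation error is a denial
        reason = check(parse_scope(scope), mcc, Decimal(amount), when, week_spent, presenter)
    except (ValueError, ArithmeticError) as exc:
        reason = f"invalid scope or request: {exc}"
    return reason is None, reason or "ok"
```

The lunch scope from § 5 is denied by this evaluator because `geo=` is not implemented here; refusing is the fail-closed choice, since ignoring the component would authorize purchases outside the intended district.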

§ 10

Co-existence with Legacy Rails

OdyPay does not require participants to abandon the legacy financial system. It co-exists with it. Some obligations require a credit card — building suppliers, equipment rentals, online services that have not integrated OdyPay. Those obligations are discharged through conventional means.

The OdyPay credential layer sits alongside legacy accounting, not against it. A covenant organization might use OdyPay for participant-facing mutual aid transactions while maintaining a conventional bank account and credit card for operational expenses. The two systems do not conflict.

Over time, as more merchants join the covenant network, more obligations can be discharged through OdyPay credentials rather than legacy rails. The legacy rails are not the enemy; they are the incumbent. OdyPay grows around them and fills the gaps they leave open.

§ 11

Status & Contact

This specification is version 0.1-draft — an early draft published for comment and covenant review. It describes the intended design of the OdyPay protocol. Implementation of the vault, credential issuance infrastructure, and merchant network is forthcoming.

OdyPay is a project of the WellSpr.ing covenant network. The VCAP governance framework is described at agentify.help. Agent skills related to OdyPay and covenant economics will be published at skills.agentify.help.

Comments, critiques, and covenant endorsements are welcome at ody@wellspr.ing.

Interested in the Make It Rain fund model? The fund governance specification — how contributions are accepted, how obligations are discharged, how participants are onboarded under covenant — is being drafted separately and will be published here when ready.