ar-agents is a Mercado Pago Agent Toolkit for the Vercel AI SDK 6. It ships 89 typed tools that an LLM agent can call directly to drive Mercado Pago billing flows: subscriptions, payments, refunds, checkout pro, marketplace OAuth, cuotas (installments), QR in-store, 3DS challenge resolution, point-of-sale devices, webhooks. Sidecar packages cover AFIP/ARCA, WhatsApp Business Cloud, banking (CBU/CVU + BCRA), and shipping (Andreani/OCA/Correo Argentino).

How is this different from the official mercadopago SDK?

The official mercadopago SDK is a thin REST client. It does not ship Vercel AI SDK tool schemas, does not implement webhook HMAC verification with replay protection, does not run on Edge Runtime (Node-only), and does not gate irreversible operations. ar-agents adds all of that on top of the underlying API: 89 typed tools, deterministic idempotency keys derived from inputs, programmatic human-in-the-loop on refund/cancel/delete, npm provenance attestation, Vercel KV adapters via subpath, OpenTelemetry instrumentation. You can use both packages in the same project; ar-agents wraps the underlying API directly without depending on the official SDK.

Does ar-agents work on Edge Runtime?

Yes. The whole package is Web Crypto-based with no node:crypto dependency, so it runs on Vercel Edge Functions, Cloudflare Workers, Deno, and any other V8-isolate runtime. Webhook signature verification, HMAC, and idempotency-key generation all use the Web Crypto API.

What is HITL (human-in-the-loop) in ar-agents?

Eight tools mutate state irreversibly (refund_payment, cancel_subscription, delete_customer_card, etc.). The toolkit accepts a requireConfirmation callback that gates each invocation: the tool function literally will not execute until your callback returns true. This is a programmatic gate, not just an LLM instruction. You can show the user a UI and wait for their explicit approval before any irreversible operation runs.

How does idempotency work?

Every POST request gets an auto-generated idempotency key. For LLM-driven retries, four mutating tools (create_payment, create_subscription, create_payment_preference, refund_payment) use a deterministic key derived from a SHA-256 hash of the meaningful inputs (external_reference, amount, payment_method, etc.). Same inputs produce the same key, so retries return the existing resource instead of double-charging the customer.

Yes. MIT license. No paid tier, no telemetry phone-home, no usage caps. The package is published to npm under the @ar-agents scope with SLSA v1 provenance attestations.

What about AFIP, WhatsApp, banking, shipping?

Sidecar packages cover the rest of the Argentine business stack: @ar-agents/identity (CUIT/CUIL validation + AFIP/ARCA padron lookup with monotributo category and IVA condition), @ar-agents/facturacion (AFIP/ARCA factura electronica via WSFE), @ar-agents/whatsapp (WhatsApp Business Cloud API with HMAC webhook verify and AR phone normalizer), @ar-agents/banking (CBU/CVU validation + BCRA Central de Deudores), @ar-agents/shipping (Andreani, OCA, Correo Argentino), @ar-agents/identity-attest (HMAC-signed verification orchestrator). Each ships independently to npm.

Is there a Model Context Protocol (MCP) server?

Yes. @ar-agents/mcp bundles all 7 ar-agents packages into a single MCP server compatible with Claude Desktop, Cursor, Codeium, Continue, Cline, or any MCP host. Auto-detects which packages to enable from environment variables. Listed on Glama (glama.ai/mcp/servers/ar-agents/ar-agents) and the official MCP Registry (io.github.ar-agents/mcp).

ar-agents, open infrastructure for AI corporations in Argentina

30 production patterns. 20 battle-tested in real money flows. 3 demonstrate cross-package composition. Every recipe is runnable TypeScript.

The cookbook is the working answer to "what does an agent that actually transacts in Argentina look like?" Each recipe is a single TypeScript file, fully typed, with the SDK surface, the gotchas, and the exact sequence of tool calls. Read it as a tutorial, copy as a starter, deploy as production.
Source: packages/mercadopago/cookbook. Every recipe is Edge-Runtime compatible; uncomment export const runtime = "edge" to deploy on Vercel Edge / Cloudflare Workers.

● Starter · 1

R01Checkout Pro · single sale →

mercadopago

Hosted checkout URL for a one-off purchase. Buyer enters card on MP's form (no PCI scope for you). MP fires payment webhook on completion.

● Production patterns · 20

R02SaaS subscription · Plan + first payment + card swap →

mercadopago

Reusable Plan, per-customer subscribe_to_plan, recurring auto-charge, card swap on expiration via update_subscription({ card_token_id }).

→ Card swap is the path that breaks the most production deploys, recipe wires it correctly.

R03Webhook handler · HMAC verify + replay defense →

mercadopago

verifyWebhookSignature() + WebhookDedup. 5-minute replay-tolerance window. Auto-fetches the underlying Payment/Preapproval/Order resource and dispatches by topic.

R04Marketplace split · seller OAuth + commission →

mercadopago

Rappi / Tienda Nube pattern. Seller connects MP via OAuth, your platform takes a marketplace fee, the rest splits to the seller's MP account. VercelKVOAuthTokenStore for token persistence.

R05In-store QR · POS + WhatsApp confirmation →

mercadopagowhatsapp

Dynamic QR for brick-and-mortar. create_store + create_pos one-time, create_qr_payment per sale. Cashier gets WhatsApp '✓ Cobro $X' notification when payment lands.

R063DS challenge · detect → redirect → recover →

mercadopago

When MP triggers 3DS (issuer-mandated SCA), detect via status_detail, extract challengeUrl from three_ds_info, redirect, recover after.

R07Auth-only Order · ride-share / hotel pattern →

mercadopago

Estimate max upfront, capture actual at completion. Order with capture_mode: 'manual'. Final amount ≤ authorized.

R08Recovery patterns · 6 stuck states + the right move for each →

mercadopago

Card-expired subs, pending_challenge, pending_review_manual, auto-cancelled subs, pending_waiting_payment for cash methods, in_process for offline. The full triage tree.

R11Dunning sequence · multi-step revenue recovery →

mercadopagowhatsapp

Day 0/3/7/14/30 escalation tree for failed recurring charges. Maximises revenue recovery, minimises churn. Driven by an agent that picks the right step from prior signals.

R12Reconciliation pipeline · daily MP ↔ DB diff →

mercadopago

Daily batch job. Compares MP settlement records against your billing DB. Surfaces 4 discrepancy classes: missing-on-MP, missing-on-yours, amount-mismatch, refund-not-reflected.

R15Prorated pause/resume · the math MP doesn't do for you →

mercadopago

Compute days remaining → refund prorated amount → pause sub → on resume, recalculate next billing date. Production maths, not vibes.

R19Forensic compliance dashboard · scheduled audit-log ingest + alerting →

incorporate

Daily cron-driven Node.js script that ingests audit entries via fetchAudit(sessionId, { verify: true }), buckets by tool / governance / latency, surfaces anomalies (tampering, error-rate spikes, p95 regressions), and renders a contador-friendly Spanish summary for monthly compliance reports. The pattern that turns RFC-001 § 9.2's 'legally probative' into actually monitored.

→ Multi-tenant marketplaces operating many sociedades-IA scale linearly with this, one digest per tenant, escalation on tampered.

R22Nightly MP ↔ AFIP reconciliation · drift detection + auto-correction →

facturacionmercadopagoincorporate

Daily cron that cross-references MP payments against AFIP-issued CAEs against the audit log. Surfaces 3 drift classes (MP paid + no factura, factura + no MP payment, duplicate MP payments + one factura), auto-corrects the safe ones (re-emit factura on MP-paid orphans), and renders a contador-friendly Spanish digest for monthly compliance. The pattern that catches every silent failure in the AFIP/MP bridge.

→ AFIP fails ~30% of mechanical CAE requests. WSFE silent failures + MP retries make drift inevitable. Recipe 22 is the floor.

R23Astro Chat · the additive-migration cutover pattern →

identitybankinggde-tadwhatsapp

Production chat (Astro Chat at astro.ar) cutting over from raw @anthropic-ai/sdk to @ar-agents/* via an additive route (/api/arg) instead of rewriting the legacy /api/chat. Risk-asymmetric, reversible, observable. The exact pattern any production-already-shipped operator should follow when adopting the toolkit without a stop-the-world rewrite.

→ Live on naza00000/astro/feat/ar-agents-cutover. Full merge readiness review in docs/launch/astro-cutover-merge-readiness.md.

R24Sociedad-IA disaster recovery · export + restore preserving the audit timeline →

incorporate

Nightly export of a sociedad's configuration to portable JSON (no secrets, those stay in your secrets manager). When disaster hits (Vercel project deleted, repo locked, laptop dies), feed the export to a fresh /api/auto-incorporate call with the SAME sessionId, the forensic audit timeline continues unbroken across the disaster. Regulators see one chain of events, not two.

→ sessionId continuity is the load-bearing piece. The export references env-var names (not values), so recovery is config-portable without secret leakage.

R25Quarterly compliance report · the answer to a regulator request, generated from the audit log alone →

incorporate

Pure function that takes a list of sessionIds + a sociedad metadata block and produces a single self-contained JSON report: per-session timelines + HMAC-verification results + cross-session aggregates + anomalies (clock-skew, governance-shifts, errored LLM calls, missing-HMAC) + a self-disclosure conclusion (clean / anomalies-noted / tampering-detected) + remediation list. Optionally HMAC-signs the report itself for tamper-evidence. Bundles RFC-004 § 9's four mandatory artifacts into one document.

→ The operational narrative a regulator can demand without a court order, generated from the log not from the operator's recollection. Companion to RFC-004 § 9 + /auditor.

R26Certify any sociedad-IA by fetching its public endpoints →

incorporate

Reusable TypeScript function that takes a target base URL, runs ~9 checks against its public endpoints (well-known, audit-read, audit-verify, CSV, OpenAPI, security headers), and returns a 0-100 conformance score + per-check breakdown. Same function backs the /certifier web flow + the /api/certifier HTTP endpoint. Pure fetch, runs in Edge / Node / browser / deno. Includes a CLI mode that exits non-zero if score < 60, drop into CI as a pre-merge gate.

→ Anyone can verify any sociedad-IA's claims from one HTTP call. No install, no setup. Lives behind /certifier (web) + /api/certifier (programmatic).

R27Live conformance monitoring · 90-day time-series + threshold alerts →

incorporate

Pure monitor loop that POSTs to /api/conformance-history every N minutes to append a new cert-score for a URL, then compares the latest against a sliding-window baseline (default: median of last 24 points). If the new score drops > threshold (default 10%), fires an alert via Slack/webhook. KV-backed 365-entry capped time-series with 90-day TTL. Idempotent. Drop into Vercel cron, GitHub Actions schedule, or any scheduler. Exits non-zero on alert for CI integration.

→ Conformance isn't a snapshot, it's a horizon. Recipe 27 turns the certifier into a continuous monitor with drift detection + alerting. Companion to recipe 25 (compliance report) + the /audit-explorer page.

R28Operator onboarding checklist · pre-launch readiness verifier →

incorporate

Pure function `checkOperatorReadiness(baseUrl)` that walks 10 pre-launch items (discovery manifest, audit endpoints, CSV export, RFC-005 keys, OpenAPI spec, HSTS headers, sitemap, /llms.txt) and returns a per-item pass/fail/skip with remediation links. Reads as the readiness report the operator's pre-launch sign-off. Aggregate readiness rating: ready / almost / blocked. CLI mode exits non-zero on blocked.

→ Different from recipe 26 (RFC conformance, public), recipe 28 is operator-internal pre-launch sign-off. Used by /api/auto-incorporate to validate freshly-deployed sociedades before adding to /registro.

R29Publish your sociedad-IA's Ed25519 public key (RFC-005 § 4) →

incorporate

Generate an Ed25519 keypair via Web Crypto, format the public key as SPKI base64url (RFC-005 § 4 wire format), and print: (1) the public-keys JSON to drop into public/.well-known/sociedad-ia/keys.json, (2) the private key as PKCS8 base64url to paste into the operator's secrets manager (Vercel env, 1Password, AWS SM). Same keyId can stay valid; rotation is additive.

→ The one-time bootstrap for opting into the RFC-005 asymmetric path. Subsequent appendAudit calls automatically include both `hmac` (v1) and `signature` (v2) entries when AUDIT_ED25519_PRIVATE_KEY is set.

R30Submit your sociedad-IA to the public /registro →

incorporate

Pre-flight check + PR-body generator. Runs recipe 28 (operator readiness) + recipe 26 (RFC certifier) against your URL, validates honesty heuristics (CUIT format, demo-vs-productive disclosure language, type matches behavior), and if everything passes, prints a copy-paste Markdown PR body for the registry submission. Refuses to produce a PR body if any check fails, prevents over-eager submission of half-built sociedades.

→ Closes the loop from incorporated → conformant → certified → publicly listed. With recipe 30, the full operator lifecycle from `vercel deploy` to listing in /registro is scripted + repeatable.

● Composition (multi-package) · 3

R10Cross-package billing · 5 packages, one agent loop →

identityidentity-attestmercadopagofacturacionwhatsapp

The flagship composability demo. One prompt → CUIT validate → AFIP padron lookup → BCRA credit-situation check → WhatsApp OTP attestation → MP subscription → AFIP factura → WhatsApp PDF delivery.

→ What would normally be 200 lines of orchestration code, in 30. The killer demo.

R13Anti-fraud pre-charge middleware · CUIT + payer + velocity + BCRA →

identitybankingmercadopago

Pre-charge heuristics that score incoming payments. CUIT validity, payer history, transaction velocity, BCRA credit-situation cross-check. Combined into a single risk verdict.

R14Marketplace onboarding · seller verification end-to-end →

identitymercadopagowhatsapp

CUIT validate → AFIP padron lookup → MP OAuth connect → first-test-charge probe → WhatsApp confirmation. Detects monotributo category → tier rules.

● Infrastructure / agent commerce · 6

R09OpenTelemetry · spans + metrics end-to-end →

mercadopago

W3C traceparent on every MP API call. mp.request + mp.tool spans. p50/p95/p99 latency + error-rate + rate-limit-remaining metrics. Ships to Honeycomb / Datadog / Grafana Tempo.

R16ACP checkout · LLM-buyer + auto-factura →

agentic-commerce-bridgemercadopagofacturacion

Stripe-style hosted checkout where the BUYER is an LLM agent (ChatGPT / Claude / Gemini). On payment confirmation, server auto-emits AFIP factura A/B/C/E with CAE.

→ Headline pattern that no other LATAM implementation ships out of the box.

R17USA-LLC ↔ AR composition · ClawBank / doola / MIDAO consume @ar-agents →

mcpidentitymercadopagofacturacionshipping

USA-incorporated agent does AR business via @ar-agents/mcp + a thin AR-resident facade (escribano / contador / platform partner). The reference pattern for cross-jurisdictional agent commerce.

→ Wired to RFC-001's three-layer liability framework.

R18USA-LLC self-incorporates AR sociedad-IA · one-call programmatic flow →

incorporateap2agentic-commerce-bridge

USA-LLC agent calls @ar-agents/incorporate's `incorporate({...})` to spin up an AR sociedad-IA's deploy spec in one call. Receives generated package.json + agent.ts + .env.example + README.md + Vercel deploy URL + signed audit-log reference. Chains incorporation + ongoing operations under a single forensic timeline.

→ The headline claim of /sociedades-ia made fully programmatic. `pnpm add @ar-agents/incorporate` + 1 await.

R20Multi-tenant marketplace · spawn vendor sociedades-IA on signup →

incorporate

Vertical SaaS / marketplace pattern: each new vendor signing up gets a fresh sociedad-IA spec materialized via @ar-agents/incorporate, audit log keyed by tenantId. Pieza selection driven by vendor profile (ecommerce → +shipping, large-revenue → +whatsapp/ACP/AP2). Includes the platform-side compliance sweep that fan-outs recipe 19 across tenants, and the badge SVG embed for vendor profile pages.

→ Pre-toolkit, this was a manual escribano job per vendor. Post-toolkit: ~50 lines + idempotent.

R21Cross-jurisdictional commerce · USA-LLC + AR sociedad + AP2 mandate →

incorporateap2facturacionidentitybanking

USA-LLC sells to AR consumer; AR sociedad-IA verifies AP2 mandate (ES256/JWS), enforces per-op + monthly + idempotent caps, runs CUIT validity + BCRA credit checks, then emits factura A/B/C under its own CUIT. Each refusal lands as an audit entry that's challengeable later. The reference implementation of RFC-001 § 7's cross-jurisdictional contract surface.

→ 5 verification gates + idempotency + audit-log-as-evidence in ~250 lines. Wyoming DAO LLC plugs into AR jurisdiction without refactoring its agent.

How to run a recipe locally

Each recipe assumes you've installed the relevant @ar-agents/* packages. Then:

# clone the repo (recipes import from the workspace, but the same
# code works against published @ar-agents/* npm packages)
git clone https://github.com/ar-agents/ar-agents
cd ar-agents
pnpm install

# set env vars (MP token, AFIP cert, etc, see each recipe's header)
cp .env.example .env.local
$EDITOR .env.local

# run a recipe
pnpm tsx packages/mercadopago/cookbook/10-cross-package-billing.ts

What recipe is missing for your case?

Cookbook gaps are the best signal of where the toolkit needs to go next. Open an issue at https://github.com/ar-agents/ar-agents/issues with the use case and the API surface you wish existed, most new recipes start as a one-paragraph issue.

Cookbook.

● Starter · 1

● Production patterns · 20

● Composition (multi-package) · 3

● Infrastructure / agent commerce · 6

How to run a recipe locally

What recipe is missing for your case?