Hello, I’m @tomo, a software engineer working in the Payment Core team at Merpay.
This article is the entry for Day 17 of Merpay & Mercoin Advent Calendar 2025.
The Shift from One-Off Payments to Continuous Payments
Until now, Merpay’s payments have mainly been one‑off payments: you shop on Mercari, or you take out your smartphone, show a barcode, tap a button, and the payment is completed. However, as the Mercari ecosystem has expanded, the nature of payments has been changing significantly.
Take Mercari Mobile, which we recently launched, as an example, customers don’t open the app every month just to pay their usage fees. The system executes payments autonomously in the background.
This shift means that payments are no longer isolated events. Instead, they increasingly take the form of off-session payments—recurring charges that are executed without customer interaction, similar to subscription billing.
To support these ongoing payments at scale—and to integrate the diverse payment methods unique to Mercari—we developed a new foundational concept called the Mandate.
What Is a Mandate?
The word “Mandate” might not sound very familiar in everyday life, but in the fintech domain it’s a common term that refers to things like direct debit instructions or consent for automatic withdrawals. Similar mechanisms are provided by payment platforms worldwide, such as Stripe’s SetupIntent or India UPI’s AutoPay.
A familiar example would be a video streaming subscription service.
When customers sign up, they register their credit card information and grant broad permission like “You may charge this card a fixed amount every month.” This comprehensive consent for future payments is precisely the essence of a Mandate. These kinds of payments where charges happen later, without the customer actively interacting at the moment of charging are generally known as off-session payments.
Mandates in the Mercari follow the same idea. They represent a digital contract in which a customer authorizes a partner (for example, the Mercari Mobile service) to “use my Merpay balance, points, etc. to make future payments.”
In typical implementations, a Mandate is tied one‑to‑one to a specific credit card or bank account. For instance, you might create a Mandate to pay for subscription A using credit card B.
However, Mercari customers have a variety of payment methods, such as:
- Sales / Funds
- Free points / Prepaid points
- Deferred payment
- Credit cards
When customers pay on Mercari, they often want to combine several payment methods. For
example: “If I have enough points, use those first. If not, use my balance. And if that’s still not enough, use the credit card.” To realize this kind of composite payment without requiring any user action each time, simply linking a single card is not sufficient.
That’s why, in the Payment Platform, we designed Mandates so that they can be created against multiple payment methods. In other words, a Mandate is designed as an infrastructure component to safely implement Mercari‑specific requirements like “continuously charge using a combination of diverse payment methods.”
Mandates in Merpay
The Three Basic Elements of a Mandate
For off‑session payments, you can only make a correct authorization decision when all three of the following are clear: who is paying → to whom → and how they’re paying. These three elements define the scope of a Mandate.
- Customer (who pays): Payer
- Partner (who receives the payment): The service that collects the fee (e.g., Mercari Mobile)
- Payment Method (how they pay): Any combination of points, balance, deferred payment, credit card, etc.
By expressing a Mandate as a combination of these three points, we can avoid granting unnecessary permissions, ensure explainability that stands up to audits, and still make payment authorization decisions in a fully mechanical way.
Mandates are managed by the Wallet Service. The Wallet Service is a foundational component responsible for managing customer-specific settings and payment permissions, such as Anshin Payment Settings.
Required Mandate Verification by the Payment Service
Off‑session payments do not involve customer interaction, so safety is paramount. We must absolutely avoid situations where a payment is mistakenly executed without a Mandate or outside the Mandate’s scope.
To guarantee this safety, we integrated Mandate validation logic directly into the payment creation API (CreateCharge).
The client calls CreateCharge with mode=off_session to indicate that the charge is being executed off-session. There is no need to check for the existence of a Mandate beforehand.
When the Payment Service receives mode=off_session, it synchronously calls the CheckMandateExistence API of the Wallet Service to validate that a Mandate exists. If a Mandate exists and is valid within scope, the payment is executed; otherwise, the process is immediately aborted and an error is returned.
By having the platform function as a gatekeeper in this way, we achieve robust safety that does not depend on how each individual service is implemented.
Delivering a Mandate‑Free Developer Experience with the Checkout Solution
With CreateCharge in off‑session mode, clients can use the API without being aware of Mandates. However, during service sign‑up, they still need to implement calls to Mandate‑related APIs. In other words, service‑side engineers must understand and implement the specification for the entire Mandate lifecycle.
To address this, the Payment Platform set out to provide a Mandate‑free developer experience by integrating with our Payment Checkout Solution so that clients no longer need to care about the Mandate API specs at all.
Merpay’s Checkout Solution was originally developed as a mechanism that provides a common checkout screen for payments. Product teams no longer need to implement payment UIs or 3DS flows individually; the platform side offers them in a unified way.
This time, we introduced a new setup mode into the Checkout Solution so that it can centrally manage the registration flow for payment methods as well. When a customer registers a payment method for a service via setup mode, the Checkout Solution internally calls Mandate‑related APIs and creates or updates the Mandate in the Wallet Service.
As a result:
- To let customers configure a payment method, clients just call Checkout Solution.
- For recurring billing thereafter, they only need to call
CreateChargewithmode=off_session
Mandate validation and scope checks are enforced on the Payment Platform side, so clients are completely freed from dealing with detailed permission-management logic required at charge time.
How This Works in Practice for Mercari Mobile
The integration of Mandates and the Checkout Solution is already in production for Mercari Mobile payments using credit cards.
When signing a service contract, customers go through the Checkout screen once to register a credit card as their payment method. After registration, the credit card is internally linked to a Mandate, and monthly charges are then processed automatically in off‑session mode. The customer does not need to perform any special actions each month.
For Mercari Mobile developers, this also means they are freed from having to implement complex card registration flows or heavy Mandate management logic. Secure recurring billing can be achieved with a minimal implementation:
- Use the Checkout Solution at contract time
- Call
CreateChargeinoff_sessionmode every month
Conclusion
In this article, I introduced Mandates as the foundational mechanism for managing future payment authorizations against the backdrop of Mercari’s diverse payment methods and complex business requirements. I also showed how we integrated Mandates into the Checkout Solution (setup mode) in a way that makes them essentially invisible to both customers and developers.
Tomorrow’s article will be written by @Minato. Please look forward to it!
