AI agents can now sell software, online courses and digital products through a merchant of record โ with global sales tax / VAT handled. One remote MCP server, one set of tools, eight merchant-of-record platforms switched with a provider parameter: Paddle Billing, Lemon Squeezy, Polar, Whop, Creem, Dodo Payments, FastSpring and 2Checkout (Verifone). The merchant of record is the legal seller and remits tax worldwide; this server just forwards the calls and never touches funds.
The local-payments family is for merchants who are their own seller of record and handle their own tax. This server is the complement: a merchant-of-record platform becomes the legal seller for your digital product, so an independent developer or creator selling via an AI agent does not register for tax in every country โ the MoR calculates, collects and remits it.
{
"mcpServers": {
"digital-goods": {
"type": "http",
"url": "https://mor.wishpool.app/mcp",
"headers": {
"x-mor-provider": "polar",
"x-mor-key": "your-platform-api-key",
"x-mor-env": "sandbox"
}
}
}
}
Get your key from the platform: Paddle (pdl_..., Developer Tools > Authentication), Lemon Squeezy (Settings > API), Polar (polar_oat_..., Settings > Developers), Whop (Dashboard > Developer), Creem (creem_test_..., Dashboard > Developers), Dodo Payments (Dashboard > Developer), FastSpring (Developer Tools > APIs โ send x-mor-key as username:password for HTTP Basic auth), or 2Checkout (Control Panel > Integrations > Webhooks & API โ send x-mor-key as MERCHANT_CODE:SECRET_KEY for the HMAC-SHA256 header). x-mor-env defaults to sandbox/test (no real money); use prod/live for real sales.
price_id, Lemon Squeezy variant_id + store_id, Polar product_id, Whop plan_id, Creem product_id, Dodo product_id, FastSpring product path + store_id storefront, 2Checkout catalog product code). Returns checkout_url.PAID / PENDING / FAILED / REFUNDED / PARTIALLY_REFUNDED / CANCELED / PAST_DUE + raw passthrough.| Provider | create_checkout | query_order | issue_refund | query / cancel subscription |
|---|---|---|---|---|
| Paddle | Yes (catalog price; checkout.url needs an approved domain) | Yes | Full-only; pending approval on production | Yes; cancel now or period-end |
| Lemon Squeezy | Yes (needs store_id; custom price + quantity) | Yes | Partial or full | Yes; cancels at period-end only |
| Polar | Yes (product_id; success_url) | Yes | Amount + reason required | Yes; revoke = immediate |
| Whop | Yes (plan_id; no sandbox host) | Yes (payment / receipt) | Not supported (dashboard-only) | Yes (membership); cancel at period-end |
| Creem | Yes (product_id; units + success_url) | Yes (checkout + order status) | Not supported (no public endpoint) | Yes; immediate or scheduled |
| Dodo Payments | Yes (product_id; needs email + billing country) | Yes | Full-only | Yes; immediate or period-end |
| FastSpring | Yes (product path; needs storefront; HTTP Basic auth) | Yes (order.completed) | Full-only | Yes; cancels at period-end only |
| 2Checkout (Verifone) | Yes (catalog product code; local ConvertPlus buy-link; HMAC-SHA256 auth) | Yes (order RefNo) | Partial or full | Yes; stops auto-renewal at period-end |
creem_test_ keys on test-api.creem.io work right away. Refunds are dashboard-only.username:password) in Developer Tools > APIs. No separate sandbox host โ test with a Test storefront.MERCHANT_CODE:SECRET_KEY) with a custom HMAC-SHA256 auth header. Checkout is a locally-built ConvertPlus buy-link โ signed buy-links / dynamic pricing need the separate Buy-Link Secret Word, which this stateless layer does not hold.x-agentpay-max-amount, x-agentpay-approval-above, x-agentpay-allowed-tools โ set by the human owner in client config; the agent cannot relax them. Applied to the amount on create_checkout / issue_refund.Local payments in 81 countries โ mcp.wishpool.app. E-invoicing (Malaysia MyInvois, Saudi ZATCA, Poland KSeF, Mexico CFDI, Chile DTE, Brazil NF-e, Peru CPE, India GST) โ inv.wishpool.app. Shipping & logistics โ logi.wishpool.app. Same stateless bring-your-own-key pattern.
No database: your keys travel in a request header, are used once, and are never stored. We never hold funds and never take a cut. On rails that require cryptographic signing, you sign and we relay โ the private key never leaves your side. Every server is MIT-licensed and self-hostable. Threat model, credential map and known limits: mcp.wishpool.app/trust.