Your shopping agent auto-purchases a $499 Pro plan instead of the $49 Basic tier. Who is on the hook: the user, the agent’s developer, or the merchant? This trust gap in today’s payment rails is the primary obstacle to agent-led checkout. Google’s Agent Payments Protocol (AP2) specification defines an open, interoperable language for agents to initiate payments.
Google’s Agent Payments Protocol is an open specification that allows AI agents to initiate payments with auditable cryptographic proof. AP2 extends existing open protocols, Agent2Agent (A2A) and Model Context Protocol (MCP), to define how agents, merchants, and payment processors exchange verifiable evidence across the “intent → cart → payment” pipeline. The goal is to close the trust gap for agent-led commerce without fragmenting payments.
Why do agents need a payment protocol?
Today’s rails assume that a human is the one clicking “buy”. When an autonomous or semi-autonomous agent initiates checkout, merchants and issuers face three unresolved questions: (1) was the user’s authority truly delegated (authorization), (2) does the request reflect what the user meant and approved (authenticity), and (3) who is responsible if something goes wrong (accountability)? AP2 standardizes data, messaging, and cryptography to provide answers that are consistent across payment providers.
How does AP2 establish trust?
AP2 uses Verifiable Credentials (VCs), which are tamper-evident, cryptographically signed digital objects, to carry evidence through a transaction. The protocol standardizes three types of mandates:
- Intent Mandate (human not present): describes the restrictions an agent is subject to (e.g. brand/category limits, time windows, pricing caps); signed by the user.
- Cart Mandate (human present): binds the user’s explicit consent to an itemized cart, including amounts and currency, signed by the merchant, producing a non-repudiable record that “what you saw is what you paid.”
- Payment Mandate: informs networks/issuers of the presence or absence of an AI agent, as well as its modality.
This VC chain forms an audit trail that unambiguously ties the user’s authorization to the final charge request.
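As an added illustration (not code from the AP2 repository or from the article's author), the sketch below checks a merchant-signed cart against a user-signed Intent Mandate before payment, using the $49 vs. $499 scenario from the introduction. The field names, keys and sample mandates are hypothetical, and HMAC-SHA256 stands in for the asymmetric Verifiable Credential signatures AP2 relies on.

```python
import hashlib, hmac, json

# Constructed demo keys. HMAC-SHA256 is a stand-in for the asymmetric VC
# signatures AP2 relies on; a shared-secret MAC is NOT non-repudiable.
USER_KEY = b"constructed-user-key"
MERCHANT_KEY = b"constructed-merchant-key"

def sign(key, body):
    """Tag a mandate body over its canonical (sorted-key) JSON encoding."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body, "sig": hmac.new(key, msg, hashlib.sha256).hexdigest()}

def verified_body(key, mandate):
    """Return the body only if the tag matches; otherwise raise."""
    expected = sign(key, mandate["body"])["sig"]
    if not hmac.compare_digest(expected, mandate["sig"]):
        raise ValueError("bad signature")
    return mandate["body"]

def check_cart(intent_mandate, cart_mandate, now):
    """Decide whether a merchant-signed cart stays inside the user's signed
    intent. Returns (ok, reason). Amounts are integer minor units (cents)."""
    try:
        intent = verified_body(USER_KEY, intent_mandate)
        cart = verified_body(MERCHANT_KEY, cart_mandate)
    except (ValueError, KeyError, TypeError):
        return False, "signature"
    if not intent["not_before"] <= now <= intent["not_after"]:
        return False, "time_window"
    if cart["currency"] != intent["currency"]:
        return False, "currency"
    if any(i["category"] not in intent["categories"] for i in cart["items"]):
        return False, "category"
    total = sum(i["amount"] * i["qty"] for i in cart["items"])
    if total != cart["total"]:          # line items must add up to the total
        return False, "total_mismatch"
    if total > intent["max_total"]:     # the user's pricing cap
        return False, "price_cap"
    return True, "ok"

# Constructed sample mandates mirroring the $49 Basic vs. $499 Pro scenario.
INTENT = sign(USER_KEY, {"categories": ["saas"], "currency": "USD",
    "max_total": 4900, "not_before": 1000, "not_after": 2000})
BASIC = sign(MERCHANT_KEY, {"currency": "USD", "total": 4900,
    "items": [{"sku": "basic", "category": "saas", "amount": 4900, "qty": 1}]})
PRO = sign(MERCHANT_KEY, {"currency": "USD", "total": 49900,
    "items": [{"sku": "pro", "category": "saas", "amount": 49900, "qty": 1}]})
```

The reason code returned alongside the decision is what a verifier would log, so a rejected cart can later be traced to the specific constraint it violated.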
What are the core roles and trust boundaries?
AP2 defines a role-based architecture that allows for separation of concerns and minimization of data exposure.
- User: delegates a task or responsibility to an agent.
- User/Shopping Agent: the interface that interprets tasks, negotiates carts and collects user approvals.
- Credentials Provider (e.g. wallet): holds payment methods.
- Merchant Endpoint: signs carts and exposes the catalog.
- Merchant Payment Processor: creates the network authorization object.
- Network & Issuer: review and approve the payment.
How do human-present and human-not-present transactions differ on the wire?
AP2 defines clear, testable flows:
- Human-present: the merchant signs the final cart (the Cart Mandate). The processor submits the network authorization along with the Payment Mandate. When step-up is necessary (e.g. 3DS), it occurs on a trusted surface.
- Human-not-present: the user pre-authorizes an Intent Mandate Buy when Price
How does AP2 compose with A2A and MCP?
The AP2 specification is an extension of A2A (for agent-to-agent communication) and MCP (for tool access), which allows developers to reuse capabilities already established for negotiation, discovery and execution. AP2 specializes the payments layer, standardizing mandate objects, signatures, and accountability signals, while leaving collaboration and tool invocation to A2A/MCP.
What payment methods are in scope?
The protocol is payment-method agnostic. The initial roadmap includes common pull instruments such as credit/debit cards, real-time push transfers (e.g. UPI or PIX), and digital assets. For the web3 route, Google and partners have released an A2A x402 extension to operationalize crypto payments initiated by agents, aligning x402 with AP2’s mandate constructs.
What does this look like for developers?
Google has released a repository under the Apache 2.0 license with Python types and reference documentation.
- Samples: demos that show how to issue/validate mandates and move from the agent to the network.
- Types package: the core protocol objects are under src/ap2/types for integration.
- Framework choice: while the samples use Google’s ADK (and Gemini 2.5 Flash), AP2 is designed to be framework-agnostic. Any agent stack can generate/verify mandates and speak the protocol.
How does AP2 address privacy and security?
AP2’s role separation ensures that sensitive data, such as PANs and tokens, remains within the Credentials Provider and never has to pass through general-purpose agent surfaces. Mandates are signed with verifiable identities and can embed risk signals without exposing full credentials to counterparties. The protocol aligns with existing controls, such as step-up authentication, and gives networks explicit markers of agent involvement to support risk logic and disputes.
What about ecosystem readiness?
Google cites collaboration with more than 60 organizations. The goal is to avoid one-off integrations by aligning on common mandate semantics and accountability signals across platforms.
Notes on implementation and edge cases
- Determinism over inference: merchants receive cryptographic evidence of what the user approved or pre-authorized (intent), rather than model-generated summaries.
- Disputes: the credential chain serves as evidence for networks and issuers. Accountability can be determined based on who signed which mandate.
- Challenges: step-up can be triggered by the merchant or issuer. Under AP2, challenges must be completed on trusted surfaces, and the order’s trail must accompany them.
- Multiple agents: when more than one agent is involved (e.g. travel metasearch plus airline + hotel), A2A coordinates tasks. AP2 ensures that each cart has been signed by the merchant and authorized by the user before payment is submitted.
What comes next?
The AP2 project team will continue to add reference implementations and evolve the spec in the open. This includes deeper integrations with networks and web3, as well as alignment with standards bodies on VC formats and identity primitives. Developers can run the sample scenarios today, integrate the mandate types, and validate flows against their own merchant/agent stacks.
Summary
AP2 gives the agent ecosystem a concrete, cryptographically grounded way to prove user authorization, bind it to merchant-signed carts, and present issuers with an auditable record—without locking developers into a single stack or payment method. This is what the payment system requires if agents will be buying things for us.
Asif Razzaq serves as the CEO at Marktechpost Media Inc. As an entrepreneur, Asif has a passion for harnessing Artificial Intelligence’s potential to benefit society. Marktechpost is his latest venture, a media platform that focuses on Artificial Intelligence. It is known for providing in-depth news coverage about machine learning, deep learning, and other topics. The content is technically accurate and easy to understand by an audience of all backgrounds. Over 2 million views per month are a testament to the platform’s popularity.


