Introduction
The rapid growth of artificial intelligence has introduced a new era where AI agents can perform complex tasks on our behalf, including making purchases and completing transactions. While this capability offers tremendous convenience, it also creates significant challenges for traditional payment systems that were designed with human operators in mind. Today’s payment infrastructure assumes that a human is directly clicking “buy” on a trusted interface, but when autonomous agents initiate payments, this fundamental assumption breaks down.
The Agent Payments Protocol (AP2) emerges as a solution to this critical challenge. Developed through collaboration between Google and over 60 leading payments and technology organizations, AP2 provides an open protocol for secure, reliable, and interoperable agent commerce. This protocol establishes a common framework that enables AI agents to transact on behalf of users while maintaining security, accountability, and trust across the entire payment ecosystem.
Understanding the Need for AP2
The Trust Gap in Agent-Led Commerce
When AI agents begin making purchases without direct human supervision, several critical questions arise that traditional payment systems cannot adequately address:
Authorization Concerns
How can merchants and financial institutions verify that a user actually gave an AI agent specific authority to make a particular purchase? Without proper verification mechanisms, there’s no way to distinguish between legitimate agent transactions and unauthorized activities.
Authenticity Challenges
How can merchants be confident that an agent’s request accurately reflects the user’s true intent? The risk of AI “hallucinations” or errors in interpretation creates significant uncertainty about whether transaction requests genuinely represent what the user wanted.
Accountability Issues
If a fraudulent or incorrect transaction occurs, who should be held responsible? The user, the agent’s developer, the merchant, or the financial institution? Current systems lack clear frameworks for determining accountability in agent-initiated transactions.
Without addressing these fundamental questions, the potential of AI-driven commerce remains limited. AP2 provides the technical foundation to answer these questions through cryptographic verification and standardized processes.
Core Principles of AP2
Openness and Interoperability
AP2 is designed as a non-proprietary, open extension for existing protocols like Agent2Agent (A2A) and Model Context Protocol (MCP). This approach fosters a competitive environment where multiple providers can innovate while ensuring that agents and merchants can interact seamlessly regardless of their underlying technology stacks.
The protocol’s open nature prevents ecosystem fragmentation that would otherwise result from proprietary solutions. For merchants, this means reaching more customers without implementing multiple incompatible payment systems. For users, it means greater choice and flexibility in selecting AI agents that meet their needs.
User Control and Privacy Protection
AP2 places users firmly in control of their transactions. The protocol incorporates privacy-by-design principles through a role-based architecture that limits exposure of sensitive information. Payment details and personal data remain protected throughout the transaction process, with different entities only accessing the information absolutely necessary for their specific roles.
This approach ensures that users maintain sovereignty over their data while still enabling the convenience of agent-assisted commerce. Users can define precise constraints and permissions for their agents, creating a balance between automation and control.
Verifiable Intent Rather Than Inferred Action
Unlike some AI systems that might make assumptions about user preferences, AP2 anchors transactions to deterministic, non-repudiable proof of user intent. This distinction is crucial for building trust in autonomous transactions, as it provides clear evidence of what the user actually authorized rather than what an AI system inferred might be appropriate.
The protocol uses cryptographic signatures to create undeniable records of user authorization, ensuring that transactions reflect genuine user intent rather than algorithmic guesswork.
Clear Transaction Accountability
Every transaction conducted through AP2 generates a cryptographic audit trail that provides unambiguous evidence of authorization and execution. This audit trail supports dispute resolution and creates confidence for all participants in the ecosystem—users, agents, merchants, and financial institutions alike.
The clear accountability framework helps financial institutions manage risk more effectively while giving merchants greater confidence in accepting agent-initiated payments.
Global Readiness and Future-Proof Design
AP2 is designed from the ground up as a global solution that supports various payment methods and currencies. The initial implementation focuses on common “pull” payment methods like credit and debit cards, but the protocol’s architecture accommodates future expansion to include real-time bank transfers (such as UPI and PIX) and digital currencies.
This forward-looking approach ensures that AP2 remains relevant as new payment technologies emerge and different regions adopt varying payment preferences.
Technical Foundation: Verifiable Credentials
The Role of Cryptographic Verification
At the heart of AP2 lies the concept of Verifiable Credentials (VCs)—tamper-evident, cryptographically signed digital objects that serve as the building blocks of trusted transactions. These credentials provide the mathematical foundation for establishing trust in agent-initiated payments without requiring blind faith in any particular company or technology.
Verifiable Credentials enable three critical types of mandates that govern agent transactions:
Intent Mandates for Pre-Authorized Actions
Intent Mandates capture the specific conditions under which an AI agent can make purchases on behalf of the user, particularly in scenarios where the user isn’t actively present during the transaction. For example, a user might authorize their agent to “purchase concert tickets as soon as they become available, up to $150 per ticket.”
These mandates include detailed constraints that define the boundaries of the agent’s authority:
- Maximum spending limits
- Approved merchant categories or specific retailers
- Time windows during which transactions can occur
- Product or service specifications
- Geographic restrictions if applicable
The user cryptographically signs the Intent Mandate using secure keys managed by their credentials provider (typically a wallet application), creating a verifiable record of their pre-authorization.
Cart Mandates for Explicit Approval
When a user is actively engaged with their shopping agent (a “human-present” scenario), Cart Mandates come into play. These mandates capture the user’s final, explicit authorization for a specific shopping cart containing exact items, quantities, and prices.
The process begins with the merchant signing a digital representation of the shopping cart, attesting to its contents and pricing. The user then reviews this merchant-signed cart and provides their cryptographic approval, creating a Cart Mandate that serves as non-repudiable proof of their intent to purchase those specific items at those specific prices.
This two-step signing process (merchant then user) ensures that both parties agree on the transaction details before any payment occurs, addressing the critical “what you see is what you pay” requirement for trustworthy commerce.
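The merchant-then-user signing order described above, as an added Python example that is not AP2's own code. The field names and keys are constructed, and HMAC-SHA256 stands in for the asymmetric signatures AP2 uses, so the example shows how the approval is bound to the cart and how tampering is detected, not non-repudiation.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo keys. HMAC is a stand-in for asymmetric signatures:
# a real verifier would hold only public keys.
MERCHANT_KEY = b"constructed-merchant-demo-key"
USER_KEY = b"constructed-user-demo-key"

# Constructed sample cart; prices are strings so encoding is exact.
SAMPLE_CART = {
    "merchant_id": "merchant-a.example",
    "currency": "USD",
    "items": [{"sku": "COAT-42", "qty": 1, "unit_price": "189.00"}],
}


def canonical(obj) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def merchant_sign_cart(cart: dict) -> dict:
    """Step 1: the merchant attests to items, quantities and prices."""
    return {"cart": cart, "merchant_sig": sign(MERCHANT_KEY, canonical(cart))}


def user_approve(signed_cart: dict) -> dict:
    """Step 2: the user signs a digest covering the cart contents
    and the merchant's signature over them."""
    digest = hashlib.sha256(canonical(signed_cart)).hexdigest()
    return {"signed_cart": signed_cart, "cart_digest": digest,
            "user_sig": sign(USER_KEY, digest.encode())}


def verify_cart_mandate(mandate: dict) -> list:
    """Return the failed checks; an empty list means both attestations hold."""
    failures = []
    signed_cart = mandate["signed_cart"]
    expected = sign(MERCHANT_KEY, canonical(signed_cart["cart"]))
    if not hmac.compare_digest(expected, signed_cart["merchant_sig"]):
        failures.append("merchant signature does not match cart contents")
    digest = hashlib.sha256(canonical(signed_cart)).hexdigest()
    if not hmac.compare_digest(digest, mandate["cart_digest"]):
        failures.append("user approved a different cart")
    expected = sign(USER_KEY, mandate["cart_digest"].encode())
    if not hmac.compare_digest(expected, mandate["user_sig"]):
        failures.append("user signature invalid")
    return failures


def tamper_price(mandate: dict, new_price: str, redigest: bool = False) -> dict:
    """Copy a mandate and change a price after approval. With redigest=True
    the digest is recomputed too, which needs no key."""
    forged = copy.deepcopy(mandate)
    forged["signed_cart"]["cart"]["items"][0]["unit_price"] = new_price
    if redigest:
        forged["cart_digest"] = hashlib.sha256(
            canonical(forged["signed_cart"])).hexdigest()
    return forged


if __name__ == "__main__":
    approved = user_approve(merchant_sign_cart(SAMPLE_CART))
    print(verify_cart_mandate(approved))
    print(verify_cart_mandate(tamper_price(approved, "1.00")))
    print(verify_cart_mandate(tamper_price(approved, "1.00", redigest=True)))
```

Recomputing the digest after the change only moves the failure from the digest comparison to the user signature, because the digest is what the user signed.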
Payment Mandates for Network Communication
Payment Mandates serve as specialized credentials that convey essential context to payment networks and financial institutions. These mandates indicate that an AI agent was involved in the transaction and provide risk-relevant information such as whether the user was present during the approval process.
This information helps issuers make more informed decisions about transaction risk without exposing sensitive details about the user or their specific authorizations. Payment networks can incorporate this context into their fraud detection and risk assessment systems while maintaining appropriate privacy boundaries.
AP2 in Action: Transaction Flows
Human-Present Transactions
In scenarios where users interact directly with their shopping agents, AP2 follows a clear sequence that balances convenience with security:
- Task Delegation: The user instructs their agent to perform a shopping task, such as “find me a new winter coat under $200.”
- Agent Discovery and Negotiation: The shopping agent uses A2A protocols to discover relevant merchant agents and negotiate potential options. Throughout this process, the agent operates within any constraints defined by existing Intent Mandates if applicable.
- Cart Finalization: Once the user selects their preferred options, the merchant agent creates a signed digital cart containing the specific items, prices, and terms.
- User Approval: The user reviews the merchant-signed cart in a trusted interface (such as their wallet application) and provides cryptographic approval, creating a Cart Mandate.
- Payment Processing: The payment processor constructs the network authorization request, attaching the relevant Payment Mandate to provide context about the agent’s involvement.
- Authentication Completion: If the payment network requires additional authentication (such as 3-D Secure), this occurs through trusted surfaces that maintain the security of the user’s credentials.
This flow ensures that users maintain final approval over specific purchases while still benefiting from agent assistance during the discovery and negotiation phases.
Human-Not-Present Transactions
For automated purchases where users aren’t actively involved at the moment of transaction, AP2 provides a secure framework based on pre-authorization:
- Intent Definition: The user creates a detailed Intent Mandate that specifies the conditions under which the agent can act autonomously. This might include instructions like “buy my preferred coffee beans when they’re on sale for less than $12 per bag.”
- Agent Monitoring: The shopping agent continuously monitors for conditions that match the Intent Mandate’s criteria, using MCP tools to access merchant inventory and pricing information.
- Condition Verification: Once the agent identifies a matching opportunity, it verifies that all conditions specified in the Intent Mandate are satisfied.
- Cart Creation and Mandate Generation: The agent works with the merchant to create a cart that fulfills the mandate conditions, then generates a Cart Mandate based on the pre-authorization contained in the Intent Mandate.
- Payment Execution: The agent initiates payment using the credentials provided through the user’s wallet, with the Payment Mandate indicating that this is a pre-authorized transaction.
This approach enables truly automated purchases while maintaining strong cryptographic evidence of user authorization, addressing the accountability challenges that would otherwise limit such capabilities.
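One way to implement the Condition Verification step for the coffee-bean mandate above, as an added Python example that is not part of the AP2 code base. The `IntentConstraints` class, its field names, the offer fields and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal


@dataclass(frozen=True)
class IntentConstraints:
    """Hypothetical constraint set; these field names are not AP2's schema."""
    max_unit_price: Decimal      # exclusive bound: "less than $12 per bag"
    currency: str
    allowed_merchants: frozenset
    product_keywords: tuple      # every keyword must appear in the offer title
    not_before: datetime         # timezone-aware validity window
    not_after: datetime


def check_offer(c: IntentConstraints, offer: dict, now: datetime) -> list:
    """Return the violated constraints; an empty list means the agent may act.

    Fails closed: a missing or malformed field is itself a violation.
    """
    try:
        price = Decimal(str(offer["unit_price"]))
        currency = str(offer["currency"])
        merchant = str(offer["merchant_id"])
        title = str(offer["title"]).lower()
    except (KeyError, ArithmeticError):
        return ["offer is missing a required field or has a malformed price"]

    violations = []
    if not (c.not_before <= now <= c.not_after):
        violations.append("outside the authorized time window")
    if merchant not in c.allowed_merchants:
        violations.append("merchant not approved")
    if currency != c.currency:
        violations.append("currency differs from the mandate")
    # is_finite() rejects NaN/Infinity before any ordering comparison.
    elif not price.is_finite() or price <= 0 or price >= c.max_unit_price:
        violations.append("unit price not below the authorized maximum")
    if not all(k in title for k in c.product_keywords):
        violations.append("product does not match the specification")
    return violations


UTC = timezone.utc
# Constructed sample mandate and offers.
COFFEE = IntentConstraints(
    max_unit_price=Decimal("12.00"),
    currency="USD",
    allowed_merchants=frozenset({"merchant-a.example"}),
    product_keywords=("coffee", "beans"),
    not_before=datetime(2025, 9, 1, tzinfo=UTC),
    not_after=datetime(2025, 10, 1, tzinfo=UTC),
)
NOW = datetime(2025, 9, 15, 12, 0, tzinfo=UTC)
BASE = {"merchant_id": "merchant-a.example", "currency": "USD",
        "title": "Whole Coffee Beans 1lb", "unit_price": "11.50"}
OFFERS = {
    "on_sale": BASE,
    "full_price": {**BASE, "unit_price": "12.00"},
    "other_merchant": {**BASE, "merchant_id": "merchant-b.example"},
    "nan_price": {**BASE, "unit_price": "NaN"},
    "no_price": {k: v for k, v in BASE.items() if k != "unit_price"},
}

if __name__ == "__main__":
    for name, offer in OFFERS.items():
        print(name, check_offer(COFFEE, offer, NOW))
```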
Integration with Existing Protocols
Extending A2A for Payments
AP2 is designed as a natural extension of the Agent2Agent (A2A) protocol, which provides the foundation for agent discovery, negotiation, and collaboration. While A2A handles the general communication patterns between agents, AP2 specializes the payments layer with standardized mandate objects, signatures, and accountability signals.
This separation of concerns allows developers to leverage existing A2A implementations for agent coordination while adding AP2 compliance for payment transactions. The result is a cohesive ecosystem where agents can handle both commercial and non-commercial interactions using consistent communication patterns.
Compatibility with MCP Tools
The Model Context Protocol (MCP) enables agents to access tools, data sources, and services through a standardized interface. AP2-compliant agents use MCP to interact with merchant systems for product information, inventory checks, and price queries—all of which occur before the payment-specific interactions handled by AP2.
This clear division between general-purpose tool usage (via MCP) and payment-specific actions (via AP2) helps maintain security boundaries while enabling rich functionality. Merchants can expose product catalogs and inventory systems through MCP servers without worrying about payment security concerns, as those are handled separately by AP2-compliant payment endpoints.
x402 Extension for Crypto Payments
Recognizing the growing importance of cryptocurrency and blockchain-based payments, Google collaborated with Coinbase, Ethereum Foundation, MetaMask, and other leading organizations to create the A2A x402 extension. This specialization of AP2 provides production-ready solutions for agent-based crypto payments, extending AP2’s core concepts to support digital assets.
The x402 extension demonstrates AP2’s flexibility in accommodating different payment methods while maintaining consistent security and accountability principles. As cryptocurrency adoption grows, extensions like x402 will help shape the evolution of digital asset integrations within the core AP2 protocol.
Implementation and Development
Getting Started with AP2
Developers interested in implementing AP2 can begin with the reference implementation available in the public GitHub repository. The repository contains complete technical specifications, documentation, and runnable samples that demonstrate key protocol concepts.
The quickest way to start experimenting with AP2 is to run one of the provided sample scenarios:
# Clone the repository
git clone https://github.com/google-agentic-commerce/AP2.git
# Navigate to a scenario directory
cd AP2/samples/python/scenarios/a2a/human-present/cards/
# Set up environment variables (including your Google API key)
export GOOGLE_API_KEY=your_key_here
# Run the scenario
bash run.sh
These samples provide complete working implementations that demonstrate how to issue and verify mandates, move from agent negotiation to payment authorization, and handle different transaction types.
AP2 Types Package
The protocol’s core objects are defined in a dedicated types package located in src/ap2/types. While a PyPI package will be published in the future, developers can currently install the types directly from the GitHub repository:
uv pip install git+https://github.com/google-agentic-commerce/AP2.git@main
This package provides Python data classes for all AP2 mandate types, making it easier to implement protocol-compliant systems without manually handling serialization and validation.
Framework Compatibility
Although the reference implementation uses Google’s Agent Development Kit (ADK) and Gemini 2.5 Flash, AP2 is explicitly designed to be framework-agnostic. Any agent stack can generate and verify mandates following the protocol specification, regardless of the underlying AI models or development frameworks.
This flexibility ensures that organizations aren’t locked into specific technology choices when adopting AP2. Existing agent systems can add AP2 compliance without requiring complete architectural changes.
Industry Adoption and Ecosystem Support
Broad-Based Collaboration
AP2 represents the culmination of extensive collaboration across the payments and technology industries. More than 60 organizations have contributed to shaping the protocol, including major payment networks, financial institutions, technology providers, and merchants:
Payment Networks and Processors
- Adyen, American Express, JCB, Mastercard, UnionPay International, Worldpay
- PayPal, Coinbase, BVNK, Crossmint, Lightspark
Technology Platforms
- Salesforce, ServiceNow, Intuit, Adobe, Dell Technologies
- Okta, 1Password, Gravitee, Confluent
Merchants and Marketplaces
- Etsy, Shopee, Global Fashion Group
This diverse participation ensures that AP2 addresses the real-world needs of all ecosystem participants rather than reflecting the perspective of any single company or segment.
Enterprise Applications
Beyond consumer shopping scenarios, AP2 enables transformative enterprise applications:
B2B Procurement
Enterprises can use AP2 to automate procurement processes while maintaining appropriate authorization controls and audit trails. Agents can source from multiple suppliers, negotiate terms, and execute purchases—all with proper cryptographic evidence of compliance with company policies.
Marketplace Transactions
Platforms like Google Cloud Marketplace can leverage AP2 to enable autonomous purchasing of software and services. Customers can delegate routine procurement tasks to agents while maintaining visibility and control through mandate-based authorization.
Dynamic Resource Management
AP2’s support for conditional authorization enables innovative business models such as automatic scaling of software licenses based on real-time needs. Systems can automatically purchase additional capacity when predefined utilization thresholds are reached, with the Intent Mandate providing pre-authorization within specific constraints.
Security and Privacy Considerations
Role-Based Data Minimization
AP2’s architecture intentionally minimizes sensitive data exposure through strict role separation:
- User/Shopping Agents handle task interpretation and cart negotiation without accessing payment credentials
- Credentials Providers (wallets) store payment methods and issue payment-specific artifacts without involvement in product selection
- Merchant Endpoints expose catalog information and sign carts without receiving payment details
- Payment Processors handle network authorization while receiving only the necessary context about agent involvement
This approach ensures that no single entity has unnecessary access to sensitive information, reducing the attack surface and privacy risks.
Cryptographic Security Properties
AP2 mandates provide several crucial security properties:
Integrity Protection
Digital signatures prevent tampering with mandate contents after they’re created. Any modification invalidates the signature, alerting recipients to potential manipulation.
Non-Repudiation
The use of asymmetric cryptography ensures that signers cannot later deny having created valid signatures. This property is essential for establishing accountability in dispute scenarios.
Selective Disclosure
Verifiable Credentials can be designed to reveal only necessary information to each participant. For example, a Payment Mandate might indicate that an agent was involved without disclosing the agent’s specific identity or capabilities.
Compliance with Existing Standards
AP2 is designed to complement rather than replace existing payment security standards:
PCI DSS Compatibility
The protocol’s role-based architecture helps organizations maintain PCI DSS compliance by ensuring that sensitive authentication data remains with credentialed providers rather than flowing through agent systems.
3-D Secure Integration
AP2 supports integration with 3-D Secure and similar step-up authentication mechanisms, ensuring that strong customer authentication can occur when needed through trusted surfaces.
Regulatory Compliance
The audit trails generated by AP2 facilitate compliance with financial regulations by providing clear evidence of authorization and transaction details.
Future Development and Evolution
Protocol Enhancement Process
Google has committed to evolving AP2 through an open, collaborative process that includes engagement with standards bodies. The GitHub repository serves as the central hub for technical discussions, proposal submissions, and reference implementation updates.
This open approach ensures that the protocol continues to address emerging needs and incorporates innovations from across the ecosystem rather than being driven by any single organization.
Planned Extensions and Improvements
The AP2 roadmap includes several key areas for future development:
Additional Payment Method Support
While the initial focus is on card-based payments, future versions will expand support to include real-time bank transfers, digital wallets, and additional cryptocurrency integrations.
Enhanced Identity Primitives
Integration with decentralized identity standards will provide more flexible and privacy-preserving approaches to agent and user identification.
Cross-Border Considerations
As AP2 adoption grows globally, the protocol will evolve to address region-specific requirements including currency support, tax calculation, and regulatory compliance.
Performance Optimization
Ongoing work will focus on optimizing mandate processing for high-volume scenarios without compromising security properties.
Getting Involved
For Developers
Developers interested in contributing to AP2 can start by:
- Exploring the GitHub repository and running sample scenarios
- Reviewing open issues and contributing code or documentation improvements
- Joining discussions about protocol enhancements and use cases
- Building AP2-compliant agents or merchant integrations and sharing implementation experiences
For Organizations
Organizations across the payments ecosystem can participate by:
- Implementing AP2 support in their products and services
- Providing feedback based on implementation experiences
- Participating in industry working groups and standards discussions
- Sharing case studies and best practices for agentic commerce
Conclusion
The Agent Payments Protocol represents a significant step forward in enabling trustworthy AI-driven commerce. By providing a common language for secure agent transactions, AP2 addresses the critical authorization, authenticity, and accountability challenges that would otherwise limit the potential of agentic automation.
Through its open, collaborative development and broad industry support, AP2 has the potential to become the foundational layer for a new era of commerce where AI agents can safely and reliably transact on our behalf. As the protocol evolves and adoption grows, we can expect to see increasingly sophisticated applications that leverage AP2’s capabilities to create better experiences for users, merchants, and financial institutions alike.
The journey toward ubiquitous agentic commerce is just beginning, but with AP2 providing the trust foundation, we can move forward with confidence that security, privacy, and accountability remain at the forefront of this transformation.
This overview of Agent Payments Protocol (AP2) is based on technical documentation and announcements from Google and its partners. All information reflects the current state of the protocol as of its publication in September 2025. For the most current specifications and implementations, refer to the official GitHub repository at github.com/google-agentic-commerce/AP2.