Google Agent Payments Protocol (AP2)
AP2 is an open protocol, announced by Google on 2025-09-16, for securely initiating and settling payments made by AI agents on a user's behalf. Where Agentic Commerce Protocol (ACP) and Universal Commerce Protocol (UCP) address how agents discover products and execute checkout, AP2 addresses the trust/authorization layer underneath: proving an agent was actually authorized to spend, that the request reflects the user's true intent, and who is accountable if something goes wrong. It is positioned as payment-method-agnostic and as an extension of the Agent2Agent (A2A) protocol and the Model Context Protocol (MCP) (Google Cloud, 2025-09-16).
Why it exists — the three problems
Google frames AP2 as solving three problems that arise once an agent, not a human, clicks "buy" (Google Cloud, 2025-09-16):
| Problem | What it means |
|---|---|
| Authorization | Proving a user gave the agent specific authority to make this purchase |
| Authenticity | A merchant being sure the agent's request reflects the user's true intent |
| Accountability | Determining who is responsible if a fraudulent or incorrect transaction occurs |
Rivero argues that today's chargeback and dispute systems assume clear human intent and traceable authorizations — assumptions that agent-driven transactions blur with algorithmic intents, cryptographic consent and shared liabilities, creating a gap between current systems and new expectations (Rivero, undated, post-2025-09).
How it works — the Mandate model
At the core of AP2 are digitally signed Mandates — described as tamper-proof, cryptographically signed digital contracts that serve as verifiable proof of a user's instructions (Google Cloud, 2025-09-16).
Key terms
| Term | Meaning (per AP2 spec / Google Cloud) |
|---|---|
| Intent Mandate | Captures the conditions under which an agent may buy on the user's behalf in human-not-present scenarios — e.g. "buy these running shoes when they drop below $100" |
| Cart Mandate | The user's final explicit authorization of a specific cart (exact items + price) in human-present scenarios; the user's cryptographic signature provides non-repudiable proof of intent |
| Payment Mandate | A Verifiable Credential shared with the payment network and issuer, signalling AI-agent involvement and user-presence (human-present vs not) to help assess transaction context |
| Shopping Agent | Finds products on the user's behalf |
| Credential Provider | A secure digital wallet (e.g. PayPal, Google Pay) that manages payment details |
| Merchant Payment Processor | Constructs the final authorization message for the payment networks |
Intent and Cart Mandates are described as JSON-LD objects structured per the W3C Verifiable Credentials standard and signed using ECDSA cryptography, so any modification invalidates the signature, making them tamper-evident (AP2 spec, undated). The Cloud Security Alliance characterises mandates as cryptographic contracts specifying who is authorized to act (the agent), what actions are permitted (capabilities and limits), where payments may go (approved merchants) and when permissions are valid (CSA, 2025-10-06).
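The tamper-evidence property and the who/what/where/when limits described above, shown as an added Go example that is not AP2 reference code. The `IntentMandate` fields, the `issue` and `authorize` helpers and all sample values are assumptions, and Go's deterministic `encoding/json` output stands in for JSON-LD canonicalization.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// IntentMandate is a simplified, hypothetical shape, not the AP2 schema.
type IntentMandate struct {
	Agent     string          `json:"agent"`     // who may act
	MaxCents  int64           `json:"maxCents"`  // what: spending limit
	Merchants map[string]bool `json:"merchants"` // where payments may go
	NotAfter  int64           `json:"notAfter"`  // when: expiry, Unix seconds
}

// digest hashes Go's deterministic JSON, a stand-in for JSON-LD canonicalization.
func digest(m IntentMandate) []byte {
	b, _ := json.Marshal(m)
	h := sha256.Sum256(b)
	return h[:]
}

func issue(m IntentMandate) (*ecdsa.PublicKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the user's key
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest(m))
	return &key.PublicKey, sig
}

// authorize verifies the signature first, then every limit the mandate sets.
func authorize(pub *ecdsa.PublicKey, m IntentMandate, sig []byte, agent, merchant string, cents, now int64) error {
	if !ecdsa.VerifyASN1(pub, digest(m), sig) {
		return fmt.Errorf("signature invalid: mandate altered or wrong key")
	}
	if agent != m.Agent || cents > m.MaxCents || now > m.NotAfter || !m.Merchants[merchant] {
		return fmt.Errorf("purchase outside the signed mandate's limits")
	}
	return nil
}

func main() {
	m := IntentMandate{"agent-1", 10000, map[string]bool{"shoes.example": true}, 1900000000}
	pub, sig := issue(m)
	fmt.Println(authorize(pub, m, sig, "agent-1", "shoes.example", 9500, 1800000000))
	m.MaxCents = 50000 // constructed tampering after signing
	fmt.Println(authorize(pub, m, sig, "agent-1", "shoes.example", 30000, 1800000000))
}
```

Checking the signature before reading any limit matters: the raised `MaxCents` would pass the limit check on its own, and only the failed verification rejects it.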
Where AP2 sits — the agentic-commerce stack
Multiple analysts describe AP2, ACP and x402 as stacking layers, not direct competitors (Orium, undated). One framing of the layered stack (DigitalApplied, 2026):
- Universal Commerce Protocol (UCP) (Google, Shopify) — discovery and cart
- Agentic Commerce Protocol (ACP) (OpenAI, Stripe) — in-chat checkout execution
- AP2 (Google-initiated, now FIDO-governed) — proves who authorized the payment
- x402 (Google + Coinbase, Ethereum Foundation, MetaMask) — execution layer for agent-based crypto/stablecoin payments
A single purchase can in principle use all three (DigitalApplied, 2026). Grid Dynamics frames ACP as an application-layer protocol optimised for instant in-chat checkout (speed/UX) and AP2 as a governance-layer protocol using cryptographic mandates to create an audit trail, better suited to complex B2B or high-value workflows (Grid Dynamics, undated).
Are AP2 and ACP/UCP rivals or complementary layers? Most analysts call them complementary layers in an emerging agentic-commerce stack [1]. Other framings (e.g. "Protocol Wars" headlines) treat them as rivals competing for merchant mindshare. The technical substance (a layered stack) is consistent; the rhetoric differs.
Ecosystem and governance
AP2 launched with more than 60 organizations named, including Adyen, American Express, Ant International, Coinbase, Etsy, Forter, Intuit, JCB, Mastercard, Mysten Labs, PayPal, Revolut, Salesforce, ServiceNow, UnionPay International and Worldpay (Google Cloud, 2025-09-16; partner list as-of 2025-09-16).
Around May 2026, Google donated AP2 to the FIDO Alliance for open, community-led governance, and Mastercard contributed its Verifiable Intent framework (co-developed with Google) to work alongside it (PYMNTS, 2026-05; The Paypers, 2026-05). The FIDO Alliance announced it would develop standards for trusted AI-agent interactions via an Agentic Authentication Technical Working Group (chaired by CVS Health, Google, OpenAI) and a Payments Technical Working Group (chaired by Mastercard and Visa), based on AP2 and Mastercard's Verifiable Intent framework (FIDO Alliance, 2026-05).
PayPal and Google Cloud also introduced an agentic-commerce solution letting merchants accept agent-initiated payments through existing PayPal and Braintree integrations without reworking checkout (Google Cloud, undated; as-of 2026).
What it means for merchants
- AP2 provides a non-repudiable, cryptographic audit trail for every transaction, intended to aid dispute resolution (AP2 spec, undated).
- Per the spec, accountability is designed to land on a real-world entity (user, merchant or issuer) for the vast majority of cases, and only on the AI agent if a "load-bearing decision" made by the agent is determined to be wrong (AP2 spec, undated).
- PayPal's developer blog recommends an incremental rollout: start with human-present flows, then extend to human-not-present and new payment rails (PayPal, undated).
Status, criticisms and open questions (as-of 2026-06-26)
- The Cloud Security Alliance published a dedicated framework on secure use of AP2, signalling that secure implementation (distinct from protocol design) is treated as its own concern (CSA, 2025-10-06).
- Rivero notes AP2 is still young, many edge cases are not fully stress-tested, and first movers face open questions such as what constitutes a valid mandate in borderline cases and how to handle conflicting intent (Rivero, undated).
- A reported AP2 v0.2 release on GitHub (~2026-04-28) and a "production-ready for crypto, maturing for cards" status come from a single secondary source and are low-confidence (DigitalApplied, 2026, as-of 2026).
[!unverified] Hard adoption metrics — transaction volumes, live merchant counts, GMV flowing through AP2 — were not found in this run; only named-partner lists and a few named pilots surfaced. Treat AP2 as early-stage in real-world deployment until corroborated by primary newsroom data.
Gaps from this harvest
- No source directly comparing AP2 head-to-head against Visa Intelligent Commerce as a rival standard (Visa/Mastercard appear mainly as AP2/FIDO contributors).
- No concrete new chargeback reason-code or liability-shift rule from Visa/Mastercard for agentic transactions — Rivero discusses the gap conceptually only.
- Reddit signal: none — the reddit-research MCP was unavailable this run.
- YouTube transcripts: none read — the Apify transcript actor was unavailable; candidate videos were logged (see source page).
Related
Agentic Commerce · Agentic Commerce Protocol (ACP) · Universal Commerce Protocol (UCP) · Shared Payment Token (SPT) · Verifiable Credentials · FIDO Alliance · x402 · Model Context Protocol (MCP) · Agent2Agent (A2A) · Network Tokenisation
References
- Orium, undated — orium.com/blog/agentic-payments-acp-ap2-x402