Google has announced the Agent Payments Protocol (AP2), an open, shared protocol that allows AI agents (from users, merchants, and payment providers) to initiate and complete secure, verifiable payments across various platforms and payment methods. AP2 is presented as an extension of the Agent2Agent (A2A) protocol and the Model Context Protocol (MCP), backed by a consortium of over 60 organizations from the financial and technology sectors, including Mastercard, PayPal, American Express, Revolut, Adyen, Coinbase, JCB, Worldpay, Salesforce, ServiceNow, Etsy, and Intuit. The goal: to prevent fragmentation in “agentic commerce” and provide a common language that ensures authorization, authenticity, and accountability in transactions where there is no longer a direct human click.
Why a common protocol was needed
The premise is simple: AI agents can purchase on behalf of people. This shift breaks the classic assumption of “a person clicks Buy on a trusted surface” and raises three critical questions:
- Authorization: how to prove that the user gave the agent permission to make that purchase, under those conditions.
- Authenticity: how the merchant knows that the agent’s order reflects the user’s real intent.
- Responsibility: what happens if the transaction is incorrect or fraudulent, and who is accountable.
AP2 addresses this with Mandates: immutable digital contracts, cryptographically signed, and supported by verifiable credentials (VCs). These act as verifiable proof of the user’s instructions and as auditable evidence throughout the flow — from intent to payment.
How it works: Intent and Cart Mandates
The protocol organizes the purchase process into a chain of evidence:
- Intent Mandate: captures the user request and its rules (e.g., “buy white sneakers up to €120”, or “purchase tickets when available, with a cap of €80”); it is auditable and sets the context.
- Cart Mandate: locks in specific items, price, and terms; the user approves (or their agent, if delegation is explicit) and it remains signed as an irrevocable record of “what you see is what you pay”.
With both Mandates signed with VCs, the protocol securely links the payment method to the verified cart contents and creates a full trace with guaranteed authorization and authenticity, on which accountability can be assigned in case of dispute.
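The chain of evidence described above, as an added example that is not taken from the original article or from the AP2 specification: a verifier refuses payment unless both Mandates authenticate, the cart is bound to the intent it claims, and the total respects the user's cap. HMAC stands in for the asymmetric signature of a verifiable credential, and the key, field names and sample data are all constructed assumptions.

```python
import hashlib, hmac, json

# HMAC with a constructed demo key stands in for the asymmetric signature a
# verifiable credential would carry; every field name here is hypothetical.
USER_KEY = b"constructed-demo-key"

def canonical(doc):  # deterministic bytes: signer and verifier hash the same input
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def tag(body, key):
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def sign(body, key=USER_KEY):
    return {"body": body, "sig": tag(body, key)}

def sig_ok(mandate, key=USER_KEY):
    return hmac.compare_digest(tag(mandate["body"], key), mandate.get("sig", ""))

def digest(mandate):
    return hashlib.sha256(canonical(mandate)).hexdigest()

def check_cart(intent, cart, key=USER_KEY):
    """Return reasons to refuse payment; an empty list means the chain holds."""
    # Never evaluate rules taken from content that failed authentication.
    for name, mandate in (("intent", intent), ("cart", cart)):
        if not sig_ok(mandate, key):
            return [f"{name} signature invalid"]
    rules, order, problems = intent["body"], cart["body"], []
    if order.get("intent_digest") != digest(intent):
        problems.append("cart is not bound to this intent")
    if order.get("currency") != rules["currency"]:
        problems.append("currency differs from intent")
    total = sum(i["unit_price_cents"] * i["qty"] for i in order.get("items", []))
    if total > rules["max_total_cents"]:
        problems.append("cart total exceeds intent cap")
    return problems

# Constructed sample: "buy white sneakers up to EUR 120" from the text.
INTENT = sign({"request": "white sneakers", "currency": "EUR", "max_total_cents": 12000})
OTHER = sign({"request": "green jacket", "currency": "EUR", "max_total_cents": 12000})

def make_cart(price_cents, intent=INTENT):
    item = {"sku": "SNK-WHT-42", "unit_price_cents": price_cents, "qty": 1}
    return sign({"intent_digest": digest(intent), "currency": "EUR", "items": [item]})

def tampered(cart, price_cents):  # signed cart whose price was edited afterwards
    forged = json.loads(json.dumps(cart))
    forged["body"]["items"][0]["unit_price_cents"] = price_cents
    return forged
```

Calling `check_cart(INTENT, make_cart(11900, OTHER))` shows why the digest link matters: the cart is validly signed and under the cap, yet it is rejected because it was approved against a different intent.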
“Payment-agnostic” payments: cards, instant transfers, and stablecoins
AP2 is designed to be payment-agnostic. The framework supports credit and debit cards, real-time bank transfers, and crypto assets (stablecoins in particular). To facilitate integration with the web3 ecosystem, Google, in collaboration with Coinbase, Ethereum Foundation, and MetaMask, among others, has launched the production-ready A2A x402 extension, which enables agent-initiated crypto payments that coexist with traditional rails.
Use cases: from “watching” to multi-agent coordination
Google provides examples that outline new purchase patterns beyond just “one-click payment”:
- Delegated purchase with rules: the user requests a jacket “in green” and authorizes paying up to 20% more if that color appears. The agent monitors availability and executes the purchase when conditions are met.
- Personalized offers between agents: the user requests a bicycle for a specific travel date. The merchant’s agent responds with a bundle (bike + helmet + rack) with a 15% discount, negotiated between agents via Mandates.
- Coordinated tasks with budgets: “Flight + hotel” for a weekend, capped at €700. The agent negotiates with airlines, hotels, and OTAs, then signs both reservations simultaneously when the budget and conditions are met.
In B2B, the same framework could support autonomous software shopping on Google Cloud Marketplace, real-time license extensions, or automated procurement with controls and audits.
Who is involved: more than 60 supporters and a call for standardization
The announcement is backed by public support from key players: card networks (Mastercard, JCB), payment gateways and payfacs (Adyen, Worldpay, Checkout.com, Payoneer, PayPal), banks and fintechs (Revolut, DLocal, Ebanx), identity providers (Okta/Auth0), crypto stacks (Coinbase, MetaMask, Mysten/Sui), data streaming platforms (Confluent), and consulting firms (Accenture, Deloitte, PwC), among others. The message is clear: converge on an open protocol and prevent incompatible silos just as AI agents start to operate at scale.
Benefits and risks: balancing friction and trust
- For the user: less friction (the agent acts under mandate), increased security and control (explicit, auditable conditions), and non-repudiable traceability.
- For merchants: higher conversion rates in high-intent purchases (e.g., automatic reordering or stock hunting), dynamic offers generated by their agents, and fewer chargebacks thanks to cryptographic evidence of intent and cart.
- For financial institutions: clarity in risk management and compliance, with a verifiable record of who authorized what, when, and on what terms.
The obvious risk is operating without human presence. AP2 aims to mitigate this with well-defined Mandates, VCs, and common governance, but will require anti-fraud controls and dispute resolution mechanisms of equal caliber: how to handle a compromised agent, how to revoke credentials, how to prevent prompt injection, or how to limit expenses by default. The actual implementation and its regulatory adoption will be decisive.
Under the hood: technical components and regulatory fit
While Google’s blog emphasizes a product-focused approach, the technical framework aims to integrate with A2A (for agent orchestration and messaging) and MCP (for tool and context interoperability). Based on this foundation, AP2 defines:
- Mandate models (intent and cart) as signed documents.
- Verifiable Credentials (VCs) for identity and authority of agents and involved parties.
- Auditable records for traceability and dispute claims.
- Compatibility with rails (cards, real-time banking, stablecoins).
Standards compatibility (e.g., FIDO Alliance work on VCs) and collaboration with networks and issuers will be crucial to ensure alignment of AP2 with KYC/AML, SCA (strong customer authentication), and frameworks like PSD2/PSD3 in the EU. Google positions AP2 as an open foundation that industry can build upon to innovate in authorization, decentralized identity, and governance.
The role of stablecoins and x402: programmable rails for agents
The most strategic aspect is day-one compatibility with crypto and stablecoins. The x402 extension, co-developed with Coinbase and other partners, brings to production a scheme where agents can send, receive, and settle payments with programmable assets, while keeping the Mandates and VCs as the trust layer. It does not replace traditional rails; it coexists with them and routes through the most efficient path, based on cost, speed, or success rate.
What remains to be seen: market adoption, SDKs, and governance
The launch is open and accompanied by a public repository: specifications, documentation, and reference implementations will be updated continually with contributions from Google and the community. In the short term, adoption will depend on three levers:
- Development tools — SDKs, libraries, sandboxes, and playgrounds.
- Success stories — e.g., travel, retail with complex carts, SaaS with usage-based billing.
- Regulatory alignment and clear responsibility models among issuers, networks, merchants, and agent orchestrators.
Practical illustrative scenarios where AP2 adds value
- Smart replenishment: a supermarket agent detects that the user is running low on coffee capsules; with an Intent Mandate that sets brand and max price, it compares offers and executes the order when conditions are met.
- Drop-time shopping: the user signs “buy the limited edition if the price ≤ €150 and size M is available”; the agent monitors inventory, signs the cart instantly, and pays.
- SaaS autoscaling in B2B: an AI stack grows from 50 to 200 licenses during a campaign; a Capacity/Budget Mandate allows agents to expand licenses in a non-repudiable way, then reduce them afterwards, with auditing for FinOps.
- Travel with restrictions: “Flight + hotel in November for ≤ €700 with flexible cancellation”; agents explore combinations, lock the cart, and close when the final price and conditions align with the Mandate.
What industry insiders say
- PayPal emphasizes that AP2 brings a trust foundation and operational clarity to the commerce ecosystem.
- CMSWire highlights the auditable chain from intent to checkout, supporting cards, instant transfers, and stablecoins.
- Specialized media note that AP2 is not yet in mass operation, but it presents an early opportunity to build transactional experiences between agents and avoid fragmentation.
Conclusion: a shared “rail” for AI to buy for people (with guarantees)
AP2 arrives as AI agents transition from lab experiments to real-world use. If successful, it will enable users to delegate purchases with verifiable conditions, allow merchants to design dynamic offers between agents, and let payment providers manage risk with clear cryptographic proofs. The challenge now is not whether agents can pay, but how they will do so in a trustworthy way, how disputes will be resolved, and who will be accountable. An open, agnostic, and auditable protocol like AP2 may not guarantee success by itself, but it provides the most reasonable foundation for standardizing the next wave of agent-driven commerce.
Frequently asked questions
What is AP2, and how does it differ from A2A and MCP?
AP2 is an open protocol for agent-led payments that extends A2A (messaging/negotiation between agents) and MCP (tool/component interoperability). It adds signed Mandates and verifiable credentials to ensure intent, cart, and payment are linked and auditable.
How does AP2 ensure authorization and authenticity in purchases without human clicks?
By using Intent Mandates (user instructions and rules) and Cart Mandates (items, prices, terms), both signed as VCs. This cryptographic chain provides irrefutable proof of consent and “what is being purchased”.
What payment methods does AP2 support, and how does the x402 extension fit in?
The protocol is payment-agnostic: it supports cards, instant bank transfers, and crypto (stablecoins). The A2A x402 extension, co-developed with Coinbase and other partners, enables crypto payments between agents while maintaining the Mandates and VCs trust layer.
Which companies support AP2, and why is it relevant for merchants and fintechs?
Over 60 organizations, from global networks to gateways and fintechs, endorse AP2 to prevent fragmentation and align security, identity, and compliance in “agentic commerce”. Notable supporters include: Mastercard, PayPal, American Express, Adyen, Worldpay, Revolut, Coinbase, JCB, Salesforce, ServiceNow.
Is it already operational at scale? Where should I start testing?
Google has published the spec and reference implementations in a public repository. It will be continually updated through community contributions, demos, and refinements. Short-term adoption depends on SDKs, pilot cases, and regulatory alignment across regions.
What are the main risks, and how can they be mitigated?
Risks include agent impersonation, credential revocation, spending limits, prompt injection attacks, and dispute resolution. AP2 does not eliminate risk, but it standardizes proof of intent and accountability, enabling networks, issuers, and merchants to manage incidents with auditable evidence.
via: cloud.google