This is Part 2 of our three-part series on the Agentic Commerce Stack. Part 1 covered ACP, Stripe and OpenAI's commerce layer for checkout flows and merchant integration. This instalment examines AP2—the trust layer that establishes cryptographic proof of authorisation. Part 3 explores x402, the settlement layer for on-chain payment execution.
Executive Summary
When an AI agent spends money on your behalf, how do you prove you authorised it? This is the fundamental question the Agent Payments Protocol (AP2) answers. Developed by Google with over 60 partners including Mastercard, PayPal, American Express, and Coinbase, AP2 establishes the trust infrastructure for agent-driven commerce.
While ACP handles the checkout flow, AP2 solves a more fundamental problem: proving that an agent's actions reflect genuine user intent. The protocol introduces cryptographically-signed Mandates—tamper-proof digital contracts that create non-repudiable proof of authorisation at every step of a transaction.
Key findings:
- AP2 uses W3C Verifiable Credentials to create immutable audit trails linking every transaction to explicit user consent
- The protocol supports both human-present (real-time) and human-not-present (delegated) transaction modes
- Native x402 integration via the A2A x402 extension enables stablecoin settlement within the AP2 framework
- Payment-agnostic design supports cards, bank transfers, digital wallets, and cryptocurrencies through a unified trust model
The Problem: Proving Intent in Autonomous Systems
Traditional payment systems assume a human directly initiates every transaction. When you click "Buy" on a website, your action itself constitutes authorisation. The entire security model—from 3D Secure challenges to fraud detection—is built around this assumption.
AI agents break this model completely:
- Authorisation ambiguity: Did the user actually grant the agent permission to make this specific purchase?
- Authenticity uncertainty: Does the transaction reflect genuine user intent, or agent hallucination?
- Accountability gaps: If something goes wrong, who bears responsibility—the user, the agent platform, or the merchant?
As Google's announcement notes: "While today's payment systems generally assume a human is directly clicking 'buy' on a trusted surface, the rise of autonomous agents breaks this fundamental assumption."
Without a common protocol, the result would be fragmented proprietary solutions—creating confusion for users, operational complexity for financial institutions, and elevated fraud exposure across the ecosystem.
How AP2 Works: The Mandate System
AP2's core innovation is the Mandate—a cryptographically-signed, tamper-proof digital contract that serves as verifiable proof of user intent. All mandates are expressed as W3C Verifiable Credentials, ensuring portability, interoperability, and cryptographic integrity across the ecosystem.
The protocol defines three mandate types, each serving a distinct purpose in the transaction lifecycle:
Intent Mandate
The Intent Mandate captures the user's initial instruction—what they want the agent to accomplish. According to the AP2 specification, it contains:
- Natural language description of user intent
- Merchant allow-lists or restrictions
- SKU constraints and price limits
- Time-to-live parameters
- Payment method categories
Example: "Find me white running shoes under $150, buy them if you find a good deal."
The Intent Mandate creates an auditable record of what the user authorised before any transaction occurs. For real-time purchases, it provides context. For delegated tasks, it grants bounded authority for the agent to act autonomously.
Cart Mandate
The Cart Mandate locks in the exact details of a specific purchase. It's generated by the merchant based on the user's selections and signed by the user—typically using a hardware-backed key on their device.
According to PayPal's technical analysis, the Cart Mandate contains:
- Payer and payee information: Verifiable identities for user and merchant
- Payment method: Tokenised representation of the specific payment method to be charged
- Risk payload: Container for fraud signals required by merchants, processors, and issuers
- Transaction details: Exact products, destination, amount, and currency
The cryptographic signature provides non-repudiable proof: this specific user approved this specific cart at this specific price.
Payment Mandate
The Payment Mandate is a minimal credential derived from the Cart or Intent Mandate, specifically designed for payment networks and issuers. It signals:
- Whether an AI agent was present in the transaction
- The transaction modality (human-present or human-not-present)
- Hashed cart contents for verification
This gives issuers visibility into agent involvement without exposing sensitive PCI/PII data—enabling enhanced risk scoring for agentic transactions.
Transaction Modes: Human-Present vs Human-Not-Present
AP2 supports two fundamentally different transaction patterns, each with distinct trust requirements.
Human-Present (HP) Transactions
In HP mode, the user actively participates in the transaction flow. This mirrors traditional e-commerce, but with agent assistance.
Flow:
- User provides shopping task to agent ("Find me a gift for my sister's birthday")
- Agent discovers merchants, compares options, assembles cart
- Merchant signs Cart Mandate with exact items and pricing
- User reviews and approves on trusted surface with device attestation
- Payment Mandate created with HP flag
- Transaction routed through payment ecosystem
The user's real-time signature on the Cart Mandate creates the same level of authorisation as clicking "Buy" on a traditional checkout page—but with a cryptographic audit trail.
Human-Not-Present (HNP) Transactions
HNP mode enables truly autonomous agent commerce. The user grants authority upfront, and the agent executes later when conditions are met.
Flow:
- User signs detailed Intent Mandate with specific parameters:
  - Price limits and budget constraints
  - Timing windows
  - Product specifications
  - Merchant restrictions
- Agent monitors for matching conditions
- When conditions are met, agent initiates purchase
- Merchant may optionally require user confirmation if uncertainty exists
- Payment Mandate created with HNP flag
- Transaction executes with Intent Mandate as authorisation
Example use case: "Buy concert tickets the moment they go on sale, up to $200 per ticket, maximum 4 tickets."
The Intent Mandate provides cryptographic proof that the user pre-authorised this category of purchase within specified bounds—even though they weren't present at execution time.
Security Architecture: Cryptographic Trust Without Central Authority
AP2 achieves trust through cryptographic verification rather than centralised gatekeepers.
Verifiable Credentials Foundation
All mandates are implemented as W3C Verifiable Credentials, providing:
- Tamper evidence: Any modification invalidates the cryptographic signature
- Decentralised verification: Credentials can be verified without calling a central service
- Portability: Standardised format works across ecosystem participants
- Crypto-modularity: Supports emerging approaches including post-quantum cryptography
Cryptographic Primitives
According to the Cloud Security Alliance's analysis, AP2 employs:
- ECDSA signatures: Core mechanism for non-repudiable proof of intent
- Hardware-backed keys: Device attestation for high-assurance signing
- Deterministic signature bases: Consistent formatting for verification
- Nonce-based replay protection: Prevents transaction replay attacks
Role-Based Architecture
AP2 distributes security responsibilities across five distinct roles:
| Role | Responsibility |
|---|---|
| User | Provides authorisations, signs mandates |
| Shopping Agent | Orchestrates purchase workflow, never handles raw credentials |
| Credentials Provider | Manages payment methods, issues tokens, handles authentication |
| Merchant Endpoint | Negotiates terms, signs Cart Mandates, fulfils orders |
| Merchant Payment Processor | Aggregates mandates, routes to issuers |
This separation ensures payment credentials never unnecessarily flow to agents or merchants—minimising PCI exposure and attack surface.
The Non-Repudiable Audit Trail
The chain of mandates creates complete transaction evidence:
Intent Mandate (user intent)
→ Cart Mandate (specific approval)
→ Payment Mandate (network visibility)
→ Settlement Proof (execution record)
Each step is cryptographically linked. If a dispute arises, the mandate chain provides irrefutable evidence of who authorised what, enabling clear accountability assignment.
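The mandate chain and the checks described above, worked as an added example that is not the AP2 reference code: hypothetical Go types in which each mandate is a claim set ECDSA-signed by one or more roles over a deterministic signature base, the Cart Mandate carries the Intent Mandate's hash and a nonce, the Payment Mandate carries only the cart hash plus the presence flags, and a processor-side check rejects a tampered cart or a replayed mandate. The Payment Mandate's own signer and hardware-backed key storage are left out, and the field names, roles and key helper are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Mandate is a hypothetical, simplified stand-in for an AP2 credential: a claim set whose
// "type" claim is intent, cart or payment, plus one ECDSA signature per signing role.
type Mandate struct {
	Claims map[string]any    `json:"claims"`
	Sigs   map[string][]byte `json:"sigs"`
}
// base is the deterministic signature base: json.Marshal sorts map keys at every level,
// so every party derives the same bytes; Sigs is excluded so several roles can countersign.
func (m Mandate) base() []byte {
	b, _ := json.Marshal(m.Claims)
	h := sha256.Sum256(b)
	return h[:]
}
// Hash links the chain: a child mandate carries its parent's hash in its claims.
func (m Mandate) Hash() string { return hex.EncodeToString(m.base()) }
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func (m *Mandate) Sign(role string, k *ecdsa.PrivateKey) {
	if m.Sigs == nil {
		m.Sigs = map[string][]byte{}
	}
	m.Sigs[role], _ = ecdsa.SignASN1(rand.Reader, k, m.base())
}
func (m Mandate) Verify(role string, pub *ecdsa.PublicKey) bool { return ecdsa.VerifyASN1(pub, m.base(), m.Sigs[role]) }
// Accept plays the processor: it rejects a missing or bad signature, a cart altered after
// signing (its hash no longer matches the Payment Mandate), or a reused nonce.
func Accept(pay, cart Mandate, user, merchant *ecdsa.PublicKey, seen map[string]bool) error {
	nonce, _ := cart.Claims["nonce"].(string)
	switch {
	case !cart.Verify("user", user) || !cart.Verify("merchant", merchant):
		return errors.New("cart mandate signature invalid")
	case pay.Claims["cartHash"] != cart.Hash():
		return errors.New("payment mandate does not match cart")
	case nonce == "" || seen[nonce]:
		return errors.New("missing or replayed nonce")
	}
	seen[nonce] = true
	return nil
}
```

Changing any signed claim (the amount, the SKU, the intent hash) changes the signature base, so the existing signatures stop verifying and the processor rejects the cart.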
Integration with the Protocol Ecosystem
AP2 is designed to work alongside—not replace—existing agent communication and payment protocols.
Agent2Agent (A2A) Protocol
AP2 functions as a payment extension to A2A, Google's protocol for agent-to-agent communication. This enables complex multi-agent scenarios:
- Shopping agents coordinating with merchant agents
- Travel agents simultaneously negotiating with airline and hotel agents
- Procurement agents interfacing with supplier agents
The A2A foundation provides the communication layer; AP2 adds the trust and payment layer.
Model Context Protocol (MCP)
AP2 integrates with Anthropic's MCP, enabling agents to access payment capabilities through the same standardised interface they use for other tools and data sources.
The A2A x402 Extension
In collaboration with Coinbase, Ethereum Foundation, and MetaMask, Google launched the A2A x402 extension—a production-ready bridge between AP2's trust framework and x402's stablecoin settlement.
As Erik Reppel, Head of Engineering at Coinbase Developer Platform, stated: "x402 and AP2 show that agent-to-agent payments aren't just an experiment anymore, they're becoming part of how developers actually build."
The x402 extension enables:
- Stablecoin payments within the AP2 mandate framework
- Agents monetising their own services
- Agent-to-agent micropayments
- Crypto settlement without abandoning AP2's trust guarantees
Complementary Infrastructure: Card Network Protocols
AP2 operates alongside—and integrates with—protocols from the major card networks.
Visa's Trusted Agent Protocol
Visa introduced the Trusted Agent Protocol (TAP) in October 2025, focusing on agent identity verification at the merchant level. Visa has explicitly aligned TAP with both AP2 and x402.
Mastercard's Agent Pay Framework
Mastercard's Agent Pay introduces:
- Trusted agent recognition: Only verified agents can initiate transactions
- Purchase intent data: Visibility into cart contents, transaction limits, validity windows
- Agentic Tokens: Extension of Mastercard's tokenisation for agent commerce
Cloudflare Web Bot Auth
Underpinning both card network protocols is Cloudflare's Web Bot Auth—a cryptographic agent authentication layer developed with Microsoft, Shopify, Checkout.com, Worldpay, and Adyen.
Web Bot Auth uses HTTP Message Signatures (IETF RFC 9421) with Ed25519 cryptography. Agents attach signatures to requests; merchants verify against registered public keys. This provides:
- Stable agent identity without relying on spoofable user agents or IP addresses
- Replay attack protection via nonces and timestamp windows
- Tagged signatures distinguishing browsing from purchasing activity
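A simplified rendering of that signing and verification, added here as an example and not Cloudflare's code: the agent signs an RFC 9421 signature base with Ed25519, and the merchant verifies against the registered key, enforces a timestamp window and rejects reused nonces. The covered components, the parameter set and the tag value are assumptions for the example, not the exact Web Bot Auth profile.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// Params are the RFC 9421 signature parameters the agent attaches; this is a simplified
// profile assumed for the example, not Cloudflare's exact Web Bot Auth profile.
type Params struct {
	KeyID, Nonce, Tag string // keyid selects the registered key; tag marks browse vs purchase
	Created           int64  // Unix seconds at signing time
}
// base builds the RFC 9421 signature base over @method, @authority and @path; the final
// "@signature-params" line means keyid, nonce, created and tag are themselves signed.
func base(method, authority, path string, p Params) []byte {
	sp := fmt.Sprintf(`("@method" "@authority" "@path");created=%d;keyid="%s";nonce="%s";tag="%s"`,
		p.Created, p.KeyID, p.Nonce, p.Tag)
	return []byte(fmt.Sprintf("\"@method\": %s\n\"@authority\": %s\n\"@path\": %s\n\"@signature-params\": %s",
		method, authority, path, sp))
}
// Sign is the agent side: the Ed25519 signature carried in the Signature header.
func Sign(priv ed25519.PrivateKey, method, authority, path string, p Params) []byte {
	return ed25519.Sign(priv, base(method, authority, path, p))
}
// Verifier is the merchant side: registered agent keys, a freshness window and seen nonces.
type Verifier struct {
	Keys   map[string]ed25519.PublicKey
	Seen   map[string]bool
	Window time.Duration
}
// Verify rejects an unknown key, a bad signature, a stale or future timestamp, or a reused nonce.
func (v *Verifier) Verify(sig []byte, method, authority, path string, p Params, now time.Time) error {
	pub, ok := v.Keys[p.KeyID]
	d := now.Sub(time.Unix(p.Created, 0))
	switch {
	case !ok:
		return errors.New("unknown keyid")
	case !ed25519.Verify(pub, base(method, authority, path, p), sig):
		return errors.New("bad signature")
	case d < -v.Window || d > v.Window:
		return errors.New("created outside freshness window")
	case v.Seen[p.Nonce]:
		return errors.New("replayed nonce")
	}
	v.Seen[p.Nonce] = true
	return nil
}
```

Because the method, authority and path are part of the signed base, a signature captured on one request cannot be re-used on a different one even inside the freshness window.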
Ecosystem Adoption
Partner Network
AP2 launched in September 2025 with over 60 partners, spanning:
Payment networks: Mastercard, American Express, JCB, UnionPay International
Payment processors: Adyen, PayPal, Worldpay, Checkout.com, Revolut
Technology platforms: Salesforce, ServiceNow, Intuit
Crypto infrastructure: Coinbase, Ethereum Foundation, MetaMask, Mysten Labs
Merchants: Etsy, Shopify, and major retailers
PayPal's Implementation
PayPal's detailed implementation plan outlines how they're integrating AP2:
- Embedding mandate artifacts into ISO 8583 and API flows
- Integrating agent-presence signals into fraud engines
- Leveraging existing wallet and checkout architecture
- Incorporating mandates into Seller Protection workflows
Key Milestones
| Date | Event |
|---|---|
| April 2025 | Mastercard Agent Pay launches |
| September 16, 2025 | Google announces AP2 with 60+ partners |
| September 29, 2025 | ACP launches with ChatGPT Instant Checkout |
| October 2025 | Visa Trusted Agent Protocol announced |
| October 2025 | Cloudflare Web Bot Auth launches |
AP2 in the Agentic Commerce Stack
AP2 operates as the trust layer in the three-protocol stack:
| Protocol | Developer | Layer | Focus |
|---|---|---|---|
| ACP | Stripe + OpenAI | Commerce | Checkout flows, merchant integration |
| AP2 | Google + 60 partners | Trust | Authorisation, identity, mandates |
| x402 | Coinbase + Cloudflare | Settlement | On-chain payment execution |
How They Work Together
As Orium's analysis describes: "ACP, AP2, and x402 are not direct competitors so much as layers in an emerging agentic commerce stack."
A complete transaction might flow:
- ACP orchestrates the checkout—agent discovers products, creates cart, initiates payment flow
- AP2 establishes trust—user signs Intent Mandate upfront; Cart Mandate locks in specific approval
- x402 settles the transaction—if paying via stablecoin, the A2A x402 extension executes the transfer
The protocols are complementary: ACP defines how to complete a purchase; AP2 proves who authorised it; x402 moves the funds when crypto is the rail.
Payment-Agnostic Design
AP2's critical advantage is payment-method independence. The same mandate framework works for:
- Credit and debit cards (via Mastercard, Visa, Amex)
- Real-time bank transfers
- Digital wallets (PayPal, Apple Pay)
- Stablecoins (via x402 extension)
- Cryptocurrencies
This positions AP2 as the universal trust layer regardless of settlement rail—whereas ACP is currently Stripe-centric and x402 is stablecoin-focused.
What This Means for the Market
The emergence of AP2 signals that trust infrastructure for agent commerce is now an industry-wide priority.
For financial institutions: AP2 provides the risk management clarity needed to underwrite agent transactions. The mandate system creates the audit trail required for compliance, dispute resolution, and fraud detection.
For AI platforms: Integrating AP2 enables agents to execute higher-value transactions. Human-not-present mandates unlock fully autonomous purchasing—the capability that transforms agents from assistants to autonomous economic actors.
For merchants: AP2-compatible transactions come with cryptographic proof of authorisation, reducing dispute exposure. The mandate chain provides irrefutable evidence if chargebacks occur.
For enterprises: The combination of ACP for commerce, AP2 for trust, and x402 for settlement provides the complete infrastructure to deploy agents with bounded financial authority—the prerequisite for autonomous procurement, expense management, and B2B transactions.
The trust layer is now defined. The final question is settlement—how do the funds actually move?
Continue to Part 3: x402 to understand how Coinbase and Cloudflare are architecting sub-3-second stablecoin settlement, or revisit Part 1: ACP for the commerce layer that initiates the transaction.
Hexploits specialises in AI infrastructure, agent architectures, and autonomous system design. If you're building systems that require cryptographic trust for agent transactions, we should talk.