Google has released the Agent Payments Protocol (AP2), an open standard designed to ensure AI agent–guided transactions are safe, verifiable, and usable across platforms. The protocol solves the trickiest problem in autonomous commerce—how to trust an agent with money—by encoding user intent and authorization as cryptographically signed artifacts. Over 60 partners found the idea compelling, early evidence that the industry wants a standard way of doing business with agents.
What AP2 actually is and how it fits existing standards
AP2 is a free-standing payment initiation and authorization plane for AI agents that operate between user, merchant, and provider. It supplements existing work such as the Agent2Agent (A2A) protocol for agent-to-agent communication and the Model Context Protocol (MCP) for tool access, offering agents a uniform, verifiable method of purchasing. Consider it the consent and accountability glue that enables an assistant to buy things cross-platform without having to build a custom integration for every checkout flow.
How the AP2 mandate flow works across use cases
AP2 is built around Mandates—tamper-resistant, cryptographically signed digital contracts that capture what a user wants an agent to do, in what circumstances, and for how much. There are two basic forms of mandates: an Intent Mandate (what the user allows the agent to search for or purchase) and a Cart Mandate (the particular purchase the agent is making). These directives assure merchants and payment providers that the agent’s action is indeed based on an explicit request from a user.
During a real-time purchase flow, the user first sends an Intent Mandate to “find and buy” before confirming a final Cart Mandate for payment. In delegated use cases (e.g., a travel bot booking a hotel under a ≤$250/night cap), the user signs an Intent Mandate upfront that includes limits, time windows, and allowed merchants. Once the conditions are met, the agent creates a Cart Mandate to execute a card transaction with the payment credentials securely attached by the user.
Multiple payment rails, one standard for agent commerce
AP2 aims to be rail-agnostic. It can handle traditional cards, real-time bank transfers, and even stablecoins, meaning agents and merchants don’t need bespoke logic for each. With card networks like American Express and Mastercard, digital payment players including PayPal, and crypto platforms like Coinbase as early supporters of the protocol, it has the potential to connect traditional and emerging payment rails under a single consent model.
Why 60 partners matter for AP2 traction and adoption
Its early backers now include Okta for identity; 1Password for credential management; Adobe and Salesforce for customer and commerce tooling; Confluent for event streaming; and Accenture, one of the giants in IT services and one of the companies best positioned to manage very large IT portfolios at scale. That cross-functional mix is important. Agent commerce is possible only if identity providers, wallets, gateways, and merchants can agree on how to “verify authority” (in the words of Paul Wallet for retailers from ABN AMRO) and settle payments. Wide acceptance could make AP2 a “new norm,” lowering the barriers to integration and speeding up merchant adoption.
Security and accountability built into AP2 mandates
AP2 applies the principle of least privilege to spending: mandates can restrict price ceilings, item categories, merchant allowlists, and frequency. Cryptographic signatures provide non-repudiation and a clean audit trail explaining who did what, when, and under which conditions. That kind of transparency, they believe, will assist merchants and payment processors in resolving disputes, managing risk, and staying compliant alongside frameworks such as PCI DSS and the NIST AI Risk Management Framework.

The protocol doesn’t eliminate model risks like prompt injection or agent hijacking, but it reduces the blast radius by ensuring that unauthorized actions are outside a mandate and can be denied or reverted. Identity providers and vaults—supporters include Okta and 1Password—can host strong key management, while merchants can demand further verification for higher-risk transactions.
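The mandate checks described in the mandate-flow and security sections, sketched as an added example (not code from the AP2 specification or its reference implementation): a verifier accepts a cart only if the signed intent is intact and the cart stays inside its limits. The field names and key are hypothetical, and HMAC is a standard-library stand-in for the asymmetric signature a real mandate would carry.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stdlib stand-in for an asymmetric
# signature; unlike one, it gives no non-repudiation (assumption).
USER_KEY = b"constructed-demo-key"

def canonical(body):
    # Stable byte encoding so signer and verifier hash the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(body, key=USER_KEY):
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def check_cart(intent, intent_sig, cart, now, key=USER_KEY):
    """Return (allowed, reason) for a cart proposed under a signed intent."""
    # 1. Any change to the signed limits invalidates the mandate.
    if not hmac.compare_digest(sign(intent, key), intent_sig):
        return False, "bad_signature"
    # 2. Time window: the delegation is valid only inside this interval.
    if not intent["not_before"] <= now < intent["not_after"]:
        return False, "outside_time_window"
    # 3. Merchant allowlist.
    if cart["merchant"] not in intent["allowed_merchants"]:
        return False, "merchant_not_allowed"
    # 4. Price ceiling, in integer cents to avoid float rounding.
    if cart["currency"] != intent["currency"]:
        return False, "currency_mismatch"
    if not 0 < cart["amount_cents"] <= intent["max_amount_cents"]:
        return False, "amount_out_of_range"
    return True, "ok"

# Constructed sample: the hotel case with a $250/night cap (hypothetical fields).
INTENT = {
    "allowed_merchants": ["hotel-a.example", "hotel-b.example"],
    "currency": "USD",
    "max_amount_cents": 25000,
    "not_before": 1_700_000_000,
    "not_after": 1_700_086_400,
}
INTENT_SIG = sign(INTENT)

if __name__ == "__main__":
    now = 1_700_000_600
    cart = {"merchant": "hotel-a.example", "currency": "USD", "amount_cents": 24900}
    print(check_cart(INTENT, INTENT_SIG, cart, now))
    # An intent whose cap was raised after signing fails the signature check.
    print(check_cart(dict(INTENT, max_amount_cents=990000), INTENT_SIG, cart, now))
```

The ordering matters: the signature is checked before any limit is read, so a tampered cap is never trusted, and each denial reason can be logged as dispute evidence.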
What it means for merchants and developers
For retailers, AP2 provides a reliable path to take in agent-initiated orders, so businesses do not have to re-engineer checkout for every assistant or device they wish to support. It could help decrease abandoned carts in agent-driven sessions, provide more robust post-purchase messaging through agent-to-merchant channels, and unlock new shopping behaviors such as replenishment and negotiated bundles with defined spend thresholds.
Google has made specifications, documentation, and reference implementations available to developers in a public repository. That lowers the bar to testing flows that include MCP tool access, A2A negotiations (e.ap2|auth), and AP2 spend authorization. As we move forward, you can expect SDKs and compliance checklists from payment partners to come out, easing the path from demo to production.
What to watch next as AP2 adoption and tooling evolve
Key factors are how fast wallets and processors embed first-class AP2 support, what the user experience looks like for mandate revocation and updates, and standardized dispute workflows attached to mandate evidence. Regulators may also pay attention as agents process more payments across cards, instant transfers, and crypto rails, placing a premium on auditability and consumer protections.
AI agents aren’t going to win people’s universal trust overnight, but AP2 provides the ecosystem with a concrete, open method for distinguishing authorized intent from everything else. With identity, payments, and commerce heavyweights on board early, the path to secure, scalable, agent-led transactions just got a lot clearer.