With the Agent Payment Protocol (AP2), your payment information and data remain private and your purchases remain secure, even when an Artificial Intelligence agent executes the transaction on your behalf.

We have spent years designing payment flows (gateways, tokens, bank redirects) assuming a sacred rule: there is a human on the other side of the screen clicking "Buy". The rise of AI has broken that assumption. If an agent is going to spend your money, the AP2 protocol serves as the trust layer so that transactions occur without human intervention but with your explicit permission.

AP2: translated for developers

If you read "Agent Payment Protocol", you probably think of a new Stripe or PayPal API. It's not exactly that.

In engineering terms, AP2 does not process the money directly. It is a framework, a shared identity and authorization layer that sits on top of MCP (Model Context Protocol). It works by issuing digital mandates. Think of a mandate as a supercharged JSON Web Token (JWT) or a smart contract cryptographically signed by a Verifiable Credential (VC).

When you ask your agent to buy something, you generate an "Intent Mandate". The agent takes that token to the merchant's agent. The merchant cryptographically verifies that the conditions (budget, product) have not been altered. If there is a match, a "Cart Mandate" is executed and the payment is closed using traditional gateways (cards, transfers or stablecoins). In short: it is a machine-to-machine consensus protocol to prevent a hallucinating AI from draining your bank account.

How does AP2 work under the hood?

The promise of AP2 is sustained by an architecture based on limits and traceability:

  1. Strict security limits (Intent Mandate): Everything starts when you set the rules of the game. You don't give it free access to your card. You tell your agent the brands, the specific products you want and, most importantly, how much it can spend. All this is encapsulated in your initial mandate.
  2. Conditional execution (Match): Only when the merchant's agent returns an offer that meets exactly those signed parameters, your agent will automatically complete the transaction for you. If the flight costs €201 and your limit was €200, the mandate is invalid and the transaction aborts.
  3. Privacy and tamper-proof mandates: The technology uses cryptographic signatures to preserve the privacy of your data. By using these tamper-proof digital mandates, AP2 ensures that the agent (whether yours, the merchant's, or the payment provider's) always acts on your behalf without exposing your raw credit card along the way.
  4. The digital paper trail (Accountability): Every step of the process is signed and logged. You will get a permanent and verifiable trail. If you ever need to make a return or there is a fraud dispute, you and the merchant have the same cryptographic record. You will know exactly what instruction you gave to the machine and what the merchant replied.

How is it different from classic tokenization or 3D Secure?

It's a logical doubt. When engineers hear about AP2, the first reaction is usually: "But isn't this already done by Stripe's network tokens or the bank's 3DS?". The short answer is no. They solve different layers of the problem.

Tokenization (Apple Pay, Stripe PCI Vaults) Their only job is to obfuscate the PAN (the long number of your card). They swap the real data for a temporary identifier. The problem is that a token has no "business context". If you give your token access to an agent and it hallucinates, it can execute fifty €1,000 charges in a row. Tokenization protects against data theft, not against unauthorized spending.

3D Secure (3DS2 and PSD2) It is a human authentication protocol. Its purpose is to stop the payment process, send you an SMS or open the banking app to ask for your fingerprint (FaceID). It answers the question: "Are you the human clicking right now?". If your autonomous agent finds a flight deal at 4 AM while you are sleeping and tries to buy it, 3DS will block the transaction. The agent cannot read your SMS or use your fingerprint.

The gap AP2 fills AP2 does not replace tokens or gateways, it wraps them. It acts as an asynchronous delegation system. You cryptographically sign the "Intent Mandate" with your rules. When the agent closes the deal with the store, it sends that mandate along with the payment token.

The payment gateway uses the AP2 mandate as irrefutable cryptographic proof that you pre-authorized that exact purchase. This allows banks to consider the operation as "frictionless", bypassing the 3DS challenge (and the SMS at 4 AM) without violating financial security regulations.

A practical example: Buying sneakers on autopilot

Imagine you need very specific running shoes, but you don't have time to look for deals during the week.

  1. The instruction: You open your terminal or app and tell your agent: "Find me some Nike Pegasus 40 sneakers, size 43, white color. You have permission to buy them if the total price with shipping drops below €110".
  2. The agent searches and negotiates: Your agent connects to the internet and starts communicating via the A2A (Agent-to-Agent) protocol with the agents of different stores.
  3. Mandate Generation: Store X replies to your agent with a price of €105. Your agent validates that it meets your Intent Mandate and issues the cryptographically signed Cart Mandate.
  4. Transaction closing: The AP2 protocol verifies the credentials of both parties. The store's agent charges the €105 from your wallet (using your secure payment token) and processes the order.

You were sleeping or working. When you look at your phone, you have the verifiable digital receipt and an email with the tracking number. Without AP2, the risk of the agent buying three pairs by mistake, or the merchant altering the final price, would be unacceptable.