Here’s a thing that’s about to become a real problem for a lot of businesses. An AI agent is going to try to buy something on your behalf, and nobody is quite sure whose responsibility it will be if that goes wrong.
This isn’t hypothetical. AI agents that browse, compare, and purchase are already in early production. The moment an agent stops just recommending and starts actually transacting, a cascade of questions opens up. Did the user actually authorize this? Which agent made the purchase? Who bears liability if the agent buys the wrong thing, or gets manipulated into buying something it shouldn’t? How does the merchant verify the buyer is who they claim to be when there’s no human sitting at a keyboard?
AP2, the Agent Payments Protocol, is Google’s proposed answer to those questions. Google announced AP2 in September 2025, then re-launched it more formally in April 2026 with over 60 founding partners, including Mastercard, PayPal, Adyen, American Express, Coinbase, and Revolut. It’s an open protocol designed to give agentic commerce the trust infrastructure it currently lacks.
The Problem AP2 Solves
Every existing payment system assumes a human is present at the point of authorization. You swipe a card, enter a PIN, tap your phone, approve a notification. The security model is built around verifying that a real person with the right credentials is making a deliberate choice. When an AI agent steps into that role, the assumption breaks. The agent doesn’t have a fingerprint. It can’t be sent an SMS code. And “the user approved it” is a statement that’s very hard to verify after the fact if nobody recorded what “approved” actually looked like.
AP2 solves this by introducing something called a mandate. A mandate is a cryptographically signed digital contract. It captures exactly what a user authorized an agent to do, under what conditions, and with what limits. There are three types. A Cart Mandate covers a specific purchase the user is present to approve. An Intent Mandate captures broader pre-authorization. The user says “buy this item when the price drops below $50,” and the agent acts autonomously when that condition is met. A Payment Mandate is derived from the other two and is what actually gets sent to the issuer when a transaction executes.
Each mandate is signed using Verifiable Credentials, a cryptographic standard that makes the authorization tamper-evident and auditable. The transaction record isn’t a log entry that can be disputed or amended. It’s a signed artifact that answers three questions unambiguously: who authorized this, what exactly was authorized, and which agent acted on it.
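To make the mandate check concrete, here is an added example (not code from the AP2 specification or from Google) of how a verifier might test a proposed purchase against a signed Intent Mandate like the "below $50" one above. The field names, identifiers and key are hypothetical, and HMAC stands in for the asymmetric Verifiable Credential signature so the sketch runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the asymmetric Verifiable
# Credential signature so the example runs on the standard library alone.
USER_KEY = b"constructed-demo-key"

def canonical(body: dict) -> bytes:
    # Deterministic serialization so signer and verifier hash the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_mandate(body: dict, key: bytes) -> dict:
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}

def check_purchase(mandate: dict, purchase: dict, key: bytes, now: int) -> str:
    # Returns "ok" or the reason the purchase falls outside the mandate.
    body = mandate["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mandate["sig"]):
        return "bad signature"            # mandate was altered after signing
    if now > body["expires"]:
        return "mandate expired"
    if purchase["agent_id"] != body["agent_id"]:
        return "wrong agent"              # which agent acted on it
    if purchase["item"] != body["item"]:
        return "item not authorized"      # what exactly was authorized
    if purchase["price_cents"] >= body["max_price_cents"]:
        return "price condition not met"  # "below $50" is a strict bound
    return "ok"

# Constructed intent mandate: "buy this item when the price drops below $50".
INTENT = sign_mandate({"user": "user-123", "agent_id": "agent-A", "item": "sku-42",
                       "max_price_cents": 5000, "expires": 1_800_000_000}, USER_KEY)

def demo() -> list:
    now = 1_700_000_000
    good = {"agent_id": "agent-A", "item": "sku-42", "price_cents": 4999}
    # The limit is raised after signing while the original signature is kept.
    forged = {"body": dict(INTENT["body"], max_price_cents=50000), "sig": INTENT["sig"]}
    return [
        check_purchase(INTENT, good, USER_KEY, now),
        check_purchase(INTENT, dict(good, price_cents=5000), USER_KEY, now),
        check_purchase(INTENT, dict(good, agent_id="agent-B"), USER_KEY, now),
        check_purchase(forged, dict(good, price_cents=20000), USER_KEY, now),
    ]

if __name__ == "__main__":
    print(demo())
```

The signature check runs first on purpose: limits read from an unverified mandate body mean nothing, which is why the forged mandate is rejected before its inflated price limit is ever consulted.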
Why the Partner List Matters
AP2 is open source under Apache 2.0 and lives on a public GitHub. Anyone can implement it. But the reason it’s likely to become the standard rather than one of several competing ones is the coalition behind it.
Mastercard has gone furthest in integrating AP2 into its own product. Mastercard Agent Pay is their agentic payments framework. It implements AP2 mandates alongside their own Verifiable Intent standard, creating a unified cryptographic proof layer for agent-initiated transactions on their network. When an AP2-compliant agent transacts through Mastercard, the entire authorization chain is verifiable end-to-end.
PayPal’s integration is oriented around their merchant network. They’re positioning AP2 as the trust layer for their existing agentic commerce services, which let merchants accept payments from AI surfaces. Adyen is approaching it from the infrastructure side. They’re contributing to a common rulebook for AI payments that standardizes how agentic orders get processed across payment types, regions, and merchant categories.
The protocol is also payment-method agnostic, which matters more than it might initially seem. It works with credit cards, bank transfers, stablecoins, and cryptocurrency. Building agent payment infrastructure that only handles one payment rail is building it to become obsolete.
What ISVs Building in Commerce Need to Know
If you build software that processes payments or lives anywhere near the commerce workflow, AP2 is worth understanding now rather than after your enterprise customers start asking about it.
The immediate implication is that any AI agent features your product includes that touch purchasing decisions are going to face scrutiny around authorization and accountability. “The user clicked approve” is going to be an insufficient answer. Not when the clicking was done by an agent acting on a mandate the user set six weeks ago. Enterprise buyers in financial services, retail, and healthcare are going to require auditable proof of agent authorization. AP2 is the emerging standard for what that proof looks like.
The less obvious implication is on the opportunity side. ISVs that build AP2-compliant agent payment flows into their products early will have a concrete, verifiable answer to the authorization and accountability question, which is coming in every enterprise security review. That’s a real differentiator in a market where most competitors are still figuring out what the question even means.
AP2 fits into the broader agentic stack. It sits alongside A2A, which handles how agents communicate with each other, and MCP, which handles how agents interact with tools and external systems. AP2 handles the transaction layer specifically. If your agentic workflows involve purchasing or financial commitments, all three are worth understanding.
Want to go deeper?
- AP2 official announcement (Google Cloud blog): the original launch post with architecture overview, mandate types, and founding partner list.
- AP2 protocol specification: the full technical specification, including mandate schemas and Verifiable Credential requirements.
- Mastercard Agent Pay: Mastercard’s implementation of AP2-aligned agentic payments, including their Verifiable Intent standard.
- PayPal on AP2 integration: PayPal’s developer blog on how they’re integrating AP2 into their agentic commerce services.
