Agent Payments Protocol (AP2)
Launched in September 2025 by Google in collaboration with 60+ industry partners, the Agent Payments Protocol (AP2) provides a standard for securely initiating and completing transactions led by AI agents. Traditional payment systems are built on the assumption that a human is always present to click "buy." But in agentic commerce, this is no longer guaranteed. What happens when a user delegates a task for the agent to complete hours or days later?
AP2 creates the necessary cryptographic foundation to handle both real-time and delegated agent-led commerce securely and at scale. It addresses three fundamental questions that arise when an AI agent makes a purchase:
- Authorization: How do you prove that a consumer gave an agent the specific authority to make a particular purchase?
- Authenticity: How can you be sure that an agent's request accurately reflects the consumer's true intent?
- Accountability: If a fraudulent or incorrect transaction occurs, how is accountability determined?
AP2 answers these questions by using cryptographically-signed digital contracts called Mandates, which create a tamper-proof audit trail for every agent-led transaction.
How the agent payments protocol works: the mandate model
AP2 provides verifiable proof of consumer authorization through its core component: Mandates. These tamper-proof digital contracts are based on the robust W3C Verifiable Credentials standard, making them inherently secure and portable. Each mandate is a signed JSON object that forms a tamper-evident, verifiable audit trail. Any attempt to modify it will break its cryptographic signature, rendering it invalid. This built-in security is what makes the system trustworthy, addressing fraud and disputes with cryptographic proof.
AP2 defines three mandate types for the transaction lifecycle:
- Intent Mandate: This mandate captures the consumer's initial high-level instruction. It defines the scope and rules for the agent's task. This can be a real-time search ("Find me new running shoes under €150") or a delegated, long-running task ("Buy tickets for this concert the moment they go on sale, up to €200 for two seats together"). The Intent Mandate serves as the foundational proof of the consumer's consent.
- Cart Mandate: Once an agent presents a specific cart of items, this mandate is created to lock in the exact details: the items, quantities, price, and terms. Crucially, it is cryptographically signed by both you (committing to the cart's contents and price) and the consumer (confirming what they see is what they agree to pay for). This creates a non-repudiable record that is invaluable for resolving disputes.
- Payment Mandate: This is a minimal credential derived from the Cart Mandate. It is appended to the payment authorization and signals to the payment network (and issuers) that an agent was involved. It specifies the transaction modality (human-present or human-not-present) without exposing sensitive cart or payment details to every party in the chain. This separation is critical: the shopping agent orchestrates the purchase but never sees raw payment data, ensuring PCI-DSS compliance is maintained.
Transaction modalities
AP2 is designed to support the two primary ways a user will shop with an agent.
Real-Time purchases (Human-Present)
This modality covers real-time, conversational shopping sessions where the consumer is actively involved.

- Consumer asks agent to find products ("Find me hiking boots")
- Agent creates an Intent Mandate capturing the request.
- Consumer approves the Mandate (confirms authorization).
- Agent presents cart with found products.
- Consumer reviews and signs the Cart Mandate (approves specific items and price).
- Consumer selects payment method and confirms.
- System creates a payment mandate and executes transaction.
- Consumer receives confirmation.
In this flow, the consumer's signatures at steps 3 and 5 (approving the Intent Mandate and signing the Cart Mandate) provide irrefutable proof of authorization at each step, signaling a low-risk transaction to the payment network.
Think of a consumer interacting with Google's Gemini or a brand's chatbot to find and purchase a gift.
- Use case: A consumer asks an agent, "Find me a wool sweater for my dad's birthday, under €100."
- The flow: The agent presents options, and the consumer actively confirms their choice. The consumer provides real-time signatures for both the Intent Mandate ("find a sweater") and the Cart Mandate ("I agree to buy this specific sweater for €95").
- The result: Each consumer signature provides strong, irrefutable proof of authorization at every step. For payment processors and banks, this signals a low-risk, user-attended transaction, similar to a traditional online purchase.
Delegated tasks (Human-Not-Present)
This is the most transformative modality, enabling fully autonomous commerce. The agent acts on pre-approved instructions without the consumer being present at the time of the transaction.

- Consumer creates an Intent Mandate upfront with detailed conditions: "Purchase this one-way flight when price drops below €300".
- Consumer signs this Mandate once and grants the agent authority to execute.
- Agent monitors conditions continuously.
- When conditions are met, agent automatically creates a Cart Mandate on the consumer's behalf.
- Agent proceeds to payment using the pre-approved mandate.
- Consumer receives confirmation and can dispute if needed.
This is the key distinction for autonomous tasks. In human-not-present scenarios, the consumer pre-authorizes the agent by defining clear boundaries. The agent then executes the purchase on its own within those constraints. The signed Intent Mandate provides you with cryptographic certainty that the agent is authorized, creating a fully auditable and trustworthy transaction.
- Use case: A consumer sets a rule: "Buy the new limited-edition 'Apollo' sneakers from SneakerWorld the moment they are released next Tuesday, as long as the price is under €250."
- The flow: The consumer signs a single, detailed Intent Mandate upfront, granting the agent specific, bounded authority. When the sneakers are released, the agent acts on this pre-authorization, automatically creating the Cart and Payment Mandates to complete the purchase on the consumer's behalf.
- The result: The signed Intent Mandate provides you with cryptographic certainty that the agent is authorized to act. This is the key distinction for autonomous tasks: AP2 provides a framework for "delegated trust," creating a fully auditable and secure transaction even without the consumer being present.
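The delegated check described above, together with the earlier point that any modification of a mandate breaks its signature, as an added example (not code from AP2 or from this page). The mandate layout, the field names (`merchant`, `priceBelowCents`, `expires`, `proof`), the function names and `sneakerworld.example` are assumptions for illustration; Ed25519 over sorted-key JSON stands in for a real Verifiable Credential proof.

```javascript
// Added example: mandate layout and field names are assumptions, not the AP2 schema.
const crypto = require("node:crypto");

// Sorted-key serialization: a simplified stand-in for a scheme such as JCS (RFC 8785).
function canonical(v) {
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (v && typeof v === "object")
    return "{" + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(v[k])).join(",") + "}";
  return JSON.stringify(v);
}
function signMandate(body, privateKey) {
  const sig = crypto.sign(null, Buffer.from(canonical(body)), privateKey); // Ed25519
  return { body, proof: sig.toString("base64") };
}
function verifyMandate(mandate, publicKey) {
  return crypto.verify(null, Buffer.from(canonical(mandate.body)), publicKey,
    Buffer.from(mandate.proof, "base64"));
}

// Human-not-present check: the agent-built cart must stay inside the signed bounds.
function checkDelegatedCart(intent, consumerKey, cart, now) {
  if (!verifyMandate(intent, consumerKey)) return "reject: intent signature invalid";
  const b = intent.body;
  if (now > Date.parse(b.expires)) return "reject: intent expired";
  if (cart.merchant !== b.merchant) return "reject: merchant not authorized";
  if (cart.currency !== b.currency || cart.totalCents >= b.priceBelowCents)
    return "reject: over price limit";
  return "accept";
}

// Constructed sample data modelled on the sneaker use case above.
const consumer = crypto.generateKeyPairSync("ed25519");
const intent = signMandate({
  type: "IntentMandate", merchant: "sneakerworld.example", item: "Apollo sneakers",
  currency: "EUR", priceBelowCents: 25000, expires: "2030-01-01T00:00:00Z",
}, consumer.privateKey);
const now = Date.parse("2029-06-01T00:00:00Z");
const cart = { merchant: "sneakerworld.example", currency: "EUR", totalCents: 23900 };

function demo() {
  // An agent (or anyone in the chain) raising the limit invalidates the proof.
  const tampered = { ...intent, body: { ...intent.body, priceBelowCents: 99900 } };
  const pricey = { ...cart, totalCents: 26000 };
  return [checkDelegatedCart(intent, consumer.publicKey, cart, now),
    checkDelegatedCart(intent, consumer.publicKey, pricey, now),
    checkDelegatedCart(tampered, consumer.publicKey, pricey, now)];
}
console.log(demo());
```

The signature is verified before any field of the mandate is read, so limits are only ever taken from bytes the consumer actually signed.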
Why is Agent Payments Protocol important?
Preparing for AP2 today gives you a strategic advantage in the emerging landscape of agent-driven commerce. AP2 addresses a fundamental challenge in agentic commerce: how to enable AI agents to initiate and complete transactions on a user’s behalf with verifiable authorization and strong fraud protection.
In addition, AP2 enables secure agent-initiated transactions across different payment means—including cards, bank-based payments, and emerging payment rails like stablecoins. By supporting both real-time and human-not-present, delegated purchase scenarios, AP2 makes it possible for agents to execute transactions automatically and securely.
By making your infrastructure AP2-ready, you position yourself to participate in the next generation of trusted, agent-driven commerce without sacrificing security or payment reach.
Prepare for your integration
Based on industry guidance, you can take the following actionable steps today to ensure your systems are ready for agentic commerce:
- Verify your payment processor's AP2 readiness: AP2 requires close alignment between merchants, PSPs, and payment ecosystems. At Worldline, we are closely co-developing and testing AP2. Make sure to partner with a PSP that is prepared to support AP2.
- Audit your checkout for delegated authorization: AP2 introduces new authorization patterns. You must ensure your checkout flows can support agent-initiated transactions without requiring human login. Focus on:
  - Guest checkout capability: Ensure seamless guest flows exist, as agents won't log in via traditional user accounts.
  - CAPTCHA blocking: Review if your bot detection blocks legitimate agent traffic.
  - Fraud rules: Audit CVV, AVS, and risk thresholds that might reject valid agent transactions.
- Prepare machine-readable product data: Agents need structured, machine-readable product information to shop effectively. Implement standards such as schema.org for your product listings to ensure agents can understand specifications, pricing, inventory, and policies.
- Synchronize real-time inventory: Your inventory must be synchronized in real-time between your product pages accessed by agents and your checkout systems. If an agent detects an item as "in stock" but it's unavailable at checkout, the transaction will fail.
- Review bot access and WAF rules: Agents must be able to crawl your website to evaluate products. Review and update your robots.txt and Web Application Firewall (WAF) rules to allow recognized agent user-agents selectively.
- Prepare agent-ready integration points: While your payment processor will handle the technical handshake with AP2, you must offer clear API endpoints or structured data for agents to interact with. Review if an agent can programmatically search your catalog, validate pricing, and fetch order status.
- Plan for fraud rule adaptation: Work with your payment processor to design risk frameworks that incorporate AP2 mandate signals into existing fraud models, helping to distinguish legitimate agent-initiated transactions from fraud.
Get started
To get started with AP2, the official public repository hosted by Google is your primary resource. It contains the complete technical specification, reference implementations, and all documentation required for integration. For detailed steps and to review the protocol, visit the GitHub repository.