Google’s AP2 arrives to unlock real commerce for AI agents

The short version

Google’s Agent Payments Protocol, AP2, is a new open standard designed to let AI agents pay for goods and services with verifiable user consent. Announced on September 16, 2025, AP2 introduces signed mandates that link what a user asked an agent to do with the exact purchase that was executed, creating an auditable chain from intent to settlement. It fits alongside agent messaging standards, then plugs into a variety of payment rails so that agents can complete real transactions.

If you have been waiting for the moment when agents move from product finder to actual buyer, AP2 is the missing piece.

Why trusted checkout is the blocker for agents

Agents are getting good at research, comparison, and negotiation. The last mile has been checkout. Merchants, issuers, and wallets need proof that a machine-initiated transaction reflects a human’s instruction, that the scope of authority was not exceeded, and that someone is accountable if something goes wrong. Without a standard, each provider was improvising trust signals, which meant brittle integrations and a fragmented user experience.

AP2 tackles three questions head on:

• Authorization, did the user delegate authority to this agent for this kind of purchase
• Authenticity, does the payment request match the user’s actual instruction and the final cart
• Accountability, who is responsible if the transaction deviates from policy or outcomes

By answering these consistently, the protocol gives merchants confidence to accept agent-initiated orders and gives issuers confidence to approve them.

What AP2 actually standardizes

AP2 focuses on the evidence that travels with a transaction. It defines data objects, cryptographic signatures, and the flow between them so different platforms can interpret agent checkout the same way.

The mandate workflow

At the core are two signed artifacts that travel with a transaction:

• Intent Mandate, a signed snapshot of the user’s instruction to the agent. It captures scope such as item categories, constraints like price caps or brands, and timing. If you say, find me size 10 trail runners under 150 dollars, that context is frozen into the Intent Mandate.
• Cart Mandate, a signed approval of the specific cart the agent assembled. It includes item identifiers, quantities, price, taxes, shipping, and time bound validity. This proves the user, or a policy acting on the user’s behalf, approved the exact purchase.

The link from intent to cart is crucial. Together they produce a non repudiable record of what was asked and what was bought. For real time purchases, the user can sign both in a single flow. For delegated scenarios, the user signs the intent in advance and policy decides when to mint cart approvals under that scope.

Roles and identities

AP2 clarifies the actors and the claims they make. The user and their agent possess credentials that can be validated by merchants, issuers, and payment service providers. Merchants and their agents present their own credentials, including risk posture and policy restrictions. The protocol does not force one identity system. Instead, it relies on verifiable credentials that can be issued by trusted parties. This preserves flexibility while maintaining a chain of attestations.

Auditability by design

Every step in the flow produces tamper evident logs that downstream systems can consume, from fraud tooling to accounting. If there is a dispute, the parties can examine the mandates and signatures to see whether the agent stayed within scope. That allows for clear resolution without guessing what the user meant or what the agent intended.

Payment method agnostic

AP2 does not pick a winner in payments. It defines how proof of intent and approval accompany a transaction, then lets existing rails do what they do best. Card networks, account to account transfers, and digital asset rails can all carry a transaction that is backed by AP2 artifacts.

How AP2 fits with A2A and tools

Think of the modern agent stack in layers. Collaboration and tool invocation happen over agent messaging protocols such as Agent2Agent, where agents negotiate, request quotes, and compose plans across vendors. Context tools and extensions bring browsing, retrieval, and plugins into the flow. AP2 slots in when the plan reaches checkout. It is the payment evidence layer, not the conversation layer.

This separation matters. Agent interactions across browsers or enterprise platforms can evolve without changing the way payments are authorized, and vice versa. If you are tracking how agents will run in the browser, our deep dive on Claude for Chrome makes the browser the agent runtime shows where shopping assistants and page level automation are heading. For enterprise stacks, our look at OpenAI and Databricks bring GPT‑5 natively to Agent Bricks explains how companies are assembling fleets of agents behind policy gates. AP2 provides the common checkout language both worlds can share.

Where the payment rails stand today

On day one, the practical path runs through familiar instruments. Card rails remain the easiest way to reach global acceptance, and issuers already know how to evaluate risk given a strong set of signals. Real time account transfers and bank linked payments are a natural next step where local infrastructure supports them. Digital asset rails, especially programmable stablecoins, are interesting for machine to machine scenarios, microtransactions, escrow, and conditional settlement.

The headline, AP2 treats these as interchangeable from a trust perspective. As long as the payment provider honors the AP2 evidentiary model, the merchant can accept and the issuer can evaluate with the same mental model.

What changes for merchants and issuers

Merchants gain a standard way to accept orders from agents without whitelisting a hundred one off integrations. The cart mandate gives SKU level clarity, so fulfillment and customer service do not lose context. Risk teams can inspect signed artifacts when a return or chargeback arises. Marketing and merchandising can run agent targeted offers that are provably accepted, not just clicked.

Issuers receive structured, verifiable proof of what the user authorized, plus policy signals from the user’s agent. That allows approvals that would have looked risky under traditional heuristics. For delegated shopping, issuers can honor standing instructions with precision rather than pushing the user through repeated out of band challenges.

Security, compliance, and privacy

AP2 is opinionated about evidence, not about where secrets live. It avoids centralizing sensitive data while making sure each party can prove its claims. Verifiable credentials allow selective disclosure, so a merchant might learn that a buyer’s agent is authorized for purchases up to a limit without seeing unnecessary personal details. Compliance checks like sanctions screening or travel rule payloads can be tied to settlement steps. Privacy and proof can co exist when the protocol defines the minimum viable claims that must traverse the flow.

From a threat perspective, the biggest risks are mandate replay, agent impersonation, and policy drift. AP2’s signatures, unique identifiers, and expiry rules help mitigate replay. Credential binding and attestation combat impersonation. Policy drift is handled by making the policy at the time of signing part of the record. None of this removes the need for good endpoint security and strong key management, but it moves the ecosystem from best effort to standard practice.

Developer experience, what it looks like in code

Developers do not adopt protocols, they adopt repos, SDKs, and working samples. Google has published reference documentation and runnable scenarios in the AP2 GitHub repository. You can run a shopping agent that assembles a cart, issues an Intent Mandate, captures a Cart Mandate, and then drives a mock payment. The examples show both human in the loop approvals and delegated flows with policy rules.

In practice you will:

1. Register your agent and obtain credentials appropriate for your role, buyer side or merchant side.
2. Capture a user instruction and mint a signed Intent Mandate that encodes scope and constraints.
3. Conduct discovery and negotiation over your preferred agent messaging stack.
4. Present a cart proposal and obtain a signed Cart Mandate if the user or policy approves.
5. Attach both mandates and relevant credentials to the payment request you send to the provider.
6. Record the returned receipt and proofs for downstream services such as ERP, tax, and support.

The initial SDKs focus on Python and Android samples, which should be familiar to teams already building shopping assistants or retailer agents. The repository demonstrates how to keep mandate signing auditable and how to thread IDs through your services so logs line up later.

Real world scenarios AP2 unlocks

• End to end retail bundles, a user asks for a weekend bike trip kit under a budget. Their agent coordinates across retailers, negotiates a bundle price, then presents a cart for approval. The cart mandate locks in items and price, the purchase executes immediately.
• Delegated ticket buying, the user sets a standing instruction to buy concert tickets under 100 dollars whenever a tour date drops in their city. The agent holds the intent mandate, monitors inventory, and mints cart approvals at the moment of release.
• Enterprise procurement, a team lead authorizes an agent to buy development tools up to a monthly cap. AP2 records policy, approvals, and vendor credentials so finance can reconcile purchases without chasing down emails.
• Data and tooling marketplaces, agents can pay other agents for API calls, crawls, and model inferences in small increments with clear receipts. This supports pay per use pricing without manual invoicing.
• Returns and disputes, an agent can initiate a return using the original cart mandate and receipt, which makes it straightforward to validate eligibility and route the item back through warehouse flows.

Each scenario turns what used to be a set of screenshots and emails into artifacts that machines can validate. That is the prerequisite for scaling agent commerce beyond pilots.

Industry response and momentum

Support at launch spanned dozens of payment networks, merchants, and technology providers. The breadth matters because AP2’s utility grows as more counterparts recognize its artifacts. Early demos showcased full journeys from discovery through checkout, with credentialed agents on both buyer and seller sides. News outlets covered the debut and emphasized the mandate model and the open approach, see TechCrunch’s report on the new protocol for agent-driven purchases.

No one should assume instant ubiquity. Standards win when they make everyone’s job easier. Merchants will integrate AP2 capable flows where agents already drive incremental demand. Issuers will tune approval logic as they see clear fraud reductions tied to mandate evidence. Wallets and super apps will expose user friendly consent screens for signing intent and cart approvals.

What could still go wrong

• Fragmentation, competing approaches could re introduce one off integrations. The antidote is staying faithful to the evidence model and mapping payment rails to the same artifacts.
• UX friction, signing mandates must feel natural. If users are asked to sign too often, they will turn agents off. If they are asked too rarely, risk rises. Expect iteration on default policies, pairing strong authentication with lightweight approvals.
• Policy conflicts, enterprises will want layers of oversight, from spend controls to vendor lists. AP2 supports that with policy claims, but implementation details will matter.
• Regulatory clarity, different markets interpret delegated consent and liability differently. The protocol provides the evidence, but rules about who pays when something fails vary by jurisdiction.
• Cost and latency, attaching proofs and verifying credentials adds steps. Smart caching, short lived credentials, and batched checks will be key.

None of these are showstoppers. They are the usual maturation steps when a new layer becomes part of the transaction fabric.

How to prepare if you are building with agents

• Merchants, instrument your catalogue and carts so agents can produce precise proposals. Add AP2 aware endpoints that accept mandates and return receipts with verifiable details. Train support and fraud teams to read mandate evidence.
• Issuers and wallets, extend authorization systems to ingest mandate fields. Expose user friendly consent managers that let people set durable spending policies and revoke them cleanly.
• Agent platform teams, keep your conversation layer modular. Adopt messaging standards for discovery and negotiation, then layer AP2 at checkout. Reuse the same mandate signing logic across web, mobile, and back office agents to simplify audits.
• Developers, start in a sandbox. Run the samples, wire mandate creation into your agent’s plan executor, then treat verification like a middleware that every outbound payment passes through.

Final take

AP2 is the most credible attempt so far to convert agent promises into real, trustworthy checkout. By making intent and approval portable, verifiable, and readable by machines, it provides the common language that merchants, issuers, wallets, and agent platforms have been missing. The timing is right. Agent interactions are graduating from novelty to utility. Retailers want to personalize offers for agents that arrive with context. Enterprises want to codify spend rules so delegated purchases do not go feral. Consumers want help, not surprises.

There is still hard work ahead. Adoption curves always take time, and the first integrations will surface edge cases in UX and policy. But the essential piece is now standardized. If your roadmap depends on agents that can actually buy things, AP2 turns that into a plan you can ship. Start with the samples, plug it into your agent stack, and build the mandate centric checkout your users can trust.