Agent Payments Protocol (AP2)
How does an AI agent pay for something?
AP2 is Google's payment authorization layer for agents. Where A2A handles communication and UCP handles commerce, AP2 handles the money — authorizing payments through cryptographic credentials so agents can transact without storing card numbers or passwords.
Verifiable Credentials
The core primitive is the VDC (Verifiable Digital Credential) — a cryptographically signed authorization that proves an agent has permission to spend.
| Property | What It Does |
|---|---|
| Issuer | Who created the credential (bank, wallet, institution) |
| Subject | Which agent holds the credential |
| Scope | What the agent can do (amount limits, merchant categories, time windows) |
| Proof | Cryptographic signature proving authenticity |
| Revocable | Can be canceled by the issuer at any time |
VDCs replace stored credentials. Instead of giving an agent a credit card number, the card issuer gives it a signed credential with specific permissions. The agent proves it's authorized without ever seeing the underlying payment instrument.
Three Mandate Types
AP2 uses three escalating authorization levels:
| Mandate | What It Authorizes | When Used |
|---|---|---|
| Intent | "Buy something in this category up to $X" | Agent browsing, price comparison |
| Cart | "Purchase these specific items for $Y" | Agent has selected items |
| Payment | "Execute this payment of $Z to this merchant" | Final settlement |
```
INTENT MANDATE        CART MANDATE          PAYMENT MANDATE
"Up to $500 on        "These 3 items        "Pay $347.50 to
 electronics"          for $347.50"          merchant X"
      ↓                     ↓                     ↓
Agent shops           Agent confirms        Payment settles
with budget           specific purchase     on merchant's rails
```
Each mandate narrows scope. The human (or authorizing system) sets broad intent, the agent refines to cart, the payment system executes. At each step, the VDC proves authorization.
Payment Architecture
```
HUMAN/SYSTEM                 AGENT                          MERCHANT
     |                         |                               |
     |-- Issues Intent VDC --->|                               |
     |   (budget, categories)  |                               |
     |                         |-- Shops via UCP ------------->|
     |                         |   (browse, cart, discount)    |
     |                         |<--------- Cart total ---------|
     |                         |                               |
     |<--- Request Cart VDC ---|                               |
     |-- Issues Cart VDC ----->|                               |
     |   (specific items, $)   |                               |
     |                         |-- Authorize via AP2 --------->|
     |                         |   (Payment VDC)               |
     |                         |<--------- Confirmation -------|
```
The human never sees card details. The agent never stores card details. The VDC chain proves authorization at every step. Revocation propagates instantly — cancel a VDC and the agent loses purchasing power in real time.
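The checks a verifier would run over the Intent, Cart, Payment chain described above (proof, revocation, time window, and that each mandate only narrows its parent), as an added example that is not code from AP2 or from the original page. Assumptions: HMAC-SHA256 with a demo key stands in for the issuer's signature, the `REVOKED` set stands in for an issuer status lookup, and all field names and ids are illustrative rather than AP2's schema.

```python
import hashlib, hmac, json

# Assumptions: HMAC-SHA256 with a demo key stands in for the issuer's signature
# (a real issuer would sign asymmetrically); field names are not AP2's schema.
ISSUER_KEY = b"constructed-demo-key"
REVOKED = set()      # ids the issuer has revoked; stands in for a live status lookup
NOW = 1_700_000_000  # constructed clock value for the sample chain

def _proof(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issue(vdc_id, kind, subject, max_cents, category, merchant, expires, parent=None):
    body = {"id": vdc_id, "kind": kind, "subject": subject, "max_cents": max_cents,
            "category": category, "merchant": merchant, "expires": expires, "parent": parent}
    return {**body, "proof": _proof(body)}

def verify_chain(chain, now):
    """Check an [intent, cart, payment] chain; return (ok, reason)."""
    if [m.get("kind") for m in chain] != ["intent", "cart", "payment"]:
        return False, "wrong mandate order"
    prev = None
    for m in chain:
        mid = m.get("id")
        body = {k: v for k, v in m.items() if k != "proof"}
        if not hmac.compare_digest(str(m.get("proof", "")).encode(), _proof(body).encode()):
            return False, f"{mid}: bad proof"
        if mid in REVOKED:
            return False, f"{mid}: revoked"
        if now >= m["expires"]:
            return False, f"{mid}: expired"
        if prev is not None:
            if m["parent"] != prev["id"] or m["subject"] != prev["subject"]:
                return False, f"{mid}: not bound to parent"
            if (m["max_cents"] > prev["max_cents"] or m["expires"] > prev["expires"]
                    or m["category"] != prev["category"]
                    or prev["merchant"] not in (None, m["merchant"])):
                return False, f"{mid}: widens parent scope"
        prev = m
    if chain[-1]["merchant"] is None:
        return False, "payment mandate names no merchant"
    return True, "ok"

def sample_chain():
    """Constructed chain matching the page's $500 / $347.50 illustration."""
    exp = NOW + 3600
    intent = issue("vdc-1", "intent", "agent-a", 50_000, "electronics", None, exp)
    cart = issue("vdc-2", "cart", "agent-a", 34_750, "electronics", None, exp, "vdc-1")
    pay = issue("vdc-3", "payment", "agent-a", 34_750, "electronics", "merchant-x", exp, "vdc-2")
    return [intent, cart, pay]
```

Revoking the root id fails every chain built on it, but only because `verify_chain` consults the revocation state on each call; a verifier that caches an earlier "ok" would keep accepting the chain.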
Settlement Rails
AP2 authorizes. Settlement happens on whatever rails the merchant supports:
| Rail | Speed | Cost | Best For |
|---|---|---|---|
| Card networks (Visa, Mastercard) | 1-3 days | 1-2% | Traditional merchant checkout |
| Stablecoins (USDC, USDT) | Seconds | <0.1% | Cross-border, agent-to-agent |
| x402 (Coinbase + Google) | Seconds | <0.1% | Crypto-native agent payments |
| Bank transfer (ACH, SEPA) | 1-5 days | Low | Large B2B transactions |
AP2 is rail-agnostic. The VDC proves authorization; the merchant chooses settlement infrastructure.
x402 Extension
x402 is the crypto-native extension — Coinbase, Google, and the Ethereum Foundation collaborating on stablecoin settlement for agent payments.
| Feature | What It Does |
|---|---|
| HTTP 402 | Standard "Payment Required" response triggers agent payment |
| Stablecoin settlement | USDC on Base, Sui, or Ethereum |
| Micropayments | Sub-cent transactions viable on L2s |
| Atomic settlement | Payment and delivery in one transaction |
x402 makes the web itself payable. Any HTTP endpoint can require payment. Any agent can pay. No payment forms, no checkout flows — just a 402 response and a stablecoin transfer.
Partners
60+ launch partners across the payment ecosystem:
| Category | Partners |
|---|---|
| Card networks | Mastercard (+ Verifiable Intent), American Express |
| Payment processors | PayPal, Adyen, Stripe, Fiserv, Worldpay, Checkout.com |
| Crypto | Coinbase, Sui, Ethereum Foundation |
| Commerce | Shopify, BigCommerce |
| AI platforms | Google, Salesforce, ServiceNow |
Sui is a launch partner: Move's linear type system (assets can move but never copy) aligns with VDC semantics. A credential on Sui is physically incapable of duplication.
Verifiable Intent
Mastercard and Google co-developed Verifiable Intent — the authorization/identity layer that complements AP2's VDC model. Where VDCs prove an agent can pay, Verifiable Intent proves a human did authorize.
| AP2 Layer | Verifiable Intent Layer | Together |
|---|---|---|
| VDC proves agent scope | Cryptographic record of human intent | Every agent transaction traceable to human consent |
| Mandate escalation | Selective disclosure | Minimum data shared at each authorization step |
| Rail-agnostic auth | Protocol-agnostic identity | Works across wallets, platforms, payment networks |
Built on open standards from FIDO, EMVCo, IETF, and W3C. Partners: Adyen, Fiserv, Worldpay, IBM, Checkout.com, and Basis Theory, overlapping significantly with AP2's 60+ partner ecosystem.
The combination closes the consent gap: AP2 scopes what agents can do, Verifiable Intent proves the human behind it. Disputes get an audit trail instead of guesswork. Spec open-sourced at verifiableintent-dev.
Where AP2 Sits
| Layer | Protocol | What It Does |
|---|---|---|
| Communication | A2A | Agents discover and coordinate |
| Commerce | UCP | Agents browse, cart, checkout |
| Authorization | AP2 | Agents prove they can pay |
| Settlement | Card/stablecoin/x402 | Value actually moves |
| Attribution | PCP | IP value flows to creators |
Context
- Agent Protocols — The protocol landscape
- A2A Protocol — Communication layer AP2 extends
- UCP — Commerce layer AP2 authorizes payment for
- Agent Commerce — The standards war: AP2 vs ACP
- Smart Contracts — On-chain settlement infrastructure
- Sui — Settlement layer: Move safety + ~390ms finality
- Stablecoins — The settlement instrument
Links
- AP2 Announcement — Google Cloud blog
- x402 Protocol — Coinbase + Google crypto-native extension
- Sui AP2 Partnership — Move-native payment safety
Questions
When payment authorization becomes a cryptographic credential, what happens to the billion-dollar fraud prevention industry?
- If VDCs can be scoped to category, amount, and time window, does the concept of a "stolen credit card" become obsolete for agent transactions?
- What breaks when the Intent Mandate says "buy the cheapest" but the cheapest merchant has the worst reputation?
- Verifiable Intent solves "did the human authorize this?" — but does it solve "did the human understand what they authorized?"
- At what point does the convenience of agent purchasing create consent problems — the human authorized $500 on electronics, but did they mean THIS specific purchase?