Skip to content
Primores AI wiki

Agent Payment Protocols — The Infrastructure Under Agentic Commerce

Agent Payment Protocols

TL;DR: Between September 2025 and May 2026, four standards shipped that constitute the production infrastructure under agentic commerce. AP2 (Google, Sep 2025) is the universal payments protocol — JSON-LD “Mandates” signed as W3C Verifiable Credentials. x402 (Coinbase + Cloudflare, Sep 2025) revives the HTTP 402 “Payment Required” status code as a stablecoin payment rail — 119M transactions on Base + 35M on Solana, ~$600M annualized volume, ~2-second settlement, zero protocol fees (March 2026). UCP (Universal Commerce Protocol — Google + Shopify + Etsy + Wayfair + Target + Walmart) is the commerce schema layer. Visa TAP (Oct 2025, with Cloudflare) is the agent-identity / merchant-verification layer. AWS Bedrock AgentCore Payments shipped May 7, 2026 with native x402 support — agents on Bedrock now transact autonomously via Coinbase CDP wallet or Stripe Privy wallet, with session-level spending limits and full audit trails. The protocols are layered, not competing in most cases.

Why this matters

In April 2026 the wiki documented automation/agentic-commerce as a $1 trillion category that was emerging. By May 2026 the infrastructure that makes the category operationally real has shipped: agents on AWS, Google, and Anthropic platforms can now discover paid endpoints, settle stablecoin payments, and continue executing — without human approval per transaction. The infrastructure layer is no longer speculative; it’s production.

This matters for three reasons:

  1. Distribution flips toward agents. When 350,000+ MCP endpoints become discoverable and payable by agents at runtime (Coinbase x402 Bazaar via AWS Bedrock launched May 7 with 10,000+ x402 endpoints, growing fast), the unit of commerce shifts from “human pays for thing” to “agent pays for API call or service.” Brands that don’t have machine-readable, payable endpoints are invisible at this layer.
  2. The protocol stack is becoming standardized. A year ago, every agent platform had its own proprietary payment scheme. By mid-2026, the open-protocol stack (AP2 + x402 + UCP + TAP) has emerged as the production standard, with Amazon’s closed-loop approach (Buy for Me + Rufus) as the structural counterpart.
  3. The legal and trust scaffolding hasn’t caught up. US consumers have no clear dispute rights when AI agents transact on their behalf — and the Anthropic Project Deal experiment (April 2026) showed that users represented by worse agents don’t realize they’re worse off. This is the “agent quality gap” — see below.

The four-layer protocol stack

The 2026 stack is layered, not flat. Each protocol addresses a distinct concern:

LayerProtocolWhat it doesLeadStatus
Commerce schemaUCP (Universal Commerce Protocol)Standard schemas for product discovery, capability negotiation, cart building, order trackingGoogle + Shopify + retailer coalitionCoalition formed early 2026
Identity / verificationVisa TAP (Trusted Agent Protocol)Merchants verify which AI agent represents which consumerVisa + CloudflareLaunched October 14, 2025
Payment authorizationAP2 (Agent Payments Protocol)Universal authorization rail — JSON-LD Mandates as W3C Verifiable CredentialsGoogle + 60+ partnersLaunched September 16, 2025
Payment settlementx402HTTP-native stablecoin payment execution (HTTP 402 status code)Coinbase + CloudflareLaunched September 2025; x402 Foundation formed

The protocols compose. A typical agent transaction in mid-2026:

  1. Agent uses UCP to discover product, build cart, negotiate
  2. Merchant uses TAP to verify which consumer the agent represents
  3. Agent presents an AP2 Mandate authorizing payment
  4. Settlement happens via x402 (stablecoins) or traditional rails depending on Mandate terms

The “protocol war” framing (Visa TAP vs. Google AP2 vs. Coinbase x402 vs. PayPal) is partially misleading. The protocols compete within layers (Visa TAP vs. PayPal’s verification scheme; x402 vs. traditional rails for settlement) but mostly compose across layers.

AP2 — the universal authorization rail (Google, September 2025)

Announced September 16, 2025 with 60+ payment and technology partners (PayPal, Mastercard, American Express, Adyen, plus the ones launched into UCP later — Shopify, Etsy, Wayfair, Target, Walmart, Best Buy, Visa, Stripe).

The structural innovation: Mandates.

An AP2 Mandate is a JSON-LD document structured as a W3C Verifiable Credential, cryptographically signed by the consumer (or their delegated agent) authorizing a specific transaction. Each Mandate carries:

  • The user’s request payload (what to buy, from whom, under what terms)
  • A timestamp and nonce (preventing replay attacks)
  • The signer’s public key reference
  • A signature using ECDSA over P-256 (or stronger curves) with SHA-256 integrity hashing

The Mandate is the cryptographic primitive that lets a merchant know: this agent has explicit, time-bounded, payment-bounded authorization from this consumer for this transaction. It replaces “I trust this agent because it’s logged in as the user” with “I have a signed credential I can verify independently.”

Why W3C Verifiable Credentials specifically: the format is open, interoperable, and already supported across identity and credential infrastructure. AP2 didn’t invent a new credential format; it bet on an existing standard.

AP2 is rail-agnostic. A Mandate can settle via stablecoin (x402), credit card (traditional networks), bank transfer, or any payment method the merchant accepts. AP2 is the authorization layer; settlement is below it.

Reference implementation: npx agentic-payments provides a JavaScript SDK; Google maintains the github.com/google-agentic-commerce/AP2 repository.

x402 — the HTTP-native stablecoin protocol (Coinbase + Cloudflare, September 2025)

The cleverest piece of the stack. x402 revives a 30-year-old idea: the HTTP status code 402 Payment Required has existed since the original HTTP specification but was never operationalized. x402 fills it in.

The transaction flow:

  1. Client (agent or human) requests a resource gated by x402
  2. Server returns HTTP 402 Payment Required with payment instructions in the response body (amount, recipient, chain, terms)
  3. Client sends the request again with a payment authorization header
  4. A payment facilitator verifies the payload and settles the transaction
  5. Server returns the resource

The entire flow takes ~2 seconds in production. No accounts, no credit cards, no manual intervention.

Settlement layer: USDC (Coinbase’s stablecoin) is primary, on Base (Coinbase’s L2). x402 also supports Ethereum, Arbitrum, Polygon, and Solana. The protocol is chain-agnostic in design.

Production scale (March 2026):

  • 119 million transactions on Base
  • 35 million on Solana
  • ~$600 million annualized volume
  • Zero protocol fees (vs. credit card 1.5–3% + interchange)
  • ~2-second settlement

x402 is governed by the x402 Foundation, co-governed by Coinbase and Cloudflare. The foundation structure prevents either company from unilaterally dictating protocol direction.

The economic insight: stablecoin settlement at ~2 seconds with zero fees makes agent-mediated micropayments economically viable in a way credit card rails never could. A penny-per-API-call charge is impossible on Visa (the interchange exceeds the payment); trivial on x402.

UCP — the commerce schema (Google + retailer coalition, early 2026)

The Universal Commerce Protocol is the “HTTP of commerce” — standard schemas for the actions an agent needs to take when shopping:

  • Discovery — what products exist? What’s their structured data?
  • Capability negotiation — does this merchant accept this payment method? Does it ship to this location? Does it support returns?
  • Cart building — atomic add/remove/update operations with consistent semantics
  • Order tracking — status, shipment, returns

The coalition matters as much as the technology. UCP is backed by:

  • Google (lead) + Shopify (initial co-developer)
  • Major retailers: Etsy, Wayfair, Target, Walmart
  • Payment providers: Visa, Mastercard, Stripe, Best Buy (yes, Best Buy is in the payment-provider tier here)

The strategic move: UCP keeps merchants as the merchant of record. The retailer owns the transaction, maintains its own checkout, and retains customer-loyalty data. This is the open-protocol counterpart to Amazon’s closed-loop approach (Amazon Buy for Me + Rufus keep discovery, payment, and fulfillment inside Amazon’s infrastructure).

The two approaches will likely coexist for years. Amazon’s closed loop wins for in-Amazon commerce; UCP wins for everywhere else.

Visa TAP — the identity/verification layer (Visa + Cloudflare, October 2025)

Launched October 14, 2025. The narrower of the four protocols.

What it does: lets merchants identify and verify which AI agent is acting on behalf of which consumer during a transaction. The verification problem is non-trivial — without TAP-style protocols, a merchant has no way to distinguish “Bob’s authorized shopping agent” from “a scraper claiming to be Bob’s agent.”

Why Cloudflare: Cloudflare sits in front of a substantial fraction of internet commerce. Putting agent-identity verification at the edge layer means merchants don’t have to implement it themselves — Cloudflare does the verification work and passes a signed agent-identity header to the merchant.

Relationship to AP2: complementary. AP2 says what the consumer authorized; TAP says which agent is presenting the authorization. A complete transaction uses both — TAP to verify the agent, AP2 to verify the consumer-side authorization.

AWS Bedrock AgentCore Payments — the hyperscaler realization (May 7, 2026)

Launched 11 days before this wiki page was written. The most consequential single deployment so far because it makes the protocol stack accessible to every AWS enterprise customer without new vendor relationships.

What it does: when an agent built on Amazon Bedrock encounters an x402-gated endpoint (HTTP 402 response), AgentCore Payments handles the full transaction flow:

  • x402 protocol negotiation (parse payment instructions, build authorization)
  • Wallet authentication (Coinbase CDP wallet or Stripe Privy wallet — the developer’s choice)
  • Stablecoin payment (settle via USDC on Base or supported chain)
  • Proof delivery (return signed proof to the endpoint)

All of this happens “without interrupting the agent’s reasoning loop” — the agent doesn’t pause to wait for human approval per transaction. Session-level spending limits, policy-based controls, and a full audit trail are built-in.

The Bazaar: Coinbase’s x402 Bazaar MCP server is available through AgentCore Gateway, providing 10,000+ x402 endpoints that agents can search, discover, and pay for autonomously. The Bazaar is the agent-native equivalent of an app store — except every entry is a paid API endpoint, not a downloaded application.

Built with: Coinbase (for the x402 + wallet side) and Stripe (for the Privy wallet integration). The choice of two wallet providers is structural — AWS didn’t want to lock customers into a single payment-credential vendor.

The closed-loop vs. open-protocol dynamic (Amazon vs. Google coalition)

Two approaches are now visibly competing:

ApproachClosed-loopOpen-protocol
LeadAmazon (Buy for Me + Rufus)Google + retailer coalition (UCP + AP2 + x402)
Merchant of recordAmazonThe retailer
Customer loyalty dataAmazon owns itRetailer retains it
Discovery surfaceInside AmazonOpen web
SettlementAmazon internalAny rail supporting AP2 (including x402 stablecoin)
Failure mode (March 2026)OpenAI’s Instant Checkout shut down because “did not offer the level of flexibility that we aspire to provide”

The OpenAI Instant Checkout shutdown is the data point worth tracking. OpenAI tried to be a third position — an aggregator with its own checkout — and quit in March 2026. The market has consolidated to two viable approaches: own everything (Amazon) or be one piece of an open protocol stack (Google coalition).

For brand strategy (marketing/preparing-for-agentic-ai): if your brand is on the Google-coalition side, you participate in the open protocol stack and retain your customer relationship. If you’re on the Amazon side, you sell on Amazon’s terms.

The agent quality gap (Anthropic’s Project Deal, April 2026)

Project Deal was Anthropic’s internal experiment: 69 employees each got a $100 budget (paid out as gift cards after, adjusted for what their agent bought/sold). For one week in December 2025, all transactions in the SF office classified marketplace went through agent representatives.

The setup: 4 parallel marketplaces ran simultaneously. One “real” marketplace (where goods actually changed hands), three study runs. Two runs used Claude Opus 4.5 for everyone’s agent. Two runs randomized 50/50 between Opus 4.5 and Haiku 4.5 (less capable).

Findings:

  • 186 deals, >$4,000 total value in one week. The marketplace worked.
  • More capable models produced “objectively better outcomes.” Users represented by Opus 4.5 got better prices, faster deals, more favorable terms.
  • Users on the losing end didn’t notice. Participants represented by Haiku 4.5 in the randomized runs didn’t realize they were getting worse outcomes. This is the “agent quality gap” — a category Anthropic explicitly named.
  • Initial agent instructions had minimal impact on completion rate or final prices. Model capability dominated prompt framing.

The “agent quality gap” finding is the most consequential. It connects directly to glossary/ai-agent-behavior (agents have predictable biases users may not notice), glossary/agent-adoption-frictions (the “calibrated uncertainty” problem from the user side — users can’t calibrate the quality of representation they’re getting), and the broader glossary/honest-assessment family of trust signals (when one agent is honestly worse than another but the user can’t tell).

Practical implication: as agent-to-agent commerce scales, the quality of the agent representing each consumer becomes a material economic variable. Users with access to better models will compound advantage over users with worse models — in ways the worse-served users won’t detect. This is a different inequality vector than traditional pricing or access.

US consumers currently have no clear dispute rights when AI agents transact on their behalf. Existing consumer protection law (the Fair Credit Billing Act, state UCC variants, chargeback regimes) was written assuming the consumer is the one initiating the transaction. When an autonomous agent initiates the transaction within session-level limits the consumer pre-authorized:

  • Is the agent the consumer? (Legally, probably not.)
  • Is the consumer responsible for what the agent does within authorized limits? (Probably yes, but no case law confirms.)
  • What’s the dispute process when the agent buys the wrong thing, the wrong amount, or from a fraudulent merchant? (No standard answer.)
  • Who’s liable when the agent encounters a deceptive merchant designed to fool AI agents specifically? (No regulatory framework.)

This is a known gap. The 2026 protocols (AP2, TAP) include technical structure for dispute flows, but the legal scaffolding for enforcing those flows doesn’t exist yet. Expect substantial regulatory development over 2026–2027 as the volume scales past the threshold where individual disputes start producing court cases.

Connection to wiki frameworks

  • automation/agentic-commerce — The category page. This payment-protocols entry is the infrastructure layer.
  • glossary/ai-agent-behavior — Allouah et al. (Columbia + Yale 2025) findings on agent purchasing biases. The Project Deal “agent quality gap” extends this — biases are one source of agent-quality difference; raw capability is another.
  • glossary/agent-adoption-frictions — Wharton frictions framework. The user-side trust friction now has a new dimension: trusting the quality of the agent representing you, not just trusting the agent category.
  • glossary/agent-engineering — Karpathy’s discipline. Payment protocols are part of the “tools” surface agents operate against; designing agent systems that handle payment failures gracefully is part of the discipline.
  • glossary/tool-use — The basic primitive. Payment endpoints (x402-gated APIs) are a new class of tools — the agent doesn’t just call them, it pays for them.
  • glossary/guardrails — Session-level spending limits, per-transaction caps, and policy-based controls are guardrails specifically for payment-capable agents. AWS Bedrock AgentCore Payments includes these as native primitives.
  • tools/claude-managed-agents — Managed Agents currently uses Anthropic’s own infrastructure; payment-protocol support is one of the differentiators when comparing managed-platform agent runtimes.
  • marketing/preparing-for-agentic-ai — Brand strategy for the agentic era now has a protocol-stack dimension. Choose the side (open-protocol vs. Amazon closed-loop) consciously.
  • glossary/honest-assessment — The “agent quality gap” is a content-trust problem at the agent-representation layer.

Honest limits

  • The protocols are young. AP2 is ~8 months old, x402 ~8 months, UCP a few months, AgentCore Payments 11 days at the time of this writing. Substantial spec evolution is expected. Treat 2026 architecture as directional rather than locked.
  • Adoption ≠ volume. AP2 has 60+ partners; production transaction volume on AP2 specifically (vs. x402 settlement) isn’t yet broken out in public reporting. Be careful not to conflate ecosystem partnership announcements with transaction-flow reality.
  • The $600M x402 annualized figure is rapidly moving. It was lower in February and almost certainly higher by July. Cite cautiously.
  • The legal void is a real risk surface. Builders deploying agent-payment-capable systems before consumer-protection regulation catches up are taking on a meaningful liability exposure that hasn’t been priced.
  • The agent quality gap finding is one experiment, n=69, one week. Directionally important and consistent with the broader agent-behavior literature, but treat as preliminary evidence requiring replication.
  • The closed-loop vs. open-protocol framing oversimplifies. Amazon also participates in some open protocols where it serves its strategic interests; Google’s coalition has internal tensions between retailer interests and platform interests. The competitive dynamic is messier than the two-column table suggests.

Key Takeaways

  • Four standards constitute the production infrastructure for agent-to-agent commerce as of May 2026: AP2 (authorization, Google, Sep 2025), x402 (settlement, Coinbase+Cloudflare, Sep 2025), UCP (commerce schema, Google+retailer coalition, early 2026), Visa TAP (identity, Visa+Cloudflare, Oct 2025).
  • The protocols are layered, not competing in most cases. A typical transaction uses UCP for discovery, TAP for agent verification, AP2 for authorization, x402 for stablecoin settlement.
  • x402 hit ~$600M annualized volume by March 2026 (119M tx on Base + 35M on Solana). ~2-second settlement. Zero protocol fees. Stablecoin micropayments are economically viable in a way credit cards never made them.
  • AWS Bedrock AgentCore Payments shipped May 7, 2026 with native x402 + Coinbase CDP wallet + Stripe Privy wallet. Bedrock-built agents now transact autonomously within session-level limits.
  • Coinbase’s x402 Bazaar through AgentCore Gateway exposes 10,000+ x402 endpoints discoverable by agents at runtime. The agent-native app-store equivalent.
  • OpenAI’s Instant Checkout shut down March 2026 — the third-position aggregator-with-own-checkout approach lost. Two viable approaches remain: Amazon closed-loop (Buy for Me + Rufus) vs. Google-coalition open-protocol stack.
  • Anthropic’s Project Deal (April 2026) documented the “agent quality gap” — users represented by less capable models get objectively worse outcomes and don’t notice. Model capability dominated prompt framing.
  • US legal scaffolding hasn’t caught up. Consumers have no clear dispute rights when AI agents transact on their behalf. Expect 2026–2027 regulatory development.

Sources

AP2 (Google):

x402:

AWS Bedrock AgentCore Payments:

Anthropic Project Deal:

Visa TAP + protocol war:

Legal void: