Google AI introduces Agent Payment Agreement (AP2): Open Agreement for Interoperable AI Agents across Merchant and Wallets

Your shopping agent automatically purchases the $499 Pro plan instead of the basic tier of $49 – who is hooking: user, agent developer or merchant? This trust gap is the primary blocker for agents leading checkouts for today’s payment rails. Google’s Agent Payment Agreement (AP2) addresses it through an open, interoperable specification for payments initiated by a proxy, defining a common language with password verification, so any compliant proxy can trade with any compliant merchant worldwide.

Google’s Agent Payment Agreement (AP2) is an open vendor-neutral specification for encrypted, auditable proof of user intent initiated by an AI agent. AP2 extends existing open protocols (Agent2Agent (A2A) and Model Context Protocol (MCP)) to define how agents, merchants and payment processors exchange verifiable evidence on the “Intent→Carl→Payment” pipeline. The goal is to narrow the trust gap in agency-dominated business without decentralizing the payment ecosystem.

Why do agents need payment agreements?

Today’s railroad tracks believe that humans are the ones who click “buy” on trustworthy surfaces. When an autonomous or semi-autonomous agent initiates a checkout, the merchant and issuer face three unresolved issues: (1) the authentic delegation of the user’s authority (authorization), (2) (2) the request reflects the user’s meaning and approval (authenticity), and (3) who is responsible for the wrong (responsibility). AP2 formally delivers data, passwords and messaging to answer these questions consistently between providers and payment types.

How to build trust in AP2?

AP2 usage Verified Credentials (VCS)– Tamper-Evender, a digital object of password signature – carries evidence through transactions. This protocol standardizes three types of authorization:

• Intent Task (Humans are not supreme): Capture constraints that an agent can make transactions (e.g., brand/category, price cap, timing window), signed by the user.
• Shopping cart mission (President of Humanity): Link the user’s clear approval with the merchant’s signed shopping cart (item, amount, currency) and generate an unapplicable proof that “What you see is what you pay”.
• Payment tasks: conveys to the network/issuer what AI agents are involved in, including modality (human supremacy vs. non-existence) and risk-related environments.

These VCs constitute an audit trail that explicitly links user authorization to the final fee request.

What are the core roles and boundaries of trust?

AP2 defines a role-based architecture to separate attention and minimize data exposure:

• user Delegate the task to the agent.
• User/Shopping Agent (Interface with which the user interacts) Explain the task, negotiate shopping carts and collect approvals.
• Certificate Provider (for example, a wallet) has a payment method and issues method-specific artifacts.
• Businessman endpoint Expose directory/quotes and logo carts.
• Merchant Payment Processor Build network authorization objects.
• Network and issuers Evaluate and authorize payments.

Humans and humans are not the whole: what changes are happening on the wires?

AP2 defines a clearly testable stream:

• Human existence: The businessman sign is the last cart; the user approves it in a trusted UI, generating a signature Shopping cart mission. Processor and Payment tasks. Upgrades (such as 3DS) occur on trusted surfaces if needed.
• Humans are not humans: User pre-authorization Intent Task (For example, “When will the price be purchased”

How does AP2 consist of using A2A and MCP?

AP2 specified as expand to A2A (for proxy messaging) and interoperate with MCP (for tool access) so developers can reuse established capabilities for discovery, negotiation and execution. AP2 specifically retains the payment layer (standardizing authorization objects, signatures and accountability signals) as collaborative and tool calls for A2A/MCP.

What payment methods are within range?

The agreement is Payment method agnostic. The initial focus covered pull-based instrumentation (credit/debit card) and provided roadmap support for real-time push transfers (e.g., UPI, PIX) and digital assets. For Web3 paths, Google and partners have published A2A X402 Extension To operate the crypto payment initiated by the agent, the X402 is consistent with the authorization structure of AP2.

What does this look like for developers?

Google has published a public repository (Apache-2.0) with reference documents, Python types and runnable samples:

• sample Demonstrate card traffic that exists in humans, X402 variants and Android digital payment certificates, showing how authorization is issued/verified and transferred from agency negotiations to network authorization.
• Type package: The core protocol object can be src/ap2/types For integration.
• Frame selection: While the sample uses Google’s ADK and Gemini 2.5 Flash, AP2 is framework-agile; any proxy stack can generate/verify authorization and say the protocol.

How does AP2 solve privacy and security?

The role separation of AP2 ensures that sensitive data (e.g., PANS, tokens) remains in the credential provider without having to flow through the universal proxy surface. Authorization is a signature with a verifiable identity and can embed a risk signal without showing all credentials to the counterparty. This aligns with existing controls (e.g., accelerated authentication) and provides the network with explicit markers of proxy participation to support risk and dispute logic.

Is the ecosystem ready?

Google Quotes and More than 60 organizationsspanning networks, issuers, gateways and technology providers (e.g., American Express, Mastercard, PayPal, Coinbase, intuit, intuit, servicenow, unionpay International, worldpay, adyen). The goal is to avoid one-time integration by aligning common authorization semantics and accountability signals between platforms.

Implementation notes and edge cases

• Deterministic inference: The merchant receives password evidence from user approval (shopping cart) or pre-authorized (intention) rather than a model-generated summary.
• dispute: The credential chain acts as evidence material for the network/issuer; accountability can be allocated based on the authorization signed and the responsibility of who signed it.
• challenge: The issuer or merchant can trigger acceleration; AP2 requires the completion of the challenge on a trustworthy surface and link to the mission trail.
• Multiple agents: A2A coordinates the mission when multiple agents participate (e.g., Travel Meta Search + Airline + Hotel); AP2 ensures that each cart is signed and authorized by the user before submitting payment.

What’s next?

The AP2 team plans to develop specifications in “public” and continue to add reference implementations, including deeper integration across networks and Web3, and aligning with the standard bodies of VC formats and identity original substrates. Developers can run sample scenarios starting today, integrate authorization types, and verify traffic against their proxy/merchant stacks.

Summary

AP2 provides a specific, password-based basis for the proxy ecosystem to prove user authorization, bind it to a merchant-signed shopping cart, and issuers in units of visual records without locking the developer into a single stack or payment method. If the agent is going to buy goods on our behalf, then this is evidence of the need for the payment system.

---

Check GitHub page, project page and Technical details. Check out ours anytime Tutorials, codes and notebooks for github pages. Also, please stay tuned for us twitter And don’t forget to join us 100K+ ml reddit And subscribe Our newsletter.

Asif Razzaq is CEO of Marktechpost Media Inc. As a visionary entrepreneur and engineer, ASIF is committed to harnessing the potential of artificial intelligence to achieve social benefits. His recent effort is to launch Marktechpost, an artificial intelligence media platform that has an in-depth coverage of machine learning and deep learning news that can sound both technically, both through technical voices and be understood by a wide audience. The platform has over 2 million views per month, demonstrating its popularity among its audience.