
Agent Payments Protocol: Building Verifiable Trust for Agentic Commerce


Prakhar Mehrotra

Sept 16, 2025

13 min read


Today, PayPal announced its support for the Agent Payments Protocol (AP2), an open, interoperable extension to the Agent2Agent (A2A) protocol and the Model Context Protocol (MCP) that defines a common standard for agent-driven payments.

Proposed by Google in collaboration with PayPal and other industry partners, AP2 is designed to ensure that, as AI agents begin to shop and pay on behalf of users, transactions remain secure, auditable, and accountable across the payments ecosystem. AP2 does this by defining a set of handshake mechanisms for transactions. Specifically, it offers standard ways to verifiably capture user intent for both real-time fiat and crypto transactions, as well as for delayed transactions that are executed by an agent under pre-approved conditions (e.g. buying a pair of sneakers when a price condition is met). 

PayPal’s global infrastructure, risk management systems, and two-sided network have been built over decades to provide the trust, compliance, and auditability that AP2 requires. By supporting AP2, we seek to enable PayPal merchants and partners to accept agent-driven payments. 

AP2 Brings Trust to Agent-Driven Payments  

Today’s payments infrastructure is predicated on direct human interaction at checkout, where authentication, authorization, and accountability are bound to the user’s real-time presence. As AI agents begin to discover products, assemble carts, and initiate payments autonomously, the traditional assumptions underlying human-driven payment flows begin to break down. Without a common standard, the result would be fragmented integrations, inconsistent data signals for risk engines, elevated fraud exposure, and ambiguity in accountability assignment across merchants, issuers, and networks. 

AP2 introduces a framework that ensures agent-driven transactions are verifiable, auditable and interoperable through four core elements:  

Mandates are cryptographically signed records of user intent that anchor each transaction to verifiable evidence. AP2 defines three types of mandates: 

  • Cart Mandate (“Human-Present” or “HP”), where the merchant signs the cart to guarantee fulfillment, and the user signs to approve it. 

  • Intent Mandate (“Human-Not-Present” or “HNP”), where the user pre-approves defined conditions (e.g., budget, product categories, or timing) that authorize an agent to act later. 

  • Payment Mandate, which is a minimal credential derived from a Cart or Intent Mandate and appended to the authorization, providing issuers and networks with visibility into agent presence and modality (HP/HNP) without altering network flows. 

All mandates are expressed as W3C Verifiable Credentials, ensuring tamper resistance, portability, and interoperability across the ecosystem. Mandates embed cryptographically verifiable consent into authorization flows, providing merchants with dispute-grade evidence, issuers with consistent agent-presence signals and consumers with non-repudiable proof of intent.  
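As an added example, not code from this post or from the AP2 specification, the following Go sketch models the mandate chain described above: a Cart Mandate signed first by the merchant and then by the user, a minimal Payment Mandate derived from it that carries only the modality and a hash link to its parent, and a verifier that rejects any mandate whose payload was altered after signing or whose parent link no longer matches. The struct fields, role names, and JSON canonicalization are this example's assumptions rather than the AP2 or W3C Verifiable Credentials schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Mandate is an illustrative stand-in for an AP2 mandate; field names are this example's assumptions.
type Mandate struct {
	Type     string            `json:"type"`             // cart | intent | payment
	Modality string            `json:"modality"`         // HP | HNP
	Claims   map[string]string `json:"claims,omitempty"` // cart lines, budget, ...
	Parent   string            `json:"parent,omitempty"` // digest of the Cart/Intent Mandate
	Sigs     map[string][]byte `json:"sigs,omitempty"`   // role -> signature over payload()
}

// payload is the canonical bytes every role signs: the mandate with signatures stripped
// (json.Marshal sorts map keys, so the encoding is stable).
func (m Mandate) payload() []byte {
	m.Sigs = nil
	b, _ := json.Marshal(m)
	return b
}

// Digest lets a derived mandate reference its parent without copying the cart.
func (m Mandate) Digest() string {
	sum := sha256.Sum256(m.payload())
	return hex.EncodeToString(sum[:])
}

// Sign appends one role's signature (merchant guaranteeing fulfillment, then user approving).
func (m *Mandate) Sign(role string, key ed25519.PrivateKey) {
	if m.Sigs == nil {
		m.Sigs = map[string][]byte{}
	}
	m.Sigs[role] = ed25519.Sign(key, m.payload())
}

// Verify requires a valid signature from every listed role over this exact payload and,
// for a derived mandate, an intact link to the parent's digest.
func Verify(m Mandate, parent *Mandate, required map[string]ed25519.PublicKey) bool {
	for role, pub := range required {
		if !ed25519.Verify(pub, m.payload(), m.Sigs[role]) {
			return false
		}
	}
	return parent == nil || m.Parent == parent.Digest()
}

// DerivePayment builds the minimal credential appended to authorization: modality and parent link only.
func DerivePayment(parent Mandate) Mandate {
	return Mandate{Type: "payment", Modality: parent.Modality, Parent: parent.Digest()}
}
```

Because the Payment Mandate carries only the parent digest, an issuer can confirm that it belongs to a specific signed cart without ever seeing the cart contents.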

Roles are core AP2 constructs and serve to delineate responsibilities for ecosystem participants, ensuring sensitive data is only handled by the appropriate entities. This includes: 

  1. User as the originator of intent. 

  2. Agent as the executor of tasks on behalf of the user. 

  3. Credential Provider who secures payment methods and manages authentication. 

  4. Merchant Endpoint / Processor who receives mandates and executes settlement. 

  5. Issuer / Network who authorizes transactions using standard risk models supplemented by mandate context. 

This role separation confines PCI data and authentication to credential providers, limits merchant and agent exposure, and is designed to enforce accountability across the transaction lifecycle.  

Trust model is anchored today by signed mandates and curated allow-lists of trusted participants. Over time, AP2 will progress toward real-time identity assurance using open internet standards such as HTTPS, DNS ownership, and mutual TLS. This staged design is intended to enable immediate adoption with curated trust while providing a path to stronger, standards-based verification as infrastructure matures. 

Accountability is tied to real-world entities such as the user, merchant or the issuer, and not to the agent. Cryptographic audit trails are designed to ensure that disputes are resolved with verifiable evidence, keeping accountability predictable and fair for merchants, issuers, and consumers in agent-driven transactions. 

Implementing AP2 

AP2 establishes a specification for how agent-driven payments must operate. PayPal is well positioned to integrate this standard, leveraging infrastructure already scaled across billions of transactions, multiple payment rails, and approximately 200 markets. Here are a few key ways AP2 could be applied across PayPal: 

Verifying Consent: PayPal enforces strong authentication in a number of ways, including device keys, biometrics, and adaptive step-ups. The processing stack could embed mandate artifacts into ISO 8583 and API flows and link them to tokenized credentials, so issuers and networks can receive agent-presence context without requiring changes to existing systems. PayPal’s fraud engines then could ingest mandate metadata such as modality and linkage, incorporating it into machine-learning models trained on global transaction data. Together, these capabilities are positioned to make AP2 mandates actionable at scale through PayPal, giving merchants stronger dispute protection, issuers clearer risk signals, consumers confidence in delegated payments, and developers APIs to simplify mandate capture. 

Ensuring Role Separation: PayPal’s architecture in many ways reflects the role boundaries that AP2 specifies. The PayPal wallet manages credentials and consent. Checkout mediates the transaction context, and Braintree and PayPal core systems route authorization and settlement to issuers and networks. This structure can minimize PCI exposure and reduce agent access to sensitive data, with sensitive elements and authentication handled by specialized entities and secure elements in the payment infrastructure. These boundaries can be reinforced by compliance frameworks such as AML/KYC, GDPR/CCPA, PSD2, and RBI mandates across many markets. This offers the practical effect of lowering merchant compliance burden, making governance more predictable for issuers and regulators, giving consumers potentially greater confidence that data is secure-by-design, and making way for SDKs for developers that abstract away PCI complexity. 

Establishing Identity: In the near term, AP2 anticipates curated allow-lists and registries among agents, credential providers, and merchants. PayPal’s onboarding and credential-provider vetting is positioned to serve this function, with device fingerprinting, velocity controls, and tokenization propagated through network integrations. Over time, the trust framework is expected to incorporate open internet standards such as HTTPS with verified domains (DNS/DNSSEC) and mutual TLS. PayPal’s system is positioned to adopt these anchors as they mature. Benefits would include higher merchant approval rates with fewer unnecessary step-ups, richer risk context for issuers, smoother agent-driven checkout for consumers, and access to trust primitives via APIs for developers.

Resolving Disputes: PayPal’s Seller Protection and dispute workflows adjudicate billions annually with structured evidence such as authentication logs, delivery confirmation, and chargeback data. Incorporating Cart, Intent, and Payment mandates into these pipelines could add cryptographic artifacts that can be validated independently. This would equip merchants with stronger representment packages, issuers with verifiable custody of intent, consumers with protection from unauthorized agent activity, and developers with mandate-linked receipts they can surface in apps and commerce flows. 

Scaling Adoption: PayPal’s global reach spanning approximately 200 markets and dozens of currencies provides the scale that can help integrate AP2 into existing commerce rails as adoption begins. Mandates can flow through existing authorization packets; role separation would be reinforced by the wallet, checkout, and processing layers; trust would advance through registries and open standards, and accountability would be supported through Seller Protection enhanced with mandate evidence. This continuity could then enable merchants to accept agent-driven payments without reworking checkout; help issuers and networks to gain visibility into agent activity without new infrastructure; enable consumers to transact with confidence in delegated commerce; and allow developers to adopt AP2 through SDKs and APIs rather than custom integrations. 

Building on the above, additional opportunities to apply AP2 across PayPal include:  

  1. Payment Mandate pilots: Embedding Payment Mandate credentials in authorization flows so issuers and networks see agent presence and modality, with pilots to validate approval lift, step-up accuracy, and ecosystem readiness. 

  2. Challenge orchestration: Standardizing redirect challenges (3DS2/OTP); completing them on trusted credential provider or issuer surfaces; propagating the results to avoid duplicate step-ups; and supporting re-entry for human-not-present flows. 

  3. Dispute and accountability evidence: Extending Seller Protection workflows with Cart and Intent Mandates, mandate IDs and signatures, and creating a cryptographic chain of proof that keeps accountability anchored with real entities.  

  4. Trust and policy frameworks: Moving from curated allow-lists to real-time identity using open standards such as HTTPS, DNSSEC, and mutual TLS, while enforcing tokenization and challenge thresholds consistently across markets.  

  5. Ecosystem enablement: Delivering APIs and adapters for mandate creation and storage; exposing loyalty and branding in agent surfaces; and providing analytics that separate agentic from non-agentic traffic to measure outcomes and adoption. 

Benefits Offered by AP2  

Applying AP2 across PayPal and our networks, processors, and wallets can translate into measurable benefits for merchants, consumers, issuers, and developers. Below is a list of potential benefits that AP2 offers. 

Merchants 

  • Accept agent-initiated payments through existing PayPal and Braintree integrations without reworking checkout. 

  • Improve approval rates with Payment mandates that give issuers the context they need to green-light transactions. 

  • Resolve disputes faster with mandate-based evidence that strengthens Seller Protection. 

Consumers 

  • Approve purchases through explicit, signed mandates that define exactly what an agent can do. 

  • Keep control over budgets, categories, and timing for human-not-present scenarios. 

  • Gain transparency with auditable receipts and confidence that liability never shifts unfairly. 

Issuers and Networks 

  • Benefit from agent modality and linkage through compact Payment mandates embedded in authorization. 

  • Apply existing risk models with richer inputs, reducing unnecessary step-ups and false declines. 

  • Preserve continuity of today’s fraud and dispute frameworks while gaining cryptographic audit trails. 

Developers 

  • Use PayPal SDKs and APIs to capture mandates and pass Payment mandates with authorizations. 

  • Roll out incrementally: start with human-present flows, then extend to human-not-present and new rails. 

  • Monitor adoption and traffic with analytics that separate agentic and non-agentic transactions. 

Next: Extending AP2 for commerce use cases 

AP2 lays the groundwork for trusted, verifiable agentic payments by separating roles, anchoring consent in signed mandates, and giving issuers and networks the visibility they need. PayPal is committed to supporting AP2 and sees it as an essential foundation for the ecosystem. 

Yet, payments represent just one dimension in an agentic commerce paradigm where agents must search, compare, and decide on behalf of users. The same principles of openness, privacy, verifiable intent, and accountability in AP2 must extend upstream to commerce use cases in a consistent manner, such as when agents perform commerce tasks, surface merchant brand and loyalty, optimize payment method selection, and work to preserve value for both consumers and merchants.  

Building on AP2, PayPal is leading an effort with participating companies to extend AP2 with a standard developed for commerce use cases. Building on the strong foundation of AP2, we envision a future where agent-ready payments and commerce use cases are both practical and scalable worldwide. 
