Agent Payments Protocol (AP2)
Type: full-code · Vendor: Google · Language: specification · License: Apache-2.0 · Status: active · Status in practice: emerging · First released: 2025
Define an open protocol for agent-led payments built on signed mandates and verifiable digital credentials that bound spending and leave a cryptographic audit trail.
Description. The Agent Payments Protocol (AP2) is an open specification from Google, developed with the FIPA Alliance working groups, for payments initiated by AI agents. The user signs mandates that capture spending constraints up front so an agent can execute payments within those bounds. Mandates are expressed as verifiable digital credentials, which are tamper-evident, cryptographically signed objects. Each transaction produces a non-repudiable cryptographic audit trail to support dispute resolution.
Agent loop shape. The user signs a mandate that captures payment constraints such as budget and allowed instruments, the agent executes a transaction within those constraints, and the protocol records each step as a tamper-evident, cryptographically signed verifiable digital credential that forms a non-repudiable audit trail.
Primary use cases
- authorizing agent-led payments within user-set spending bounds
- issuing signed mandates as verifiable digital credentials
- producing a non-repudiable audit trail for agent transactions
Key concepts
- Mandate → deontic-token-delegation (docs) — A signed credential that captures a specific authorization step in a purchase; AP2 chains them so each stage of intent, cart, and payment is independently verifiable.
- Verifiable Digital Credential (VDC) → provenance-ledger (docs) — The tamper-evident, cryptographically signed object that every mandate is expressed as, built on the W3C Verifiable Credentials standard for portability and interoperability.
- Checkout Mandate → session-scoped-payment-authorization (docs) — The user's cryptographically signed approval of the explicit goods being purchased and confirmation of the purchase, created at the point the cart is accepted.
- Payment Mandate → agent-initiated-payment (docs) — The mandate that authorizes a payment against a specific instrument and is conveyed to the credential provider, networks, and merchant payment processor to complete the transaction.
Patterns this full-code implements —
- ·Session-Scoped Payment Authorization
The user signs an open mandate that captures spending constraints (budget, allowed instruments) up front, letting the agent execute payments autonomously within those bounds and settle a specific cha…
- ★★Provenance Ledger
AP2 records each transaction as a tamper-evident, cryptographically signed verifiable digital credential, producing a non-repudiable cryptographic audit trail for every transaction.
- ·Deontic Token Delegation
AP2 reifies the user's authorizations and constraints as signed mandates — verifiable digital credentials — that are passed along the agent-to-merchant-to-credential-provider chain: the Checkout Mand…
- ★Agent-Initiated Payment
Once the mandates are signed the agent settles the payment itself, presenting a Payment Mandate that authorizes a charge against a specific payment instrument as the verifiable proof that completes t…
- ★★Model Context Protocol
AP2 is not a standalone stack but an open extension layered on top of the existing agent protocols, designed to work over Agent2Agent (A2A) and the Model Context Protocol rather than replacing them.
Neighbourhood
Click any neighbour to follow the lineage. Scroll to zoom, drag to pan.
Alternatives & relatives
- full-code · framework
x402
Both let an agent settle a payment as part of its loop; x402 answers an HTTP 402 challenge with an inline on-chain micropayment, while AP2 builds signed multi-stage mandates over A2A/MCP for agent-le…
- full-code · framework
Agent2Agent (A2A) Protocol
AP2 is an open extension layered on A2A: agents collaborate over A2A and use AP2 mandates to authorize and settle the payment portion of the interaction.
Listed as alternative by (1)
References
Provenance
- Last analyzed:
- Last updated:
- Verification status: partial