From Cash to Cards to AI Agents: Google just announced AP2 - the New Rulebook for 'Autonomous' Commerce payments!

by Yannis Larios

Two months ago I wrote that the AI Wallet would become the real battleground of commerce. That wasn’t a prediction; it was a countdown. Google just announced the new rulebook.

Google announced on September 17, 2025, the Agent Payments Protocol (AP2), an open standard that fixes a basic flaw in today’s checkout: systems assume a human clicks “buy,” yet AI agents are increasingly doing the deciding. AP2 creates a secure, verifiable way for agents to transact on a user’s behalf using cryptographically signed "Mandates" that record what you authorized and what was actually purchased. It supports both human‑present approvals and delegated, rule‑bound purchases so autonomy doesn’t come at the expense of control.

Beyond consumer checkout, the prize is of course B2B commerce! Agent-driven supply chains where bots watch inventory, forecast demand, negotiate with suppliers, and buy only within pre-approved policies.


Three quick scenes (life after Google’s AP2)

1) Retail, Saturday 10:12. You tell your AI assistant: “I want a Bosch Series 4 washer, under €500, A‑energy rated, deliver in 72 hours. Use loyalty if it saves real money.” Your AI agent negotiates with three merchant agents, shows a one‑screen cart you approve, and tags the payment with a signed record of what you OK’d. Your bank, acting as Credential Provider, attaches a Payment Mandate that tells card networks an AI agent was involved and that you were present. Approval rises; fraud theatre drops.

2) Travel bundle, human‑present. You ask your AI agent to book Athens → Paris next weekend with a 4‑star hotel near Le Marais under €900 total. It negotiates with airline and hotel agents, composes a single cart across merchants, and presents a one‑screen Cart Mandate for you to approve. Your bank, as Credential Provider, signs the Payment Mandate that flags human‑present agent checkout. Refund and change rules are embedded, so if the airline changes your flight, everyone reads the same evidence trail.

3) Delegated replenishment, human‑absent. You set an Intent Mandate for replenishing weekly household essentials: “top up coffee, detergent, and paper towels when unit price drops below last month’s average; max €40; deliver weekday evenings.” Your AI agent executes within those limits without bothering you, and each order carries a Payment Mandate that signals human‑absent with policy bounds. You can revoke or tighten the mandate at any time; disputes have a tamper‑proof audit trail of the rules and the exact cart.

That’s the point: AP2 doesn’t invent new money. It standardizes trust so AI agents can safely spend the money we already have.

What AP2 is, in simple terms

AP2 (Agent Payments Protocol) is an open protocol that lets AI agents, merchants, PSPs and issuers speak a common payments language. The core idea is a Mandate: a tamper‑proof, cryptographically signed record of what the user authorized, using Verifiable Credentials (VCs). Three show up again and again:

  • Intent Mandate — the rules you set (budget, vendors, time window, whether you must be present).

  • Cart Mandate — the exact items, price, delivery and refund rules you approved.

  • Payment Mandate — the payment authorization that signals to networks/issuers that an agent initiated the transaction and what evidence exists.

These are machine‑checkable, not screenshots. They travel with the request so everyone downstream can verify that an agent acted inside your instructions.

Context matters though! AP2 needs controlled access to your pricing, inventory and policy data to be useful. Build for privacy-by-design and selective disclosure rather than broad data sharing.

The Three A’s AP2 solves

  • Authorization: prove you gave the agent specific authority.

  • Authenticity: prove the request reflects your intent, not an AI hallucination.

  • Accountability: make liability assignable when things go wrong.


Two shopping scenarios

  • Human‑present: the agent assists, you approve each time.

  • Delegated: you pre‑authorize with detailed limits; the agent executes later within those bounds.

AP2 is rail‑agnostic: cards today; bank transfers and subscriptions next; and a crypto path via x402, so the same evidence model works on stablecoin rails.

Important Security reality check: AP2 fixes the payments evidence layer. It doesn’t harden your agent layer! Treat MCP/ tool endpoints as untrusted by default, filter for prompt-injection/ toxic flows, and tie AP2 step-up/revocation to any anomaly signals.

Why this is a paradigm shift (cash → cards → agents)

Moving from cash to cards didn’t just change the plastic in your wallet; it created the evidence layer (authorizations, chargebacks, dispute codes) that made remote commerce trustworthy.

AP2 is that shift for AI agents. It gives agents a way to prove what the human intended, what got bought, and who’s responsible. With that, approval rates rise, false declines fall, and disputes stop being guesswork.

It also enables complex multi‑agent flows: your travel agent can coordinate airline, hotel and car across multiple merchants and present a single, signed bundle for payment.

Law catches up last though - as always! AP2 improves proof, not law. Who is responsible when an agent errs will be clarified by contracts and regulators before fully autonomous, human-absent flows go mainstream.

Ecosystem scale and why it matters

This is not a single‑vendor “proof-of-concept” approach. Google’s announcement came with 60+ major collaborators across the stack: card networks and issuers (Mastercard, American Express, JCB International Credit Card Co., Ltd. (USA), China UnionPay), global PSPs (Adyen LLC, Worldpay, Checkout.com), fintech and wallets (PayPal, Revolut), commerce platforms (Ant International/ Alibaba.com), and web3 players (Coinbase, MetaMask). That breadth gives AP2 instant credibility and a realistic path to become the dominant standard for agent‑led transactions.

AP2 is also open‑source. The spec and reference implementations are on GitHub under permissive licensing, and Google is inviting standards‑body work. Translation: you can build against it now, and you won’t be locked into a walled garden later.

Google’s open posture is also strategic; agent telemetry and mandate flows are valuable. UX risk: the agent checkout layer could fragment before it converges. Favor open specs and reference implementations.

AP2 Partners - Image sourced from Google's announcement


What changes for each player

Each player in the commerce/ payments value chain has to assume its new role, fast:

Banks & issuers (be the Credential Provider)

Operate the mandate vault with hardware‑backed keys, revocation and TTLs; run step‑up when risk spikes; pass presence, SKU class and refundability as risk signals into authorization. Monetize CP APIs for fintechs and PSPs.

Payment Service Providers & Acquirers (AP2‑aware gateway)

Parse and verify mandates, attach “human‑present/ agent‑present” flags into auth messages, and auto‑assemble dispute packs from the signed chain. Offer this as an “Agent‑Safe Checkout” SKU to merchants.

Merchants & marketplaces - A whole new era for e-commerce

Publish an agent endpoint with inventory, delivery, returns, loyalty and offers. Encode refund rules in the Cart Mandate to cut gray‑area chargebacks. Support bundled carts so multi‑merchant trips or kits survive to fulfillment. Let agents optimize beyond price — delivery fees and timing, return friction, merchant rating/reviews, and loyalty awards should all be first-class inputs.

Agent builders & super‑apps

Use A2A for negotiation, MCP for tool access, AP2 for payments. Your moat is mandate UX, vendor networks and policy engines, not another pretty chat window. The hard part however isn’t the payment handshake; it’s discovery, ordering, shipping and returns. AP2 covers pay; you still need clean merchant APIs and agent-network protocols to make end-to-end commerce work.

What banks and fintech boards should actually do in the next 120 days

  1. Appoint an AP2 owner. CIO + CRO co‑own. Run a controlled pilot with one flagship merchant and one agent partner.

  2. Stand up a Mandate Vault. Store Intent/ Cart/ Payment mandates; use hardware keys, revocation, TTLs and redactable merchant views. Map fields to PCI/ GDPR minimization. This is your Credential Provider cornerstone. In parallel, harden the agent/ MCP stack: allowlist/ attest servers, rotate short-lived credentials, and scan for toxic tool chains.

  3. Upgrade the gateway. Validate signatures, carry Payment Mandate flags into network auth, and generate dispute packs automatically. Productize as “Agent‑Safe Checkout.”

  4. Wire agent basics. Adopt A2A for cart negotiation and MCP to reach internal services (offers, loyalty, inventory).

  5. Pick the right first use cases. Subscription renewals, travel bundles, marketplace payouts, etc. Small-basket consumer flows will lead; large commercial and cross-border cases will lag due to complexity.

  6. Expand merchant Terms of Service for agentic flows. Add AP2‑specific clauses on mandate acceptance (Intent/ Cart/ Payment), agent‑presence flags, refundability encoded in mandates, dispute evidence sharing, and conformance testing. Clarify liability and step‑up triggers for delegated purchases. I’ll unpack a full clause‑by‑clause template in a separate Next Agenda issue focused on merchant contracts.
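
Steps 2 and 3 above ask the gateway to validate signatures and honour revocation and TTLs, and the delegated-replenishment scene earlier sets a €40 cap. The sketch below is an added example, not code from the AP2 specification or from the author: it checks a human-absent cart against a signed Intent Mandate. The field names, the HMAC stand-in for the Credential Provider's asymmetric signature, and the choice to step up rather than decline an over-budget cart are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real Credential Provider would sign with an
# asymmetric, hardware-backed key; HMAC stands in so this runs on the stdlib.
DEMO_KEY = b"constructed-demo-key"

def sign(body: dict, key: bytes = DEMO_KEY) -> str:
    """MAC over a canonical (sorted-key, compact) JSON encoding of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def check_cart(mandate: dict, cart: dict, now: int, revoked: set) -> tuple:
    """Return (decision, reason) for a human-absent cart under an Intent Mandate."""
    body = mandate["body"]
    # 1. Integrity first: never read limits from a body that fails verification.
    if not hmac.compare_digest(sign(body), mandate.get("sig", "")):
        return ("decline", "bad_signature")
    # 2. Revocation and TTL: the user can withdraw authority or let it lapse.
    if body["id"] in revoked:
        return ("decline", "revoked")
    if now >= body["expires_at"]:
        return ("decline", "expired")
    # 3. Policy bounds. Amounts are integer cents to avoid float rounding.
    if cart["currency"] != body["currency"]:
        return ("decline", "currency_mismatch")
    outside = sorted({i["category"] for i in cart["items"]} - set(body["categories"]))
    if outside:
        return ("decline", "category_not_allowed:" + ",".join(outside))
    total = sum(i["unit_cents"] * i["qty"] for i in cart["items"])
    if total > body["max_total_cents"]:
        # Assumed policy: over budget hands control back to the user (step-up).
        return ("step_up", "over_limit")
    return ("approve", "within_mandate")

# Constructed sample; field names are hypothetical, not AP2's schema.
BODY = {"id": "im-001", "currency": "EUR", "max_total_cents": 4000,
        "categories": ["coffee", "detergent", "paper_towels"],
        "expires_at": 1_800_000_000, "human_present": False}
MANDATE = {"body": BODY, "sig": sign(BODY)}
CART = {"currency": "EUR", "items": [
    {"category": "coffee", "unit_cents": 899, "qty": 2},
    {"category": "detergent", "unit_cents": 1150, "qty": 1}]}

if __name__ == "__main__":
    print(check_cart(MANDATE, CART, now=1_760_000_000, revoked=set()))
```

The order of checks matters: a mandate whose limits were edited after signing is rejected before any limit is read, so a raised cap can never be used to approve a cart.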

Bottom line - hello new agentic commerce era!

This is a paradigm shift on the scale of cash to cards. AP2 establishes the evidence and accountability layer for autonomous commerce.

With open code, broad partnerships and multi‑rail coverage, the timing and scale suggest AP2 will set the rulebook for agent‑driven payments. If your Q4 2025 plan doesn’t include a mandate vault, an AP2‑aware gateway and a live pilot, you’re betting conversion and disputes on hope. Your customers’ AI agents most probably won’t wait!

If this resonates, please consider subscribing to “The Next Agenda”. For briefings or board-level discussions, feel free to reach out to me; INED dialogues welcomed where my expertise adds value.

