🤖 Agentic Payments Protocols: The Game

A 5 minute introduction to ACP & AP2

❤️ ❤️ ❤️
0

To give AI agents the ability to make online payments, two (competing) agentic commerce protocols have recently emerged. Your mission: master the protocols.

LEVEL 1

ACP

Agentic Commerce Protocol
Stripe OpenAI
6 missions
LEVEL 2

AP2

Agent Payments Protocol
Google
6 missions

~5 minutes • 12 missions total

Level 1: ACP • Mission 1 of 6

The Three-Party Model

Understanding the separation of concerns in ACP

👤

Buyer

Authorizes payments, owns the customer relationship with the merchant

🤖

AI Agent

Facilitates discovery and checkout orchestration

🏪

Business

Merchant of record, processes payments, fulfills orders

💡 Key architecture decision: The AI Agent never becomes the merchant of record. This preserves existing merchant-customer relationships and ensures chargebacks flow to the actual seller—not the AI platform.

A customer disputes a charge made through an AI agent. Under ACP's model, who handles the chargeback?

A The AI Agent platform (e.g., OpenAI) since they facilitated the transaction
B Stripe, as the payment processor handling the SPT
C The Business, as they remain the merchant of record
Level 1: ACP • Mission 2 of 6

Shared Payment Tokens

The payment primitive enabling secure agent-initiated transactions

Tokenization flow: PAN to SPT

4242 •••• •••• 4242
PaymentMethod (stored with Stripe)
🔐
spt_1RgaZcFPC5QUO...
Shared Payment Token

💡 Why not just use existing tokens? SPTs are specifically designed for delegation. Unlike a standard PaymentMethod token, an SPT can be granted to a third party (the business) by the agent, with explicit usage constraints. The agent never accesses the underlying PAN.

How does an SPT differ from a standard Stripe PaymentMethod token in this architecture?

A SPTs store the full PAN encrypted, while PaymentMethod tokens don't
B SPTs are designed for delegation to third parties with explicit usage constraints
C SPTs bypass PCI-DSS requirements that PaymentMethod tokens must follow
Level 1: ACP • Mission 3 of 6

SPT Guardrails & Constraints

Programmable security boundaries built into every token

Example SPT response object:

{
  "id": "spt_1RgaZcFPC5QUO6ZCDVZuVA8q",
  "object": "shared_payment.granted_token",
  "usage_limits": {
    "currency": "usd",
    "max_amount": 5099,  // $50.99 in cents
    "expires_at": 1751587220  // Unix timestamp
  },
  "deactivated_at": null
}

💰 max_amount

Hard cap on transaction value. Prevents overcharging.

⏱️ expires_at

Unix timestamp expiry. No stale authorizations.

💱 currency

Locked to specific currency.

🚫 Revocation

Agent can deactivate token anytime via API.

📊 Risk Signals

SPTs pass fraud signals to issuer for better authorization rates.

🏪 Seller Details

Scope the SPT to a specific merchant. Only that seller can charge the token.

An SPT is issued with max_amount: 5099 and expires_at set to 24 hours from now. The merchant attempts to charge $75.00 fifteen minutes later. What happens?

A The charge fails—it exceeds max_amount regardless of expiry status
B The charge succeeds since the token hasn't expired yet
C The charge is partially approved for the max_amount value
Level 1: ACP • Mission 4 of 6

The Transaction Flow

Click each step to trace the request lifecycle

👤
User intent
🤖
Agent queries ACP
🔐
SPT issued
🏪
Merchant charges
Confirmation

👆 Click each step to understand the data flow at each stage.

At which point in the ACP flow does the AI agent have visibility into the buyer's actual payment credentials?

A When the SPT is issued—the agent decrypts it to verify authorization
B During checkout confirmation—the agent validates the card
C Never—the agent only handles opaque token references
Level 1: ACP • Mission 5 of 6

Agent Simulation

You're the AI agent. Make the right architectural decisions.

💬 ChatGPT + Instant Checkout
In Progress
👤
I want to buy that vintage ceramic vase from Etsy for $45. Can you handle the purchase?
Level 1: ACP • Mission 6 of 6

ACP Knowledge Check

Test your understanding of ACP architecture

🎉

Level 1 Complete!

You've mastered ACP fundamentals. Now let's explore Google's AP2 protocol—a different approach using cryptographic mandates.

📚 ACP Key Takeaways

  • Merchant of Record: Businesses retain this status
  • SPT Constraints: max_amount, expires_at, currency
  • Zero Credential Exposure: Agents use opaque tokens
Level 2: AP2 • Mission 1 of 6

The Three Mandates

AP2's staged authorization model

📖 Example: Sarah asks her AI agent to "buy me running shoes under $150"

1. Intent Mandate

Sarah's signed request: "Buy running shoes, max $150." Delegates authority within constraints.

2. Cart Mandate

Sarah reviews and signs: "Nike Pegasus, $129, Foot Locker." Locks the specific purchase.

3. Payment Mandate

Signals to payment processor: "agent-initiated, user approved." Full context for the network.

💡 Each mandate is signed: Creates a cryptographic chain showing exactly where authorization existed.

Sarah's agent finds three shoe options from different merchants: Nike ($140), Adidas ($135) and Brooks ($145). The agent presents these to Sarah, and she selects the Brooks shoes. What is Sarah signing when she approves this selection?

A An Intent Mandate—she's expressing her preference
B A Cart Mandate—she's authorizing this specific purchase from this merchant
C A Payment Mandate—she's completing the transaction
Level 2: AP2 • Mission 2 of 6

Verifiable Digital Credentials

The cryptographic primitive that makes mandates tamper-proof

Each mandate is a VDC—a tamper-evident, cryptographically signed object:

{
  "type": "CartMandate",
  "items": [{
    "name": "Nike Pegasus",
    "price": 12900,
    "merchant": "foot_locker_123"
  }],
  "user_signature": "eyJhbGciOiJS...",
  "signed_at": 1751587220
}

💡 Tamper-evident: Signatures are bound to exact values. If anyone modifies "$129" to "$229", verification fails.

A merchant receives a Cart Mandate but modifies the quantity from 1 to 3 before processing. When the user disputes, what happens?

A The merchant's version is accepted since they processed the payment
B The merchant's version won't match the user's signed original—verification fails
C Both versions are considered valid since the mandate ID matches
Level 2: AP2 • Mission 4 of 6

Human-Present vs Human-Not-Present

How the mandate chain handles autonomous agent actions

👤 Human-Present

Agent finds options → User reviews and signs Cart Mandate → Purchase proceeds. The user explicitly approved the specific transaction.

🤖 Human-Not-Present

Agent finds options within Intent Mandate constraints → Purchases autonomously. User accepted risk for actions within their stated constraints.

💡 The Intent Mandate bridges the gap: With autonomous agents, the Intent Mandate serves as authorization—"you may act on my behalf, within these bounds."

An agent autonomously books a $180 hotel when the Intent Mandate specified "under $200." The user disputes, claiming they didn't approve this specific hotel. What's the likely outcome?

A The agent platform is liable—they should have obtained a Cart Mandate
B The user accepted this risk—the agent acted within the signed Intent Mandate constraints
C The hotel is liable—they should have verified user presence
Level 2: AP2 • Mission 5 of 6

Dispute Detective

You're the auditor. Examine the evidence and deliver your verdict.

🔍 Case #7429: The $200 Discrepancy
Investigating
⚖️ Dispute Filed

A user claims they only approved $300 for a laptop purchase, but the merchant charged $500. Both parties are adamant. Your job: examine the cryptographic evidence.

👤 User Claims

$300

"I only approved $300 for the laptop"

🏪 Merchant Claims

$500

"User agreed to $500 including accessories"

📁 Evidence Locker 
{
  "type": "IntentMandate",
  "user_id": "user_8x7k2m",
  "intent": "Purchase laptop",
  "max_amount": 50000,
  "currency": "usd",
  "user_signature": "eyJhbGc...",
  "signed_at": 1751587200
}

✓ Signature verified - max_amount: $500

🔎 Examine all evidence before delivering your verdict.

Case Closed

Level 2: AP2 • Mission 3 of 6

The Four Key Roles

Understanding who does what in the AP2 ecosystem

🛒

Shopper

The end user who initiates purchases through their AI agent and signs mandates to authorize transactions

🏪

Merchant

Sells goods/services, receives mandates from agents, and submits payment requests to processors

🔐

Credentials Provider

Issues and manages Verifiable Digital Credentials (VDCs) that prove identity and authorization

💳

Payment Processor

Validates the mandate chain, processes payments, and maintains the cryptographic audit trail

💡 Separation of concerns: AP2 separates credential issuance from payment processing, allowing specialized providers for each function.

A shopper's AI agent presents a Cart Mandate to a merchant. Before processing, who validates that the mandate's VDC is authentic?

A The merchant verifies directly using the shopper's public key
B The payment processor validates the VDC against the credentials provider
C The AI agent self-certifies the mandate's authenticity
Level 2: AP2 • Mission 6 of 6

AP2 Knowledge Check

Test your understanding of AP2 architecture

Graduated Agent

Training Complete!

You've completed the training

0/100
0
Correct Answers
0
Missions Completed

👾 I hope you liked it! Thanks for playing. -Joris

Built by Joris van Mens and Claude Code