AP2 is Google's open protocol for AI agent payments — announced September 2025 with 60+ collaborating organisations — that adds a cryptographic trust and authorisation layer to agentic commerce using W3C Verifiable Credentials. Where ACP defines the checkout experience and x402 handles execution, AP2 defines the mandate model: what an agent is allowed to buy, signed by the user, verifiable by any party in the chain.
The Problem It Solves
The core challenge in agentic commerce is not technical — it's trust. When an AI agent submits a purchase, three questions arise that current payment systems cannot answer:
- Did the user actually authorise this? (not just "the agent decided to")
- What scope did the user grant? (price limit, category, timing)
- Who is liable if it goes wrong?
AP2 answers all three via Verifiable Digital Credentials (VDCs): tamper-evident, cryptographically signed objects based on the W3C Verifiable Credentials standard. If a mandate is modified after signing, signature verification fails. Every transaction has a non-repudiable audit trail.
The Three Mandates
AP2 packages authorisation context into three credential types:
| Mandate | When issued | What it captures |
|---|---|---|
| Intent Mandate | When user delegates to an agent | What categories and price limits the agent may act within |
| Cart Mandate | When user approves a specific purchase | Exact items, pricing, payment method — immutably signed by user |
| Payment Mandate | At transaction time | Signals agent involvement to acquirers for risk evaluation and liability routing |
This three-layer model supports both human-present flows (user reviews a specific cart before signing a Cart Mandate) and human-not-present flows (agent operates within a pre-signed Intent Mandate with guardrails).
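The human-not-present case is where a verifier has to enforce the guardrails itself. The sketch below is an added example, not code from the AP2 specification or its reference implementation: the field names, key and amounts are hypothetical, and HMAC-SHA256 stands in for the asymmetric signature a real Verifiable Credential would carry. It checks a cart against a pre-signed Intent Mandate and shows that raising the limit after signing invalidates the mandate.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. HMAC-SHA256 is a stand-in: a real Verifiable Credential
# carries an asymmetric signature, so verifiers never hold the signing key.
USER_KEY = b"constructed-demo-key"

def canonical(claims: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()

def sign_mandate(claims: dict, key: bytes) -> dict:
    tag = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "proof": tag}

def check_cart(mandate: dict, cart: dict, key: bytes, now: datetime) -> str:
    """Return "ok" or the reason the cart must be rejected."""
    expected = hmac.new(key, canonical(mandate["claims"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mandate.get("proof", "")):
        return "bad-signature"  # mandate altered after signing
    c = mandate["claims"]
    if now >= datetime.fromisoformat(c["expires"]):
        return "expired"
    if cart["currency"] != c["currency"]:
        return "currency-mismatch"
    if any(item["category"] not in c["categories"] for item in cart["items"]):
        return "category-out-of-scope"
    total = sum(item["price_minor"] * item["qty"] for item in cart["items"])
    return "ok" if total <= c["max_total_minor"] else "over-limit"

# Constructed sample data (hypothetical field names, amounts in minor units).
INTENT = sign_mandate({
    "agent": "shopping-agent-1", "categories": ["books", "stationery"],
    "currency": "EUR", "max_total_minor": 5000,
    "expires": "2026-06-30T00:00:00+00:00",
}, USER_KEY)
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
CART_OK = {"currency": "EUR", "items": [{"category": "books", "price_minor": 1800, "qty": 2}]}
CART_BIG = {"currency": "EUR", "items": [{"category": "books", "price_minor": 1800, "qty": 3}]}
TAMPERED = copy.deepcopy(INTENT)
TAMPERED["claims"]["max_total_minor"] = 500000  # limit raised after signing

if __name__ == "__main__":
    for label, m, cart in [("in scope", INTENT, CART_OK), ("too big", INTENT, CART_BIG),
                           ("tampered", TAMPERED, CART_BIG)]:
        print(label, "->", check_cart(m, cart, USER_KEY, NOW))
```

The signature check runs before any scope field is read, so a tampered limit is never trusted long enough to be compared against the cart total.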
How It Fits with MCP and A2A
AP2 is designed as a composable layer on top of existing agent protocols:
User grants Intent Mandate
│
▼
Agent discovers products (via ACP / MCP tools)
│
▼
Agent presents cart → User signs Cart Mandate
│
▼
Payment submitted with Payment Mandate
│
▼
Acquirer evaluates mandate, routes liability
Implementing AP2 requires agents to already speak MCP and/or A2A — it adds the payment trust layer on top, not underneath.
Ecosystem
AP2 was co-developed with 60+ organisations including:
- Card networks: Mastercard, American Express, JCB, UnionPay International
- Payment processors: Adyen, PayPal, Coinbase
- Enterprise platforms: Salesforce, Intuit, ServiceNow
- Infrastructure: Google Cloud, Mysten Labs
The breadth of card network involvement is notable — Visa, Mastercard, and Amex buying into the mandate model means AP2 could become the liability and authorisation substrate beneath ACP and x402 transactions.
Why Assess, Not Trial
For Assess:
- Significant institutional backing — Google + 60 orgs including every major card network
- Technically well-grounded: W3C VC standard is proven, not invented for this
- Fills a genuine gap: ACP and x402 don't define the authorisation model AP2 provides
- Open source and non-proprietary, with a Google Cloud-hosted reference implementation available
Why not Trial:
- Announced September 2025 — no consumer-facing products running AP2 in production as of March 2026
- Most of the 60 collaborating organisations are contributing to the spec or evaluating, not deploying
- Governance model is less mature than AAIF-governed ACP (no Linux Foundation stewardship)
- Regulatory and liability frameworks for agent mandates are still undefined in most jurisdictions
Key Characteristics
| Property | Value |
|---|---|
| Announced | September 2025 |
| Author | Google Cloud |
| Collaborators | 60+ organisations (Adyen, Amex, Mastercard, PayPal, Salesforce, Coinbase…) |
| Credential standard | W3C Verifiable Credentials |
| Website | ap2-protocol.org |
| GitHub | ap2-protocol |
| Blog | Google Cloud AP2 announcement |
| Related | ACP, x402, A2A, MCP |