AP2Governed by Google·Version 1.0

Agent Payments Protocol (AP2): Cryptographic Trust for Agentic Transactions

AP2 is Google's cryptographic mandate framework for agentic commerce. Intent and Cart mandates — signed with W3C Verifiable Credentials — give AI agents provable authority to purchase on behalf of users and create the non-repudiation audit trail enterprise procurement, legal compliance, and financial governance require. AP2 is the trust layer that makes AI spending legally defensible.

Protocol Overview

What is AP2?

Agent Payments Protocol (AP2) is Google's mandate framework for establishing cryptographically verifiable trust in AI-mediated transactions. Where UCP handles discovery and ACP handles checkout execution, AP2 answers the hardest question in agentic commerce: how do we prove an AI agent was authorized to make that purchase? AP2 answers with signed Verifiable Credentials that create a tamper-evident chain of authorization from user to agent to transaction.

AP2 operates through two types of cryptographic mandates. An Intent Mandate is a broad, category-scoped authorization — “this agent may purchase SaaS software under $200/month on my behalf.” An Intent Mandate covers an entire shopping session or time period, allowing the agent to browse, compare, and negotiate without requiring per-product approvals. A Cart Mandate is a transaction-specific authorization — it includes a cryptographic hash of the exact cart contents, binding the user's authorization to a specific set of items, prices, and a merchant. If any element of the cart changes, the hash verification fails and the transaction is blocked.

Both mandate types are issued as W3C Verifiable Credentials (VCs) — the global standard for machine-verifiable digital credentials. AP2 supports JWT VC format for REST-compatible systems and LDP VC (Linked Data Proof) format for semantic interoperability. AP2 also integrates with the x402 crypto payment protocol, which extends the HTTP 402 status code into a machine-to-machine payment rail for crypto and CBDC payments — enabling AI agents to pay for API access and digital goods in stablecoin without traditional payment processors.

Authorization Framework

AP2 Mandate Types

Two levels of cryptographic authorization — one for discovery sessions, one for specific transactions. Both produce Verifiable Credential artifacts.

Intent Mandate

Browsing Authorization

An Intent Mandate grants an AI agent permission to browse, compare, and research purchases within a defined category — without committing to any specific transaction. The user defines category constraints ("SaaS tools"), spend limits ($200/month), and a validity window. The agent presents this mandate when fetching product information and pricing from merchants, proving it has legitimate browse authority without requiring per-product user confirmation.

Scope

Category-level

Validity

Up to 24 hours

Use Case

Shopping research and discovery sessions

When issued

When a user starts a shopping session: "Find me the best project management tool under $100/month." The Intent Mandate covers the entire session.

VC credential claims

  • Agent DID (identity of the authorized agent)
  • Purchase category constraints
  • Maximum spend per transaction
  • Validity window (start/expiry)
  • Issuer signature (user or IDP)

Cart Mandate

Transaction Authorization

A Cart Mandate is a cryptographically bound authorization for one specific transaction. It includes a SHA-256 hash of the cart contents — every item, quantity, price, and merchant — making it tamper-evident. If anything in the cart changes between mandate issuance and checkout (price update, inventory change, item modification), the hash verification fails and the transaction is rejected. Cart Mandates are the gold standard for enterprise purchase compliance because they create a document trail binding user intent to the exact transaction executed.

Scope

Transaction-specific

Validity

Up to 30 minutes

Use Case

Specific purchase execution

When issued

When the agent has selected specific items and is ready to proceed to checkout: cart is defined, price is confirmed, merchant is known.

VC credential claims

  • Agent DID (authorized agent identity)
  • Cart hash (SHA-256 of items + prices + merchant)
  • Exact authorized amount
  • Merchant identifier
  • Payment rail (stripe_spt, x402, etc.)
  • Short-lived expiry (anti-replay)
Specification

AP2 Mandates Discovery File

The /.well-known/ap2/mandates.json discovery document declares your mandate infrastructure. Agents and enterprise procurement systems fetch this to understand your AP2 capabilities before requesting authorization.

{
  // AP2 protocol version
  "ap2_version": "1.0",

  // Mandate endpoints — where agents go to get authorization
  "mandate_endpoints": {
    "intent_mandate": "/api/ap2/mandates/intent",   // broad category authorization
    "cart_mandate": "/api/ap2/mandates/cart",        // specific transaction authorization
    "revoke": "/api/ap2/mandates/revoke",            // mandate revocation
    "verify": "/api/ap2/mandates/verify"             // third-party mandate verification
  },

  // Credential formats supported
  "credential_formats": ["JWT_VC", "LDP_VC"],

  // Signing key discovery
  "issuer_did": "did:web:www.acmecommerce.com",
  "jwks_uri": "https://www.acmecommerce.com/.well-known/jwks.json",

  // Supported payment rails for AP2-authorized transactions
  "payment_rails": ["stripe_spt", "x402", "credit_card"],

  // Intent Mandate policy defaults
  "intent_mandate_defaults": {
    "max_validity_hours": 24,
    "max_spend_per_mandate": {
      "amount": "500",
      "currency": "USD"
    },
    "allowed_categories": ["software", "professional_services", "digital_goods"]
  },

  // Cart Mandate policy
  "cart_mandate_policy": {
    "hash_algorithm": "SHA-256",
    "max_validity_minutes": 30,     // cart mandates expire quickly to prevent replay
    "require_price_lock": true       // price must match exactly at checkout
  },

  // Audit trail configuration
  "audit": {
    "log_all_verifications": true,
    "retention_days": 2555,          // 7 years for enterprise compliance
    "export_endpoint": "/api/ap2/audit/export"
  }
}
Credential Infrastructure

Verifiable Credentials in AP2

AP2 mandates are issued as W3C Verifiable Credentials. Below is a real Cart Mandate JWT VC showing the complete credential structure — header, payload, and proof.

// Example: JWT VC for a Cart Mandate
{
  // Standard JWT header
  "alg": "ES256",
  "typ": "JWT",
  "kid": "did:web:merchant.com#key-1"
}
// JWT payload (decoded):
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://ap2.google.com/credentials/v1"
  ],
  "type": ["VerifiableCredential", "AP2CartMandate"],
  "id": "urn:uuid:f47ac10b-58cc-4372-a567-0e02b2c3d479",
  "issuer": "did:web:merchant.com",
  "issuanceDate": "2026-02-15T14:30:00Z",
  "expirationDate": "2026-02-15T15:00:00Z",  // 30-min window
  "credentialSubject": {
    "id": "did:key:z6MkrCD...AgentDID",      // the agent being authorized
    "mandateType": "cart",
    "authorizedBy": "did:key:z6MkpTU...UserDID",
    "merchant": "acme-commerce",
    "cartHash": "sha256:e3b0c44298fc1c...",   // tamper-evident cart binding
    "authorizedAmount": {
      "amount": "149.99",
      "currency": "USD"
    },
    "paymentRail": "stripe_spt",
    "nonce": "abc123xyz"                      // replay attack prevention
  },
  "proof": {
    "type": "JsonWebSignature2020",
    "created": "2026-02-15T14:30:00Z",
    "verificationMethod": "did:web:merchant.com#key-1",
    "proofPurpose": "assertionMethod",
    "jws": "eyJhbGciOiJFUzI1NiJ9...signature"
  }
}

JWT VC

JSON Web Token format. Best for REST APIs, Stripe integrations, and systems already using JWT-based auth. Compact, widely supported, easy to decode with standard JWT libraries.

alg: ES256 | RS256
typ: JWT
standard VC claims

LDP VC

Linked Data Proof format. Best for semantic web interoperability, enterprise DID-based identity systems, and cross-organization credential exchange. Supports Ed25519Signature2020 and BBS+ for selective disclosure.

proof.type: Ed25519Signature2020
@context: w3c/credentials/v1
JSON-LD expanded format
Enterprise Value

Why Enterprises Need AP2

UCP and ACP make AI commerce possible. AP2 makes it compliant.

Procurement Compliance

Enterprise procurement policies require documented authorization for every purchase. AP2 Intent and Cart Mandates serve as the machine-readable equivalent of a purchase order — signed by an authorized principal, scoped to a specific category or transaction, and verifiable by auditors without human attestation.

Legal Defensibility

When an AI agent makes a purchase, the question "who authorized this?" must have a cryptographically verifiable answer. AP2 Verifiable Credentials provide that answer: the VC proves which user authorized which agent to purchase what, signed with a key traceable to the user's identity. Courts and regulators accept cryptographic signatures as proof of authorization.

Non-Repudiation Audit Trails

AP2 mandates that every mandate issuance, presentation, and verification be logged with timestamp, agent identity, and cryptographic proof. The resulting audit trail is non-repudiable: neither the buyer's agent nor the merchant can claim a transaction did not occur or that different terms were agreed to. For financial close, SOX compliance, and dispute resolution, this trail is essential.

Spend Control and Delegation Governance

Enterprises grant employees spending authority within defined limits. AP2 extends this model to AI agents: finance controllers issue Intent Mandates with category and amount constraints, employees cannot exceed their delegated budget, and every agent purchase is traced to the authorizing human. AP2 makes AI agent spending auditable under the same governance framework as corporate cards.

Implementation Guide

How to Implement AP2 Mandates

Five steps to full cryptographic trust infrastructure — from discovery file to non-repudiation audit trail.

  1. Publish the AP2 mandates endpoint at /.well-known/ap2/mandates.json

    Create /.well-known/ap2/mandates.json on your server. This discovery file declares your AP2 version, your mandate endpoint URLs, supported credential formats (JWT VC and/or LDP VC), and supported payment rails (card, x402). Serve it publicly with Content-Type: application/json. AI agents and enterprise procurement systems fetch this file to understand what authorization infrastructure you support before issuing mandates.

  2. Implement Intent Mandate issuance and verification

    Build the Intent Mandate API endpoint. When an AI agent or enterprise system requests browsing-level authorization, issue a signed Intent Mandate VC containing: the authorized agent DID, purchase category constraints, spend limits, validity window, and issuer signature. Store a mandate ID and hash for audit trail purposes. On the receiving side — when agents present mandates — verify the VC signature, check expiry, confirm the category constraint matches the requested purchase, and log the verification event.

  3. Implement Cart Mandate binding to specific transactions

    Build the Cart Mandate API endpoint. Cart Mandates bind authorization to a specific cart: hash the cart contents (item IDs, quantities, prices, merchant ID), include that hash in the VC claims, and sign the credential. When an agent presents a Cart Mandate at checkout, recompute the cart hash and verify it matches the mandate claim. Any cart modification — price change, quantity change, item swap — invalidates the mandate and requires re-issuance. This tamper-evidence is the foundation of non-repudiable transaction records.

  4. Integrate Verifiable Credential issuance (JWT VC and LDP VC)

    Choose your VC format based on your tech stack. JWT VC: issue standard JWTs with W3C VC claims using your signing key (RS256 or ES256). Include standard fields: @context, type, issuer, credentialSubject, expirationDate. Sign with your private key and return the signed token. LDP VC: issue JSON-LD credentials with a linked data proof (Ed25519Signature2020 or similar). For enterprise deployments, support both formats. Publish your public key at a DID document or JWKS endpoint so verifiers can validate signatures.

  5. Build the non-repudiation audit trail

    Every mandate issuance, presentation, verification, and checkout must be logged to an immutable audit store. Minimum fields: mandate_id, type (intent/cart), agent_did, user_id, timestamp_utc, action (issued/verified/used/revoked), transaction_id if used at checkout, cart_hash if cart mandate, outcome (success/failure/tampered). For enterprise compliance, write these logs to an append-only store (cloud audit log, blockchain anchor, or WORM storage). The audit trail is the legal record that proves what the AI agent was authorized to do and what it actually did.

FAQ

AP2 Questions Answered

What is Agent Payments Protocol (AP2)?

Agent Payments Protocol (AP2) is Google's cryptographic mandate framework for agentic commerce transactions. It defines how users issue verifiable authorization mandates to AI agents — signed with W3C Verifiable Credentials — giving those agents cryptographically provable authority to purchase on their behalf. AP2 creates the non-repudiation audit trail that enterprise procurement, legal compliance, and financial governance require for AI-mediated spending.

What is the difference between an AP2 Intent Mandate and a Cart Mandate?

An Intent Mandate is a broad authorization: it grants an AI agent permission to purchase within a defined category (e.g., "SaaS tools under $200/month") without specifying the exact product. It is issued during a browsing or discovery session before the agent has identified a specific item. A Cart Mandate is a narrow, transaction-specific authorization: it is bound to a specific cart — defined items, exact price, specific merchant — and authorizes only that precise transaction. Both are signed Verifiable Credentials; Cart Mandates include a cryptographic hash of the cart contents for tamper-evidence.

What are Verifiable Credentials in the AP2 context?

In AP2, Verifiable Credentials (VCs) are W3C-standard signed digital documents that prove an AI agent has authorization to transact. Google's AP2 implementation supports two VC formats: JWT VC (JSON Web Token Verifiable Credential) for REST-compatible systems, and LDP VC (Linked Data Proof Verifiable Credential) for semantic interoperability. The credential is signed by the user's identity provider (or directly by the user's key) and includes claims about who authorized the agent, what they can purchase, and for how much.

What is the x402 payment protocol?

x402 is a crypto-native payment protocol that extends the HTTP 402 "Payment Required" status code into a machine-to-machine payment standard. In the AP2 context, x402 enables AI agents to pay for API access, digital content, and micro-transactions in stablecoin or CBDC without Stripe or traditional payment rails. The agent sends an x402 payment proof in the Authorization header; the server verifies the on-chain transaction before serving the resource. AP2 mandates can authorize x402 payments the same way they authorize card transactions.

Why do enterprises need AP2 beyond UCP and ACP?

UCP and ACP handle discovery and checkout — they make transactions possible. AP2 makes transactions legally defensible. Enterprise procurement requires: (1) documented proof that a human authorized each AI purchase category, (2) an immutable audit trail showing exactly what the agent bought and when, (3) cryptographic non-repudiation so neither the buyer nor the merchant can deny the transaction terms. AP2 mandates and VCs provide all three. Without AP2, AI agent purchases exist in a legal gray zone that procurement compliance, auditors, and finance controllers cannot accept.

AP2 Trust Layer

Build Cryptographic Trust for Your Agentic Transactions

Adam Silva Consulting implements the complete AP2 trust layer — mandate APIs, Verifiable Credential issuance, x402 payment integration, and enterprise audit trail infrastructure. Built alongside UCP discovery and ACP checkout for the complete agentic commerce stack.

Implement AP2 Trust LayerExplore Full Protocol Stack