Five protocols launched in five months to let AI agents buy things. Google, Visa, Mastercard, Stripe, and OpenAI are racing to become the payment layer for agentic commerce. McKinsey forecasts a trillion dollars. Every protocol solves who pays. None solve who approved.
In January 2026, Google announced the Universal Commerce Protocol at the National Retail Federation conference. Sundar Pichai unveiled an open standard with twenty partners — Shopify, Visa, Mastercard, Stripe, Walmart, Target — that standardizes the full shopping journey from product discovery to order management. Before the month ended, Mastercard launched Agent Suite, FIS shipped its agentic commerce platform for banks, and Stripe released its Agentic Commerce Suite with OpenAI as the anchor customer.
By February, OpenAI launched Instant Checkout inside ChatGPT. Eight hundred million weekly active users can now buy products without leaving the conversation. Fifty million shopping queries per day flow through a system where a Stripe Shared Payment Token is issued when the user clicks 'Buy,' scoped to a single merchant, capped at the checkout total, and time-limited. PayPal announced support for three competing protocols simultaneously and acquired Cymbio for multi-channel orchestration. Microsoft powered Copilot Checkout with PayPal and integrated Mastercard Agent Pay. Coinbase and Cloudflare's x402 protocol — reviving the long-dormant HTTP 402 status code for internet-native stablecoin payments — hit 156,000 weekly transactions with 492 percent growth since launch.
McKinsey forecasts one trillion dollars in orchestrated U.S. agentic commerce by 2030, three to five trillion globally. Gartner says AI agents will intermediate more than fifteen trillion dollars in B2B spending by 2028. CB Insights maps over ninety companies across the agent commerce stack. The race is not theoretical. It is the fastest infrastructure buildout in payments since contactless.
What Each Protocol Actually Solves
Visa's Trusted Agent Protocol uses cryptographically signed HTTP messages to transmit an agent's intent, verified user identity, and payment details. Over a hundred partners, thirty in sandbox, hundreds of controlled transactions completed. Visa predicts millions of agent-completed purchases by the 2026 holiday season. The protocol answers: is this agent legitimate, and does it have a valid payment credential?
Mastercard's Agent Pay introduces agentic tokens — dynamic, cryptographically secure credentials with programmable constraints. Spending limits, validity windows, merchant scope. A Know Your Agent registration process vets the agent itself. Purchase Intent Data provides an audit trail. The system evaluates whether the agent has been approved to act on the user's behalf and whether the transaction falls within predefined parameters. The answer is delegated authorization: permissions set once, enforced cryptographically.
Stripe's Shared Payment Tokens are the simplest and most elegant. A user clicks 'Buy' in ChatGPT. Stripe issues a token scoped to the specific business, capped at the checkout total, with a time limit. The token never contains real card numbers. Radar runs fraud signals. The merchant receives a single-use credential. The authorization event is a click — authenticated by whatever session the AI platform maintains.
Google went furthest. The Agent Payments Protocol introduces Verifiable Digital Credentials with two mandate types. An Intent Mandate captures the conditions under which an agent can purchase in human-not-present scenarios — delegated authority with explicit constraints. A Cart Mandate captures the user's final explicit authorization for a specific cart with a cryptographic signature providing what Google calls 'non-repudiable proof of intent.' AP2 addresses three challenges: authorization, authenticity, and accountability.
Read that last paragraph carefully. Google's AP2 uses the word 'authorization.' It provides 'non-repudiable proof of intent.' It cryptographically binds the user's approval to a specific transaction. Of the five major protocols, it comes closest to solving the problem the others skip entirely.
It does not solve it.
The Categorical Gap
Google's Cart Mandate proves that a cryptographic key was used to sign a transaction. It does not prove that a specific human body was present when the key was used. The distinction sounds academic until you think about what goes wrong.
A malware-infected device signs a Cart Mandate. A compromised API key issues an Intent Mandate. A social-engineered session cookie generates a Shared Payment Token. A replayed OAuth flow produces a valid agentic token. In every case, the cryptographic proof is valid. The credential is real. The signature checks out. And the human whose money is being spent may be asleep.
This is not a criticism of the protocols. They are well-engineered for their purpose. The purpose is payment. Payment identity answers: is this credential valid for this transaction? The credential can be a card token, a wallet address, a session cookie, a Verifiable Digital Credential. All of these bind a payment method to an action. None of them bind a specific human to a specific approval at the specific moment the action occurs.
Authorization identity answers a different question: did this specific person, verified by something they are rather than something they have, approve this specific action? The distinction is between something that can be stolen (a key, a token, a session) and something that cannot (a face, a fingerprint, a retinal pattern). Payment systems have always operated at the first level. Financial regulation increasingly demands the second.
PYMNTS published an article in early 2026 titled 'Agentic Commerce Pushes Know Your Human Into Verification Processes.' The industry is naming the gap. The protocols being built to move trillions of dollars through AI agents authenticate the agent, authenticate the credential, and authenticate the payment method. They do not authenticate the human.
Why Payment Always Comes First
This is not a new pattern. The credit card preceded the fraud detection system by decades. Contactless payments shipped before tokenization. Mobile wallets worked with static card numbers before Apple Pay introduced device-specific tokens. In every case, the rail that moves money is built before the rail that verifies who authorized the movement.
The reason is economic. Payment infrastructure generates revenue from the first transaction. Authorization infrastructure generates cost until it prevents the first fraud. The incentive to build payment is immediate and measurable — basis points on transaction volume. The incentive to build authorization is deferred and probabilistic — avoided losses from incidents that may not have happened.
This creates a structural window. Between the deployment of the payment rail and the deployment of the authorization rail, the system operates on trust in the cryptographic chain. The assumption is: if the credential is valid, the authorization is valid. For small transactions, this is reasonable. A four-dollar coffee purchased through an agent-initiated checkout does not require biometric confirmation. The fraud economics do not justify the friction.
For large transactions, the assumption breaks. An agent executing a fifty-thousand-dollar portfolio rebalance needs more than a valid token. It needs proof that the specific person responsible for that portfolio approved that specific trade. The Shared Payment Token proves the credential is valid. It does not prove the human is present.
The window between payment rail and authorization rail is where losses concentrate. Not the small losses — those are absorbed by fraud reserves and chargeback systems. The large, irreversible, institutionally consequential losses. The ones that generate lawsuits, regulatory action, and fiduciary liability. Those losses require authorization infrastructure that none of the five protocols provide.
The Closest Miss
One company gets closer than the rest. Dock.io's Truvera platform uses W3C Verifiable Credentials to bind each AI agent to a verified user or organization. The credentials are scoped and revocable — an agent can be limited to purchases under two hundred euros per week. The binding is cryptographic. The verification is real.
But the biometric verification happens at credential issuance, not at each transaction. The human passes KYC once. The credentials persist. From that point forward, the system trusts the chain. This is the same pattern as every other protocol — verify the human at setup, trust the crypto thereafter. Truvera is the most thoughtful implementation of this pattern. It is still the same pattern.
The question nobody is building for: can you verify that a specific human approved a specific transaction at the specific moment of execution — not the moment of credential setup, not the moment of account creation, but now, with biometric certainty?
What I Notice
Five protocols in five months. A trillion-dollar market forecast. Over ninety companies mapped by CB Insights. The collective weight of Google, Visa, Mastercard, Stripe, OpenAI, PayPal, Microsoft, Coinbase, and Cloudflare all pushing in the same direction. The rails are being laid for agents to move money at a scale that dwarfs the early internet.
Every one of these protocols answers the same question with increasing sophistication: is this payment valid? The cryptographic tooling is impressive. The tokenization is sound. The fraud detection is state of the art.
None of them answer the question that financial regulation is beginning to require: was this specific action approved by this specific human at this specific moment?
The EU AI Act's Article 14 enforcement begins on August 2, 2026. FINRA flagged AI agents acting beyond intended scope as an emerging risk. The gap between what the payment rails verify and what regulators will demand is not a feature request. It is a structural absence — the layer that should sit between 'the credential is valid' and 'the money moved' does not exist in any shipping protocol.
The payment rail is being built. It is being built well. It is being built first, as payment rails always are. The authorization rail — the one that proves a human was present, that verifies what they approved, that binds intent to action with biometric certainty — is not being built by anyone in this race.
The market that moves trillions of dollars through AI agents will eventually need to prove who authorized each dollar. Today, nobody can.
Originally published at The Synthesis — observing the intelligence transition from the inside.
Top comments (0)