For most of the web's history, a payment assumed a human was present. Someone typed a card number, passed a fraud check, tapped to confirm. In 2026 that assumption is breaking. AI agents are beginning to complete purchases on a shopper's behalf, inside ChatGPT, Gemini, Copilot and beyond, and a quiet contest over the plumbing has begun. The phrase you will hear most is agentic commerce protocol, and three sets of letters keep recurring: ACP, AP2 and a growing roster of card-network frameworks from Mastercard, Visa and PayPal. The temptation is to read these as rival standards fighting for one prize. That framing is wrong, and getting it wrong makes the whole landscape harder to follow. The protocols mostly sit at different layers of the same stack. This guide walks through each one factually, names the players neutrally, and ends with the part that matters for brands.
Why agentic commerce needs new protocols at all
The existing card rails were designed around a person at a checkout. They lean on signals like a present cardholder, a one-time CVV, a 3-D Secure challenge, and the assumption that whoever is paying is the same entity that owns the card. An autonomous agent breaks every one of those assumptions. If an AI assistant holds your card details and spends on your behalf, the network has no clean way to tell an authorised agent from a compromised one, no standard way to know the human actually approved this specific cart, and no agreed method to apportion blame if a purchase goes wrong. Those three gaps, often summarised as authorisation, authenticity and accountability, are exactly what the new protocols try to close. To understand why this is suddenly urgent rather than theoretical, it helps to be clear on what agentic AI is and how it differs from a chatbot that only answers questions. An agent does not just describe a product; it can act, and acting on a payment network without new guardrails is something the networks will not allow at scale.
ACP: the OpenAI and Stripe checkout standard
The Agentic Commerce Protocol (ACP) is an open standard co-developed by OpenAI and Stripe, launched on 29 September 2025 alongside ChatGPT's Instant Checkout feature (Stripe newsroom). Both companies are listed as founding maintainers, the specification is published in beta on GitHub, and they have stated an intent to move it toward neutral, foundation-style stewardship over time. ACP defines the merchant checkout layer: a set of REST endpoints that let an AI surface create, update, complete and cancel a checkout session against a merchant's commerce backend. Its most novel piece is the Shared Payment Token, a payment primitive Stripe issues so that an app like ChatGPT can initiate a charge without ever handling raw card credentials, scoped to a specific merchant and a specific cart total (Stripe blog). It launched with Etsy's US sellers on day one and a small set of Shopify brands including Glossier, Vuori and SKIMS, with PayPal joining as a payment provider on 28 October 2025. The honest caveat is that early adoption was thin, only a handful of merchants shipped against the first release, though the specification has since expanded to cover carts, product feeds, orders and authentication. If you sell through ChatGPT, this is the layer behind the buy button, and it connects directly to the ChatGPT shopping experience brands have been watching since early 2026.
AP2: Google's authorisation layer
Google's Agent Payments Protocol (AP2) was announced on 16 September 2025 with more than sixty launch partners, including Mastercard, PayPal, American Express, Adyen, Coinbase, Worldpay, Revolut and Intuit (Google Cloud blog). Where ACP handles the checkout, AP2 operates one layer up, at trust and authorisation. It is an extension of Google's Agent2Agent (A2A) protocol and the Model Context Protocol, and it is deliberately payment-agnostic, working across cards, real-time bank transfers and stablecoins. Its core idea is the Mandate, a cryptographically signed record built on W3C Verifiable Credentials that proves a human authorised an action. There are two kinds. An Intent Mandate captures a request and can pre-authorise a purchase when the human is not present, scoped to a seller, a category, a price ceiling and a time window. A Cart Mandate is a signed approval of an exact cart before money moves (AP2 specification). Together they create a tamper-evident trail answering who approved what, which is the accountability problem the card networks care about most. The specification is open on GitHub and Google describes it as aligned with the FIDO Alliance for verifiable credentials.
UCP and the Shopify catalogue layer
There is a third protocol most merchants will actually meet, and it sits at yet another layer: the catalogue. The Universal Commerce Protocol (UCP), co-developed by Shopify and Google, launched at the NRF retail conference on 11 January 2026 with endorsement from more than twenty partners including Walmart, Target, Etsy, Stripe, Visa, Mastercard and American Express (Shopify). Its job is to make a merchant's product catalogue legible and purchasable across many AI surfaces at once, rather than integrating each one by hand. Shopify built on this with Agentic Storefronts, which syndicate a merchant's catalogue into ChatGPT, Copilot, Gemini, Meta and Perplexity with order-referral attribution and, in Shopify's words, no additional transaction fees beyond standard processing. Google followed with a Universal Cart spanning Search, Gemini, YouTube and Gmail. For the large share of brands running on Shopify, UCP is likely the layer they touch first, because the platform abstracts the checkout and rail details underneath. This is also where the upstream question gets sharp: before any cart exists, the agent has to choose your product, which is governed less by protocol and more by how AI shopping agents choose products.
The payment-rail race: Mastercard Agent Pay and Visa Intelligent Commerce
Underneath checkout and authorisation sits the rail itself, the layer where a credential becomes money, and here the card networks have moved in parallel. Mastercard announced Agent Pay on 29 April 2025, built around Agentic Tokens that extend its existing tokenisation system to bind a tokenised credential to a specific agent, a merchant scope and a consent policy (Mastercard). Visa followed with Intelligent Commerce, which issues scoped, tokenised credentials to agents and supports machine-initiated authorisation, with integrations spanning OpenAI, Anthropic and Microsoft, later consolidated into a single merchant integration called Intelligent Commerce Connect (TechInformed). The networks are also linking up rather than purely competing: PayPal expanded its Mastercard partnership in late October 2025 to pilot Agent Pay's acceptance framework, which is designed to interoperate with AP2. For merchants the practical reality is about payment service providers. As of early 2026, Stripe, Adyen and Checkout.com support both networks' agent frameworks, while smaller PSPs often support only one. There is also a settlement layer for pure machine-to-machine payments, the x402 standard, that fills in where card credentials are not the right tool.
Want to see this in action?
See how every major AI model talks about your brand. Free to start.
How the protocols fit together (not rivals)
The single most useful thing to internalise is that ACP, AP2, UCP and the card frameworks largely stack rather than collide. AP2 establishes that a human authorised the action; ACP and UCP carry out the merchant-side checkout; Mastercard and Visa supply the scoped credential that the rail will accept; x402 handles agent-to-agent settlement at the edges. A single purchase can touch several of these at once, which is why the analyst framing of a layered stack is more accurate than a winner-take-all race (Orium). The table below maps the main pieces by who backs them, which layer they occupy, when they arrived and the primitive that defines each.
| Protocol | Backer | Layer | Launched | Key primitive |
|---|---|---|---|---|
| ACP | OpenAI, Stripe | Checkout | Sep 2025 | Shared Payment Token |
| AP2 | Google (60+ partners) | Authorisation | Sep 2025 | Signed Mandates |
| UCP | Shopify, Google | Catalogue | Jan 2026 | Syndicated catalogue feed |
| Mastercard Agent Pay | Mastercard | Payment rail | Apr 2025 | Agentic Tokens |
| Visa Intelligent Commerce | Visa | Payment rail | May 2025 | Scoped agent credentials |
| x402 | Open (A2A extension) | Settlement | 2025 | Machine-to-machine payment |
What merchants and brands need to know
The reassuring news is that you almost certainly do not have to pick one protocol and bet the business on it. Your payment service provider and your commerce platform abstract most of this away; a Shopify merchant on Stripe inherits coverage of multiple frameworks without writing protocol code. The work that does land on merchants is real but bounded: keep a clean, structured, machine-readable product catalogue with accurate price, availability and policy data, make sure your PSP supports the agent frameworks your customers' AI surfaces use, and understand the consent and refund flows so a disputed agent purchase does not become a support nightmare. Sizing the opportunity remains genuinely uncertain. eMarketer projects AI platforms will reach roughly 1.5% of US retail ecommerce in 2026, about $20.6 billion and roughly four times 2025 (eMarketer), while 2030 forecasts range from Morgan Stanley's $190 billion to McKinsey's multi-trillion estimates, a spread wide enough that honesty means admitting nobody knows the size yet. For the broader context of where this fits, our explainer on what agentic commerce is covers the demand side these protocols are built to serve.
The upstream question the protocols don't answer
All of this machinery decides how a purchase completes. None of it decides which brand the agent chose in the first place. By the time a Shared Payment Token is issued or a Cart Mandate is signed, the selection has already happened, upstream, when the agent decided your product was the one worth buying. That decision turns on the same signals that govern AI recommendations more broadly: whether your brand is named in the sources these models trust, whether your product data is clean and consistent, and whether third-party reviews and listings reinforce the same story. The protocols are settling the checkout question quickly. The selection question is the older, harder one, and it is upstream of every rail and every mandate. It is also the part you can only manage by measuring it: seeing where agents surface your brand, where they pick a competitor, and why. Being recommended by AI, and increasingly being bought by AI agents, is not something you can set and forget. It is something you have to watch to improve.
The bottom line
The agentic commerce protocol landscape looks crowded because several layers launched at once, but the shape is coherent. AP2 handles trust, ACP and UCP handle checkout, Mastercard and Visa handle the rail, and x402 handles the edges. Most merchants will meet this stack through their existing platform and PSP rather than by integrating standards directly, so the engineering burden is lighter than the headlines suggest. The standards are still in beta, partnerships are still forming, and some details, including how specific surfaces evolve, will keep shifting through 2026. What will not shift is the underlying move: payments are being rebuilt so that software, not just people, can complete them safely. The brands that benefit will be the ones whose products are easy for an agent to find, trust and select, long before any token is issued.
