AI Deep Dive

Agentic Payments, Explained: How AI Agents Are Learning to Spend Money

AI agents can already write code, browse, and run tools. The next thing they are learning to do is pay. This is a builder's map of agentic payments: the protocols, the companies, the trust layer that keeps an agent from draining your account, and the problems still unsolved.

Illustration of an AI agent holding a payment card inside a policy guardrail ring, connected to bank, card-network, and API nodes
Agentic payments in one picture: an agent that can spend, wrapped in a layer that decides whether it may.

Get the latest on AI, LLMs & developer tools

New MCP servers, model updates, and guides like this one — delivered weekly.

What Agentic Payments Means

Agentic payments are transactions an autonomous AI agent initiates and executes on behalf of a person or business, inside rules the user set in advance. The agent decides when to pay; a trust layer decides whether it may pay this payee, this amount, with this authorization, and records that it happened.

That second half is the whole story. Letting an agent spend is not hard to build. The hard part is the same one a CFO would ask about a new employee with a company card: who approved this, what are the limits, and can we prove what happened? Ghali Bennani Laafiret, co-founder of the agentic-payments startup Ralio, frames the core issue as trust rather than plumbing: how do you trust a non-deterministic system to run actions inside your accounts?

At a glance
  • Agentic commerce is projected to grow from roughly $8B in 2026 to about $1.5 trillion by 2030 (Juniper Research projection, as of 2026).
  • Four overlapping protocols matter: AP2 (authorization), ACP (checkout), x402 and MPP (machine-to-machine payments).
  • Every major network shipped something in 2025–2026: Visa, Mastercard, Stripe, PayPal, Google, OpenAI, Amazon, Coinbase.
  • The differentiated lane for startups is the trust layer: identity, spend limits, allowlists, and audit for business payments.

Why This Is Happening Now

Two curves crossed. Agents got good enough to take multi-step actions reliably, and the payments industry decided the market was too large to cede. Juniper Research projects agentic commerce will grow from around $8 billion in 2026 to roughly $1.5 trillion by 2030, and McKinsey has estimated AI agents could orchestrate up to $1 trillion in U.S. business-to-consumer retail alone. Those are projections, not facts, but they explain why Visa, Mastercard, Stripe, and Google all moved within months of each other.

For developers, the practical signal is simpler: the tools your agents already use are starting to charge per call. An agent that spins up a browser, calls a paid API, or buys compute now has a reason to hold spending authority. That is the bridge from “agents that read” to “agents that transact.”

How an Agent Actually Pays

Strip away the branding and almost every approach follows the same five steps. This is the mental model worth memorizing, because each vendor is really just implementing one or two of these steps well.

  1. Intent. The agent forms a goal: “renew this subscription,” “pay this invoice,” “buy these running shoes under $120.”
  2. Authorization. That intent is tied to proof the user allowed it. In Google's AP2 this is a signed Intent Mandate; for delegated tasks the user signs upfront with rules, and the agent later generates a Cart Mandate when conditions are met.
  3. Policy check. A trust layer verifies the agent's identity and checks the payment against limits, allowed payees, and approval thresholds.
  4. Execution. The payment runs on a rail: a card network, a real-time bank transfer, or a stablecoin transaction over HTTP.
  5. Audit. An immutable record ties the payment back to the agent, the prompt, and the policy that allowed it. AP2 calls this a non-repudiable audit trail.

AP2's design names the three questions this flow has to answer: authorization (did the user grant this specific authority?), authenticity (does the request reflect the user's true intent?), and accountability (who is responsible if it goes wrong?). Keep those three words; they are the rubric for judging any agentic-payments product.

The Protocol Landscape: AP2, ACP, x402, MPP

There is a quiet standards race underneath the headlines. The four protocols below are not strictly competitors; they tend to stack. AP2 handles authorization, ACP handles merchant checkout, and x402 and MPP move money between machines. A real product often uses more than one.

ProtocolBacked byWhat it standardizesRailsStatus
AP2 (Agent Payments Protocol)Google + 60 launch partnersAuthorization, via cryptographically signed Intent, Cart, and Payment Mandates. Built on A2A and MCP.Payment-agnostic: cards, stablecoins, real-time bank transfers (x402 for crypto)Announced Sep 17, 2025
ACP (Agentic Commerce Protocol)OpenAI + StripeAgent-to-merchant checkout and order flow, using Shared Payment Tokens.Cards / fiat via StripePowers ChatGPT commerce; standalone Instant Checkout reportedly wound down Mar 2026
x402Coinbase (with Ethereum Foundation, MetaMask)Stablecoin micropayments over HTTP by reviving the 402 status code; machine-to-machine and API monetization.Stablecoins / cryptoShipped as AP2's crypto extension
MPP (Machine Payments Protocol)Stripe + TempoProgrammatic agent-to-service payments (also revives HTTP 402); microtransactions and recurring billing.Stablecoins + fiat via Shared Payment Tokens; settles on Tempo L1Announced Mar 18, 2026

One detail developers love: both x402 and MPP revive the long-dead HTTP 402 Payment Required status code, so a server can demand payment from an agent inline, in the same request. Google's broader Universal Commerce Protocol (UCP) sits one layer up again, standardizing how merchants connect to agents in the first place.

Who Is Building the Rails

The map below is the fastest way to see who is doing what. Notice that the giants are racing to own the rails and the consumer surface, while startups are carving out the governance layer for business spending.

PlayerMoveAngle
VisaIntelligent Commerce; payments partnership with OpenAI announced Jun 10, 2026Network, tokenization, agent identification, fraud monitoring, plus consumer-set spend guardrails
MastercardAgent Pay and Agent Pay for Machines (Jun 2026)High-frequency, low-latency, always-on machine payments
StripeCo-author of ACP (with OpenAI) and MPP (with Tempo)Rails for both human-checkout and pure machine-to-machine payments
PayPalPositioning as the trust layer for the agentic web; AP2 launch partnerAgent identity, secure vaults, transaction graph
GoogleAP2 plus the Universal Commerce Protocol (UCP); checkout in Gemini and SearchAuthorization standard plus a merchant-connection standard
AmazonBuy for Me, powered by the Rufus assistantDelegated purchasing across external merchant sites
Coinbasex402Stablecoin rail for machine payments and API monetization
Startups (e.g. Ralio)A guardrail and trust layer for business finance operationsAgent identity, per-workflow spend limits, payee allowlists, and audit trails

Stripe and Tempo's MPP launch came with concrete early adopters that show what machine payments look like in practice: Browserbase lets agents pay per headless-browser session, PostalForm lets an agent pay to print and mail a physical letter, and one New York shop lets agents order sandwiches for pickup. Small, but these are real agents spending real money per task.

The Trust Layer: Guardrails, Identity, and Audit

If the protocols are the roads and the networks are the cars, the trust layer is the driving test, the speed limit, and the dashcam. It is where most of the real product value, and most of the risk, lives. Visa describes building spending limits, approval thresholds, and permission layers so the buyer stays in command even when an agent executes. PayPal is openly positioning itself as the “trust layer for the agentic web.” And startups such as Ralio sell this as a dedicated control plane for business finance operations: verify the agent, scope per-workflow spend limits, allowlist payees, and tie every payment to the agent, prompt, and policy that triggered it.

The mental model is identity and access management, spend policy, and audit, rebuilt for agents instead of humans. Here is that pattern as illustrative pseudocode. No matter which vendor or protocol you choose, the gate looks roughly like this:

# Illustrative pattern, not a specific vendor SDK.
# Every agent-initiated payment passes through a policy gate, then an audit log.

def agent_pay(agent_id, payee, amount_usd, intent, policy):
    # 1. Identity: is this agent allowed to spend at all?
    if not policy.is_verified(agent_id):
        return reject("unverified_agent")

    # 2. Allowlist: can it pay THIS payee?
    if payee not in policy.allowed_payees(agent_id):
        return reject("payee_not_allowed")

    # 3. Limits: per-transaction, per-window, per-workflow caps.
    if amount_usd > policy.max_per_txn(agent_id):
        return reject("over_txn_limit")
    if policy.spent_today(agent_id) + amount_usd > policy.daily_cap(agent_id):
        return reject("over_daily_cap")

    # 4. Human-in-the-loop above a threshold.
    if amount_usd > policy.approval_threshold(agent_id):
        require_human_approval(agent_id, payee, amount_usd, intent)

    # 5. Execute on the chosen rail, then write an immutable audit record.
    receipt = rail.charge(payee, amount_usd)
    audit.log(agent_id, intent, policy.id, payee, amount_usd, receipt)
    return receipt

The point of the gate is that the agent never touches a raw payment credential and can never act outside policy, even if its prompt is hijacked. That last clause matters: a prompt-injected agent with an unguarded key is a wire transfer waiting to happen.

If You Build Agents: A Practical Checklist

You do not need to wait for the protocol war to settle to give an agent spending power safely. You need a boundary and an audit trail. If you are wiring payments into an agent, whether it is buying APIs, paying invoices, or topping up compute, work through this:

1. Define the trust boundary: what can the agent spend without a human in the loop?
2. Scope limits per workflow, not per key: a payroll agent and a research agent get different caps.
3. Add velocity limits: cap amount per transaction, per hour, and per day.
4. Allowlist payees: the agent can only pay an approved set of merchants or accounts.
5. Bind every payment to a signed authorization (a mandate) that ties it to user intent.
6. Set a human-approval threshold above which a person must confirm.
7. Log everything to an immutable audit trail: agent, prompt, policy, amount, payee, timestamp.
8. Plan the failure path first: refunds, disputes, mistaken orders, and who is liable.
9. Pick the rail by use case: card checkout favors ACP/AP2; API and machine micropayments favor x402/MPP.

If you are already building multi-step agents, this slots in next to the orchestration and tool-use patterns covered in our OpenAI Agents Python guide and multi-agent orchestration guide. Spending authority is just another tool the agent calls, with a much stricter policy gate.

The Hard Problems Still Unsolved

Agentic payments are not a finished product. The technology to move money is the easy part; the trust, liability, and compliance questions are where 2026 is still messy.

  • Agent identity. Proving an agent is who it claims to be, and is authorized, is unsolved at scale. AP2 mandates, Visa's agent identification, and Mastercard's Agent Pay each propose a different authentication path.
  • Liability and chargebacks. If an agent buys the wrong thing, who pays? Dispute and chargeback rules built for humans do not cleanly map to autonomous purchases.
  • Compliance gaps. OpenAI reportedly wound down its standalone Instant Checkout in March 2026; press coverage cited limited merchant adoption and an unresolved U.S. state sales-tax gap. Even well-funded players hit boring, real obstacles.
  • Human-in-the-loop fatigue. Approve everything and you lose the point of automation; approve nothing and you lose control. Setting the threshold is a product problem, not just a security one.
  • Fragmentation. Four protocols and a dozen networks mean integration risk. Expect consolidation, and design so you can switch rails.

For builders in regulated or finance-heavy contexts, it is worth reading how one vendor packages agents, skills, and connectors for this world: our deep dive on Anthropic's financial services tooling covers the adjacent guardrails question for enterprise agents.

FAQ

What are agentic payments?

Agentic payments are transactions initiated and executed by an autonomous AI agent on behalf of a person or business, within rules the user set in advance. The agent decides when to pay, and a trust layer enforces who it can pay, how much, and with what authorization and audit trail.

How does an AI agent actually pay for something?

The agent forms an intent, that intent is checked against a policy (spend limits, allowed payees, approval thresholds), a signed authorization links the payment to the user's instruction, the payment executes on a rail such as a card network or stablecoin, and the whole event is written to an audit trail.

What is the difference between AP2, ACP, x402, and MPP?

AP2 (Google) standardizes authorization with signed mandates and is payment-agnostic. ACP (OpenAI and Stripe) standardizes agent-to-merchant checkout. x402 (Coinbase) carries stablecoin micropayments over HTTP. MPP (Stripe and Tempo) is a machine-to-machine payment protocol that also revives HTTP 402 and settles on the Tempo blockchain. They overlap but solve different layers.

Can I let an AI agent use my company's bank account safely?

Only behind a trust layer. Do not hand an agent a raw key. Give it scoped, per-workflow spending limits, an allowlist of payees, velocity caps, a human-approval threshold, and an immutable audit trail. Several startups, including Ralio, sell exactly this control layer for business finance operations.

Who is liable if an agent makes a wrong purchase?

This is still being worked out across the industry. AP2's signed mandates are designed to create a non-repudiable record of authorization so accountability is clearer, but chargebacks, mistaken orders, and disputes for agent-led purchases are an open problem that payment networks and regulators are actively addressing as of 2026.

Is agentic payments the same as agentic commerce?

They are related but not identical. Agentic commerce is the broader activity of agents discovering, comparing, and buying products. Agentic payments is the narrower money-movement and authorization layer underneath it.

Glossary

TermMeaning
AgentAn autonomous software program, usually LLM-driven, that can take actions such as calling tools, browsing, and now paying, with limited human oversight.
MandateIn AP2, a cryptographically signed, tamper-proof record of what a user authorized. Intent Mandates capture the goal; Cart Mandates lock the exact items and price.
HTTP 402The long-dormant 'Payment Required' status code, revived by both x402 and MPP so a server can demand payment from an agent inline over HTTP.
StablecoinA crypto token pegged to a fiat currency, used as a fast settlement rail for high-frequency machine payments.
Shared Payment Token (SPT)A token used by ACP and MPP that lets a merchant or service charge an agent without the agent holding raw card credentials.
Trust layerThe governance layer between an agent and the payment rails that enforces identity, spend limits, allowlists, approvals, and audit.

Sources

Primary and official sources are listed first. Market-size figures are third-party projections and are labeled as such in the text.

Protocols and primary sources

Analysis and market context

Companies in the trust layer

Sponsored AI assistant. Recommendations may be paid.