These are my research notes from diving deep into Google’s Agent Payments Protocol (AP2) v0.1 and the underlying Agent-to-Agent (A2A) protocol. I’ve verified everything against the official specs and included all my sources.
What I’ve Learned About AP2
After digging through the documentation, here’s the simplest way I can explain it: AP2 is Google’s answer to “how do we let AI agents buy things without everything going horribly wrong?”
It’s an open protocol that sits on top of their Agent-to-Agent (A2A) communication protocol and plays nice with the Model Context Protocol (MCP) that everyone’s already using. The whole thing revolves around creating cryptographically secure “receipts” (they call them mandates) that prove who authorized what, when, and under which constraints.
Check out the official AP2 documentation if you want to dive into the specs yourself.
The Three Key Documents (Mandates)
Think of these like contracts that get passed around:
- Cart Mandate - When you’re physically there approving a purchase (like clicking “buy now”)
- Intent Mandate - When you tell your agent “buy concert tickets if they’re under $120” and walk away
- Payment Mandate - The receipt that goes to the payment processor saying “yes, an agent was involved”
Where Things Stand Today (v0.1 Reality Check)
The initial spec dropped on September 16, 2025. Here’s what actually works right now:
- Human-present purchases (you have to approve each one)
- Credit/debit card payments
- Basic framework for future autonomous purchases
What’s coming but not ready yet:
- Full autonomous purchasing (the holy grail)
- Bank transfers and real-time payments
- Cryptocurrency and stablecoin support
- Integration with the x402 micropayments spec
You can find all the code samples and the v0.1 release on GitHub: google-agentic-commerce/AP2.
The Partner Landscape
This isn’t just a Google science project. Over 60 major players have signed on:
- Payment Networks: Mastercard, American Express, UnionPay International
- Processors: PayPal, Worldpay, Stripe
- Merchants: Salesforce, Etsy, Shopify
- Crypto: Coinbase
See the full list on the AP2 Partners page.
How the Security Model Works
One thing I really appreciate about AP2 is how paranoid it is about security. The architecture enforces strict separation between different roles:
The Players:
- You (the User): Sign off on purchases
- Your Shopping Agent: Finds deals, negotiates prices, but NEVER sees your credit card
- Credentials Provider: Your digital wallet that holds the actual payment info
- Merchant: Sells stuff, validates carts
- Payment Processor: Handles the actual money movement
The key insight? Your chatbot never touches your credit card number. Ever. That stays locked in the Credentials Provider, which only releases tokenized versions.
More details in the AP2 Privacy and Security docs.
How a Purchase Actually Happens
When You’re There (Human-Present)
This is what works today in v0.1:
- Your agent finds what you want
- Merchant validates and signs the cart
- Your wallet provides a tokenized payment method
- You see the cart on your screen and approve it
- System creates a signed Cart Mandate
- Payment goes through with the Payment Mandate attached
- If needed, you do 3D Secure or enter a PIN
- You get your receipt
Check out the full flow in AP2 Life of a Transaction.
When You’re Not There (Human-Not-Present)
This is the future (v1.x) - documented but not implemented yet:
- You pre-approve purchases with constraints (“buy if price drops below $100”)
- Agent shops within those boundaries
- Merchant can force you to come back and approve if something seems fishy
The Protocol Stack
Here’s how AP2 fits with everything else:
- MCP (Model Context Protocol): How your agent talks to tools and APIs
- A2A (Agent-to-Agent): How agents talk to each other
- AP2: Adds the payment layer on top of A2A
Right now, AP2 rides on top of A2A for all the mandate exchanges. The AP2 team is working on MCP servers, but they’re not ready yet.
Extension URI you’ll need:
https://github.com/google-agentic-commerce/AP2More on this in AP2, A2A and MCP.
What the Data Actually Looks Like
Here are the actual JSON structures you’ll be working with:
Your Agent’s ID Card
{
"name": "Shopping Assistant",
"capabilities": {
"extensions": [{
"uri": "https://github.com/google-agentic-commerce/AP2",
"params": {
"roles": ["shopper"]
}
}]
}
}Pre-Approval for Autonomous Purchase (Intent Mandate)
{
"natural_language_description": "Buy 2 concert tickets under $120 each",
"required_refundability": true,
"intent_expiry": "2025-10-01T00:00:00Z",
"user_cart_confirmation_required": false
}Shopping Cart (Cart Mandate)
{
"id": "order_123",
"total": {
"currency": "USD",
"value": 238.00
},
"merchant_signature": "sig_merchant_abc",
"timestamp": "2025-09-16T19:36:36Z"
}See all the data structures in the AP2 A2A Extension docs.
Implementation Checklist
If you’re building with this, here’s what you need to handle:
Security Must-Haves
- Keep payment data completely isolated from your agent
- Implement proper signature verification on all mandates
- Store mandate hashes for audit trails
- Add device and agent identity to Payment Mandates
- Handle 3D Secure challenges properly
- Rotate keys regularly
For Human-Present Purchases (Available Now)
- Implement A2A communication with AP2 extension
- Set up merchant cart validation
- Build trusted UI for cart presentation
- Handle payment authorization flow
- Support challenge/verification loops
For Autonomous Purchases (Design Now, Deploy Later)
- Design Intent Mandate schemas
- Plan for merchant step-up flows
- Wait for v1.x before production deployment
What About Crypto and Micropayments?
AP2 is designed to be payment-method agnostic. They’re actively working with the x402 folks on micropayments and web-native payments. The architecture supports it, but it’s not ready yet.
Learn more: AP2 and x402
Common Questions I Had
Do I need Google’s tools? Nope. The samples use Google’s Agent Development Kit, but AP2 works with any framework.
Is this production-ready? It’s v0.1 - treat it as a pilot. The protocol will evolve.
What about other payment methods? Cards work now. Everything else is coming.
Where are the MCP servers? Still in development. Use A2A for now.
Quick Start Path
Want to build something? Here’s the minimum viable path:
-
Get A2A Working
- Set up agent communication
- Add AP2 extension to your AgentCard
-
Build Basic Purchase Flow
- Cart creation and signing
- Payment mandate assembly
- Simple authorization
-
Add Security
- 3D Secure handling
- Mandate hash storage
- Audit logging
-
Plan for the Future
- Design Intent Mandate schemas
- Prepare for autonomous flows
- Keep payment method abstracted
Resources That Actually Helped
Core Documentation
- AP2 Protocol Documentation - Start here
- AP2 GitHub Repository - Code samples and releases
- A2A Protocol Documentation - The underlying protocol
- Model Context Protocol - For tool integration
- Google Cloud AP2 Announcement - The launch blog post
My Take
AP2 represents a massive shift in how we think about AI agents and commerce. The v0.1 spec is conservative (human-approved card payments only), but the architecture clearly shows where this is heading: autonomous agents conducting complex transactions across multiple payment rails.
The security model is well thought out - keeping payment credentials isolated from the AI agent is crucial. The mandate system provides the audit trail we’ll need when things inevitably go wrong.
If you’re building in this space, I’d suggest:
- Start with the human-present flow to learn the protocol
- Keep your payment abstraction clean for future methods
- Plan for autonomous flows but don’t deploy them yet
- Pay attention to the security requirements - they exist for good reasons
The protocol will evolve rapidly. What we have in v0.1 is the foundation. The interesting stuff comes when full autonomous purchasing lands in v1.x and we start seeing agents negotiating with each other, handling complex multi-step transactions, and working with diverse payment methods.
For now, it’s about understanding the architecture, building clean implementations, and positioning yourself for what’s coming next in agentic commerce.
These notes are based on the AP2 v0.1 specification released September 16, 2025. The protocol is evolving quickly, so always check the official documentation for the latest updates.