Table of Contents
One of the hottest AI topics of 2026 is agentic commerce, and we’re finally starting to see an explosion of real-world usage:
OpenAI’s Instant Checkout is in production serving ChatGPT’s 900 million weekly active users.
Mastercard Agent Pay has completed authenticated transactions across four continents.
Shopify is activating agentic storefronts for over one million merchants worldwide.
Hype aside, the natural question on developers’ minds is which protocols and standards are best positioned to enable the future of agentic commerce. This is where most organizations feel lost: “Where should we invest, and what infrastructure do we need to enter the agentic age of commerce?”
This guide will cover all of the major protocols in agentic commerce, the expected integration points, and the identity layer that makes all of it work together.
The agentic commerce landscape
Out of all of the ideas and proposals in the agentic commerce space, five protocols stand out as solutions to the challenge of enabling agents to transact on a user’s behalf: Agentic Commerce Protocol (ACP), Universal Commerce Protocol (UCP), Agent Payments Protocol (AP2), x402, and Machine Payments Protocol (MPP).
At a high level, these protocols answer different questions in the agentic commerce space:
Commerce orchestration (ACP, UCP): How do agents, merchants, and platforms conduct commerce?
Trust / authorization (AP2): How does an agent prove it can act and pay on a user’s behalf?
Machine payments (x402, MPP): How do two machines exchange payments programmatically?
Protocol | Type | Main backers | Adoption | Interoperability |
|---|---|---|---|---|
Agentic Commerce Protocol (ACP) | Commerce orchestration | Stripe, OpenAI | Powers ChatGPT Instant Checkout, Copilot Checkout | • Fits into MCP/A2A’s JSON-RPC • Payment service provider-agnostic |
Universal Commerce Protocol (UCP) | Commerce orchestration | Google, Shopify, Etsy, Wayfair, Target, and Walmart | • Powers checkout in Google AI Mode and Gemini • Supported by Shopify and Salesforce | • A2A / MCP / REST-compatible • Supports AP2 and other payment handlers |
Agent Payments Protocol (AP2) | Trust and authorization | Google, Mastercard, American Express, PayPal, Adyen, Worldpay, UnionPay | • Production-ready reference phase • No notable consumer-facing implementations yet | • Works alongside ACP and UCP • Interoperable with Mastercard Agent Pay |
x402 | Machine payments | Coinbase, Cloudflare, x402 Foundation (Linux Foundation) | Adopted in some crypto ecosystems but real transactions are fewer than initially thought | Adapters for LangChain, Crew AI, AutoGPT, OpenAI Assistants, but limited outside crypto ecosystems |
Machine Payments Protocol (MPP) | Machine payments | Stripe, Tempo Labs | 100+ services in payments directory (Browserbase, PostalForm, Prospect Butcher Co.) | • Payment method-agnostic • Shares both method and limitations with x402 |
Let’s dive into each of these protocols to learn more about what they can do for your agentic commerce solutions.
Agentic Commerce Protocol (ACP)
First up is the Agentic Commerce Protocol (ACP). ACP is sponsored by Stripe and OpenAI, and is open-source via the Apache 2.0 license. This protocol sits at the first layer of agentic commerce orchestration, defining how AI agents discover products, build carts, and handle checkout on behalf of users. Real-world usage is growing, with ACP powering ChatGPT Instant Checkout and Microsoft Copilot Checkout.
OpenAI has recently pivoted from in-chat checkout toward merchant-hosted experiences: agents simply handle product discovery and cart building before redirecting the user to the merchant’s own checkout environment for payment completion. This new approach maintains the merchant as the merchant-of-record while preserving customer relationships and existing UX flows.
ACP’s core innovation is the Shared Payment Token (SPT), created by Stripe. An SPT is a scoped, time-limited credential that represents a bounded authorization to charge a specific amount to a specific seller. The flow works as follows:
The AI agent creates an SPT via Stripe’s API, scoped to a specific seller and bounded amount
The agent sends the SPT (not card details) to the merchant
The merchant creates a Stripe PaymentIntent using the SPT
Stripe connects the SPT back to the original payment method and processes the charge
No raw payment credentials are ever exposed to the agent or transmitted in the clear
SPTs are the first implementation of ACP’s Delegated Payment Spec, which is designed to be Payment Service Provider (PSP)-agnostic. Other major players in the space like PayPal, Checkout.com, Mollie, Worldpay, Worldline, Spreedly, FIS, and Nexi are currently building compatible implementations.
Universal Commerce Protocol (UCP)
Universal Commerce Protocol (UCP) is a comprehensive agentic commerce protocol co-developed by Google, Shopify, Etsy, Wayfair, Target, and Walmart. Similar to ACP, UCP is also open-source with an Apache 2.0 license. UCP covers the full commerce lifecycle from product discovery through post-purchase support and supports payment protocols that verify proof of consent such as Google’s Agent Payments Protocol (AP2).
Google says UCP is built to integrate with existing retail infrastructure as best as possible, and their documentation says merchants can use existing payment integrations through payment handlers. This way, the merchant remains the merchant-of-record while integrating with the protocol.
At a high level, the flow works as such:
Merchant advertises capabilities and payment handlers in its UCP profile.
The app/agent/platform creates a checkout with the merchant.
The app/agent/platform discovers which payment handlers are accepted.
The app/agent/platform collects the buyer’s payment instrument using the relevant handler.
The app/agent/platform puts that instrument into the checkout’s
payment.instrumentsarray.The merchant or its PSP processes payment using the handler’s rules.
Under the hood, UCP uses strongly typed request/response schemas that are transport-agnostic, meaning they work over REST and JSON-RPC, which is used by the MCP and A2A protocols. While still in development, Google Search AI Mode and Gemini shopping will be powered by UCP.
Agent Payments Protocol (AP2)
Like UCP, Google created the Agent Payments Protocol (AP2) in collaboration with other organizations including Mastercard, American Express, PayPal, Adyen, Worldpay, and UnionPay. AP2 is purpose-built for the hardest problem in agentic commerce: proving that a human authorized a payment when no human is present at checkout. It uses W3C Verifiable Credentials as mandates, which are cryptographically signed, tamper-evident digital objects that provide proof of authorization.
AP2 defines the following types of mandates:
Intent Mandate: Authorizes an agent to make purchases within defined constraints when the human is not present. Specifies agent identity, maximum amount, merchant restrictions, time window, and includes the user’s cryptographic signature. Used for autonomous shopping scenarios.
Cart Mandate: Captures explicit user authorization for a specific cart of items at a specific price. The user reviews and cryptographically signs the exact transaction. Used when the user is in the loop but the agent handles execution.
Payment Mandate: Minimal credential appended to the authorization, derived from the Cart or Intent Mandate. It provides issuers and payment networks with visibility into agent presence and operation mode without altering existing authorization flows.
Mandates produce verifiable, non-repudiable proof that the human authorized the action. This is critical for chargeback disputes, as the merchant receives cryptographic evidence that the cardholder authorized the agent purchase.
x402 and MPP: machine-to-machine payments
The remaining two protocols, x402 and Machine Payments Protocol (MPP), take a different approach: they define how two machines exchange payments programmatically without a human in the loop at all. Both leverage the same mechanism, HTTP 402, and have thus far appealed primarily to crypto communities.
x402 was created by Coinbase and Cloudflare and is now governed by the x402 Foundation (part of the Linux Foundation). It’s supported by Google, Visa, Microsoft, and AWS. x402 revives the HTTP 402 Payment Required status code as a programmable payment rail for autonomous agents.
When an agent requests a paid resource, the server responds with HTTP 402 and payment details. The agent’s crypto wallet automatically signs and submits a USDC stablecoin payment on-chain, then retries the request with proof of payment. In this structure, there’s no need for accounts, API keys, or any manual intervention by the user. One major limitation for x402 is the lack of a consumer agent that abstracts the cryptocurrency logic from the end user, which has kept adoption largely confined to the cryptocurrency community.
Adoption of x402 has been modest but meaningful within crypto-native ecosystems.. Even prior to x402’s standardization in September 2025, sites on Cloudflare sent over 1 billion HTTP 402 responses daily. LangChain, CrewAI, AutoGPT, and OpenAI Assistants have all shipped x402 adapters, and live integrations include Circle (USDC), Neyner(Farcaster data), Hyperbolic (GPU inference), and Token Metrics (crypto analytics).
However, actual transaction values are unclear, with early estimates (like Bloomberg’s claim of $24 million in a month) being called into question by industry insiders (who place the number closer to $1.6 million).
MPP (Machine Payments Protocol), created by Stripe and Tempo Labs, shares x402’s HTTP 402 mechanism but attempts to be payment-method agnostic. Where x402 leans crypto-native, MPP supports stablecoins, cards, Stripe-supported wallets, Lightning, and custom methods via Stripe’s Shared Payment Tokens (SPTs). It also adds a richer model for payment intents, including both one-time charges and streaming sessions. A client requests a paid resource, the server returns a 402 payment challenge, the client completes payment, retries with an Authorization: Payment credential, and the server returns the resource plus a Payment-Receipt.
Both x402 and MPP are the earliest along in their adoption journeys, with usage constrained to smaller ecosystems versus higher-level commerce protocols, or AP2’s payment authorization spec.
Where MCP fits into agentic commerce
While Model Context Protocol (MCP) itself is a tool connectivity protocol rather than a payments protocol, the MCP ecosystem has become a significant commerce channel through merchant-specific MCP servers that connect AI agents directly to commerce infrastructure.
Both major commerce protocols (ACP and UCP) are architected to fit into MCP’s JSON-RPC remote procedure calling protocol. The co-creators of both, Google/Shopify, and Stripe/OpenAI, explicitly state that their protocols handle only commerce semantics such as discovery, cart, checkout, and order flow, and that these protocols may be implemented within an MCP server. The payment authorization and payment processing protocols (AP2, MPP, and x402) fit within the agentic commerce layer, meaning that a real-world agentic commerce stack looks like this:
MCP powering the ‘App Store’ experience within agentic clients (ChatGPT, Claude, Gemini etc.)
ACP / UCP powering the commerce orchestration
AP2 powering payment authorization (optional)
Shopify’s Catalog MCP Server is a clear example of these protocols working together for end users. Another is Target’s shopping experience with Gemini, which uses MCP for agent-resource connectivity while implementing UCP under the hood.
As ChatGPT’s App Store and Claude’s Connector Marketplace become the primary ways companies integrate with leading AI agents, MCP, the protocol powering both ecosystems, is only becoming more important in the era of agentic commerce. It is the de facto way of connecting agents to external resources.
Securing the identity layer underneath
Each of the commerce and payment protocols covered in this guide has its own trust mechanisms: ACP has Shared Payment Tokens, AP2 has cryptographic mandates, x402 has wallet signatures, and so on. These protocols handle trust within transactions, but they all assume that a foundational question has already been answered: who is this agent, who is it acting on behalf of, and what is it authorized to do?
That question is actually answered upstream, at the MCP layer. Before ACP or UCP ever fires, an agent connecting to a merchant’s MCP server needs to authenticate itself, confirm the identity of the user it represents, and establish the scope of its delegation. And this is already a part of the auth spec, as MCP requires OAuth 2.1 for server connections. When you layer commerce on, however, the identity requirements compound into each other: the agent needs scoped authorization to browse, build a cart, initiate payments. Each of these touchpoints across these protocols can potentially come with different constraints and expiration windows.
This is a delegated identity problem. The user isn’t present at the point of interaction, but their authorization must be provable and bounded. The agent is acting autonomously or semi-autonomously, but its permissions must be verifiable by every service in the chain of trust. That very trust chain that begins with MCP authentication needs to flow through the commerce layer and into payment authorization with total observability and without gaps.
Descope’s Agentic Identity Hub provides the infrastructure for this stack, handling MCP authentication, user-to-agent delegation, and scoped authorization across the protocols that power agentic commerce.
Get started with Descope by signing up for a Free Forever account. Join AuthTown, our dev community, to connect with other developers building AI-powered commerce. And reach out to our team of auth experts to see how Descope can help your agentic project move from prototype to production.
