
Agent Payments Protocol: Google Donates AP2 to FIDO Alliance


The dawn of agentic commerce has officially arrived, and with it, a fundamental rewriting of the digital trust architecture. On April 28, 2026, Google made a landmark move by donating its proprietary Agent Payments Protocol (AP2) to the FIDO Alliance. This decision is not merely a corporate contribution; it is the catalyst for the world’s first open industry standard for secure, autonomous AI agent authentication. As artificial intelligence evolves from a conversational assistant into an active economic participant, the Agent Payments Protocol provides the missing cryptographic bridge that allows AI systems to transact on behalf of humans without the catastrophic risks of credential exposure.

For years, the cybersecurity industry has been sounding the alarm on “shadow purchasing” and sophisticated social engineering attacks targeting AI systems. In 2026, these threats have reached a fever pitch, as autonomous agents increasingly manage everything from routine grocery restocking to complex enterprise procurement. By moving AP2 into the stewardship of the FIDO Alliance—the same body that pioneered passkeys and the FIDO2 standard—the industry is signaling that the era of “shared secrets” and vulnerable bearer tokens is over. The Agent Payments Protocol ensures that the future of commerce is grounded in phishing-resistant, device-bound security, even when the human is no longer present at the keyboard.

The Technical Architecture of the Agent Payments Protocol

The Agent Payments Protocol is built upon the robust foundations of FIDO2 and WebAuthn, but it extends these capabilities into the unique domain of delegated authority. Unlike traditional authentication, which seeks to prove that a human is interacting with a device, AP2 is designed to prove that an agent has been granted a specific, time-bound, and scoped mandate to act. At the heart of this protocol are three core technical components:

  • Delegation Tokens: These are cryptographically signed credentials that encode the AI agent’s permissions, the user’s verified identity, and a strictly defined validity period. These tokens prevent “scope escalation,” ensuring an agent authorized to buy a $20 book cannot suddenly execute a $2,000 electronics purchase.
  • The Mandate System: AP2 introduces a tripartite mandate structure—IntentMandate, CartMandate, and PaymentMandate. These function as tamper-proof digital contracts. An IntentMandate captures the initial user instruction, while the CartMandate ensures that the final checkout items exactly match what the agent presented to the user (or what the user pre-approved).
  • Cryptographic Binding: Every transaction is bound to a hardware-backed root of trust. This means the Agent Payments Protocol leverages the Secure Enclave or TPM (Trusted Platform Module) of the user’s primary device to sign the delegation, making the process resistant to remote interception and phishing.

Solving the “Confused Deputy” Problem in AI Commerce

One of the primary security gaps in 2025-era AI agents was the “confused deputy” vulnerability, where a malicious third party could trick an agent into using its legitimate permissions for an unauthorized action. The Agent Payments Protocol mitigates this by requiring explicit, verifiable intent. Because the protocol is payment-agnostic, it can handle traditional credit/debit rails, real-time bank transfers, and even stablecoin transactions, all while maintaining a consistent audit trail of who authorized what, when, and under what constraints.

Beyond Passkeys: The “Human Not Present” Revolution

Perhaps the most significant advancement introduced in AP2 v0.2, released alongside the FIDO donation, is the framework for “Human Not Present” (HNP) payments. Until now, secure online payments have almost always required a real-time human trigger—a biometric scan, a hardware key tap, or a one-time code. However, the true utility of AI agents lies in their ability to act autonomously.

The Agent Payments Protocol allows for the creation of “autonomous execution windows.” A user can pre-authorize an agent to monitor a specific marketplace and execute a purchase the millisecond a limited-edition item becomes available, provided it meets pre-set price and quality parameters. This is achieved through a “Verifiable Intent” framework, co-developed with Mastercard. This framework creates a cryptographically signed log of the user’s original instructions, which the merchant’s payment processor can verify independently without needing the user to be online at the moment of the transaction.

Key Benefits of HNP via AP2:

  • Reduced Transaction Friction: No more waiting for “Push to Approve” notifications for routine, low-risk purchases.
  • Enhanced Privacy: AI agents do not need to see or store the user’s primary credit card details or bank passwords; they operate using single-use, scoped payment mandates.
  • Phishing Resistance: Since the authentication is device-bound and cryptographic, there is no “password” for an attacker to steal through social engineering.

Industry Alignment: Why FIDO Governance Matters

Google’s decision to donate the Agent Payments Protocol to the FIDO Alliance is a strategic masterstroke for industry interoperability. Had Google kept AP2 as a proprietary Google Cloud or Android feature, the agentic ecosystem would have fractured into “walled gardens.” Instead, the formation of the Agentic Authentication Technical Working Group within FIDO ensures that Apple, Microsoft, Amazon, and OpenAI can all contribute to and adopt the same standard.

The governance of this working group reflects a powerhouse coalition. Chaired by representatives from Google, OpenAI, and CVS Health, and supported by vice-chairs from Amazon and Okta, the group is tasked with defining the global standards for how AI systems identify themselves to services. In parallel, a Payments Technical Working Group, led by Mastercard and Visa, is integrating AP2 mandates into the global financial switching fabric. This ensures that when an AI agent presents a PaymentMandate to a merchant, the merchant’s bank knows exactly how to process it as a “high-trust” delegated transaction.

The Role of Mastercard’s Verifiable Intent

Mastercard’s contribution of the Verifiable Intent framework is a critical piece of the puzzle. While the Agent Payments Protocol handles the “how” of the transaction (the secure channel and the token exchange), Verifiable Intent handles the “what” and “why.” It provides a standardized way to record and prove that a human actually intended for an action to occur. This dual-layer approach is essential for resolving disputes and preventing fraud in a world where software is making the buying decisions.

The 2026 Security Landscape: Combatting Agentic Fraud

The timing of the AP2 donation is no accident. In the first quarter of 2026, the industry saw a 400% increase in “Agent Hijacking” attempts, where attackers used prompt injection to redirect an AI agent’s purchasing power to malicious endpoints. Traditional fraud detection systems, which rely on analyzing human behavioral biometrics like typing speed or mouse movements, are useless when the actor is a cloud-based LLM. There are no behavioral biometrics for an AI.

The Agent Payments Protocol shifts the defense from behavioral analysis to cryptographic certainty. By requiring every agent to prove its identity through a Decentralized Identifier (DID) and a signed mandate, the protocol makes identity spoofing nearly impossible. If an agent tries to execute a transaction outside its defined scope, the signature verification fails instantly at the payment processor level, long before any funds are moved. This “Zero Trust” approach for AI agents is the only way to scale agentic commerce to the projected $5 trillion global market by 2030.
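The following Go program is an added illustration, not code from Google, the FIDO Alliance, or the AP2 project, of the mandate chain described in the architecture section above and of the processor-side check this paragraph relies on: an IntentMandate signed by the user's device-bound key, a CartMandate signed by the agent and bound to that intent, and a verifier that rejects anything outside the delegated scope before funds move. Ed25519 stands in for the Secure Enclave/TPM key, the struct field names and JSON encoding are assumptions chosen for the example, and the `did:example:` agent identifier and merchant names are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// IntentMandate records what the user pre-authorised (assumed field layout).
// It is signed by the user's device-bound key, here an Ed25519 key in place
// of a Secure Enclave/TPM-resident key.
type IntentMandate struct {
	UserID    string   `json:"user_id"`
	AgentID   string   `json:"agent_id"`   // DID-style identifier the agent presents
	MaxCents  int64    `json:"max_cents"`  // spending ceiling for this delegation
	Merchants []string `json:"merchants"`  // merchants the agent may buy from
	NotBefore int64    `json:"not_before"` // unix seconds: start of execution window
	NotAfter  int64    `json:"not_after"`  // unix seconds: end of execution window
}

// CartMandate is what the agent assembled at checkout. It is signed by the
// agent's key and carries the intent signature so the two cannot be mixed.
type CartMandate struct {
	AgentID    string `json:"agent_id"`
	IntentSig  []byte `json:"intent_sig"`
	Merchant   string `json:"merchant"`
	TotalCents int64  `json:"total_cents"`
}

type SignedIntent struct {
	Body IntentMandate
	Sig  []byte
}

type SignedCart struct {
	Body CartMandate
	Sig  []byte
}

// canonical produces the bytes that are signed; struct field order is fixed,
// so encoding/json is deterministic for these types.
func canonical(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

func SignIntent(userKey ed25519.PrivateKey, m IntentMandate) SignedIntent {
	return SignedIntent{Body: m, Sig: ed25519.Sign(userKey, canonical(m))}
}

func SignCart(agentKey ed25519.PrivateKey, c CartMandate) SignedCart {
	return SignedCart{Body: c, Sig: ed25519.Sign(agentKey, canonical(c))}
}

// ProcessorVerify is the payment-processor-side check: both signatures, the
// cart-to-intent binding, the execution window, the merchant scope and the
// spending ceiling. Any failure returns before a payment would be executed.
func ProcessorVerify(userPub, agentPub ed25519.PublicKey, in SignedIntent, cart SignedCart, now time.Time) error {
	if !ed25519.Verify(userPub, canonical(in.Body), in.Sig) {
		return errors.New("intent mandate: user signature invalid")
	}
	if !ed25519.Verify(agentPub, canonical(cart.Body), cart.Sig) {
		return errors.New("cart mandate: agent signature invalid")
	}
	if !bytes.Equal(cart.Body.IntentSig, in.Sig) || cart.Body.AgentID != in.Body.AgentID {
		return errors.New("cart mandate is not bound to this intent mandate")
	}
	if t := now.Unix(); t < in.Body.NotBefore || t > in.Body.NotAfter {
		return errors.New("intent mandate outside its execution window")
	}
	allowed := false
	for _, m := range in.Body.Merchants {
		if m == cart.Body.Merchant {
			allowed = true
		}
	}
	if !allowed {
		return errors.New("merchant not in mandate scope")
	}
	if cart.Body.TotalCents > in.Body.MaxCents {
		return fmt.Errorf("cart total %d exceeds mandate ceiling %d", cart.Body.TotalCents, in.Body.MaxCents)
	}
	return nil
}

func main() {
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	agentPub, agentKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	// Constructed scenario: a $20 book is in scope, a $2,000 purchase is not.
	intent := SignIntent(userKey, IntentMandate{UserID: "user-123", AgentID: "did:example:shopper",
		MaxCents: 2000, Merchants: []string{"books.example"}, NotBefore: now.Unix() - 60, NotAfter: now.Unix() + 3600})
	book := SignCart(agentKey, CartMandate{AgentID: "did:example:shopper", IntentSig: intent.Sig, Merchant: "books.example", TotalCents: 1999})
	tv := SignCart(agentKey, CartMandate{AgentID: "did:example:shopper", IntentSig: intent.Sig, Merchant: "books.example", TotalCents: 200000})
	fmt.Println("book purchase:", ProcessorVerify(userPub, agentPub, intent, book, now))
	fmt.Println("$2,000 attempt:", ProcessorVerify(userPub, agentPub, intent, tv, now))
}
```

The design point worth noticing is that the cart carries the intent signature rather than a copy of the intent's fields: an agent (or anyone who compromised it) cannot raise the ceiling or swap the merchant without invalidating the user's signature, and a cart built under one intent cannot be replayed against another. A real deployment would add single-use identifiers and a revocation check, neither of which this example models.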

The Future: From Micro-Payments to Enterprise Procurement

Looking ahead, the impact of the Agent Payments Protocol will extend far beyond consumer shopping. We are already seeing the emergence of the “Pay-per-API” economy, where AI agents pay each other in micro-transactions for data processing, research, or specialized tasks. AP2 provides the necessary efficiency for these high-velocity, low-value exchanges, which would be prohibitively expensive and slow under current credit card protocols.

In the enterprise sector, AP2 will revolutionize supply chain management. Imagine an autonomous procurement agent that can negotiate prices with multiple vendor agents, verify compliance with corporate sustainability policies via Verifiable Credentials, and execute the payment—all within seconds and with a perfect, immutable audit trail. This is the promise of the Agent Payments Protocol: a world where the speed of commerce is limited only by the speed of the network, not by the bottlenecks of human approval cycles.

As we move into the second half of 2026, the focus will shift to consumer adoption and trust. While the technical foundation is now solid, surveys suggest that only about 30% of consumers currently feel comfortable letting an AI agent make purchases over $50. The challenge for the FIDO Alliance and its members will be to use the security of AP2 to build that “trust bridge,” proving to the public that letting an agent handle their finances is actually safer than manually entering a credit card number into a web form.

In summary, the donation of the Agent Payments Protocol to the FIDO Alliance marks the end of the experimental phase of AI agents and the beginning of their role as mature, secure economic actors. By grounding autonomous transactions in the same phishing-resistant principles that eliminated the password, Google and its partners have laid the tracks for a new era of global commerce—one that is faster, more private, and inherently more secure than anything that came before it.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.