An AI agent that can browse products is an interesting novelty. An AI agent that can spend money is a profound engineering and security challenge. As we move toward a world of autonomous commerce, where agents act on our behalf to make purchases, we face a critical question: how does a user grant an agent financial permissions in a way that is secure, auditable, and precisely controlled?
A simple API key or static credential is catastrophically insufficient. If stolen, it would grant a malicious actor unlimited and untraceable purchasing power. The core problem is the lack of a secure, fine-grained, and verifiable standard for delegating a specific financial intent to an autonomous agent for a single, user-approved task.
The Agent Payment Protocol (AP2) solves this by introducing a core security primitive: the Intent Mandate. An Intent Mandate is a short-lived, cryptographically signed JSON Web Token (JWT) that represents a single, explicit, and user-approved financial action.
The architecture involves a clear flow of trust: 1. Intent Creation: A user gives a goal to their agent, such as, "Buy the items in my cart at Acme Corp." 2. Mandate Construction: The user's Wallet App (or a trusted banking application) constructs the Intent Mandate JWT. This token's payload contains highly specific claims detailing the exact nature of the permission being granted. 3. Cryptographic Signature: The user, via their device's secure hardware (e.g., a Secure Enclave or TPM), signs the JWT with their unique private key. This signature is non-repudiable proof of their consent. 4. Delegation: The signed JWT is given to the AI agent. The agent cannot modify the mandate, but it can present it as a bearer token to execute the approved transaction. 5. Verification and Execution: The agent presents the JWT to the merchant's server. The merchant uses the user's public key (retrieved from a trusted directory) to cryptographically verify the signature. If the signature is valid and the claims match the transaction details (e.g., cart total, currency), the merchant executes the payment.
+----------+ 1. "Buy cart" +---------+ 2. Construct JWT +-----------------+
| User |-------------->| Agent |------------------->| User's Wallet App |
+----------+ +---------+ +-----------------+
^ | 3. Sign JWT w/
| 4. Receives Signed JWT v Private Key
| +-------------+
| 5. Presents JWT | Signed |
`------------------------->| Intent |
| Mandate |
+------+------+
| 6. Verifies & Executes
v
+-----------------+
| Merchant Server |
+-----------------+
An Intent Mandate is a standard JWT with a set of AP2-specific claims in its payload.
Header: Specifies the signing algorithm.
json
{
"alg": "ES256", // ECDSA using P-256 and SHA-256
"typ": "JWT",
"kid": "user-key-pub-v1" // Key ID to help the verifier find the right public key
}
Payload: Contains the standard JWT claims for security, plus the fine-grained ap2_scope which defines the agent's permissions.
```json
{
"iss": "https://wallet.example-bank.com", // Issuer: Who created the token
"sub": "user-uuid-12345", // Subject: The user granting permission
"aud": "acme-corp-merchant-id", // Audience: The only merchant who can accept this
"exp": 1735699200, // Expiration Time: Must be short-lived (e.g., 5 mins)
"jti": "unique-nonce-per-transaction", // JWT ID: Prevents replay attacks
// --- AP2 Specific Claims --- "ap2_intent": "CART_PURCHASE_V1", // The specific, standardized intent "ap2_scope": { "max_amount": "99.50", "currency": "USD", "cart_hash": "sha256-a1b2c3d4...", // A hash of the cart contents, locking the mandate to this specific purchase "allow_agent_id": "google-adk-agent-xyz" // Binds this mandate to a single agent instance } } ```
Signature: The header and payload are signed using the user's private key, creating an tamper-proof seal.
Conceptual Verification Code (Python on Merchant Server): ```python
import jwt from key_directory_service import get_user_public_key
def process_agent_payment(intent_mandate_jwt: str, current_cart_hash: str): try: # 1. Decode header to find the public key needed header = jwt.get_unverified_header(intent_mandate_jwt) public_key = get_user_public_key(key_id=header['kid'])
# 2. Verify the entire JWT (signature, exp, aud)
claims = jwt.decode(
intent_mandate_jwt,
public_key,
algorithms=["ES256"],
audience="acme-corp-merchant-id"
)
# 3. Verify AP2-specific claims
scope = claims['ap2_scope']
if scope['cart_hash'] != current_cart_hash:
raise Exception("Cart has been modified; mandate is invalid.")
# ... logic to check amount against scope['max_amount'] ...
# 4. If all checks pass, process the payment
return {"status": "success", "transaction_id": "txn_..."}
except jwt.InvalidTokenError as e:
# Signature, expiration, or audience failed
return {"status": "error", "message": f"Invalid Mandate: {e}"}
```
Performance: Public key cryptography is computationally efficient for verification. A merchant server can instantly verify a mandate's authenticity without needing to make a slow, synchronous API call back to the user's bank. This enables a low-latency checkout experience critical for modern commerce.
Security: The Intent Mandate design provides a multi-layered security model.
* Non-Repudiation: The cryptographic signature is undeniable proof that the user authorized the specific intent defined in the payload.
* Fine-Grained Control: The ap2_scope is not a blanket permission. The agent is strictly limited to the defined amount, currency, and shopping cart. It cannot use this mandate to buy different items or overspend.
* Replay Attack Prevention: The jti claim is recorded by the merchant's system, ensuring that the same mandate cannot be intercepted and submitted a second time.
* Agent and Audience Binding: The aud and allow_agent_id claims ensure the mandate can only be used at the intended merchant and by the specific agent it was delegated to, preventing its use if stolen.
The AP2 Intent Mandate provides a robust, standardized, and cryptographically secure foundation for the future of autonomous commerce. It moves beyond simple, vulnerable API keys to a model of explicit, verifiable, and limited-time consent.
The return on this architectural investment is the creation of a trustworthy ecosystem: * Users gain the confidence to delegate financial tasks to agents, knowing their permissions are strictly limited. * Merchants gain a high degree of assurance that incoming agent-led transactions are authentic and user-approved, reducing fraud risk. * Banks and financial networks have an auditable, cryptographically-signed trail for every transaction.
This cryptographic approach to delegating permissions is the fundamental prerequisite for enabling secure, mainstream, agent-driven commerce.