Agentic Commerce: When AI Agents Start to Buy and Pay
For two years the conversation about AI agents stopped politely at the checkout button. Agents could research a purchase, fill a cart and recommend the best option, but a human always had to step in to actually pay. That line moved in late 2025. Within a few weeks of each other, OpenAI and Stripe, Google, Visa and Mastercard all shipped infrastructure that lets an AI agent complete a transaction on your behalf — with real money, real cards and real guardrails. Agentic commerce stopped being a slide in a keynote and became a set of live protocols. This article explains what actually launched, how agent payments work under the hood, what the analysts are forecasting, and — most importantly for anyone who builds automations — where the practical opportunities and risks now sit.
What agentic commerce actually means
Agentic commerce is commerce in which an AI agent discovers a product, assembles a cart and completes the purchase on a person's or a business's behalf, rather than a human clicking through a checkout page. The distinction that matters is the one between advice and action. A recommendation engine can tell a shopper what to buy; a chatbot can answer questions about a product. An agentic-commerce system does the buying, including authorizing payment within whatever limits the user has set in advance.
That last clause is why this took until late 2025 to arrive. The reasoning models were capable of choosing a product long before they were trusted to pay for one. The missing piece was never intelligence — it was a way for a merchant and a card network to trust that a transaction initiated by software was genuinely authorized by a human, and bounded to what that human allowed. Building that trust layer required the payment industry, not just the AI labs, which is exactly what happened over a remarkable few weeks at the end of last year.
The weeks that made it real
The pace of the 2025 rollout is the story in itself. In mid-September, Google announced the Agent Payments Protocol, or AP2, with more than sixty launch partners. Two weeks later, OpenAI and Stripe unveiled Instant Checkout in ChatGPT alongside the open Agentic Commerce Protocol. Through October, Visa and Mastercard pushed their own agent frameworks into production and signed up the major AI labs as partners. By the start of 2026, every layer of the payment stack had a public answer to the question "how does an agent pay?"
Here is who shipped what, and why each piece matters.
- OpenAI and Stripe — Instant Checkout and the Agentic Commerce Protocol (late September 2025). ChatGPT users in the US can now buy directly inside the chat, starting with US-based Etsy sellers and expanding to more than a million Shopify merchants. The underlying Agentic Commerce Protocol (ACP) is an open standard: merchants can adopt it with their existing payment provider, and a business already on Stripe can reportedly enable agentic payments in as little as one line of code. Salesforce announced support for ACP on October 14, 2025, signalling that this is aimed at enterprise commerce, not just consumer chat.
- Google — Agent Payments Protocol, AP2 (September 16, 2025). AP2 introduces three signed "Mandates" — Intent, Cart and Payment — carried as W3C Verifiable Credentials, so there is a cryptographic record of exactly what the user authorized at each step. It treats stablecoin rails as first-class alongside cards and bank transfers, with Coinbase and MetaMask shipping stablecoin extensions at launch. Partners spanned card networks, processors, wallets and merchants including Mastercard, PayPal, American Express, Adyen, Salesforce, Intuit, Etsy and Lowe's.
- Mastercard — Agent Pay (announced April 2025, live transactions later in the year). Agent Pay centres on "Agentic Tokens" — credentials scoped specifically to an AI agent — combined with Mastercard Payment Passkeys and programmable controls for spend limits, counterparty allowlists and transaction categories. Mastercard reported live authenticated agentic transactions in Hong Kong and Thailand as proof the model works in the real world.
- Visa — Intelligent Commerce and the Trusted Agent Protocol (October 2025). Visa's approach tokenizes a card so an approved assistant can spend within set rules, and its Trusted Agent Protocol, built with more than ten partners, helps merchants distinguish legitimate shopping agents from malicious bots. Visa named Anthropic, OpenAI, Microsoft and Perplexity among its launch partners and said it had already processed hundreds of controlled, real-world agent-initiated transactions, predicting that millions of consumers would use agents to buy by the 2026 holiday season.
How an agent payment works under the hood
Strip away the branding and the competing protocols converge on a similar flow. The agent never simply types your card details into a form the way a human would. Instead, the user grants a bounded authorization once, and every subsequent purchase is checked against that authorization before money moves.
- The user expresses an intent and sets limits — for example, "reorder printer supplies when stock is low, up to €200 a month, only from these two vendors." In AP2 terms this becomes a signed Intent Mandate.
- The agent shops and assembles a specific cart. That cart is captured as its own signed record, so there is no ambiguity later about what was actually being bought.
- A tokenized or scoped credential — an Agentic Token, a Visa-tokenized card, or a Payment Mandate — authorizes the charge, carrying the limits and allowlists with it.
- The merchant and the network verify the credential and the mandate, confirm the purchase falls within the authorized scope, and settle the transaction.
- Every step leaves a verifiable trail, which is what makes disputes, refunds and audits tractable when a piece of software, not a person, pressed "buy."
This is the same discipline we describe in our guide to what agentic automation is: the agent supplies the judgment about what to buy, while deterministic rules and signed credentials supply the safety around the part that actually spends money. Payment is precisely the kind of irreversible, sensitive action that should never sit behind an agent's unconstrained discretion.
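The flow above, sketched as an added example (not code from any of the protocols or vendors named here): three mandates are signed, linked by the cart hash, and checked before settlement. Field names and the single demo key are assumptions, and HMAC stands in for the Verifiable Credential signatures that AP2 carries; this is not the AP2 wire format.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the issuer signature on a
# Verifiable Credential; a real deployment verifies an asymmetric signature.
USER_KEY = b"constructed-demo-key"

def canonical(obj):
    """Stable byte encoding so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(body, key=USER_KEY):
    """Wrap a mandate body with a MAC over its canonical form."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}

def verified_body(mandate, key=USER_KEY):
    """Return the body only if the signature checks out, else None."""
    expected = hmac.new(key, canonical(mandate["body"]), hashlib.sha256).hexdigest()
    return mandate["body"] if hmac.compare_digest(expected, mandate["sig"]) else None

def cart_digest(cart):
    return hashlib.sha256(canonical(cart)).hexdigest()

def authorize(intent, cart_mandate, payment, presented_cart):
    """Merchant/network-side check: every link must verify before settlement."""
    i, c, p = (verified_body(m) for m in (intent, cart_mandate, payment))
    if i is None or c is None or p is None:
        return "deny: bad signature"
    if c["intent_id"] != i["id"] or p["cart_hash"] != c["cart_hash"]:
        return "deny: mandates not linked"
    if cart_digest(presented_cart) != c["cart_hash"]:
        return "deny: cart differs from the signed cart"
    total = sum(line["unit_cents"] * line["qty"] for line in presented_cart["lines"])
    if p["amount_cents"] != total:
        return "deny: amount differs from cart total"
    if presented_cart["vendor"] not in i["vendors"] or total > i["max_cents"]:
        return "deny: outside intent scope"
    return "allow"

# Constructed sample: printer supplies, capped at EUR 200, two vendors.
INTENT = sign({"id": "intent-1", "max_cents": 20000,
               "vendors": ["vendor-a.example", "vendor-b.example"]})
CART = {"vendor": "vendor-a.example",
        "lines": [{"sku": "TONER-BK", "unit_cents": 4500, "qty": 2}]}
CART_MANDATE = sign({"intent_id": "intent-1", "cart_hash": cart_digest(CART)})
PAYMENT = sign({"cart_hash": cart_digest(CART), "amount_cents": 9000})
```

A cart whose vendor or quantity changes after signing fails the hash comparison, and an intent whose limit is edited without re-signing fails the signature check.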
The protocols at a glance
The four big launches solve overlapping problems with different emphases. The table below is a simplified map, not a spec sheet, but it captures where each one puts its weight.
| Initiative | Led by | Core mechanism | Notable emphasis |
|---|---|---|---|
| Agentic Commerce Protocol (ACP) | Stripe & OpenAI | Open merchant-to-agent standard powering Instant Checkout | Merchant control and one-integration onboarding |
| Agent Payments Protocol (AP2) | Google + 60 partners | Signed Intent, Cart and Payment Mandates as verifiable credentials | Cross-rail, including stablecoins as first-class |
| Agent Pay | Mastercard | Agentic Tokens plus Payment Passkeys | Programmable spend limits and allowlists |
| Intelligent Commerce / Trusted Agent Protocol | Visa | Tokenized cards plus agent-versus-bot verification | Distinguishing trusted agents from malicious bots |
Notice that these are not all competitors in the zero-sum sense. Mastercard, PayPal and American Express appear as partners inside Google's AP2; OpenAI appears as a partner of both Stripe and Visa. The likely near-term reality is an interoperable mesh in which a merchant supports one or two standards and the networks bridge the rest — much like the way agent-to-agent and tool-calling standards are settling, a topic we cover in MCP vs A2A for multi-agent automation.
How big is this, really?
Forecasts for agentic commerce vary by an order of magnitude, and the reason is instructive: each firm draws the boundary of "agentic" in a different place. Some count only direct purchases made inside an AI platform; others include any purchase an agent influenced. With that caveat, the headline numbers still point the same direction.
- Morgan Stanley estimates agentic shoppers could reach between 190 and 385 billion dollars of US e-commerce spending by 2030, which it frames as roughly a 10 percent share of online retail in the base case and up to 20 percent in the optimistic one.
- Bain & Company puts the US agentic-commerce market at 300 to 500 billion dollars by 2030, or about 15 to 25 percent of overall e-commerce.
- Juniper Research projects global agent-driven transaction value climbing from around 8 billion dollars in 2026 to 1.5 trillion dollars by 2030.
- McKinsey sets a wider global range of 3 to 5 trillion dollars by 2030 when broader ecosystem effects are included, while eMarketer, using the narrowest definition, sees over 20 billion dollars in 2026 rising to 144 billion dollars by 2029.
The spread is enormous, and you should treat any single figure with caution. But when Morgan Stanley, Bain, McKinsey, Juniper and eMarketer all forecast steep growth from different starting assumptions, the signal is hard to dismiss. Even the conservative numbers describe a channel that did not meaningfully exist eighteen months ago.
What this changes for businesses
For most companies the immediate question is not "should we let an agent run our budget" but "can an AI assistant even find and buy from us." When a shopper asks ChatGPT or a Gemini-powered assistant to handle a purchase, the agent has to be able to read your catalog, understand your prices and stock, and complete checkout through a supported protocol. Businesses that are invisible or unreadable to agents simply will not appear in that funnel.
That reframes a familiar discipline. The SEO of the last two decades optimized pages for human readers and search crawlers; agentic commerce adds a third audience — the buying agent — that wants clean, structured, machine-readable product data and a checkout it can complete programmatically. The work splits into two broad directions:
- The sell side: making your products discoverable and purchasable by agents. That means structured product feeds, accurate real-time inventory and pricing, and adopting at least one agent-checkout standard through your e-commerce or payment platform.
- The buy side: letting your own agents handle repetitive procurement — reordering supplies, renewing subscriptions, booking recurring services — inside hard guardrails so spending stays controlled and auditable.
Both sides lean heavily on automation infrastructure, which is where this stops being someone else's story and becomes a concrete build.
Where automation builders fit in
The payment networks have built the rails. What they have not built is the workflow that decides when an agent should buy, checks that a purchase is sensible, routes anything unusual to a human, and reconciles the result against your books. That connective tissue is exactly what automation platforms are for, and it is platform-neutral: n8n, Make, Zapier and Microsoft Power Automate can each sit between a triggering event and a new agent-payment API.
Concrete patterns that are now buildable include:
- Guardrailed reordering. An inventory webhook fires, an agent assembles the right cart, and a deterministic rule checks the total against a monthly budget and a vendor allowlist before the tokenized payment is allowed through.
- Approval-gated procurement. Anything above a threshold pauses for one-click human approval in Slack or email, so the agent handles the routine 90 percent and a person signs off on the exceptions.
- Reconciliation and logging. Every agent purchase is written to your accounting system and a ledger, with the signed mandate or token reference attached, so finance can audit who authorized what.
- Agent-readable catalog sync. A workflow keeps your structured product feed, prices and stock levels continuously updated so the assistants shopping on your behalf — and on your customers' behalf — always see the truth.
The risks you cannot wave away
Letting software spend money concentrates every agentic risk into its sharpest form. A misrouted email is recoverable; a wrong purchase is not, at least not without friction. The protocols were explicitly designed around this — scoped tokens, spend limits, allowlists and signed mandates all exist precisely because nobody trusts an unconstrained agent with a card. But the controls only help if you use them.
- Over-broad authorization. The convenience of "let the agent handle it" tempts people to grant wider limits than they need. Scope every mandate to the narrowest budget, vendor set and category that still gets the job done.
- Prompt injection at the point of sale. A shopping agent reads web content, and hostile content can try to redirect a purchase. Treat anything the agent ingests as untrusted, and validate the final cart against your own rules before payment.
- Wrong-but-plausible buys. An agent can confidently order the wrong variant or quantity. Deterministic sanity checks on price, quantity and vendor catch most of these before settlement.
- Compliance and disputes. When an agent buys, you still own the consumer-protection, tax and record-keeping obligations. The verifiable-credential trail helps, but you need a logging and reconciliation layer to make use of it.
These are governance problems more than technical ones, and they sit squarely inside the discipline covered in our guide to automation security and compliance. The rule from ordinary agentic automation holds with extra force here: never let an agent take an irreversible action — and a payment is the definitive irreversible action — without a hard limit, a deterministic check, or a human in the loop.
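One way to write the deterministic check that the guardrailed-reordering and approval-gated patterns and the sanity checks in the risk list above call for, as an added example rather than code from any platform named here. The policy fields, thresholds, catalog and cart shape are assumptions; the logic would sit in a code step between the agent's cart and the payment call.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    monthly_budget_cents: int
    vendors: frozenset
    approval_over_cents: int      # carts above this pause for a human
    max_qty_per_line: int
    max_price_drift: float        # allowed deviation from our own catalog price

def check_cart(cart, policy, spent_this_month_cents, catalog):
    """Return (decision, reasons); decision is 'allow', 'needs_approval' or 'deny'.

    Only `catalog` (our own price list) and `policy` are trusted. Everything in
    `cart` came from an agent that read web content, so it is validated, never obeyed.
    """
    deny, review = [], []
    if cart["vendor"] not in policy.vendors:
        deny.append(f"vendor {cart['vendor']!r} not on allowlist")
    total = 0
    for line in cart["lines"]:
        sku, qty, unit = line["sku"], line["qty"], line["unit_cents"]
        if not isinstance(qty, int) or not isinstance(unit, int) or qty <= 0 or unit <= 0:
            deny.append(f"{sku}: malformed quantity or price")
            continue
        total += qty * unit
        if sku not in catalog:
            deny.append(f"{sku}: not in approved catalog")
        elif abs(unit - catalog[sku]) > policy.max_price_drift * catalog[sku]:
            review.append(f"{sku}: price {unit} vs catalog {catalog[sku]}")
        if qty > policy.max_qty_per_line:
            review.append(f"{sku}: quantity {qty} above usual maximum")
    if spent_this_month_cents + total > policy.monthly_budget_cents:
        deny.append("monthly budget exceeded")
    if total > policy.approval_over_cents:
        review.append(f"total {total} above approval threshold")
    if deny:
        return "deny", deny
    return ("needs_approval", review) if review else ("allow", [])

# Constructed sample policy and catalog (EUR 200 a month, two vendors).
POLICY = Policy(20000, frozenset({"vendor-a.example", "vendor-b.example"}),
                approval_over_cents=10000, max_qty_per_line=5, max_price_drift=0.15)
CATALOG = {"TONER-BK": 4500, "PAPER-A4": 600}
```

The returned reasons are what the approval message and the ledger entry should carry, so a reviewer sees why a cart was paused or refused.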
What to do in the next ninety days
You do not need to rebuild your business around agentic commerce this quarter, and rushing is how teams grant over-broad permissions they later regret. The durable advantage comes from clean data and tight guardrails, not from being first. A measured plan looks like this:
- Audit your product data. If your catalog, pricing and inventory are not clean and structured, start there — it is the foundation for being discoverable by any buying agent.
- Ask your platform. Find out whether your e-commerce or payment provider already supports ACP, AP2, Agent Pay or Visa Intelligent Commerce, and what enabling it would take.
- Pilot the buy side internally. Choose one low-risk, repetitive purchase — office supplies, a recurring SaaS renewal — and build a guardrailed agent workflow for it before you touch anything customer-facing.
- Instrument everything. Stand up logging and reconciliation from day one, so every agent action is auditable. Retrofit observability and you will regret it.
- Keep a human gate on the exceptions. Automate the routine, escalate the unusual. That balance is what keeps agent spending both efficient and safe.
FAQ
What is agentic commerce in one sentence?
It is commerce in which an AI agent discovers, carts and completes a purchase on your behalf within limits you set, rather than you clicking through checkout yourself.
When did agentic commerce become real?
In late 2025, when Google launched AP2 on September 16, OpenAI and Stripe launched Instant Checkout and the Agentic Commerce Protocol about two weeks later, and Visa and Mastercard pushed their agent frameworks into production through October.
How does an agent pay without exposing my card?
Through scoped, tokenized or cryptographically signed credentials — Mastercard's Agentic Tokens, Visa's tokenized cards, or Google's signed Payment Mandates — that encode what you authorized rather than revealing your raw card number.
Which standard should a merchant adopt?
Often whichever your e-commerce or payment provider already supports. The Agentic Commerce Protocol is open and provider-agnostic, and the networks increasingly act as partners across each other's standards, so an interoperable mesh is the likely outcome.
How big could the market get?
Estimates range from eMarketer's narrow 144 billion dollars by 2029 to McKinsey's broad 3 to 5 trillion dollars globally by 2030, with Morgan Stanley and Bain placing US spending in the hundreds of billions — all pointing to steep growth.
What is the biggest risk?
Granting an agent broader spending authority than it needs and skipping the deterministic checks. Payment is irreversible, so scope every mandate tightly and gate exceptions to a human.
Where do automation tools come in?
They sit between the triggering event and the payment API, deciding when an agent may buy, validating the cart, routing exceptions for approval, and logging every transaction for audit — work that platforms like n8n, Make, Zapier and Power Automate are built for.
Should a small business act now?
Prepare rather than rush: clean up product data, ask your platform about protocol support, and pilot internal guardrailed purchasing before exposing anything customer-facing.