An AI agent browsed your company's catalog this morning. It tried to place an order. Your checkout wouldn't accept it. That is not a user experience problem. According to Google Cloud's head of Web3 strategy, it is a structural impossibility inside the traditional financial system, and the specification to fix it just became an open standard.
What Actually Happened
On April 28, 2026, Google donated the Agent Payments Protocol (AP2) to the FIDO Alliance, the standards body best known for developing passkeys and hardware authentication for human logins. The donation came with 120 partner organizations co-signing the launch, including PayPal, Mastercard, American Express, Adyen, Coinbase, Etsy, Forter, Intuit, JCB, Mysten Labs, Revolut, Salesforce, ServiceNow, UnionPay International, and Worldpay. It represented one of the broadest simultaneous endorsements of a new payment standard since the original EMV chip card specification, spanning both traditional finance giants and crypto-native infrastructure providers in a single announcement.
AP2 v.0.2, the version submitted to FIDO, introduces a formal category called "Human Not Present" payments. Under this framework, an AI agent executes a purchase autonomously based on pre-authorized user instructions, without requiring real-time human approval of each individual transaction. Alongside AP2, Google and Mastercard co-developed a companion standard called Verifiable Intent, a tamper-proof cryptographic log of every action an agent is authorized to take, also donated to FIDO. Together the two specifications address the accountability question that has blocked enterprise adoption of autonomous purchasing: how does a merchant verify that an agent's transaction actually reflects what the human authorized, and how does an auditor reconstruct the chain of delegation six months later?
Why This Matters More Than People Think
The problem AP2 solves is not technological but structural. Richard Widmann, Google Cloud's global head of Web3 strategy, stated it directly at Consensus Miami on May 10: "An agent cannot get a bank account. It's not hard, it just is impossible." Traditional payment rails require a legal entity, a verified identity, a chargeback dispute process, and human-readable authentication flows. Credit cards require human cardholders. ACH requires bank accounts with human or corporate signatories. Swift requires correspondent banking relationships. AI agents operating continuously, across jurisdictions, without persistent legal personhood cannot access any of these, and no amount of API wrapping changes the underlying regulatory structure that governs who can send and receive money.
A PayPal survey released at Consensus Miami forces the urgency into numbers. 95% of merchants are already seeing AI agent traffic on their sites. Only 20% have machine-readable product catalogs that an agent can actually parse and transact against. This gap between agent arrival and merchant readiness is where McKinsey projects $3 trillion to $5 trillion of global commerce will be mediated by agentic systems by 2030. AP2's "Human Not Present" category is the specification that lets the 80% of merchants currently built for human-only infrastructure handle agent-driven orders before they start losing revenue to competitors who are already prepared.
The Competitive Landscape
AP2 is not the only protocol competing to govern agentic payments. Coinbase and Cloudflare developed x402, a crypto-native open standard that reactivates the HTTP 402 "Payment Required" response code to let agents settle stablecoin transactions programmatically on a per-request basis, donated to the Linux Foundation. On May 11, 2026, Cryptorefills launched x402 payments at checkout, enabling AI agents to autonomously purchase gift cards, mobile top-ups, and eSIMs using USDC on the Base network. The x402 approach prioritizes settlement speed and simplicity: no identity infrastructure required, stablecoin settlement in seconds, built for agents that pay per API call or per data packet at machine-to-machine frequency. Coinbase CEO Brian Armstrong has described x402 as "the missing payments layer of the internet."
Google's choice of the FIDO Alliance over the Linux Foundation is the most strategically revealing signal in this story. FIDO is the standards body that solved online authentication for humans via passkeys and hardware security keys. By routing AP2 through FIDO, Google is asserting that the central unsolved problem in agentic commerce is not payment settlement speed but agent identity and the authorization chain: matching x402's settlement capability with the accountability trail that enterprise procurement departments, regulated industries, and global financial regulators will require. The 120 AP2 partners include both crypto infrastructure (Coinbase, Mysten Labs) and traditional finance (American Express, Mastercard, UnionPay International), signaling AP2 is designed to bridge existing financial rails rather than replace them with a crypto-only stack.
The risk is that AP2 becomes another failed attempt at voluntary payment standards coordination. The payments industry has a poor track record here: EMVCo's 3D Secure standard required years of explicit card network mandates before merchants actually implemented it, and ISO 20022 adoption has dragged on for over a decade. Critics argue that without a regulatory backstop or a major platform forcing function, the 80% of merchants lacking machine-readable catalogs will resist the engineering investment AP2 requires. Getting large enterprise retailers to retrofit product databases and checkout flows for AI agents requires either a visible market penalty in lost agent-driven revenue or a regulatory mandate. Neither is yet on a firm timeline for 2026 or 2027.
Hidden Insight: The 20% Who Are Ready Will Win the First Trillion
Every analysis of agentic commerce focuses on the trust question: will humans delegate purchasing decisions to AI agents? The PayPal merchant data shifts the frame. The bottleneck is not consumer psychology but merchant infrastructure. An AI agent cannot complete a purchase from a retailer whose product catalog is locked inside HTML pages designed for human eyes, regardless of which payment protocol the agent supports. The merchants who have invested in structured product APIs, machine-readable catalogs, and agent-native checkout flows are already capturing orders from AI agents acting on behalf of enterprise procurement teams, personal finance automation, and supply chain management systems. They are capturing this revenue invisibly, without press releases or market announcements.
This creates a compounding infrastructure advantage that most market observers are not pricing in. The $3 trillion to $5 trillion McKinsey projection assumes broad agent-ready merchant coverage across retail, travel, software, and services. Companies building machine-readable catalog layers, structured product APIs, and agent-native checkout flows occupy the same position relative to agentic commerce that Stripe occupied relative to human-payment infrastructure in 2011. Stripe's peak valuation reached $95 billion by capturing a transaction infrastructure layer at high volume. The agentic commerce equivalent operates at fundamentally higher transaction frequency: agents can query price, availability, and substitution options thousands of times per second before settling on a purchase. The infrastructure serving that query volume is worth more than the infrastructure serving human browsing behavior.
The stablecoin data gives this a concrete financial floor. Stablecoin transaction volume reached $33 trillion in 2025, up 72% year over year, with supply surpassing $300 billion and analyst projections of $420 billion by end of 2026. Machine-to-machine agentic payments are cited as a primary driver of that growth curve. The financial rails for autonomous agent commerce already exist and are already scaling faster than most enterprise payment teams realize. What AP2 and Verifiable Intent add is the accountability and authorization layer that lets those rails serve regulated industries, cross-border enterprise procurement, and compliance-sensitive financial services where a stablecoin settlement record alone is insufficient for audit requirements.
What to Watch Next
The FIDO Alliance's technical working group will formalize AP2 as an official standard over the next 12 to 18 months. AP2 v.1.0 publication is the signal that the protocol is stable enough for enterprise procurement decisions. Before that, the near-term indicator is how quickly the 120 founding partners ship AP2-compatible developer toolkits. If PayPal ships a live AP2 checkout option before Q3 2026, that translates into real-world agent purchases on one of the world's three largest payment networks within the year. Watch whether Shopify, WooCommerce, or Magento, which together power roughly 40% of global e-commerce storefronts, announces a native AP2 or x402 integration before the end of 2026. That single announcement would make the agent-ready merchant base jump by tens of millions of storefronts overnight.
The regulatory timeline is the 18-month forcing function. The EU AI Act's provisions on autonomous agent accountability and traceability become enforceable in December 2027. Verifiable Intent's tamper-proof authorization log maps directly onto that compliance requirement, creating a path where AP2 adoption is effectively mandatory for any enterprise handling EU consumer transactions through AI agents. Watch whether the European Commission explicitly references AP2 or Verifiable Intent in AI Act implementation guidance: that endorsement converts voluntary adoption into competitive necessity. Also track whether Coinbase ships an AP2-compatible integration layer on top of x402 before the end of 2026. If it does, the two competing standards converge into a single interoperable system, eliminating the protocol war and dramatically accelerating adoption across both crypto-native and traditional finance contexts.
AI agents are already shopping. The only question is whether your checkout can see them, and whether your competitor's checkout already can.
Key Takeaways
- Google donated AP2 to FIDO Alliance on April 28, 2026 — with 120 partners including PayPal, Mastercard, Coinbase, and Salesforce establishing the first open standard for autonomous agent payments.
- "Human Not Present" payments are now a formally defined protocol category — agents execute purchases on pre-authorized instructions, with the co-developed Verifiable Intent standard logging every authorized action in a tamper-proof cryptographic record.
- 95% of merchants see AI agent traffic; only 20% have machine-readable catalogs — that 75-point readiness gap is where McKinsey's $3 trillion to $5 trillion agentic commerce projection for 2030 is concentrated.
- Stablecoin transaction volume reached $33 trillion in 2025, up 72% year over year — supply exceeded $300 billion with projections of $420 billion in 2026, driven in part by agentic machine-to-machine payments.
- AP2 via FIDO competes with x402 via Linux Foundation — Google's choice of FIDO signals an identity-first, compliance-ready architecture versus x402's crypto-native speed-first settlement model, with convergence between the two possible before end of 2026.
Questions Worth Asking
- If AP2 via FIDO and x402 via the Linux Foundation converge rather than compete, which governance model ends up as the default for how AI agents transact globally: the identity-first accountability approach or the settlement-first crypto-native approach?
- The Verifiable Intent standard creates a tamper-proof log of every agent-authorized action. In an enterprise setting, who owns that log, and could it become the most valuable compliance and audit dataset in corporate governance history?
- If 80% of merchants are not yet machine-readable and you run a business with an online storefront, are you already losing revenue from AI agents shopping on behalf of your potential customers and routing those orders to machine-ready competitors?