AILANG · sketch
§1 · AI-readiness
The radar shows AILANG-readiness across three commercial concerns. High means ap2-protocol.org is already strong there; low means AILANG could meaningfully help.
§2 · what an AI sees on ap2-protocol.org
AP2 is an open protocol designed for secure, reliable, and interoperable agent commerce. It addresses authorization, authenticity, and accountability for agent-initiated payments, ensuring user control and privacy. Built on Verifiable Digital Credentials, AP2 aims to establish a trusted framework for the emerging Agent Economy among developers, merchants, and the payments industry.
Structural extraction — the same content an AI agent would consume from this page.
8 sections — page skeleton
7 headings
2 images
8 list items
# AP2 - Agent Payments Protocol Documentation
**Author:** Google
[Skip to content](#what-is-ap2)
*Header:*
[Image: logo]
[(link)](.)
AP2 - Agent Payments Protocol Documentation
Home
Initializing search
[AP2](https://github.com/google-agentic-commerce/AP2)
AP2 - Agent Payments Protocol Documentation
[AP2](https://github.com/google-agentic-commerce/AP2)
- Home
[
Home
](.)
Table of contents
What is AP2?
Why an Agent Payments Protocol is Needed
Core Principles and Goals
Key Concept: Verifiable Digital Credentials (VDCs)
See it in action
Get Started and Build with Us
- What is AP2?
- Why an Agent Payments Protocol is Needed
- Core Principles and Goals
- Key Concept: Verifiable Digital Credentials (VDCs)
- See it in action
- Get Started and Build with Us
- [
Executive Summary
](overview/)
- Specification
Specification
[
Agent Payments Protocol
](ap2/specification/)
[
Agent Authorization Framework
](ap2/agent_authorization/)
[
Flows
](ap2/flows/)
[
Checkout Mandate
](ap2/checkout_mandate/)
[
Payment Mandate
](ap2/payment_mandate/)
[
Security and Privacy Considerations
](ap2/security_and_privacy_considerations/)
[
Implementation Considerations
](ap2/implementation_considerations/)
- [
Agent Payments Protocol
](ap2/specification/)
- [
Agent Authorization Framework
](ap2/agent_authorization/)
- [
Flows
](ap2/flows/)
- [
Checkout Mandate
](ap2/checkout_mandate/)
- [
Payment Mandate
](ap2/payment_mandate/)
- [
Security and Privacy Considerations
](ap2/security_and_privacy_considerations/)
- [
Implementation Considerations
](ap2/implementation_considerations/)
- [
Glossary
](glossary/)
- [
FAQ
](faq/)
- Samples
Samples
[
Human Present Cards
](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/python/scenarios/a2a/human-present/cards/)
[
Human Present x402
](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/python/scenarios/a2a/human-present/x402/)
[
Human Not Present Cards
](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/python/scenarios/a2a/human-not-present/cards/)
[
Human Not Present x402
](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/python/scenarios/a2a/human-not-present/x402/)
[
Digital Payment Credentials Android
](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/android/scenarios/digital-payment-credentials/run.sh)
- [
Human Present Cards
](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/python/scenarios/a2a/human-present/cards/)
- [
Human Present x402
](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/python/scenarios/a2a/human-present/x402/)
- [
Human Not Present Cards
](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/python/scenarios/a2a/human-not-present/cards/)
- [
Human Not Present x402
](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/python/scenarios/a2a/human-not-present/x402/)
- [
Digital Payment Credentials Android
](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/android/scenarios/digital-payment-credentials/run.sh)
Table of contents
- What is AP2?
- Why an Agent Payments Protocol is Needed
- Core Principles and Goals
- Key Concept: Verifiable Digital Credentials (VDCs)
- See it in action
- Get Started and Build with Us
[Image: Agent Payments Protocol Logo]
# Agent Payments Protocol (AP2)
## What is AP2?¶
**Agent Payments Protocol (AP2) is an open protocol for the emerging Agent
Economy.** It's designed to enable secure, reliable, and interoperable agent
commerce for developers, merchants, and the payments industry. The protocol is
available as an extension for the open-source
[Agent2Agent (A2A) protocol](https://a2a-protocol.org/) and
[Universal Commerce Protocol](https://ucp.dev/documentation/ucp-and-ap2/) with more integrations
in progress.
Build agents with
**[ ADK](https://google.github.io/adk-docs/)***(or any framework)*, equip with
**[ MCP](https://modelcontextprotocol.io)***(or any tool)*, collaborate via
**[ A2A](https://a2a-protocol.org)**, and use
** AP2** to secure payments with gen AI agents.
- **Video** Intro in <7 min
- **Read the docs**
[ AP2 v0.2 Release and FIDO Alliance Donation](https://blog.google/products-and-platforms/platforms/google-pay/agent-payments-protocol-fido-alliance/)
[ FIDO Alliance to Develop Standards for Trusted AI Agent Interactions](https://fidoalliance.org/fido-alliance-to-develop-standards-for-trusted-ai-agent-interactions/)
[ Agent Payments Protocol Announcement (9/16/2025)](https://cloud.google.com/blog/products/ai-machine-learning/announcing-agents-to-payments-ap2-protocol)
**Explore the detailed technical definition of the AP2 protocol**
[ Agent Payments Protocol Specification](ap2/specification/)
[ AP2 and UCP integration guide](https://ucp.dev/documentation/ucp-and-ap2/)
---
## Why an Agent Payments Protocol is Needed¶
Today’s payment systems assume a human is directly clicking "buy" on a trusted
website. When an autonomous agent initiates a payment, this core assumption is
broken, leading to critical questions that current systems cannot answer:
- **Authorization:** How can we verify that a user gave an agent specific
authority for a particular purchase?
- **Authenticity:** How can a merchant be sure an agent's request accurately
reflects the user's true intent, without errors or AI "hallucinations"?
- **Accountability:** If a fraudulent or incorrect transaction occurs, who is
accountable—the user, the agent's developer, the merchant, the issuer, the
PSP, or the orchestration layer?
This ambiguity creates a crisis of trust that could significantly limit
adoption. Without a common protocol, we risk a fragmented ecosystem of
proprietary payment solutions, which would be confusing for users, expensive for
merchants, and difficult for financial institutions to manage. AP2 aims to
create a common language for any compliant agent to transact securely with any
compliant merchant globally.
---
## Core Principles and Goals¶
The Agent Payments Protocol is built on fundamental principles designed to
create a secure and fair ecosystem:
- **Openness and Interoperability:** As a non-proprietary, open extension for
A2A and MCP, AP2 fosters a competitive environment for innovation, broad
merchant reach, and user choice.
- **User Control and Privacy:** The user must always be in control. The
protocol is designed with privacy at its core, using a role-based
architecture to protect sensitive payment details and personal information.
- **Verifiable Intent, Not Inferred Action:** Trust in payments is anchored to
deterministic, non-repudiable proof of intent from the user, directly
addressing the risk of agent error or hallucination.
- **Clear Transaction Accountability:** AP2 provides a non-repudiable,
cryptographic audit trail for every transaction, aiding in dispute
resolution and building confidence for all participants.
- **Global and Future-Proof:** Designed as a global foundation, the initial
version supports common "pull" payment methods like credit and debit cards.
The roadmap includes e-wallets, "push" payments such as real-time bank
transfers (e.g., UPI and PIX), and digital currencies, recognizing that
many countries do not have real-time banking systems.
---
## Key Concept: Verifiable Digital Credentials (VDCs)¶
The Agent Payments Protocol engineers trust into the system using **verifiable
digital credentials (VDCs)**. VDCs are tamper-evident, cryptographically signed
digital objects that serve as the building blocks of a transaction. There are
two primary types of mandates, each existing in two stages:
- **Checkout Mandate**: Captures the reference to the specific items and
purchase details negotiated between the agent and the merchant, and is
**shared with the merchant**.
**Open**: Captures the user's constraints and goals for the transaction
before a specific cart is finalized for autonomous execution.
**Closed**: Captures the user's (or agent's) authorization for a specific,
finalized checkout.
- **Open**: Captures the user's constraints and goals for the transaction
before a specific cart is finalized for autonomous execution.
- **Closed**: Captures the user's (or agent's) authorization for a specific,
finalized checkout.
- **Payment Mandate**: Authorizes a payment against a specific payment
instrument, and is **shared with the Credential Provider, Networks and the
Merchant Payment Processor**.
**Open**: Captures the user's constraints on payment (e.g., budget,
allowed instruments) for autonomous execution.
**Closed**: Captures the authorization for a specific transaction amount
bound to a finalized checkout.
- **Open**: Captures the user's constraints on payment (e.g., budget,
allowed instruments) for autonomous execution.
- **Closed**: Captures the authorization for a specific transaction amount
bound to a finalized checkout.
These VDCs operate within a defined role-based architecture and are chained
together to provide a complete, verifiable audit trail for both human-present
and human-not-present transactions.
See more in the sample [Flows](ap2/flows/).
## See it in action¶
- **Human Not Present Cards**
A sample demonstrating an autonomous transaction where the agent acts without human presence, using traditional card payments.
[ Go to sample](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/python/scenarios/a2a/human-not-present/cards/)
- **Human Not Present x402**
A sample demonstrating an autonomous transaction where the agent acts without human presence, using the x402 protocol for payments.
[ Go to sample](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/python/scenarios/a2a/human-not-present/x402/)
- **Digital Payment Credentials Android**
A sample demonstrating the use of digital payment credentials on an Android device.
[ Go to sample](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/android/scenarios/digital-payment-credentials/)
- **Human Present Cards**
A sample demonstrating a human-present transaction using traditional card payments.
[ Go to sample](https://github.com/google-agentic-commerce/AP2/tree/main/code/samples/python/scenarios/a2a/human-present/cards/)
---
## Get Started and Build with Us¶
The Agent Payments Protocol provides a mechanism for secure payments, and it's
part of a larger picture to unlock the full potential of agent-enabled commerce.
We actively seek your feedback and contributions to help build the future of
commerce.
Our public GitHub repo hosts the lastest version of AP2 specification, documentation and SDK. Standardization of the specification will continue within the Agentic Authentication Technical and Payments Technical Working Groups in FIDO.
You can get started today by:
- Downloading and running our **code samples**.
- **Experimenting with the protocol** and its different agent roles.
- Contributing your feedback and **code** to the public repository.
[Visit the GitHub Repository](https://github.com/google-agentic-commerce/AP2)
Back to top
*Footer:*
[Next
Executive Summary](overview/)
Copyright 2025 Google. Licensed under the Apache License, Version 2.0.
Made with
[Material for MkDocs](https://squidfunk.github.io/mkdocs-material/)
Couldn't render a preview for this site. Open the URL in a new tab ↗
Screenshot via thum.io
§3 · AILANG × your business
ap2-protocol.org scored 0/10 on agent-ready. AILANG opportunity is therefore 10/10. Here's where it would land first.
ailang serve-api takes your typed AILANG functions and exposes them as REST endpoints, MCP tools, A2A skills, and OpenAPI 3.1 docs simultaneously. One module, four agent surfaces.
ailang serve-api --port 8092 --mcp-http \ pricing.ail catalogue.ail -- POST /api/pricing/quote, MCP at /mcp/, -- A2A at /.well-known/agent.json, OpenAPI at /api/_meta/redoc.→ AILANG docs
Every tool an agent can call has a contract. Bounds, refusal paths, type signatures — proven before the agent ever sees it. The agent cannot exceed the tool's declared authority.
func placeOrder(item: SKU, qty: int) -> Receipt requires { qty > 0, qty <= 10 } ensures { result.total > 0.0 } -- the MCP server exposes this with its contract intact.→ AILANG docs
Generate an MCP server from your typed AILANG functions; the docs MCP exposes a submit_feedback tool so agents can flag issues back to the maintainer. The language and its consumers stay on the same wire.
-- The AILANG docs MCP server lets Claude / Cursor / any -- MCP client query the language directly: -- stdlib_search "URL encoding" -- submit_feedback "..."→ AILANG docs
func sketchSite(url: string<pii>, topic: Topic) -> Sketch
! {Net @limit=1, AI @limit=5, FS @limit=4, Process, Declassify}
| Signal | Topic | Result | Points | AILANG primitive |
|---|---|---|---|---|
| agent.json referenced | agent-ready | ✗ | 0/1 | ailang serve-api generates A2A agent cards automatically — bonus if you're an early adopter |
| openapi.json referenced | agent-ready | ✗ | 0/2 | ailang serve-api generates OpenAPI 3.1 from Hindley-Milner type signatures |
| MCP endpoint referenced | agent-ready | ✗ | 0/2 | ailang serve-api --mcp-http exposes typed functions as MCP tools |
| Public API docs linked | agent-ready | ✗ | 0/2 | ailang serve-api hosts Swagger + ReDoc at /api/_meta/ by default |
| Webhooks documented | agent-ready | ✗ | 0/2 | ailang serve-api handles webhooks as typed handler functions with effect-tracked side effects |
| Rate limits documented | agent-ready | ✗ | 0/2 | Capability budgets — Net @limit=N is the symmetric server-side primitive for what agents see as rate limits |
| Streaming / SSE endpoint | agent-ready | ✗ | 0/2 | std/stream — ssePost and Stream effect handle event-source endpoints with typed event types |
| Sandbox / test environment offered | agent-ready | ✗ | 0/2 | ailang --ai-stub plus mock effect handlers — deterministic, capability-scoped fakes for any effect, including Net and AI |
| Authentication documented | agent-ready | ✗ | 0/2 | std/jwt for verification, IFC labels (string |
| Idempotency keys documented | agent-ready | ✗ | 0/2 | Pure functions are idempotent by construction; requires/ensures contracts express idempotence as a static guarantee |
| AG-UI streaming protocol | agent-ready | ✗ | 0/1 | std/stream — the AG-UI event lifecycle (RUN_STARTED → TEXT_MESSAGE_CONTENT → TOOL_CALL_RESULT → RUN_FINISHED) is a textbook sum type. ADTs + exhaustive pattern matching make every event-type branch a compile error to skip. |
| HTTP 402 agent payments (x402 / pay-per-crawl) | agent-ready | ✓ | 1/1 | Net @endpoint-scoped capability budgets bound payment destinations; requires { amount <= budget } gates the payload; IFC labels keep the signed payment key out of public sinks. Same primitives cover x402 payload signing and Cloudflare's crawler-price negotiation. |
| AP2 Agent Payments Protocol | agent-ready | ✓ | 1/1 | Mandates ARE contracts. requires { intent.price <= mandate.maxPrice } + ensures { cart.total <= intent.price } is a one-to-one translation of an Intent/Cart Mandate into AILANG. Z3 can verify the bounds at compile time. |
| UTCP tool-calling protocol | agent-ready | ✗ | 0/1 | Typed function signatures are the manifest. ailang serve-api emits the same metadata as a UTCPManual (name, input/output schema, native endpoint) — direct-call discovery without a proxy server. |
| End-to-end encryption documented | privacy | ✗ | 0/2 | IFC labels (string |
| Compliance certifications cited | privacy | ✗ | 0/2 | requires/ensures contracts express machine-verifiable claims; capability budgets bound audit-trail effects; effect rows leave nothing un-declared |
| Data minimisation language | privacy | ✗ | 0/2 | Capability scoping — each Net call declares its endpoint in the effect row, so "doesn't sell" becomes a type-system-enforceable claim, not a marketing one |
| Third-party domains restrained | privacy | ✗ | 0/2 | Capability scoping — each Net call declares its endpoint in the effect row |
| Data residency / on-prem language | privacy | ✗ | 0/2 | Three-runtime deploy — same module runs in WASM (browser), Cloud Run, and native CLI |
| Single-vendor LLM language | portable | ○ | 2/2 | std/ai multi-provider — switch from Anthropic to Gemini to OpenAI without rewriting |
| Multiple AI providers cited | portable | ✗ | 0/2 | std/ai — one Step API across Anthropic, OpenAI, Gemini, OpenRouter, Ollama, and custom-package providers |
| Cross-runtime / deployment portability | portable | ✗ | 0/2 | Effect handlers as runtime adapters — same .ail runs as WASM in the browser, a Cloud Run container, and a native CLI; only the handlers change |
| BYO key / model-agnostic | portable | ✗ | 0/2 | AILANG WASM — the full interpreter ships as a browser bundle, so caller-held keys (BYOK), offline apps, and embedded demos all work client-side |
The rubric that scored this page is open-source AILANG code — every signal extractor is contract-verified. View rubric →