Run this test on any agent-payment rail you like. An AI agent buys something. Afterward, somebody outside the issuing network (a merchant, an auditor, a rival processor) asks the obvious question: what exactly did the human allow?

A merchant holding a Mastercard agentic token cannot answer it. The token clears or it declines; what the user permitted lives inside Mastercard authorization. A Stripe shared payment token is an opaque string; the spending limits behind it sit in Stripe's database. A Visa Trusted Agent Protocol signature proves an agent is real to anyone who checks, but the permission behind it resolves only inside Visa. We spent this week reading the primary specifications behind eight of these rails, and the test fails on seven of them.

The agentic web has quietly agreed on who. The fight now is over may.

The rails multiplied. The permissions did not travel.

When Simon Taylor published his Agentic Payments Map in February, the striking thing was how fast the territory had filled in: networks, processors, wallets, and protocols all claiming a lane. The map answers what exists. We wanted to answer a narrower question that we think decides the whole contest: when each rail authorizes an agent to spend, does that authorization mean anything outside the rail that issued it?

We made the test concrete. For each rail, from the spec: what is the authorization artifact, who issues it, and can a party with no contract with the issuer verify it? Three possible verdicts. Portable: anyone can check it. Federated: the mechanics are open, but trust resolves inside the issuing network. Walled: the artifact only means something to its issuer.

The count, as of this week: two Portable, four Federated, two Walled. And one of the two Portables only covers half the question.

This is the authorization layer of the MM Trust Layer Model, and it is where we said the real contest would be when we wrote that the fight is over permission, not payments. The market is not converging on one protocol. It is layering: signatures for "is this agent real," scoped tokens for "can it pay here once," signed mandates for "what did the human allow," and machine-native settlement underneath.

"Who" converged without a press conference

Here is the part that surprised us. The identity layer, the question of whether an agent is what it claims to be, has already standardized across rivals, and almost nobody has said so out loud.

Visa's Trusted Agent Protocol signs every agent request with HTTP Message Signatures under RFC 9421, engineered with Cloudflare. Mastercard's agent-recognition layer, Web Bot Auth, is built on the same RFC 9421 standard, with the same partner. Two networks that compete on everything else are running technically interoperable agent identity today.

It goes further. Google's AP2 protocol anchors user trust, in its own worked example, in an EMVCo digital payment credential. EMVCo is the standards body owned by the card networks. The networks' own credential standard is the trust anchor inside the protocol most likely to compete with them.

Agent identity is already a solved, shared problem. Spending permission is not. That asymmetry is the story.
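The signing mechanics this section describes, as an added example that is not Visa's, Mastercard's or Cloudflare's code: an agent signs a request under RFC 9421 with an Ed25519 key, and the merchant rebuilds the signature base from the request it actually received, looks the key id up in its own registry, checks the created timestamp, and verifies. The request fields, the key id agent-key-1, the label sig1 and the 300-second freshness window are constructed for the example; the fixed covered-component list stands in for the list a real verifier would parse out of Signature-Input. What the merchant learns is that the request came from the holder of a registered key and arrived unmodified. Nothing in it says what the agent may spend.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// AgentRequest holds the parts of the HTTP request that the signature covers.
type AgentRequest struct {
	Method, Authority, Path string
	Body                    []byte
}

// Covered components in RFC 9421 inner-list syntax. Fixed here for brevity; a
// real verifier parses the list out of Signature-Input instead of assuming it.
const covered = `("@method" "@authority" "@path" "content-digest")`

const maxAge int64 = 300 // seconds a signature stays acceptable after its created time (example policy)

// contentDigest renders an RFC 9530 Content-Digest field value for the body.
func contentDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha-256=:" + base64.StdEncoding.EncodeToString(sum[:]) + ":"
}

// signatureBase assembles the RFC 9421 signature base: one line per covered
// component, then the "@signature-params" line carrying the list and parameters.
func signatureBase(req AgentRequest, params string) string {
	return strings.Join([]string{
		`"@method": ` + req.Method,
		`"@authority": ` + req.Authority,
		`"@path": ` + req.Path,
		`"content-digest": ` + contentDigest(req.Body),
		`"@signature-params": ` + covered + params,
	}, "\n")
}

// SignRequest is the agent side: it returns the Signature-Input and Signature
// field values for the label sig1.
func SignRequest(req AgentRequest, priv ed25519.PrivateKey, keyID string, created int64) (sigInput, sig string) {
	params := fmt.Sprintf(`;created=%d;keyid=%q;alg="ed25519"`, created, keyID)
	raw := ed25519.Sign(priv, []byte(signatureBase(req, params)))
	return "sig1=" + covered + params, "sig1=:" + base64.StdEncoding.EncodeToString(raw) + ":"
}

// paramValue pulls one parameter out of the ;k=v;k="v" tail of Signature-Input.
func paramValue(params, name string) string {
	for _, p := range strings.Split(params, ";") {
		if k, v, ok := strings.Cut(p, "="); ok && k == name {
			return strings.Trim(v, `"`)
		}
	}
	return ""
}

// VerifyRequest is the merchant side: rebuild the base from the request it
// actually received, look the key up in its registry, check freshness, verify.
func VerifyRequest(req AgentRequest, sigInput, sig string, keys map[string]ed25519.PublicKey, now int64) error {
	if !strings.HasPrefix(sigInput, "sig1="+covered) {
		return errors.New("unexpected label or covered components")
	}
	params := strings.TrimPrefix(sigInput, "sig1="+covered)
	created, err := strconv.ParseInt(paramValue(params, "created"), 10, 64)
	if err != nil || now-created > maxAge || created > now+maxAge {
		return errors.New("created parameter missing, stale or in the future")
	}
	pub, ok := keys[paramValue(params, "keyid")]
	if !ok {
		return errors.New("unknown keyid")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(strings.TrimPrefix(sig, "sig1=:"), ":"))
	if err != nil || !ed25519.Verify(pub, []byte(signatureBase(req, params)), raw) {
		return errors.New("signature does not verify")
	}
	return nil // identity and integrity established; nothing here says what the agent may spend
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample request; merchant.example is a placeholder host.
	req := AgentRequest{Method: "POST", Authority: "merchant.example", Path: "/checkout", Body: []byte(`{"sku":"A1"}`)}
	in, sig := SignRequest(req, priv, "agent-key-1", 1700000000)
	fmt.Println(in)
	fmt.Println(VerifyRequest(req, in, sig, map[string]ed25519.PublicKey{"agent-key-1": pub}, 1700000010))
}
```

Tampering with the body changes the Content-Digest line of the base and the signature stops verifying; an unregistered keyid or a stale created value fails before any cryptography runs. The registry of agent keys is the merchant's own, which is exactly the federated shape the next section turns to for permissions.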

"May" is a database row

Every Federated rail breaks at the same joint, and once you see it you cannot unsee it: the binding between user consent and payment is recorded server-side by the issuer instead of being carried in the artifact.

The cleanest example is the OpenAI and Stripe Agentic Commerce Protocol, which powers Instant Checkout in ChatGPT. When a buyer confirms a purchase, the payment service provider issues a token scoped by an allowance: maximum amount, currency, one named merchant, an expiry, single use. Read the spec and you realize the allowance is exactly a mandate. It has everything a mandate needs except the ability to leave home. It is enforced as a row in the issuing processor's database, so nobody else can present it, audit it, or verify it. The spec is openly licensed and any processor can implement it, which is genuine interoperability of the standard. The artifacts it mints stay walled.

To Stripe's credit, its version has the best revocation story we found anywhere: tokens can be killed at any time and sellers find out by webhook rather than by a declined transaction. But only because the issuer runs the rails end to end.

Mastercard comes closest to admitting the gap. Its Agent Pay framework describes contributing to the FIDO Payments Working Group on verifiable credentials it says will be "portable, privacy-preserving and aligned with global standards." Portable is future tense. Today's agentic tokens are not that, and Mastercard's own roadmap says so.

PayPal, meanwhile, has picked a different game entirely: verify everyone, export nothing. Its Agent Ready stack accepts ACP tokens and Google Pay tokens through one Braintree integration, which is why a single merchant hookup reaches ChatGPT, Gemini, and Perplexity at once. It is the aggregator position, and as we saw with the sell side arming up, it may be the commercially smart one. But nothing PayPal issues can be verified outside PayPal.

The exception, and its catch

Google's AP2 is the one shipped design where the mandate is itself a cryptographic object. It defines a Checkout Mandate and a Payment Mandate, each a verifiable credential in SD-JWT format, each hash-bound to the merchant-signed cart, so a verifier can prove the agent bought what the user approved. The user signs on a trusted surface that the spec requires to be non-agentic. Read that requirement again: the protocol's authors do not trust the agent with the act of consent, which is the most honest line in any of these specs.

The open-mandate variant goes where no other rail does: merchant allow-lists, amount ranges, cumulative budgets, recurrence schedules, time windows, all selectively disclosable, all bound to the agent's own key so a stolen mandate is useless. Verification is standard cryptography against a trust list. The merchant checks it. The processor checks it. The network checks it. No Google service sits in the path.
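To make the difference between a database row and a portable mandate concrete, here is an added example, written for this piece and not AP2's SD-JWT format or ACP's allowance schema, of a mandate that carries its own constraints. The field names (iss, agent_key, merchants, max_amount, exp, cart_hash), the issuer key id wallet-1 and the sample cart are constructed. The user's trusted surface signs the mandate; the agent cannot alter it and can only add a proof that it holds the key the mandate names, over a nonce the merchant supplies; any verifier holding the issuer's public key checks the whole thing without calling anyone. An empty cart_hash models the open-mandate variant just described, where the merchant allow-list, amount cap and expiry do the work instead of a cart binding. The ACP allowance discussed earlier has the same fields; the only check it permits is asking the processor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Mandate is the portable artifact: every constraint the verifier needs travels inside it. Field names are this example's own.
type Mandate struct {
	Issuer    string   `json:"iss"`        // key id of the trusted surface the user signed on
	AgentKey  string   `json:"agent_key"`  // base64 Ed25519 public key the mandate is bound to
	Merchants []string `json:"merchants"`  // allow-list
	MaxAmount int64    `json:"max_amount"` // minor units
	Currency  string   `json:"currency"`
	Expires   int64    `json:"exp"`        // unix seconds
	CartHash  string   `json:"cart_hash"`  // base64 SHA-256 of the merchant-signed cart; "" for an open mandate
}

// Presentation is what the agent hands the merchant: the exact bytes the issuer signed, the issuer's signature, and the agent's proof of key possession.
type Presentation struct {
	Mandate, IssuerSig, AgentSig []byte // AgentSig covers Mandate || merchant challenge
}

// Purchase is the transaction being decided on; Challenge is a merchant nonce so a captured presentation cannot be replayed.
type Purchase struct {
	Merchant, Currency string
	Amount             int64
	Cart, Challenge    []byte
	Now                time.Time
}

func HashCart(cart []byte) string {
	h := sha256.Sum256(cart)
	return base64.StdEncoding.EncodeToString(h[:])
}

// IssueMandate runs on the user's trusted surface at consent time.
func IssueMandate(m Mandate, issuerPriv ed25519.PrivateKey) (body, sig []byte, err error) {
	if body, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(issuerPriv, body), nil
}

// Present runs on the agent: it cannot alter the mandate, only prove it holds the bound key for this challenge.
func Present(mandate, issuerSig, challenge []byte, agentPriv ed25519.PrivateKey) Presentation {
	msg := append(append([]byte{}, mandate...), challenge...)
	return Presentation{Mandate: mandate, IssuerSig: issuerSig, AgentSig: ed25519.Sign(agentPriv, msg)}
}

// Verify runs on any party holding the issuer trust list (merchant, processor, network, auditor). No call to the issuer is needed.
func Verify(p Presentation, pu Purchase, trust map[string]ed25519.PublicKey) error {
	var m Mandate
	if err := json.Unmarshal(p.Mandate, &m); err != nil {
		return err
	}
	issuerPub, ok := trust[m.Issuer]
	if !ok || !ed25519.Verify(issuerPub, p.Mandate, p.IssuerSig) {
		return errors.New("issuer unknown or issuer signature invalid")
	}
	agentPub, err := base64.StdEncoding.DecodeString(m.AgentKey)
	msg := append(append([]byte{}, p.Mandate...), pu.Challenge...)
	if err != nil || len(agentPub) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(agentPub), msg, p.AgentSig) {
		return errors.New("presenter does not hold the bound agent key")
	}
	if !pu.Now.Before(time.Unix(m.Expires, 0)) {
		return errors.New("mandate expired")
	}
	if m.CartHash != "" && m.CartHash != HashCart(pu.Cart) {
		return errors.New("cart does not match the one the user approved")
	}
	if pu.Currency != m.Currency || pu.Amount > m.MaxAmount {
		return errors.New("amount or currency outside mandate")
	}
	for _, allowed := range m.Merchants {
		if allowed == pu.Merchant {
			return nil
		}
	}
	return errors.New("merchant not in allow-list")
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	agentPub, agentPriv, _ := ed25519.GenerateKey(rand.Reader)
	cart := []byte(`{"sku":"A1","total":1999}`) // constructed sample cart
	m := Mandate{Issuer: "wallet-1", AgentKey: base64.StdEncoding.EncodeToString(agentPub), Merchants: []string{"shop.example"},
		MaxAmount: 2500, Currency: "USD", Expires: 2000000000, CartHash: HashCart(cart)}
	body, sig, _ := IssueMandate(m, issuerPriv)
	pu := Purchase{Merchant: "shop.example", Currency: "USD", Amount: 1999, Cart: cart, Challenge: []byte("n-1"), Now: time.Now()}
	fmt.Println(Verify(Present(body, sig, pu.Challenge, agentPriv), pu, map[string]ed25519.PublicKey{"wallet-1": issuerPub}))
}
```

The failure modes the text names all fall out of Verify: a mandate lifted from one agent and presented by another fails the possession check, a presentation captured on the wire fails against a fresh challenge, and a purchase at an off-list merchant or above the cap is refused by the verifier itself rather than by a lookup at the issuer. The dispute evidence is the signed bytes, which either side can re-verify.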

So why has Google not simply won? Acceptance. No card network accepts an AP2 mandate in live authorization today, and a mandate is only as portable as the most important verifier willing to check it. Sixty launch partners signed the announcement, including Mastercard, American Express, and PayPal. Partners on paper are not verifiers in production. The design is portable now; the deployment is a bet.

x402 is the inverse case, and worth naming precisely because everyone keeps confusing the two properties. Its payment payload is verifiable by literally anyone on the internet, no relationship required, which makes it the most portable artifact on this list. But it answers "did this key authorize this transfer," not "did a human authorize this agent." Delegation is explicitly out of scope. As the adoption data in our x402 tracker keeps showing, settlement is racing ahead. The mandate question rides one layer up.

What we are watching

The bridges, mostly. Below the mandate layer, the rails are already connecting: TAP and Web Bot Auth share a signature base, AP2 wraps Google's checkout protocol by spec and ships an x402 extension, ACP tokens flow through PayPal. Bridge formation is the leading indicator that the mandate layer will consolidate, and whoever's mandate format the bridges standardize on will own the trust layer of agentic commerce.

We are also watching for the first dispute. Somewhere ahead of us, an agent will make a purchase its owner says they never approved, and the evidence will be a database row at the company on the other side of the dispute. That case will do more for portable mandates than any spec.

From today we are keeping score in public. The State of Agent Mandates tracker holds every rail's verdict, artifact, issuer, and revocation story, each cell tied to a primary source, updated as the rails move. Live and announced strictly separated, same discipline as the x402 tracker.

Protocols are specifications. Verification is where they become real.

When the first dispute lands over a purchase an agent made, and the only record of what the user allowed is a database row owned by one side of the argument, whose evidence wins?

Charlie Major is a Product Development Manager at Mastercard. The views and opinions expressed in Major Matters are his own and do not represent those of Mastercard.