The Agentic Commerce Protocol War, Explained
AI agents are about to start spending your money autonomously. Six protocol camps are fighting over who's liable when something goes wrong. Here's the map.
Written by AI. Rachel "Rach" Kovacs

Photo: AI. Tomoko Hayashi
There's a mundane but consequential question buried inside all the noise about AI agents: when a piece of software buys something on your behalf and it goes wrong, who exactly is holding the bag?
That question is currently being fought over by six different protocol camps, each with their own answer, their own financial incentives, and their own vision of what internet commerce looks like once humans stop being the ones clicking "buy." Nate B. Jones, who covers AI strategy daily, laid out the battlefield in detail this week—and it's worth mapping carefully, because the outcome shapes not just how AI develops, but how online commerce itself is restructured.
The stakes are not abstract. ChatGPT has 900 million weekly users. The OpenAI-Stripe instant checkout integration, built on something called the Agent Commerce Protocol (ACP), already lets users buy from supported merchants without leaving the conversation. That's a small number of merchants right now. The direction of travel is not.
What Actually Breaks When Agents Buy Things
Before getting into the protocol war, it helps to understand what makes agentic commerce structurally different from the checkout flow we've used since the late 1990s.
Human checkout is clumsy, but it has one important property: shared evidence. A person landed on a page. The page showed a price, a product, taxes, shipping. The person clicked. A credential was used. Every party in the transaction—merchant, processor, payment network—has a piece of that record, and they all agree on the basic shape of what happened.
Agents dissolve that shared structure. As Jones puts it: "The question stops being whether the customer can pay. The question becomes how everyone knows that the agent that took that action was allowed to do what it just did."
That reframe reaches past checkout. It touches identity, authorization, fraud detection, settlement, refunds, liability, and the merchant's entire relationship with the customer. The old "purchase bundle"—all those responsibilities compressed into one human click—gets taken apart. And now six different camps are trying to reassemble it, each prioritizing different pieces.
The Six Camps
ACP (OpenAI + Stripe) handles the agent-to-merchant checkout flow. The merchant stays merchant of record—responsible for fulfillment, returns, support—but the assistant controls discovery, ranking, and the final presentation of choices. Jones's concern here is pointed: if the assistant becomes where customers express intent, the merchant's website stops being the default starting point. "This is more than branding at the end of the day. It's actually a merchant viability problem." ACP is clean and efficient. It also concentrates significant power at the assistant layer.
UCP (Shopify + Google) is the counter-argument. Where ACP focuses tightly on the checkout moment, UCP tries to keep the full shopping path—inventory, loyalty, return policies, promotions, bundles, fraud rules—on the merchant's side of the fence. Jones reads UCP not as a technical protocol but as a political position: "UCP should be read as a merchant control argument, not just one more acronym in the soup." The underlying tension is real. A checkout protocol that completes a transaction but ignores the commercial context around it might process the order fine and still destroy the merchant's business long-term.
Neither ACP nor UCP, however, answers a question one layer deeper: was the agent actually allowed to pay in the first place?
AP2 (Google) and Stripe's approved payment links both attack this authorization problem, from different angles. Stripe's approach is simple—an authorized token that an agent can pick up from a URL—though Jones notes it doesn't yet cover complex, multi-component purchases where authorization needs to persist over time. Google's AP2 goes further, generating what amounts to a mandate: the scope of the task, the constraints, and cryptographic proof that the user approved the action before the merchant was even known.
This matters because authorization in agentic commerce can't work the way it does for humans. A human authorizes at the moment of the click. An agent may need authorization issued before the shopping even begins, valid across multiple systems, and durable enough to hold up in a dispute. "The old checkout page generated evidence through a human session and a click," Jones explains. "An agent's evidence must begin much earlier, last a lot longer, and travel across many more systems to work."
Visa, Mastercard, and PayPal are angling for the trusted credential layer—agent registration, tokenized credentials, dispute infrastructure. They're not trying to own the recommendation or the checkout surface. They want to be the layer that makes everyone else's transactions trustworthy.
Stablecoins and x402 address a different problem entirely: machine-to-machine payments that are too small, too frequent, and too software-native for card rails to handle efficiently. Coinbase's x402 protocol revives HTTP 402—a long-dormant "payment required" status code built into the web from the beginning but never actually implemented—and makes payment part of the web request itself. A coding agent that needs to pay a few cents for a model call, or a research agent buying a single data lookup, doesn't need Visa's dispute infrastructure. It needs a payment method that works at the speed and granularity of software. Stripe's machine-payments protocol (MPP) is heading the same direction.
Jones is careful here not to overstate the stablecoin case: cards and wallets remain better suited for consumer purchases with their existing fraud monitoring and consumer protections. The stablecoin rail is compelling specifically where both buyer and seller are software.
AWS Bedrock Agent Core rounds out the six by trying to own the floor beneath all of it. AWS doesn't need to win any particular payment protocol battle. It wants to be the runtime—the environment where enterprise agents execute tasks, receive tools, apply budgets, and get monitored. "The agent runtime knows the task, the tools called, the policy active, the budget applied, what did the agent do before this and what will it do after," Jones notes. "A payment provider just sees the payment." That asymmetry gives AWS substantial long-term leverage without requiring it to pick winners in the protocol war below.
The Liability Question Nobody Has Fully Answered
Here's the scenario Jones uses to illustrate why this isn't purely theoretical: you tell an agent to book the best hotel near a conference for under $300 a night. The agent finds a non-refundable room that technically fits the budget. You miss the flight. Nobody asked the agent to check cancellation policy. The money is gone.
Who is responsible? The agent builder who didn't build in the constraint? The platform that ran the agent? The payment provider that processed without a full mandate? The user who didn't specify their needs precisely enough?
The answer is currently "unclear," and that ambiguity is the entire reason this protocol war exists. The old purchase flow "hid a lot of the responsibilities of the purchase inside a single human action," as Jones puts it. Agentic commerce forces everything that was hidden to become explicit—identity, permission, payment, settlement, refunds, liability—layer by layer.
What's notable about Jones's framework is what it asks of consumers, not just builders. Each camp is optimizing for its own position in the system. ACP optimizes for the assistant surface. UCP optimizes for merchant control. The payment networks optimize for trust infrastructure. AWS optimizes for enterprise governance. None of them are primarily optimizing for the end user who told an agent to book a hotel room and ended up out $280.
That's not an indictment of any particular player—it's the normal shape of a platform war. But it's worth knowing which game is being played, because the rules being written right now will determine whose interests are protected when something inevitably goes wrong at scale.
The protocols are being set. The liability is still up for grabs.
Rachel "Rach" Kovacs is Buzzrag's cybersecurity and privacy correspondent.
AI Moves Fast. We Keep You Current.
Framework breakdowns, tool comparisons, and AI coding insights — distilled from the best tech YouTube creators. Free, weekly.
More Like This
AI Agents Are Building Their Own Economy on the Web
Major tech companies are simultaneously building payment, search, and execution infrastructure for AI agents—creating an economic layer where software transacts autonomously.
Why Most Companies Are Invisible to AI Shopping Agents
McKinsey projects $1 trillion in AI agent sales by 2030. But most businesses lack the data infrastructure agents need to find and buy from them.
Anthropic's Leaked Conway Agent Reveals New Lock-In Layer
The Conway leak shows Anthropic building an always-on AI agent that locks users in through learned behavior, not data—a platform strategy with no exit.
Nvidia's NemoClaw Bets on Engineering Basics, Not AI Hype
While OpenAI and Anthropic partner with consultants to deploy AI agents, Nvidia's NemoClaw assumes developers can handle it—if we remember basic engineering.
Claude Opus 4.7's Hidden Cost: When AI Gets Smarter and Pricier
Anthropic's Opus 4.7 fixes major bugs but ships with a tokenizer that costs 35% more. AI researcher Nate Jones tests whether the upgrade justifies the price.
AI's Rapid Advances: XAI, Apple, and Kilo Code
Explore AI's latest moves: XAI's funding, Apple's Google partnership, and Kilo Code's market entry. What does this mean for the future?
Why Your AI Agent Sits Idle After Installation
Installing an AI agent takes 10 minutes. Making it actually useful takes 40 hours. Here's why the industry keeps solving the wrong problem.
This 128GB Mini PC Has a Performance Dial You Can Actually Use
The Acemagic M1A Pro+ packs 128GB of RAM and AMD's Strix Halo chip into a box with an RGB dial that changes performance modes on the fly—no reboot needed.
RAG·vector embedding
2026-05-13This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.