AP2 was announced by Google Cloud and Coinbase in September 2025. It defines three cryptographically signed mandates — IntentMandate, CartMandate, and PaymentMandate — that bind every transaction back to a verified human principal. The merchant gets proof the agent had authority. The user gets a tamper-evident audit trail. The regulator gets accountability.
- ✓ECDSA keypair provisioned per agent at signup
- ✓Public key endpoint for verifier resolution
- ✓MCP signing tools: agent_sign_intent_mandate, agent_sign_cart_mandate, agent_get_payment_mandate
- ✓Inbound payment endpoint with full mandate-chain verification
- ✓Beneficiary resolver, audit trail, key revocation, idempotency hardening
- ✓AP2 v0.1 spec — fully delivered