Every explainer about agentic commerce opens with the same framing: the hard problem is how an agent pays. It is not. A payment is the easy part — it has been a solved problem for sixty years, and giving an agent a signed token that says "this user authorized up to $300 at this merchant" is not a breakthrough, it is a credential format. The protocols racing to define that format — Google's AP2, announced in September 2025 with sixty-odd partners; Mastercard's Agent Pay and its "Verifiable Intent" record; Coinbase's x402 settlement rail — are competing to win a layer that was never the bottleneck.

The actual hard problem in agentic commerce is the one nobody puts on the slide: who eats the loss when the agent is wrong. And once you look at the protocols through that lens, you notice that they are not really fraud-prevention systems at all. They are liability-routing systems wearing a security costume.

What a mandate actually does

AP2's design centres on three signed objects — an Intent Mandate, a Cart Mandate and a Payment Mandate — carried as W3C Verifiable Credentials. The pitch is that together they create an unforgeable audit trail: a merchant hit with a dispute can produce the signed mandate chain and prove the user authorized the purchase. Mastercard's Verifiable Intent makes the same move in different words — a tamper-resistant record of what the human consented to.

Read that again, but ask the adversarial question. What does the signature actually prevent? Not the bad purchase. If your agent misreads "find me a flight under $300" and books a $290 fare to the wrong city, the mandate signs that transaction cleanly — it was in scope, it was authorized, the cryptography is flawless. The only things a verifier can check mechanically are the scope constraints (a spending ceiling, a merchant, an expiry, a binding between cart and intent); the goal itself lives in free text that no signature check ever reads. The signature does not stop the mistake. It only establishes, beyond dispute, that the mistake was yours.

A mandate does not verify that the purchase was correct. It verifies whose fault it is. That is a different product than the one being advertised.

This is the sleight of hand. "Verifiable intent" sounds like it protects the buyer. What it verifies is blame — and a cryptographic proof of consent is, from the consumer's side of the table, a confession you signed in advance.
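To make that concrete, here is a deliberately minimal mandate chain written for this piece as an added example. It is not AP2's or Mastercard's schema or code: the field names, the single-merchant scope, the SHA-256 binding of cart to intent and the use of Ed25519 are all assumptions chosen to keep the demonstration self-contained. A user signs an intent, an agent signs a cart that references it, and the merchant runs the checks a verifier can actually perform. The in-scope booking to the wrong city passes every check; only the over-budget cart and the tampered cart fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Illustrative mandate shapes, constructed for this example. They are NOT AP2's
// schema: real mandates are W3C Verifiable Credentials with richer fields.
type Intent struct {
	User      string `json:"user"`
	Merchant  string `json:"merchant"`
	MaxCents  int64  `json:"max_cents"`
	Goal      string `json:"goal"` // free text: what the human actually wanted
	ExpiresAt int64  `json:"expires_at"`
}

type Cart struct {
	IntentHash string `json:"intent_hash"` // binds the cart to one signed intent
	Merchant   string `json:"merchant"`
	Item       string `json:"item"`
	TotalCents int64  `json:"total_cents"`
}

// Signed carries the canonical bytes that were signed plus the signature.
type Signed struct {
	Body []byte
	Sig  []byte
}

func sign(priv ed25519.PrivateKey, v any) Signed {
	body, _ := json.Marshal(v) // struct field order makes this deterministic
	return Signed{Body: body, Sig: ed25519.Sign(priv, body)}
}

func digest(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// VerifyChain is what a merchant or issuer can mechanically check before honouring
// a cart: both signatures, the cart-to-intent binding, expiry, merchant and budget.
// Note what is absent: nothing here reads Intent.Goal.
func VerifyChain(intent, cart Signed, userPub, agentPub ed25519.PublicKey, now time.Time) error {
	if !ed25519.Verify(userPub, intent.Body, intent.Sig) {
		return errors.New("intent: user signature invalid")
	}
	if !ed25519.Verify(agentPub, cart.Body, cart.Sig) {
		return errors.New("cart: agent signature invalid")
	}
	var in Intent
	var c Cart
	if err := json.Unmarshal(intent.Body, &in); err != nil {
		return err
	}
	if err := json.Unmarshal(cart.Body, &c); err != nil {
		return err
	}
	switch {
	case c.IntentHash != digest(intent.Body):
		return errors.New("cart: not bound to this intent")
	case now.Unix() > in.ExpiresAt:
		return errors.New("intent: expired")
	case c.Merchant != in.Merchant:
		return errors.New("cart: merchant outside intent scope")
	case c.TotalCents > in.MaxCents:
		return errors.New("cart: total exceeds intent ceiling")
	}
	return nil // in scope; the chain says nothing about whether Item matched Goal
}

// Scenario plays out the three cases discussed above and returns each verdict.
func Scenario() (wrongCity, overBudget, tampered error) {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	agentPub, agentPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2025, 10, 1, 12, 0, 0, 0, time.UTC) // constructed clock

	intent := sign(userPriv, Intent{
		User: "alice", Merchant: "example-air", MaxCents: 30000,
		Goal: "flight to Lisbon under $300", ExpiresAt: now.Add(24 * time.Hour).Unix(),
	})
	bind := digest(intent.Body)

	// 1. Agent misreads the goal: Lyon, not Lisbon, but $290 at the right merchant.
	wrong := sign(agentPriv, Cart{IntentHash: bind, Merchant: "example-air", Item: "LHR-LYS 14 Oct", TotalCents: 29000})
	wrongCity = VerifyChain(intent, wrong, userPub, agentPub, now)

	// 2. Correct destination but $310: the only kind of failure the scope check can see.
	over := sign(agentPriv, Cart{IntentHash: bind, Merchant: "example-air", Item: "LHR-LIS 14 Oct", TotalCents: 31000})
	overBudget = VerifyChain(intent, over, userPub, agentPub, now)

	// 3. Someone edits the total after signing: the signature catches that, and only that.
	forged := sign(agentPriv, Cart{IntentHash: bind, Merchant: "example-air", Item: "LHR-LIS 14 Oct", TotalCents: 29000})
	forged.Body, _ = json.Marshal(Cart{IntentHash: bind, Merchant: "example-air", Item: "LHR-LIS 14 Oct", TotalCents: 1000})
	tampered = VerifyChain(intent, forged, userPub, agentPub, now)
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("wrong city, in scope: %v\nover budget: %v\ntampered total: %v\n", a, b, c)
}
```

Run it and the first verdict is nil: the cryptography has nothing to say about Lyon versus Lisbon, because the property it proves is "within the scope the user signed", not "what the user meant". That is the whole of the argument above, reduced to a function signature.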

Ambiguity was the feature

Here is the part the industry has talked itself out of remembering. The credit-card dispute system does not work despite being vague about intent. It works because it is.

Under the Fair Credit Billing Act — 1974, older than nearly everyone building these protocols — you get sixty days from the statement to dispute a billing error in writing; the Truth in Lending rules it sits inside cap your liability for an unauthorized charge at $50; and the card networks' chargeback simply reverses the transfer. The mechanism's whole genius is that it does not require you to prove much. The system defaults to protecting the human and makes the merchant argue otherwise. That asymmetry is not a flaw in the design; it is the design. It is the reason a person was ever willing to type a card number into a web form belonging to a stranger.

Reversibility, in other words, is load-bearing. The chargeback is the structural beam that holds up consumer trust in remote commerce. Everything else — the SSL padlock, the trust badges, the reviews — is decoration nailed to that beam.

Now watch what the mandate does to it. A cleanly signed, in-scope, agent-authorized purchase is precisely the transaction that is hardest to charge back, because you have pre-certified your consent to its scope. The protocols are not adding a safety layer on top of the dispute system. They are engineered, whether or not anyone says it out loud, to make the disputed transaction un-disputable.

Where the loss is sitting right now

The transition is visible in who is currently absorbing the damage. As one fintech teardown put it bluntly, under every major protocol the merchant remains the merchant of record — so for now the merchant eats it. Agents strip out the behavioral fraud signals that detection was built on; there is no typing cadence, no mouse jitter, no hesitation before "buy." What rushes into that vacuum is a new category the industry has already named: the hallucination dispute, friendly fraud committed by a model instead of a customer.

Merchants will not tolerate carrying that indefinitely, and they have the leverage to not have to. The entire purpose of building a richer mandate — more signatures, more scope, more "verifiable intent" — is to accumulate enough cryptographic proof of consent to flip the loss off the merchant's books. And there is exactly one counterparty downstream of the merchant: the human who clicked "authorize agent" once, in a settings panel, three weeks before the purchase.

That is the trajectory. We are mid-migration, and the loss is in the merchant's lap because the proof infrastructure is not yet trusted enough to move it. Every protocol announcement is a step toward the day it is.


So the desk's read is this. Do not evaluate AP2 or Agent Pay or x402 on how elegantly they let an agent pay — they all do that fine, and it was never the question. Evaluate them on what happens after the agent gets it wrong, because it will, and the mandate you signed is the document that decides who is holding the bill. The right question to ask any agentic-commerce vendor is not "how does my agent pay?" It is "when my agent buys the wrong thing inside the scope I authorized, can I still get my money back?"

If the answer is some version of "but you signed for it" — and the cryptography is built so that the answer is always some version of "but you signed for it" — then they have not made commerce safer for you. They have quietly repealed the one law that was protecting you, and handed you the pen to do it with.