Agentic Commerce: Convenience vs Control

It’s not theoretical. At MPE 2025 back in March, we presented the concept of autonomous agents making payments on behalf of the user. In particular we used our API agent, Opey, to demonstrate how an agent can call open banking APIs on a user’s behalf within clearly defined permissions. In an Open Banking context, this can be either consumer-facing – such as initiating API-based payments – or backend-focused, like retrieving bespoke API usage metrics or creating accounts.

We highlighted how these systems can be given fine-grained consent: agents with actionable roles, but with controls — the ability to “pay my bills” within limits, or “shop my wish list,” without handing over control entirely. David Birch cited this same concept in his Forbes article, emphasising agentic identity — the idea that it’s the bot with its own verified credentials (VCs), not the bot posing as you, interacting in financial systems. So the agent is not holding the human’s passport as it were, but rather a Limited Power of Attorney. 

At a system level, once a human consents to Opey acting on their behalf, the API layer sees a token that identifies two parties: the authenticated AI agent carrying a sub set of permissions given by the human account owner (the so called “On Behalf Of User“) who has consented to the agent acting on their behalf. How the backend systems will use, log and audit this new strand of information is for now left to the margin.

Needless to say, this would disrupt the merchant ecosystem. First of all, the way we raise awareness is already evolving. If agents are the ones searching and comparing, how does a product get found? This may eventually be relevant for banking products and even developer-facing API products.

There’s also the bigger question for when agents start deciding for us: if they find a product, how do they choose a product? Marketing has long relied on emotional resonance, tapping into identity, aspiration, or sometimes just a good old-fashioned impulse. But agents aren’t emotional or impulsive (at least not yet, not in a way we understand). 

Research suggests that humans make many purchase decisions (95%) emotionally before rationalising them later. And let’s not forget the dopamine that shopping provides in times of stress. So what happens when we outsource that emotion-based choice to a supposedly emotionless machine? 

These merchant-focused questions will get their own deep dive – for now, let’s look at the infrastructure powering agentic payments.

Since March, we’ve seen some of the largest platforms bring theory to life through several announcements:

Google’s agentic checkout (Official launch November 2025): First previewed in May 2025 and made available for early testing in U.S. Search Labs, Google officially debuted agentic checkout in November 2025 ahead of the holiday shopping season.  Backed by Gemini 2.5 and the Shopping Graph – now enhanced by the Universal Commerce Protocol (UCP), an open standard for agents to handle discovery, checkout, and fulfillment across retailers – users can set price-drop alerts, define product conditions, and let the AI complete the purchase automatically through Google Pay.

Visa Intelligent Commerce (April 2025): Visa Intelligent Commerce brought the same concept to the payments world. Their APIs allow agent onboarding with tokens that are restricted by scope – say, a maximum spend at a certain merchant within a given timeframe. These tokens are issued only after user passkey verification, and they’re revocable on demand.

In October 2025, Visa advanced this further with the Trusted Agent Protocol (TAP) – an open-source framework designed to secure AI-driven commerce at scale. Unlike simple tokenization, TAP uses cryptographically signed HTTP messages to verify both agent identity and user authorization. Early adopters include Nuvei, Adyen, and Stripe, with Visa actively working with Google, OpenAI, and Stripe to ensure ecosystem-wide compatibility.

This infrastructure addresses real demand: Visa measured a 4,700% surge in AI-driven traffic to U.S. retail sites.

Mastercard Agent Pay (April 2025): Mastercard introduced its own Agentic Tokens earlier this year. They’re working with Microsoft and IBM to trial use cases across consumer and enterprise assistants, embedding financial autonomy into digital workflows while building in layers of consent and observability. AgentPay is planned for launch across Latin America and the Caribbean in 2026.

PayPal’s Agentic Toolkit (April 2025): Paypal goes the developer-first route. With built-in support for OpenAI’s agents framework and Model Context Protocol, PayPal’s toolkit lets third-party AIs initiate payments, manage invoices, and handle subscriptions – all on the user’s behalf.

OpenAI Agentic Commerce Protocol (September 2025): At the end of September, OpenAI announced their Instant Checkout feature, powered by the Agentic Commerce Protocol (co-developed with Stripe and open-source).

A major common point across most of these is the 16-digit agent token. These work much like virtual cards, they are tied to user accounts but unique to the agent, bound by specific instructions, and easily revoked. You retain oversight without constant involvement.

Agentic Commerce in Super Apps

In Asia, agentic commerce capabilities are being woven into super-app ecosystems, which seem like the perfect breeding ground for consumer-facing agents.

Visa is collaborating with names such as Ant International and Tencent, embedding agentic capabilities directly into platforms where shopping, payments, messaging, and banking already coexist: super apps. That means agents can operate in fluid environments, managing tasks end-to-end. 

Ant International has become particularly active: in September 2025, they partnered with Google as a launch partner for the Agent Payments Protocol (AP2), an open framework defining how AI agents transact with user authorization. Their Alipay+ Voyager travel assistant operates on a multi-agent framework, with sub-agents that can arrange rides and process payments autonomously.

Asia’s evolving landscape shows how consumer-facing agents might first take root, i.e. deeply integrated into platforms people already use daily, with secure rails supporting full shopping autonomy.

Meanwhile, some players are preparing their APIs for agent-facing payments and commerce, making it easier for agents to understand what APIs they need to interact with. 

For any of this to work, agents need to understand the tools they’re using. 

That’s where protocols like MCP – the Model Context Protocol – come in. MCP provides a standardised way for AI models to discover, interpret, and interact with APIs and external tools. It gives agents a shared grammar including tool use schemas and resources.

Alongside MCP, the Agent2Agent (A2A) protocol focuses on how agents talk to each other rather than just to tools, providing a common language for discovery, authentication, messaging, and collaboration across different agent frameworks.

Together, these emerging standards are becoming a useful layer for platforms aiming to integrate widely across the agent ecosystem. As the agent landscape expands, shared protocols like MCP and A2A may help lower the barrier to entry and encourage safer and more predictable behaviour at scale.

Since many tools do and will integrate with MCP, straight forward standards will float to the top. 

The Open Bank Project MCP server is here: https://github.com/OpenBankProject/OBP-MCP

This brings us to the bigger question: what does all of this change?

Not just how we pay, but how we decide. If the agent becomes the one parsing reviews and initiating the checkout, who exactly is being marketed to? Loyalty and values might still appeal to us, but will the agent care?

Then there’s the matter of where these agents live. Are they embedded in a browser? Nested inside a banking app? Or will it be your own personal intermediary, specialised and portable, interacting across ecosystems on your behalf?

There’s also the not-so-small question of trust. The more we delegate, the more we risk. These aren’t passive tools – they’re actors with permissions. While credential tokenisation helps put boundaries in place, it doesn’t remove the need for serious oversight. What if the agent misreads your intent (which, by the way, humans aren’t great at either)? Or worse, what happens when your agent gets phished? Research demonstrates this is already possible: Anthropic’s Computer Use and MultiOn agents have been manipulated via fake Reddit posts to leak credit cards on fake product pages and download viruses from untrusted sources. 

We’ll need more granular permissions, kill switches that are fast and final, and interfaces that show you what happened and why. 

So no – maybe you won’t let your agent manage your retirement fund just yet. But you might let it chase deals on those noise-cancelling headphones you’ve been wishing for. And bit by bit, the centre of gravity will shift.

The real challenge isn’t whether agents can act on our behalf. It’s making sure they do so transparently, accountably, with limited, timeboxed power and in ways we can influence. Because once they’re negotiating on our behalf, choosing what we see and buy, the line between assistance and authority gets thinner than most of us realise.

For banks and financial service providers, this isn’t just a trend to observe, it’s a shift to be part of. If agents are going to be the new front door to commerce and finance, then infrastructure, APIs, identity systems, and permissions need to adapt quickly. There’s a genuine opportunity (and need) to shape how agentic commerce and finance works – not just react to it.