The Future of Shopping

An open standard enabling AI agents to autonomously discover, shop, and complete purchases across any merchant, without human intervention at checkout. The March 2026 update added multi-item cart sessions and standardised product catalogue access endpoints, broadening UCP beyond single-item checkout flows.

OpenAI and Stripe's open standard for AI agents to complete purchases directly within AI applications. Defines a checkout session lifecycle and delegate payment API so the agent never touches raw credentials. The v2026-01-30 release expanded Shared Payment Token (SPT) support beyond Stripe to include Mastercard Agent Pay, Visa Intelligent Commerce, Affirm, and Klarna.

An open protocol for connecting AI agents to external systems via tools, resources, and prompts. Widely adopted across Claude, GPT-4o, Gemini, and other AI assistants. Governance transferred to the AAIF (Anthropic AI Interoperability Foundation) under the Linux Foundation in early 2026, with 97 million monthly SDK installs.

A browser-native JavaScript API that lets web pages expose tools directly to AI agents, using the user's existing authenticated session. In Chrome 146 DevTrial (not Standards Track yet); W3C Community Group draft published March 2026. Microsoft and Google are principal editors.

An open standard for AI agent interoperability — any agent can delegate tasks to specialist agents using JSON-RPC over HTTP. An agent announces its capabilities via an agent.json card at /.well-known/agent.json; orchestrating agents discover and invoke it without any bespoke integration. Reached v1.0 stable in March 2026 under Linux Foundation governance, with over 50 partners including Microsoft, SAP, and Salesforce.

Klarna's open protocol for AI-native product discovery. Merchants expose a standardised product catalogue feed or self-hosted REST endpoint; AI agents query it to compare prices, check stock, and surface results in shopping assistants and AI search.

Visa's protocol for cryptographically authenticating AI agents to merchants. Agents sign every request with an Ed25519 private key; merchants verify via Visa's public JWKS endpoint. Replaces CAPTCHA-based bot detection with verifiable agent identity, resolving the merchant challenge of distinguishing legitimate agents from malicious bots.

An open standard launched 5 March 2026 that allows AI agents to attach a cryptographically signed "intent token" to a payment request. The token declares the agent's identity, the scope of the purchase, and the spending mandate granted by the consumer. Merchants and payment networks can verify this intent without any prior relationship with the agent — resolving a key trust gap in autonomous commerce.

Verifiable Intent works alongside existing card rails and is network-neutral: it does not require Mastercard as the payment network, though Mastercard's Agentic Tokens programme uses it as its identity layer. The standard is maintained by Mastercard and open for adoption by any payment network.

Merchant-side agentic payment infrastructure. Merchants embed a hosted iframe from collect.nekuda.ai for PCI-compliant card collection, which the nekuda wallet then stores and makes available to authorised AI agents at checkout.

nekuda implements the ACP checkout gateway pattern: merchants expose a /checkout_sessions endpoint that agents call to initiate a purchase. The checkout.directory registry currently lists over 50 participating merchants, including Allbirds, Gymshark, Glossier, Everlane, Away, and Brooklinen. Presence in that registry is the primary signal an agent can use to confirm a merchant supports agentic checkout via nekuda.

Because the integration requires a merchant-side SDK (@nekuda/wallet for React frontends, @nekuda/nekuda-js or the nekuda Python package on the backend), the integration is detectable by scanning for the iframe origin, public keys, or well-known paths. Aidō Lighthouse checks for these signals as part of its agentic readiness assessment.

Agent-side payment infrastructure that requires no changes on the merchant. PayOS provisions an AI agent with a virtual card (an "agentic token") backed by Mastercard's Agentic Tokens programme and Visa Intelligent Commerce. From the merchant's perspective, the transaction arrives as a normal card payment; there is no SDK to install, no checkout session endpoint to expose, and no registry to join.

PayOS uses Visa's Trusted Agent Protocol (TAP) to sign agent requests with RFC 9421 HTTP Message Signatures, giving merchants a cryptographic way to verify the agent's identity without any pre-integration. VGS (Very Good Security) handles PCI vaulting of the underlying card credentials. Mastercard completed its first live agentic token transaction in September 2025, marking a significant milestone for card-native agentic payments.

The split between nekuda and PayOS represents a broader architectural choice facing the industry: merchant-side readiness (where the merchant opts in and gains richer agent integration) versus agent-side infrastructure (where the agent operates independently of merchant support). In practice, both approaches are likely to coexist, and an agent may prefer nekuda on merchants that support it while falling back to PayOS elsewhere.

Stripe and Tempo's open protocol for AI agents to authorise and settle payments via a structured API message, independent of any particular checkout session. Where ACP defines the full checkout lifecycle (cart, address, review, pay), MPP handles just the payment authorisation step — a single structured request that Stripe routes and settles through its existing network.

MPP is designed to be composable: an agent running ACP on a participating merchant uses ACP end-to-end; on a merchant without ACP support, the agent can use MPP for the payment step alone. The protocol includes agent spending mandates (per-transaction and daily limits), revocation, and an audit log endpoint so consumers can review what an agent spent on their behalf.

Repurposes the HTTP 402 Payment Required status code for machine-to-machine stablecoin micropayments. When an agent requests a resource or API endpoint, the server responds with 402 and a payment URI; the agent pays in USDC (or another stablecoin) on-chain and retries the request with a payment proof header. The server verifies the on-chain transaction and fulfils the request.

Designed for pay-per-call AI APIs and autonomous agent economies where traditional subscription billing is impractical. An agent researching products could pay fractions of a cent for each data request without a pre-existing account. Cloudflare has added native x402 support to its edge network, making it trivially deployable for any site behind Cloudflare.

VGS is the world's largest payment tokenisation provider and the PCI vaulting layer behind PayOS and Visa Intelligent Commerce. Its core role is simple: raw card numbers go in, tokens come out. Merchants and agents only ever handle those tokens, so a data breach exposes nothing sensitive. VGS estimates that agentic AI spending will reach $155 billion by 2030, with $250 billion in payments exposed to disruption from the shift to agent-driven commerce.

For agentic commerce specifically, VGS offers four capabilities that matter. Agentic Autofill lets AI agents securely fill payment fields using a pre-authorised token, with VGS inserting the raw credentials server-side before the transaction reaches the card network. Collect MCP UI embeds a VGS-hosted iframe directly inside an agentic prompt, capturing card details without the agent or merchant ever touching the raw PAN — keeping both firmly out of PCI scope. Network Token Management provisions Visa and Mastercard network tokens on behalf of agents, so each transaction uses a short-lived cryptogram that is useless to replay. API Pass-Through proxies payment API calls transparently, applying data security transforms at the edge so merchants can send and receive payment data without storing it themselves.

Because VGS sits behind several major agentic payment products (including PayOS and Visa's own token infrastructure), a merchant that has never heard of VGS may already be using it indirectly. Aidō Lighthouse scans for VGS signals including the vgs-collect.js SDK, cross-frame card-created events, and references to the VGS agent toolkit.

A pre-credentialing and reputation network for autonomous AI agents, addressing the trust problem that tokenisation alone does not solve: even a valid payment token says nothing about whether the agent presenting it has permission to spend. KYA verifies operator identity, spending authorisation, and transaction history in under 100ms, returning a trust score (accept, review, or decline) that the merchant can act on before any payment is attempted.

An agent registers with KYA before it starts transacting. At checkout, it presents a KYA credential alongside its payment token, analogous to a CVV but for agent identity. The merchant queries KYA's API; if a consumer later contests a charge, the record of the agent's authorisation is already there. IDC and Microsoft project 1.3 billion AI agents in active use by 2028; McKinsey estimates $3–5 trillion in agentic commerce by 2030. A Shopify integration is in development.

KYA and VGS solve complementary problems. VGS handles credential security: the card number never leaves the vault. KYA handles identity trust: the agent presenting the token is who it claims to be. Together they cover both halves of agentic payment security.

Skyfire collapses two problems into one: proving who an agent is (KYA, Know Your Agent) and authorising it to spend (PAY). Before an agent starts shopping, the user pre-authorises a Skyfire spending wallet with configurable limits — per-merchant caps, daily totals, per-transaction maximums. The agent then attaches a single signed x-kyapay JWT to its request headers.

From the merchant's side, verifying the token is a single call to Skyfire's JWKS endpoint, taking milliseconds. There is no redirect to a payment page, no SMS one-time password, no 3DS popup, and no account creation. The token encodes the agent's identity, the spending mandate, and a cryptographic proof that the user granted it — all in one place. Merchants who verify it get a payment they know is authorised; merchants who do not verify it can still receive the payment through normal card rails with the spending wallet acting like a standard virtual card.

This makes Skyfire particularly attractive for high-frequency agent commerce, where traditional authentication flows would make autonomous purchasing impractical. Aidō Lighthouse scans for Skyfire signals including x-kyapay header references in HTML and JavaScript, and the /.well-known/skyfire discovery endpoint.