Visa TAP vs Mastercard Agent Pay vs Google AP2 (May 2026)
Visa TAP vs Mastercard Agent Pay vs Google AP2 (May 2026)
Three different but stackable protocols for AI agent payments shipped to production in early 2026. Here’s what each one actually does, and how merchants and agent builders should think about them.
Last verified: May 17, 2026
TL;DR
| Visa Trusted Agent Protocol (TAP) | Mastercard Agent Pay | Google AP2 (+ UCP) | |
|---|---|---|---|
| Layer | Agent authentication | Card authorization | User mandate proof |
| Built with | Cloudflare (Web Bot Auth) | Mastercard + ecosystem | Google + 60+ partners |
| Token type | Bot auth signature | Agentic Tokens (short-lived, scoped) | Cryptographically signed user mandate |
| Settlement rail | Existing Visa rails | Existing Mastercard rails | Network-neutral (Visa, Mastercard, ACH, crypto) |
| Live in May 2026 | Yes (via Cloudflare network) | Yes (live transactions reported) | Standard published, integrations rolling out |
| Open standard | Open framework | Mastercard-led | Fully open, multi-network |
| Best for | Merchants that want to admit agents safely | Issuers and acquirers on Mastercard | Builders that want one mandate format everywhere |
What each one actually does
Visa Trusted Agent Protocol (TAP)
TAP is an authentication and admission layer. It answers the merchant’s question: “Is this incoming request from a real, identified AI agent, or a scraper pretending to be one?”
- Built on Web Bot Auth — cryptographic signatures that let a merchant verify the agent’s identity (e.g. “this is ChatGPT Operator”, “this is Claude for Work”, “this is Perplexity”).
- Co-developed with Cloudflare, which means TAP is enforceable at the edge — Cloudflare fronts a huge fraction of e-commerce, so merchants get TAP enforcement without code changes.
- TAP is aligned with OpenAI’s Agentic Commerce Protocol and Coinbase’s x402 — it doesn’t replace them, it admits or rejects the agent before they run.
- Visa explicitly positions TAP as not a payment rail — it’s the bouncer that decides who gets to ring the till.
Mastercard Agent Pay
Agent Pay is a card-authorization layer with a real-world payment instrument.
- Issues Agentic Tokens — short-lived, scoped tokens tied to a specific user mandate, a specific merchant, and a specific spend cap.
- Tokens are dynamically scoped: “this agent can spend up to $600 at this merchant in the next 24 hours and nowhere else”.
- Reuses Mastercard’s existing chargeback, dispute, and fraud-protection rails — so users keep their consumer protections.
- Mastercard has publicly reported live transactions with Agent Pay, putting it ahead of most rivals on actual production volume.
Google Agent Payments Protocol (AP2) + Universal Commerce Protocol (UCP)
AP2 is a user-mandate proof layer. UCP is the broader Google-led checkout protocol it plugs into.
- AP2 produces a cryptographically signed mandate that an agent can show to any merchant: “user X authorized me to spend up to Y at any merchant matching Z criteria”.
- Open standard, endorsed by Visa, Mastercard, PayPal, Coinbase, American Express, Shopify, Stripe, and 60+ others — making it the most network-neutral of the three.
- AP2 is rail-agnostic — the same signed mandate can settle on Visa, Mastercard, ACH, SEPA, or stablecoins via x402.
- UCP wraps offer discovery, mandate exchange, checkout, and receipt issuance.
Where they overlap, where they don’t
| Concern | TAP | Agent Pay | AP2 |
|---|---|---|---|
| Is this a real agent? | ✅ | partial | no |
| Is this user really authorizing this purchase? | no | partial (via mandate) | ✅ |
| Can the merchant get paid? | no | ✅ | depends on rail |
| Are there spend limits enforced? | no | ✅ | ✅ |
| Are there chargebacks? | n/a | ✅ (Mastercard) | depends on rail |
| Cross-network portable? | partial | no (Mastercard only) | ✅ |
The clean way to think about it: TAP + Agent Pay + AP2 are different layers of the same transaction. A robust agent payment in late 2026 will likely include all three:
- Agent presents an AP2 signed user mandate.
- Merchant uses TAP (or equivalent) to verify the agent identity.
- Mastercard rail issues an Agentic Token bound to that mandate.
- Transaction settles on existing card rails.
- User gets a normal receipt and normal chargeback rights.
What changed in May 2026
- Visa expanded TAP integrations through Cloudflare to cover more merchant categories (travel, ticketing, marketplaces).
- Mastercard publicly disclosed first live agentic transactions at scale through Agent Pay with named partner banks and merchants.
- Google AP2 added more network signatories (60+ as of mid-May) and is being baked into Google Pay, Shopify checkout, and Gemini’s commerce agents.
- Visa unveiled a separate consumer-facing agent commerce platform on May 5, 2026 that pulls TAP, mandate-style authorization, and agent-friendly checkout into one offering aimed at consumer and SMB agents.
Comparison table by use case
A consumer ChatGPT/Claude agent buying a flight
- AP2 signs the user mandate (“book under $600”).
- TAP verifies that “ChatGPT Operator” is the calling agent.
- Mastercard Agent Pay issues a one-shot Agentic Token.
- Airline charges that token; user sees a normal Mastercard transaction.
A B2B procurement agent buying SaaS
- AP2 mandate signed by the buying company’s finance system.
- TAP / Cloudflare verifies the agent identity.
- Settlement may go via virtual card (Visa or Mastercard) or ACH.
- Procurement audit log captures the signed mandate as evidence.
An API-calling agent paying per request
- This is mostly x402 / stablecoin territory, not card rails.
- AP2 can still sign the higher-level user mandate (“agent may spend up to $50/day on third-party APIs”).
- TAP / Agent Pay don’t add much at the per-call level — fees would dominate.
Pricing and economics
| TAP | Agent Pay | AP2 | |
|---|---|---|---|
| Pricing | No direct fee (rolled into Visa interchange + Cloudflare) | Standard Mastercard interchange | Free open standard |
| Merchant cost to adopt | Low if already on Cloudflare | Standard Mastercard integration | Library implementation only |
| Issuer cost | Standard | Standard + Agentic Token issuance | n/a |
| User cost | Free | Free | Free |
Strengths and weaknesses
Visa TAP
Strengths: Backed by the biggest network. Edge-enforceable via Cloudflare. Open framework. Weaknesses: Only admits the agent — doesn’t carry mandate semantics or settle payment by itself.
Mastercard Agent Pay
Strengths: Live in production. Carries real consumer protections. Short-lived scoped tokens. Weaknesses: Mastercard-only. Less of an open standard.
Google AP2
Strengths: Most open. Cross-network. Strong cryptographic mandate primitive. Weaknesses: No rail of its own — needs a settlement layer underneath. Live integrations still rolling out.
When to pick which
Build to TAP first if: you’re a merchant on Cloudflare who wants to admit agents safely without rebuilding checkout.
Build to Agent Pay first if: you’re an issuer or merchant already deep in the Mastercard ecosystem and need live, scoped card-level controls today.
Build to AP2 first if: you’re an agent builder who wants one mandate format that works with every network and is most likely to be the long-term standard.
In practice: support all three. They’re complementary, the spec authors agree they’re complementary, and the early production stacks already combine them.
What’s next
- Visa + Cloudflare are expected to release TAP 1.1 with deeper mandate semantics.
- Mastercard Agent Pay is expanding to AmEx- and Discover-class issuers via the broader AP2 working group.
- Google AP2 1.0 is targeted for stable release at Google I/O 2026 (May 19-20).
- Expect Apple Pay to publish its own agent-mandate flow at WWDC 2026 (June).
Related reading
- What is Visa Trusted Agent Protocol (TAP)? (May 2026)
- Best AI Agent Payment Solutions (2026)
- How AI agents make payments (2026)
- What is the Machine Payments Protocol?
Sources: Visa press releases, Mastercard Agent Pay documentation, Google AP2 spec, Cloudflare blog, ATXP Mastercard/Stripe/Visa protocol comparison — May 2026.