By Eco research. Updated May 2026.
Mastercard Agent Pay is a payments framework, announced on April 29, 2025, that lets verified AI agents transact on a consumer's behalf using Agentic Tokens, an extension of the Mastercard Digital Enablement Service (MDES). Agentic Tokens bind a tokenized card credential to a specific agent, a specific merchant scope, and a specific consent policy, so a model like ChatGPT or Microsoft Copilot can complete a checkout without ever holding the raw card number. Mastercard introduced the program with Microsoft, IBM, and Braintree as launch partners. See the Mastercard April 29, 2025 press release.
How Does Mastercard Agent Pay Work?
Agent Pay issues an Agentic Token from MDES that represents the cardholder's card credential, scoped to a specific AI agent and a specific commerce policy. When the agent transacts, the merchant receives the Agentic Token, the acquirer routes it through Mastercard's network, and MDES de-tokenizes it back to the underlying card. The card number itself never reaches the agent or the merchant.
The flow has four moving parts. First, the consumer enrolls a card and grants an agent a policy (spend ceiling, merchant categories, expiration). Second, MDES mints an Agentic Token cryptographically bound to that policy. Third, the agent presents the token at checkout, often through a partner like Braintree or another Mastercard-certified processor. Fourth, Mastercard's authorization stack validates the policy signals before releasing approval. Mastercard's developer documentation describes the token lifecycle in the MDES Digital Enablement product reference.
The framework also integrates Mastercard's existing fraud controls. Decision Intelligence scores the transaction with new agentic-specific signals, including agent identity, session provenance, and consent freshness. This is the layer that makes Agent Pay materially different from "let an agent type your card number into a form."
What Are Agentic Tokens, and How Do They Differ From Regular Tokenized Cards?
An Agentic Token is a Mastercard network token (the same MDES primitive that powers Apple Pay and Google Pay) carrying additional fields that bind it to one named AI agent, one consent policy, and one set of merchant scopes. Regular tokenized cards bind only to a device or wallet. The Agentic Token's policy fields are validated network-side at every authorization.
The practical differences matter. A device token in Apple Pay assumes a human is present at point of sale, biometrically authenticated. An Agentic Token assumes the human pre-authorized the agent and is not present at checkout. To compensate, Mastercard layers in three additional checks: agent attestation (who is this agent, signed by its operator), policy match (does the purchase fall within the consumer's stated rules), and behavioral signal (does the transaction pattern match the agent's prior behavior).
Mastercard has said Agentic Tokens are "the same underlying tokenization that secures over one billion devices today," with the agentic policy layer added on top. The token is revocable: a consumer can pull an agent's authorization in real time from their issuer's app, and the next transaction attempt fails authorization within the network.
What Is the Consent Model in Agent Pay?
The consent model is policy-based, not per-transaction. A consumer enrolls a card, names an agent (for example, an Operator-class ChatGPT shopping agent), and configures a policy: maximum per-transaction amount, monthly cap, allowed merchant categories, expiration window, and optional step-up rules. The agent transacts freely within the policy; transactions outside the policy fail at the network level.
Step-up rules let the consumer require a passkey or push confirmation for higher-value purchases. Mastercard's framing positions this as "programmable consent". the consumer codifies their delegation once, and the network enforces it. This is closer to OAuth scopes than to a per-transaction CVV prompt. Consent metadata is stored in MDES and travels with the token through authorization.
Revocation is immediate. Pulling an agent's authorization in the issuer's app invalidates the Agentic Token at the network. Mastercard has not yet published the full revocation latency SLA, but the architecture is real-time by design because authorization itself is real-time.
What Do Merchants Need to Integrate Agent Pay?
For most merchants, integration is minimal. If a merchant already accepts Mastercard network tokens through a certified processor (Braintree, Stripe, Adyen, Checkout.com, Worldpay, and others), Agentic Tokens flow through the same rails. The merchant sees a token, processes it the same way, and receives the same authorization response codes.
Where merchants do need to adapt is in agent-aware commerce surfaces. Recommended additions include: structured product feeds an agent can read (schema.org Product, GS1 GTINs), agent-friendly checkout endpoints (programmatic add-to-cart, programmatic shipping selection), and acceptance of agent attestation headers from the processor. Mastercard's launch partners include Shopify-adjacent stacks and Microsoft's commerce APIs, suggesting catalog standardization is part of the rollout. Merchants who want priority listing in agent flows will likely need to participate.
Liability follows the same rules as standard Mastercard tokenized transactions: the issuer carries fraud liability when the token is validly issued and the policy is honored at authorization. Chargeback rights for the consumer remain intact.
How Does Agent Pay Compare to Visa Trusted Agent, Google AP2, and Stripe AI Commerce?
Four agentic-commerce frameworks shipped between April and October 2025, each from a different layer of the stack. Mastercard and Visa work at the card-network layer, Google at the open-protocol layer, and Stripe at the processor and developer-tooling layer. They are not mutually exclusive; most production agent-commerce flows in 2026 will touch two or more.
The table below summarizes the four. Each row reflects publicly documented behavior as of Q1 2026.
Framework | Operator | Layer | Identity primitive | Settlement rail | Open? |
Mastercard Agent Pay | Mastercard | Card network | Agentic Token (MDES) | Mastercard rails | Closed network, open partner program |
Visa Trusted Agent Protocol | Visa | Card network | Verified Agent ID (cryptographic attestation) | Visa rails | Closed network, open spec for agents |
Google AP2 (Agent Payments Protocol) | Google + 60+ partners | Open protocol | Agent DID + signed Intent Mandate | Card, A2A, stablecoin (pluggable) | Open source (Apache 2.0) |
Stripe AI Commerce / Agent Toolkit | Stripe | Processor + SDK | Stripe API key scoped to agent + Issuing virtual card | Card, ACH, SEPA | SDK open, infra proprietary |
Mastercard Agent Pay and Visa Trusted Agent are network-layer solutions. They give an agent a credential their own network can recognize and authorize. Visa's Trusted Agent Protocol, announced in September 2025, introduces a Verified Agent ID issued by Visa and a separate consent record signed by the consumer's issuer. See the Visa Trusted Agent Protocol announcement. The two networks are converging on similar mechanics, with branding and partnership differences.
Google's AP2, released September 2025 with 60+ launch partners including Mastercard, American Express, PayPal, Coinbase, and Salesforce, is an open protocol rather than a network. AP2 defines an Intent Mandate (what the user wants) and a Cart Mandate (what the agent proposes to buy), both signed as verifiable credentials. AP2 is settlement-agnostic: a payment can clear over a card network, a bank account, or a stablecoin rail. The full spec is on GitHub at google-agentic-commerce/AP2.
Stripe's approach is different in kind. Stripe ships an Agent Toolkit that wraps Stripe's existing APIs for LLM use, plus Issuing virtual cards with per-agent spend limits, plus integration with OpenAI's Agents SDK. Stripe isn't defining a new credential type; it's making its existing primitives safe to hand to a model. For merchants already on Stripe, this is the lowest-friction option, but it does not solve the network-level agent identity problem.
Why Do Stablecoin Rails Matter for Agentic Commerce?
Stablecoin rails are an alternative settlement substrate for agentic payments, particularly for cross-border, machine-to-machine, and micropayment flows where card-network economics break down. They sit alongside Agent Pay rather than replacing it. AP2 explicitly supports stablecoin settlement, and Coinbase's x402 protocol, released in May 2025, defines a stablecoin-native HTTP payment standard agents can call.
Card rails carry interchange of roughly 1.5 to 3.5 percent plus per-transaction fees that the Kansas City Fed estimates can run $0.50 to $0.80 on credit transactions. For a $0.05 agent-to-agent API call, that is uneconomical. Stablecoin rails clear in seconds with sub-cent fees on chains like Base, Arbitrum, and Solana, settle 24/7, and require no merchant acquirer. Stablecoin supply crossed $230 billion in Q1 2026 per DeFiLlama.
For high-value retail purchases the card networks still win on consumer protections (chargebacks, fraud reversal, dispute mediation). The realistic 2026 picture is a split stack: card rails for retail consumer commerce, stablecoin rails for machine-to-machine commerce and cross-border B2B. Eco Routes operates on the stablecoin side, providing onchain settlement infrastructure across 15 chains for agents and merchants that need programmable, low-cost, cross-chain stablecoin payments.
Where Does Agent Pay Fit in the Broader Agentic Commerce Stack?
Agent Pay is the credential-and-authorization layer for card-funded agent transactions. Above it sits the agent runtime (OpenAI's Operator, Google's Project Mariner, Anthropic's Computer Use, Microsoft Copilot). Below it sits the existing Mastercard network. Adjacent to it sit competing or complementary primitives: Visa Trusted Agent on the same layer, AP2 as a protocol envelope above it, and stablecoin rails as an alternative settlement layer beside it.
The interoperability story is still being written. Mastercard joined AP2 as a launch partner in September 2025, which means an AP2-compliant agent can pay via Mastercard rails with the AP2 mandate envelope wrapping a Mastercard Agentic Token. This is the most likely production pattern: open protocols handle agent identity and intent verification; network tokens handle the actual money movement.
For builders, the practical takeaway is that Agent Pay is not a standalone product to integrate. It is a capability the card networks are adding to existing tokenization rails. Most merchants get it for free through their processor; most agents get it through their LLM-platform partnership.
FAQ
When did Mastercard Agent Pay launch?
Mastercard announced Agent Pay on April 29, 2025, with Microsoft, IBM, and Braintree as launch partners. The framework entered phased rollout through 2025 and is broadly available through Mastercard-certified processors in 2026. See the Mastercard press release.
Is Agent Pay the same as Mastercard's existing tokenization?
It uses the same underlying MDES tokenization that powers Apple Pay and Google Pay, but extends it with agent identity, consent policy, and step-up rules bound to the token. Regular tokenized cards assume a present human; Agentic Tokens assume a pre-authorized agent.
Does Agent Pay work with stablecoins?
Agent Pay itself settles over Mastercard's card rails, not stablecoins. However, Mastercard joined Google's AP2 protocol in September 2025, and AP2 supports stablecoin settlement as one of multiple pluggable rails. Stablecoin payments to an agent typically route through AP2 or a direct onchain integration, not Agent Pay.
Can a consumer revoke an agent's authorization?
Yes. Authorization is revocable in real time through the consumer's issuer app. Pulling an agent's authorization invalidates the Agentic Token at the network, so the next attempted transaction fails at authorization. Spend caps, merchant restrictions, and expiration windows are configurable when authorization is first granted.
Related Reading
Sources and methodology. Mastercard Agent Pay specifics drawn from the April 29, 2025 press release and the MDES developer reference. Visa Trusted Agent details from Visa's September 2025 announcement. AP2 from the google-agentic-commerce/AP2 GitHub repo. Stripe agent capabilities from Stripe Agent Toolkit docs. Stablecoin supply from DeFiLlama, pulled Q1 2026. Interchange figures cite the Federal Reserve Bank of Kansas City; Reg II ceilings are debit-only and do not apply.