Agentic Protocol Fragility
What survives the transaction, and what does not
On 3 April, Tom Noyes published Part 2 of his analysis of Target’s updated consumer terms. The title was blunt: “Owning Your Bot’s Actions.” His assessment of the protocol landscape was blunter. Current protocols, he wrote, are “high on technology and standards, but dangerously low on commercial terms that actually make markets function.”
He called out AP2 specifically.
Two weeks earlier, Target had updated its consumer terms. AI agent-initiated purchases are now “considered transactions authorized by you.” Target “does not guarantee that third-party AI tools will act exactly as you intend.” This language went live on 22 March, ahead of Google’s “Buy For Me” launch. Target has 25 million cardholders and a proprietary payment portfolio. They looked at the agentic commerce protocol landscape, saw a gap in commercial terms, and filled it themselves.
Noyes is right about the gap. I think AP2 is the best place to examine why it exists.
———
What AP2 Gets Right
Google’s AP2, the Agent Payments Protocol, is the most technically sophisticated payment authorisation framework in the agentic commerce landscape. Over 60 organisations collaborated on it. The specification is open, published on GitHub, MIT-licenced.
The design starts from the correct premise. Traditional payment infrastructure assumes a human clicks a button. When a software agent initiates a transaction on behalf of a human principal, you need to answer three questions: did the human authorise this purchase, does the agent’s request reflect the human’s actual intent, and who is accountable if something goes wrong.
AP2 answers all three with a cryptographic mandate architecture. A Cart Mandate captures human-present transactions. The merchant signs a cart confirming fulfilment intent. The user reviews the final cart on a trusted device surface, then signs with a hardware-backed key. The signed mandate binds the user’s identity to specific items, price, destination, and refund conditions. The signature is non-repudiable.
An Intent Mandate captures human-not-present transactions. The user tells the agent what they want. The agent translates that into structured constraints and records a “Prompt Playback,” which is the agent’s natural language understanding of the user’s request, recorded alongside the structured interpretation. The user signs. The agent operates autonomously within those bounds, with a time-to-live expiration.
A Payment Mandate travels separately to the payment network, carrying AI agent presence signals so the issuer knows the transaction was agent-initiated. Existing risk systems can factor in the agentic context without overhauling their authorisation infrastructure.
The Prompt Playback means AP2 records the original human words alongside the machine interpretation. If a dispute arises, the adjudicator can see where the translation broke. The human’s intent survives through machine execution because the protocol carries the evidence.
As an atomic payments process, AP2 is sound. Within the boundaries of a single transaction, a single agent, a single device, a single session, the cryptographic evidence chain works. I have no criticism of this part of the design.
———
The Problem Is What Happens After
Commerce is not atomic. A transaction is a moment in a relationship. The relationship continues after the moment ends. Returns, warranty claims, chargebacks, re-orders, customer service inquiries. These are normal commercial activities. They happen after the session closes, often weeks or months later, often from a different device, sometimes through a different service provider.
AP2’s mandates do not survive beyond the transaction and agent that created them. The specification is explicit about this in places, and silent in others. Both are concerning.
The Cart Mandate is signed by the user “typically using a hardware-backed key on their device with in-session authentication.” The Intent Mandate carries a time-to-live expiration. The specification defines no mandate storage responsibility, no retention timelines, no archive access mechanisms, no cross-device key portability. It says mandates can be used “at time of disputes” but provides no long-term retention model. Public key distribution, the infrastructure needed to verify mandate signatures after the fact, is flagged as “future work” under “A Call for Ecosystem Collaboration.”
The mandates are evidence of a moment. The protocol provides no mechanism for that evidence to persist, transfer, or be referenced once the session, the agent, or the device that created it ceases to exist.
Consider three use cases.
———
Use Case 1: The Return
A consumer buys a pair of shoes through a shopping agent on their phone. The agent runs inside a Google ecosystem. The Cart Mandate is signed by the phone’s hardware-backed key, stored in the device’s secure enclave. The transaction completes. The mandate exists.
Two weeks later, the shoes don’t fit. The consumer wants to initiate a return. They’re at their laptop.
The Cart Mandate was signed by the phone’s secure enclave key. Hardware-backed keys are, by design, non-exportable. That is the security feature. The private key cannot be extracted from the device it was generated on. The laptop has its own key. AP2 defines no cross-device key federation. No multi-device identity mechanism. The specification does not mention device recovery, key portability, or cross-device synchronisation. The word “recovery” does not appear in the spec.
The consumer cannot cryptographically prove from their laptop that they are the person who signed the Cart Mandate on their phone. The protocol’s identity verification is bound to a physical object, not to the person.
This is a step backwards for omni-channel commerce. Today, a consumer can buy online and return in-store with a receipt and a photo ID. The commercial identity is the person. AP2’s cryptographic rigour binds the commercial identity to a device. The rigour that makes the transaction secure makes the post-transaction experience fragile.
So, can the consumer themselves initiate the return, without an agent? No. AP2 has no human-only path. The specification defines every interaction through a Shopping Agent or User Agent. The user “delegates a task to an AI Agent.” There is no flow for a user to directly reference a prior mandate, contact a merchant endpoint, or initiate a dispute through the protocol without agent mediation.
I’m sure merchants will eventually create exception handling processes for this scenario, but it should serve as a bit of a warning that omni-channel processes don’t account for a non-human entity in the loop.
So, as it stands now, the consumer needs an agent to initiate the return. The agent needs to reference the original Cart Mandate. The Cart Mandate was signed by a different device. The specification provides no mechanism for the return agent to access, verify, or reference the original mandate from a new device context.
From an operational perspective, the consumer is locked out of their own transaction. The protocol doesn’t treat this use case as an operational scenario, so merchants will need to accommodate it somehow.
———
Use Case 2: The Platform Switch
This extends the first use case across ecosystems. The consumer bought through Shopping Agent A, which is trusted by Credential Provider X. Six months later, the consumer has switched to Shopping Agent B, trusted by Credential Provider Y.
AP2’s v0.1 trust model uses manually curated allowlists. Shopping agents maintain lists of trusted credential providers. Credential providers maintain lists of trusted shopping agents. Merchants define which agents they support. These registries are bilateral and ecosystem-scoped.
Shopping Agent B has no access to Shopping Agent A’s transaction history. The mandates from the original purchase are not portable across trust registries. The consumer’s purchase history, the delegation context, the Prompt Playback that captured their original words, all of it lives within the original ecosystem’s boundaries. There’s no exportability of this history and context.
The specification acknowledges this is temporary. The long-term vision mentions mTLS and verifiable credentials for real-time trust establishment. But no timeline exists. No portability mechanism is defined. No standard for mandate transfer between ecosystems appears anywhere in the spec.
The consumer’s commercial identity is fragmented across whichever platforms they’ve transacted through. Each ecosystem holds a piece. No ecosystem holds the whole picture. The consumer, the actual human whose money was spent, has no protocol-level mechanism to consolidate their own transaction history.
This is ecosystem lock-in at the transaction evidence layer. The consumer can leave a platform. Their commercial history cannot.
Again, merchants will need to accommodate this use case using evidence and processes that exist outside of the agent interaction, and neither the protocol nor the methods widely adopted by merchants provide a mechanism to do that.
———
Use Case 3: The Chargeback
A consumer made a purchase through a shopping agent a couple of months ago. The agent’s developer has since been acquired. The agent no longer exists. The service was deprecated in the acquisition.
The consumer discovers the product was misrepresented. They initiate a chargeback through their card issuer. The dispute enters the normal adjudication process.
AP2’s dispute resolution framework says the adjudicator receives “the cart, hash, and cart/intent mandate along with the evidence.” Signatures are verified against public keys. The framework identifies three evidence sources: merchant-provided cart and hash, the Cart or Intent Mandate with cryptographic signatures, and standard evidence already collected by payment networks.
The agent that created the Intent Mandate, that generated the Prompt Playback, that held the context of the negotiation, no longer exists. The specification defines no mandate custody transfer for agent deprecation. No backup authority. No evidence-chain preservation mechanism.
The merchant presumably holds a copy of the Cart Mandate. But the Prompt Playback, the record of what the consumer actually asked for, lived with the agent. The agent’s signing key, the key used to verify the agent’s role in the transaction, belonged to the agent’s developer. That developer’s infrastructure is gone.
The specification says adjudicators verify signatures against public keys. The specification also flags public key distribution as unresolved future work. Keys “could be issued by issuers, payment networks, governments, merchants or third-party networks.” That word, “could,” is doing the work of an entire infrastructure that does not yet exist. If the agent’s developer shut down, and the public key infrastructure was never built, the adjudicator cannot verify the agent’s signature. A piece of the evidence chain is missing.
The dispute resolution framework provides a “helpful guide, not a binding contract.” The specification defers liability contracts to individual payment networks. The evidence that was supposed to make disputes resolvable depends on infrastructure the protocol has not built and actors that may no longer exist.
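The adjudicator-side check behind Use Cases 1 and 3, as an added sketch that is not code from the AP2 specification or from the author. It separates an invalid signature from one that cannot be checked because the key is not resolvable. The key ids, payload fields and registry are hypothetical, and toy textbook RSA stands in for a hardware-backed key so that it runs on the Python standard library.

```python
import hashlib, json
from dataclasses import dataclass

E = 65537  # public exponent for the toy RSA stand-in (not secure, demo only)

@dataclass(frozen=True)
class DeviceKey:
    key_id: str  # hypothetical identifier an adjudicator would look up
    n: int       # public modulus
    d: int       # private exponent; in hardware this is non-exportable

def make_key(key_id, p, q):
    return DeviceKey(key_id, p * q, pow(E, -1, (p - 1) * (q - 1)))

def digest(payload, n):
    raw = json.dumps(payload, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n

def sign(key, payload):
    return {"payload": payload, "key_id": key.key_id,
            "sig": pow(digest(payload, key.n), key.d, key.n)}

def verify(signed, registry):
    """Adjudicator-side check; registry maps key_id -> public modulus."""
    n = registry.get(signed["key_id"])
    if n is None:
        return "UNVERIFIABLE"  # key never published, or its publisher is gone
    ok = pow(signed["sig"], E, n) == digest(signed["payload"], n)
    return "VERIFIED" if ok else "INVALID"

def run_scenarios():
    # Constructed sample data: three unrelated keys, one per device or actor.
    phone = make_key("phone-enclave", 2**127 - 1, 2**89 - 1)
    laptop = make_key("laptop-enclave", 2**127 - 1, 2**107 - 1)
    agent = make_key("agent-developer", 2**107 - 1, 2**89 - 1)
    cart = sign(phone, {"item": "shoes", "price": "89.00"})
    agent_record = sign(agent, {"prompt_playback": "running shoes, size 10"})
    ret = sign(laptop, {"action": "return", "cart_sig": cart["sig"]})
    altered = dict(cart, payload={"item": "shoes", "price": "8.90"})
    # The agent developer shut down and its key was never distributed.
    registry = {phone.key_id: phone.n, laptop.key_id: laptop.n}
    return {
        "cart": verify(cart, registry),
        "altered_cart": verify(altered, registry),
        "agent_record": verify(agent_record, registry),
        "return_request": verify(ret, registry),
        # Use Case 1: valid signature, but nothing ties it to the cart signer.
        "return_matches_cart_signer": ret["key_id"] == cart["key_id"],
    }
```

Calling `run_scenarios()` returns one verdict per piece of evidence. The agent's record comes back as unverifiable rather than invalid, so the adjudicator can neither rely on it nor reject it.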
———
Why Target Wrote Those Terms
Let’s bring this back to Target. Target looked at this landscape and made a rational decision. The protocol layer provides cryptographic proof of authorisation for the moment of the transaction. It provides no enforceable commercial framework for what happens after. The card networks are still forming their rules for agent-initiated transactions. No payment network has published binding liability rules that account for the use cases above. The existing chargeback frameworks were designed for human-initiated purchases where the human is always available to assert their own claim.
Target filled the vacuum. Your bot, your responsibility. The terms are blunt because there is no protocol-level alternative. If the protocol defined enforceable commercial terms for agent-mediated transactions, if mandates persisted beyond the session, if identity survived device and platform boundaries, if the consumer could assert a claim directly, Target would not need to write its own rules.
Merchants will always fill a commercial vacuum with terms that favour the merchant. That is what merchants do. The card networks will eventually publish rules, but those rules will reflect the protocol capabilities that exist at the time they are written. If the protocols still treat transactions as atomic events when the networks write their rules, the rules will encode that limitation. The post-transaction use cases will remain unaddressed at the structural level.
———
What a Real Solution Looks Like
If the entities change, or the consumer shifts behaviour, the protocol layer needs to carry the full lifecycle of a transaction, not just the moment of payment.
First, transaction state needs to be tied to an entity, not to an agent. The consumer is the principal. The agent is a delegate. Delegates change. Delegates get deprecated. Delegates switch ecosystems. The principal persists. A protocol that binds transaction evidence to the agent binds it to the wrong thing. The evidence needs to follow the entity whose money was spent, across devices, across agents, across platforms, across time.
Second, mandates and their associated evidence need to persist beyond the atomic interaction. The Prompt Playback, the Cart Mandate, the Intent Mandate, the fulfilment record. These are the commercial memory of the transaction. They need to live somewhere that survives agent deprecation, platform changes, and device replacement. A neutral layer, not controlled by any single platform operator, that holds the transaction record and makes it available to any authorised party: the consumer, a new agent acting on their behalf, a dispute adjudicator, the merchant.
Third, the consumer needs a path to assert a claim directly. Agent mediation is fine for the initial transaction. It should not be a requirement for post-purchase actions. A human who bought something needs to be able to return it, dispute it, reference it, and prove they bought it, without depending on the continued existence of the software that helped them buy it. Nor do we want to create a UX nightmare putting the onus of proof and agent contextual portability onto the consumer.
AP2’s mandate architecture is a strong foundation. The Prompt Playback, the cryptographic evidence chain, the separation between Cart and Intent Mandates for different transaction modalities. The gap is not in the payment authorisation layer. The gap is in persistence, portability, and the assumption that the agent and device present at the moment of purchase will still be present when the consumer needs to reference that purchase later.
Commerce extends past settlement. The protocols should too.
Marc Massar is the founder of AURA Labs, building durable agentic commerce infrastructure. https://aura-labs.ai for more.

