What is the Agentic Commerce Protocol?

The Agentic Commerce Protocol (ACP) is an open standard co-developed by OpenAI and Stripe that enables AI agents to complete commercial transactions on behalf of users. It consists of three specifications: Product Feed, Agentic Checkout, and Delegated Payment.

Yes, the protocol specification is free and open source (Apache 2.0). Standard payment processing fees apply when using Stripe for payments.

Do merchants keep their customer relationships with ACP?

Yes, merchants remain the merchant of record and keep full control over customer relationships, including customer data, emails, and support.

How are payments secured in ACP?

ACP uses Shared Payment Tokens (SPTs) that are merchant-specific, amount-limited, time-limited, and single-use. The AI agent never sees actual payment credentials.

Which AI assistants support ACP?

ChatGPT supports ACP via its Instant Checkout feature. As an open standard, any AI platform can implement ACP support.

🚀Agentic Commerce Protocol is now live! Instant Checkout is available in ChatGPT. Learn more →

Going Live

Ready to launch? Here’s everything you need to complete before going into production.

Building vs. Instant Checkout

Building with the Agentic Commerce Protocol is open to all. Instant Checkout in ChatGPT is currently available to approved partners. Apply here →

Pre-Launch Checklist

Complete and document each test in your sandbox environment before going live. Keep request/response logs for each item.

Session Creation & Address Handling

Create a checkout session with a shipping address
Create a checkout session without a shipping address
Verify shipping options and tax totals return once a valid address is provided
Confirm API-Version header is present and matches a supported version

Shipping Option Updates

Update the selected shipping option mid-session
Verify order totals recompute correctly when the option changes

Payment Tokenization

Create a delegated payment token
Send POST /agentic_commerce/delegate_payment with:
- Valid payment_method object
- allowance
- billing_address
- risk_signals
- metadata
Include all required headers
Verify canonical JSON serialization
Verify correct detached signature generation

Order Completion

Complete an order with a tokenized payment
Confirm response contains final order object in completed state
Validate all returned fields
Verify HTTP 201 Created status

Webhooks & Order Updates

Verify order_created webhook fires with valid HMAC signature
Verify order_updated webhooks fire on subsequent changes
Test webhook retry behavior

Error Handling

Test and log each error scenario:

Error	Trigger	Expected
`invalid_request`	Omit required field	HTTP 400
`out_of_stock`	Simulate inventory failure	HTTP 400
`payment_declined`	Simulate issuer decline	HTTP 400

Idempotency

Repeat create/complete calls with the same Idempotency-Key
Verify duplicate requests return the same result
Verify parameter mismatches return idempotency_conflict with HTTP 409

Legal & UX Links

Security Requirements

TLS/HTTPS

All traffic must use:

TLS 1.2 or later
Port 443
Valid public certificate

No exceptions.

IP Allowlisting

OpenAI will call your endpoints from specific IP addresses. Allowlist the CIDR blocks listed in chatgpt-connectors.json .

PCI Compliance

Spec	PCI Scope
Product Feed	Not in scope — no cardholder data
Agentic Checkout	Not in scope — no cardholder data
Delegated Payment (via PSP)	May avoid scope changes — depends on PSP implementation
Delegated Payment (direct)	Likely in scope — involves handling cardholder data

If you integrate directly with the Delegated Payment Spec, consult your Qualified Security Assessor (QSA) or PCI compliance advisor. OpenAI may require your Attestation of Compliance (AOC) before enabling production access.

Technical FAQs

Who is the merchant of record?

You are. OpenAI and payment service providers are not the merchant of record.

Your customers will see your business name on their credit card statement, exactly as if they bought directly from your website.

Who handles chargebacks and refunds?

You do. Since you accepted the payment directly as the merchant of record, you’re responsible for:

Processing refunds
Responding to chargebacks
Customer disputes

Use the ORDER_UPDATE webhook to notify ChatGPT when refund or chargeback status changes so order state stays synchronized.

Do I need to support multiple shipments?

Not yet. Today, the protocol models:

One shipping address per session
One selected shipping option per session

If your system supports split shipments, consolidate them into a single buyer-visible selection and return aggregate totals for shipping and tax.

Multi-shipment support may come in a future protocol version.

What about network tokens?

OpenAI intends to migrate entirely to network tokens as they become supported, while ensuring backwards compatibility for ineligible cards.

Ready to Launch?

Once you’ve completed the checklist:

Document your test results — Keep logs of all request/response pairs
Submit for review — OpenAI will verify your integration
Get production credentials — You’ll receive live API keys
Go live — Start receiving orders from ChatGPT users

Questions? Check the API Reference or reach out through the Community.

Changelog Why ACP Was Built

Specification maintained by OpenAI and Stripe

About Privacy Terms RSS

Apache 2.0 · Open Source