What is the Agentic Commerce Protocol?

The Agentic Commerce Protocol (ACP) is an open standard co-developed by OpenAI and Stripe that enables AI agents to complete commercial transactions on behalf of users. It consists of three specifications: Product Feed, Agentic Checkout, and Delegated Payment.

Yes, the protocol specification is free and open source (Apache 2.0). Standard payment processing fees apply when using Stripe for payments.

Do merchants keep their customer relationships with ACP?

Yes, merchants remain the merchant of record and keep full control over customer relationships, including customer data, emails, and support.

How are payments secured in ACP?

ACP uses Shared Payment Tokens (SPTs) that are merchant-specific, amount-limited, time-limited, and single-use. The AI agent never sees actual payment credentials.

Which AI assistants support ACP?

ChatGPT supports ACP via its Instant Checkout feature. As an open standard, any AI platform can implement ACP support.

Security & Privacy

Security is a top priority for the Agentic Commerce Protocol. This page explains how payments are protected, what data is shared, and best practices for implementation.

The Core Security Model

The key insight: AI agents never see your card number.

Instead of sharing payment credentials directly, the system uses Shared Payment Tokens (SPTs) — secure, scoped grants that let a specific merchant charge a specific amount, one time only.

How Shared Payment Tokens Work

Property	What It Means
Seller-bound	Token only works for the intended merchant
Amount-limited	Cannot charge more than the authorized amount
Time-limited	Expires after ~30 minutes
Single-use	Cannot be used twice
Credential-free	Never contains real card numbers or PANs

Even if a token is intercepted, it’s useless to attackers — it’s already locked to one merchant, one amount, and will expire shortly.

Transaction Flow


Customer → AI Agent → Merchant → Payment Processor

1. Customer's card stays with Stripe (never shared)
2. AI agent requests a scoped token for the specific purchase
3. Token is delivered to merchant
4. Merchant charges the token
5. Token is consumed and cannot be reused

What Data Gets Shared

Data Type	Who Sees It
Card numbers	Only Stripe — never the AI, never the merchant directly
Limited card info	Merchant sees brand, last 4 digits (for display)
Shipping address	Merchant (for fulfillment)
Email	Merchant (for order confirmation)
Product searches	Only the AI during the conversation

Key point: Merchants receive order and fulfillment info, but the actual payment credentials stay with Stripe.

PCI Compliance

The protocol is designed to minimize your PCI scope:

Spec	PCI Scope
Product Feed	Not in scope — no cardholder data
Agentic Checkout	Not in scope — no cardholder data
Delegated Payment (via PSP)	May avoid scope changes — depends on implementation
Delegated Payment (direct)	Likely in scope — involves handling cardholder data

Using Stripe’s implementation: You never handle raw card numbers, potentially qualifying for SAQ A (the simplest compliance level).

Direct integration: Consult your Qualified Security Assessor (QSA). OpenAI may require your Attestation of Compliance (AOC) before production access.

Fraud Protection

Agentic commerce creates new fraud challenges:

Traditional fraud signals are tuned for human behavior
AI agents lack human variability and can be misflagged
Bad actors can potentially manipulate agents

How Stripe Radar Helps

When using SPTs through Stripe, you get access to risk signals:

Likelihood of fraudulent dispute
Card testing detection
Stolen card signals
Issuer decline probability
Differentiation between high-intent agents and low-trust bots

Merchants can use these signals to accept or decline transactions.

Implementation Security

TLS Requirements

All traffic must use:

TLS 1.2 or later
Port 443
Valid public certificate

No exceptions. HTTP is not allowed.

IP Allowlisting

OpenAI calls your endpoints from specific IP ranges. Allowlist the CIDR blocks in chatgpt-connectors.json .

Signature Verification

Always verify signatures. Never skip this step.

All webhook events must be signed with HMAC. Verify every request:


function verifySignature(
  payload: string,
  signature: string,
  timestamp: string,
  secret: string
): boolean {
  // Check timestamp (5 minute window)
  const requestTime = new Date(timestamp).getTime();
  if (Math.abs(Date.now() - requestTime) > 300000) {
    return false;
  }
 
  // Verify HMAC
  const expected = crypto
    .createHmac('sha256', secret)
    .update(`${timestamp}.${payload}`)
    .digest('base64');
 
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

Token Handling Best Practices

Never store Shared Payment Tokens
Charge immediately and discard
Don’t log full token values
Use HTTPS only for all communications

Input Validation

Validate all incoming data:


import { z } from 'zod';
 
const CartItemSchema = z.object({
  product_id: z.string().max(100),
  quantity: z.number().int().min(1).max(100),
});

Rate Limiting

Protect your endpoints:


const limiter = rateLimit({
  windowMs: 60000,
  max: 100,
});
 
app.use('/checkout_sessions', limiter);

User Control

Buyers maintain control throughout:

Explicit confirmation — Every purchase requires user approval
No auto-purchasing — AI cannot spend money without consent
Review before payment — Users see full order details before confirming
Cancel anytime — Users can back out at any step

Security Checklist

Before going live, verify:

TLS 1.2+ on all endpoints
Signature verification on all webhooks
Timestamp validation (reject old requests)
Idempotency key handling
Input validation on all data
Rate limiting configured
Secure logging (no sensitive data)
IP allowlisting for OpenAI requests
Monitoring and alerting set up

Learn More

Stripe Integration Guide — Technical implementation details
Going Live Checklist — Production requirements
Stripe Trust Center — Stripe’s security documentation