What is the Agentic Commerce Protocol?

The Agentic Commerce Protocol (ACP) is an open standard co-developed by OpenAI and Stripe that enables AI agents to complete commercial transactions on behalf of users. It consists of three specifications: Product Feed, Agentic Checkout, and Delegated Payment.

Yes, the protocol specification is free and open source (Apache 2.0). Standard payment processing fees apply when using Stripe for payments.

Do merchants keep their customer relationships with ACP?

Yes, merchants remain the merchant of record and keep full control over customer relationships, including customer data, emails, and support.

How are payments secured in ACP?

ACP uses Shared Payment Tokens (SPTs) that are merchant-specific, amount-limited, time-limited, and single-use. The AI agent never sees actual payment credentials.

Which AI assistants support ACP?

ChatGPT supports ACP via its Instant Checkout feature. As an open standard, any AI platform can implement ACP support.

Agentic Checkout Specification

The Agentic Checkout Specification (ACS) defines a standardized REST API that merchants implement to support checkout through AI agents.

The merchant remains the system of record for all orders, payments, taxes, and compliance.

Required Endpoints

Method	Endpoint	Description
`POST`	`/checkout_sessions`	Create a new checkout session
`POST`	`/checkout_sessions/{id}`	Update an existing session
`POST`	`/checkout_sessions/{id}/complete`	Complete the checkout
`POST`	`/checkout_sessions/{id}/cancel`	Cancel the session
`GET`	`/checkout_sessions/{id}`	Get session state

Request Headers

Header	Required	Description
`Authorization`	Yes	API key authentication
`Signature`	Yes	HMAC Base64-encoded signature
`Timestamp`	Yes	RFC 3339 timestamp
`Idempotency-Key`	Yes	Unique request identifier

Create Session


POST /checkout_sessions

Request Body


interface CreateSessionRequest {
  cart_items: Array<{
    product_id: string;
    variant_id?: string;
    quantity: number;
  }>;
  buyer_context?: {
    shipping_address?: Address;
    email?: string;
  };
  currency: string;
}

Response (201 Created)


interface CreateSessionResponse {
  checkout_session_id: string;
  state: 'not_ready_for_payment' | 'ready_for_payment';
  cart: { items: LineItem[] };
  totals: Totals;
  fulfillment_options: FulfillmentOption[];
  expires_at: string;
}

Complete Checkout


POST /checkout_sessions/{id}/complete

Request Body


interface CompleteCheckoutRequest {
  payment_data: {
    token: string;      // Shared Payment Token
    provider: 'stripe';
    billing_address?: Address;
  };
}

Response (200 OK)


interface CompleteCheckoutResponse {
  checkout_session_id: string;
  state: 'completed';
  order: {
    order_id: string;
    order_number: string;
    permalink_url: string;
    status: 'confirmed';
  };
}

Data Types

Totals

All amounts in minor currency units (cents for USD).


interface Totals {
  items_base_amount: number;
  items_discount: number;
  subtotal: number;
  discount: number;
  fulfillment: number;
  tax: number;
  fee: number;
  total: number;
}

Address


interface Address {
  line1: string;
  line2?: string;
  city: string;
  state?: string;
  postal_code: string;
  country: string;
}

Signature Verification


import crypto from 'crypto';
 
function verifySignature(
  payload: string,
  signature: string,
  timestamp: string,
  secret: string
): boolean {
  const message = `${timestamp}.${payload}`;
  const expected = crypto
    .createHmac('sha256', secret)
    .update(message)
    .digest('base64');
 
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

Error Handling

Code	Meaning
`400`	Invalid request
`401`	Authentication failed
`404`	Session not found
`405`	Invalid state transition
`429`	Rate limited

See Error Codes for details.