Sunday, June 14, 2026

— A weekly publication —

The Agentic Commerce Report

A weekly read of everything that moved in agentic commerce — protocols, payment rails, retailer pilots, regulation. Summarised, sourced, and stitched to what came before.

OpenID Foundation Publishes AI Agent Identity Framework Whitepaper

Issue 4October 6–12, 2025Synthesised from 4 sources

Edited by Reviewed against primary sources

The OpenID Foundation published a whitepaper this week 1 outlining a proposed framework for AI agent identity and delegation — the mechanisms by which a human principal authorises an agent to act on their behalf in commercial transactions. The document proposes extending existing OpenID Connect and OAuth 2.0 flows with agent-specific scope types and delegation tokens.

The whitepaper does not define a formal specification; it presents design considerations and invites public comment. Key questions addressed include how an agent presents credentials to a merchant without exposing the underlying human principal’s identity, and how delegation scope is constrained to specific transaction types, merchants, or spending limits.

Agent identity has been a gap in the agentic commerce infrastructure published to date. Mastercard’s Agent Pay 2 and Stripe’s ACP Instant Checkout 3 each define payment-side flows but defer to downstream systems for agent authorisation. The OpenID proposal addresses the upstream identity layer that those payment systems require but do not specify.

Three bodies — Anthropic (MCP 4), Google (A2A and AP2), and now the OpenID Foundation — published identity-adjacent documents in 2025. No formal interoperability mapping between these frameworks existed as of this week; the whitepaper notes that gap explicitly.

Events this issue

1 event
Identity
research

OpenID Foundation publishes whitepaper on AI agent identity management

AI Identity Management Community Group paper covers authentication, authorisation, and governance frameworks for autonomous AI agents using existing OAuth 2.0 infrastructure.

The paper places AI agent identity inside the OAuth 2.0 framework instead of inventing a parallel stack, complementing the credential-binding direction of Mastercard's Agentic Tokens (2025-w18-payments-mastercard-agent-pay) and Google's signed Mandates (2025-w38-standards-google-ap2-protocol). The Identity lane on this site has only one other entry to date, the OpenID4VP self-certification programme (2026-w09-identity-openid-vc-self-certification), reflecting how thinly populated the non-payments identity layer is. The whitepaper covers delegation, scope, audit logging, and revocation — the structural primitives that later show up in FIDO's Agentic Auth working group (2026-w18-standards-fido-agentic-working-groups) and Visa's Trusted Agent Protocol (2025-w42-payments-visa-trusted-agent-protocol), which both reuse existing authentication infrastructure rather than building from zero. The paper precedes MCP's OAuth-aligned anniversary spec (2025-w48-standards-mcp-spec-update) by six weeks.

  1. OpenID Foundation