A weekly read of everything that moved in agentic commerce — protocols, payment rails, retailer pilots, regulation. Summarised, sourced, and stitched to what came before.
Identity & Trust
3 events tracked
Cryptographic agent credentialing, delegation chains, and verified-merchant signals are advancing across foundations and the FIDO/OpenID stack. Tracked weekly here: every credential-spec release, working-group charter, and live deployment of agent-identity infrastructure.
Google launched Pay direct checkout and EU digital IDs in Wallet, with SPA reducing authentication time by 50%.
Google Pay direct checkout embeds payment options from Google Wallet onto retailer checkout pages, available at launch for Airwallex merchants with Adyen planned. Updated Secure Payment Authentication (SPA, the European strong-authentication flow for online payments) reduced authentication time by 50% and increased conversion by 3% in internal testing; Visa, Checkout.com, Autopay, and Adyen will roll it out in the United Kingdom and Poland. The direct checkout path connects to Universal Cart (2026-w21), giving consumer agents a settlement layer at participating merchants. Digital IDs in Google Wallet expand to select EU member states, adding to existing coverage in Brazil, India, Taiwan, and the United Kingdom. Sparkasse Bank became the first EU national credential partner for age assurance, allowing age verification without disclosing name, address, or date of birth.
Self-certification launches for OpenID4VP, OpenID4VCI, and HAIP 1.0, enabling wallets and issuers in 38 jurisdictions to validate compliance with the Verifiable Credential specs.
Self-certification is the operational step that turns OpenID4VP, OpenID4VCI, and HAIP 1.0 from drafts into testable production specs. The 38-jurisdiction scope is the broadest geographic baseline for any AI agent identity infrastructure in this archive, extending the OpenID Foundation's earlier AI agent identity whitepaper (2025-w41-identity-openid-foundation-ai-whitepaper). Verifiable Credentials provide the wallet-level credential primitive that Mastercard Agentic Tokens (2025-w18-payments-mastercard-agent-pay) and Google's AP2 Mandates (2025-w38-standards-google-ap2-protocol) compose with at the payment layer. The programme precedes the FIDO Alliance's Agentic Auth working group (2026-w18-standards-fido-agentic-working-groups) by two months, with FIDO citing both Google AP2 and Mastercard Verifiable Intent as backing implementations. The Identity lane's two-entry footprint underlines how thinly populated the non-payments identity layer remains.
AI Identity Management Community Group paper covers authentication, authorisation, and governance frameworks for autonomous AI agents using existing OAuth 2.0 infrastructure.
The paper places AI agent identity inside the OAuth 2.0 framework instead of inventing a parallel stack, complementing the credential-binding direction of Mastercard's Agentic Tokens (2025-w18-payments-mastercard-agent-pay) and Google's signed Mandates (2025-w38-standards-google-ap2-protocol). The Identity lane on this site has only one other entry to date, the OpenID4VP self-certification programme (2026-w09-identity-openid-vc-self-certification), reflecting how thinly populated the non-payments identity layer is. The whitepaper covers delegation, scope, audit logging, and revocation — the structural primitives that later show up in FIDO's Agentic Auth working group (2026-w18-standards-fido-agentic-working-groups) and Visa's Trusted Agent Protocol (2025-w42-payments-visa-trusted-agent-protocol), which both reuse existing authentication infrastructure rather than building from zero. The paper precedes MCP's OAuth-aligned anniversary spec (2025-w48-standards-mcp-spec-update) by six weeks.
Agentic identity is the cryptographic and procedural layer that lets a system answer three questions: which agent is acting, what authority did its principal grant it, and which merchant is on the other side of the transaction. The active building blocks are Verifiable Credentials (OpenID4VP, OpenID4VCI), high-assurance authentication profiles (HAIP 1.0), Mastercard's Verifiable Intent for selective-disclosure consent records, and the FIDO Alliance's Agentic Authentication Technical Working Group on agent-to-service authentication. Each component answers a slice of the trust chain; no single specification covers it end-to-end yet.
The OpenID Foundation published a whitepaper on AI-agent identity management in October 2025 covering authentication, authorisation, and revocation for autonomous agents. The Foundation opened self-certification for Verifiable Credential specifications in February 2026, including OpenID4VP, OpenID4VCI, and HAIP 1.0 — the first formal conformance path for VC implementations. The FIDO Alliance formed an Agentic Authentication Technical Working Group in April 2026, chaired by CVS Health, Google, and OpenAI, to define how AI agents authenticate and act on behalf of users. Mastercard's Verifiable Intent framework uses selective-disclosure cryptography to create a tamper-resistant record of consumer authorisation for an agent's transaction; both AP2 v0.2 and Verifiable Intent were open-sourced at the April 2026 FIDO Alliance announcement. Cross-network interoperability between Visa, Mastercard, and the FIDO/OpenID layer remains unresolved. This hub tracks every credential-spec release, working-group charter, and live deployment of agent-identity infrastructure.
How do OAuth and OpenID Connect apply to AI agents in commerce?
OAuth 2.0 and OpenID Connect were designed to delegate access from one human user to a software client over HTTP. In an agentic-commerce flow the "client" is an AI agent acting on a user's behalf, and the merchant on the other side needs to verify three distinct facts: which human authorised the action, which agent is presenting the credential, and how far that authorisation extends. The OpenID Foundation's October 2025 whitepaper on AI-agent identity management set out the first framework for stretching the existing OAuth 2.0 surface to cover those questions, proposing agent-specific scope types and delegation tokens. The Foundation followed in February 2026 by opening self-certification for the OpenID4VP, OpenID4VCI, and HAIP 1.0 verifiable-credential specifications — the first formal conformance path for wallet and issuer implementations across 38 jurisdictions. The FIDO Alliance's Agentic Authentication Technical Working Group, formed in April 2026 with 60-plus member organisations, is mapping how an agent authenticates inside an OAuth 2.0 flow alongside Mastercard's Verifiable Intent and Google's AP2.
AI agent identity is the cryptographic and procedural layer that answers three questions in a commercial transaction: which agent is acting, what authority did its principal grant it, and which merchant or service is on the other side of the exchange. Without a reliable answer to all three, neither the merchant nor the consumer can establish who is responsible if the transaction goes wrong.
The active building blocks are Verifiable Credentials under the OpenID4VP and OpenID4VCI specifications, the HAIP 1.0 high-assurance authentication profile, and Mastercard's Verifiable Intent framework for selective-disclosure consent records. The OpenID Foundation opened self-certification for these specifications in February 2026, providing the first formal conformance path for wallet and issuer implementations across 38 jurisdictions. The FIDO Alliance's Agentic Authentication Technical Working Group, formed in April 2026, is mapping how an agent authenticates inside an OAuth 2.0 flow.