The shape of the domain: four layers, one transaction

Agent commerce in mid-2026 is a four-layer composition, not a single protocol. A single paid request from a senior engineer’s agent touches all four layers, even when the implementation lets you ignore most of them. The layers compose vertically, and the protocols within each layer are designed to be swappable.

Diagram 1 — the four-layer agent commerce stack. No single protocol covers the full transaction; production agent integrations touch every layer.

Authorization is the layer that proves the agent is acting on a user’s instructions rather than hallucinating. AP2 occupies this slot: tamper-evident Intent, Cart, and Payment mandates signed by verifiable credentials, backed by Google with sixty-plus partners. Agent identity attestation proof of which agent is acting, not just which user authorized it - sits adjacent and is currently handled by third-party protocols like Skyfire’s Know Your Agent. The two together form the audit-grade authorization chain that regulators are starting to ask for.

Discovery is where the agent finds out what to buy and what it costs. MCP servers expose tool catalogs, ACP defines the four RESTful endpoints that model the checkout lifecycle for shopping agents, and ad networks like ZeroClick attach paid context to agent responses in the opposite economic direction (services earning from agent traffic, not agents paying for services). All three live at the discovery layer and compete or compose depending on the use case.

Settlement is the HTTP handshake that exchanges value. MPP and x402 both revive the HTTP 402 status code, both are backwards-compatible at the charge level, and they differ mainly in opinionation. MPP bakes idempotency, expiration, request-body binding via SHA-256 digest, HMAC-bound replay protection, structured RFC 9457 errors, and first-class receipts into the protocol spec itself, so every implementation inherits them. x402 leaves these to facilitators, which is why production teams keep rediscovering the same edge cases in their own implementations.

Rails is where money actually moves. Tempo settles MPP sessions with 0.5-second finality; USDC on Base settles x402 charges; Stripe Shared Payment Tokens settle fiat through the same PaymentIntents API; Lightning settles Bitcoin via Lightspark. The settlement layer is method-agnostic by design, and the layer above it should be too - your code should not know which rail the caller used.

Audit and policy span all four layers. Senior engineers underweight this layer because no protocol owns it. AWS’s AgentCore exposes vended logs and vended spans for every data-plane payments API call - the right pattern. Most production deployments don’t have an equivalent yet, which means audit trails are reconstructed from log scrape after the fact. That’s forensics, not compliance.

The architecturally important fact is that no single protocol covers the full transaction. A production agent that shops for users needs ACP’s checkout flow, AP2-style authorization, and either x402 or MPP for settlement - four protocol integrations, multiple wallet infrastructures, and multiple compliance surfaces. The clean separation is a feature of the protocol design and an operational burden for anyone shipping against it.

What’s actually live in production

The MPP services directory now lists over fifty integrated services, and Coinbase’s x402 Bazaar exposes over ten thousand x402 endpoints through MCP. The launch roster matters because it’s the first time large API providers have priced themselves directly for agent consumption.

Stripe’s own launch post names Browserbase (per-session headless browsers), PostalForm (physical mail printing), and Prospect Butcher Co. (NYC sandwich delivery) - vendor-published case studies, not independent ones. fal.ai prices image generation per request. Alchemy runs an agentic gateway where an agent authenticates with its on-chain wallet, pays USDC on Base, and accesses RPC across a hundred-plus chains without an API key.

The most architecturally instructive production deployment is Parallel Web Systems’ parallelmpp.dev — and unlike the Stripe roster, Parallel’s writeup is an independent engineering blog with code. The gateway exposes three paid endpoints (POST /api/search at $0.01, POST /api/extract at $0.01 per URL, POST /api/task at $0.30 ultra or $0.10 pro) plus free routes for discovery, task polling, and wallet balance lookups. Two payment rails — Tempo via the mppx CLI, x402 on Base via Stripe’s purl — route through a single middleware instance. The route handler doesn’t know or care which rail the caller used; it sees a 200, a Payment-Receipt header, and a parsed body, and proceeds as if it were any other authenticated request. That separation is the most important design choice in the writeup, and it’s the one most teams won’t get right on the first try.

Parallel’s other load-bearing decision is stateless 402 challenges. The challenge has an ID field that is an HMAC-SHA256 of the challenge parameters - realm, method, intent, request body, and expiry. When the client retries with a credential referencing that ID, the gateway recomputes the HMAC against the parameters in the credential and checks the IDs match. The issued challenge is never written anywhere. The gateway can horizontally scale behind any load balancer, restart cleanly, and survive a database outage without dropping in-flight requests. There’s no challenge replay window to manage and no TTL to tune — the expiry travels inside the signed parameters, and if a client tries to redeem a credential past it, the math fails and the request 402s again. The whole challenge layer is a pure function. That’s the kind of design choice that makes a system survive contact with production scale.

On the enterprise side, Amazon Bedrock AgentCore Payments entered preview May 7, 2026 with Coinbase CDP and Stripe Privy as the connected wallet providers. Three things matter about it. First, the wallet doesn’t hold private keys the agent can see — keys live in the wallet provider and the agent only gets signing through a managed interface. Second, spending limits are enforced deterministically at the infrastructure layer rather than as a soft instruction the agent’s prompt can override. Third, the same observability surface AgentCore uses for logs, metrics, and traces now covers payments — end-to-end observability through CloudWatch with vended logs and X-Ray traces for every data-plane API call. The “agent that spends money” went from custom-build to managed-service line item in seven weeks.

What an MPP integration actually looks like

The Substack version of the production reality lives in fifteen lines of Node. The mppx server SDK wraps the entire 402 challenge/credential flow into framework middleware:

import { Mppx, tempo } from 'mppx/server'

const mppx = Mppx.create({
  methods: [
    tempo({
      currency: '0x20c0000000000000000000000000000000000000', // pathUSD
      recipient: '0x742d35Cc6634c0532925a3b844bC9e7595F8fE00',
    }),
  ],
})

export async function handler(request: Request) {
  const response = await mppx.charge({ amount: '1' })(request)
  if (response.status === 402) return response.challenge
  return response.withReceipt(Response.json({ data: '...' }))
}

The middleware handles the 402 issuance and credential verification; the route handler reduces to “return the data.” On the client side, mppx.fetch is a drop-in for fetch — when the server returns 402, the client reads the payment requirements, signs a credential with the configured wallet, and retries the request automatically.

That brevity is the whole point. It’s also the trap. The fifteen lines work because every protocol-level concern — idempotency, replay protection, request-body binding, receipts — is hidden inside the SDK. When a production failure mode surfaces inside that SDK (and one already has), you don’t see it until your monetization bypass shows up in logs.

Operational lifecycle: where each documented failure mode hits

The mental model above is the architecture. The diagram below is what runs on every paid request and where the three documented failure modes attach. This diagram is the war-room reference; the prose underneath maps it to the actual incidents.

Diagram 2 - the payment lifecycle and the three documented production failure modes. Steps 4 and 5 are the soft underbelly; the authorization gap is cross-cutting.

Failure mode 1 — Signature verification can fail at the SDK layer even when the protocol is sound

GHSA-qr2g-p6q7-w82m, disclosed March 7, 2026, was a critical signature-verification bypass in the Coinbase x402 SDK affecting Solana payments. The protocol uses Ed25519 signatures for Solana settlements rather than ECDSA, and the facilitator component — which intercepts payment claims, verifies on-chain settlement, and issues cryptographic proofs to the resource server - was incorrectly accepting malformed or replayed signatures as valid. An attacker could craft a follow-up request with a spoofed PAYMENT-SIGNATURE header, the facilitator would validate it, the SDK would generate an x402 token, and the resource server would deliver the premium response without funds ever moving on-chain.

The fix shipped in npm 2.6.0, Python 2.3.0, and Go 2.5.0. The lesson is structural: a cryptographically sound protocol design can harbor implementation-level vulnerabilities in its SDK, and x402 is still rapidly evolving — production deployments must maintain rigorous SDK version management and security advisory monitoring. The same analysis notes the V2 release in December 2025 introduced new attack surfaces — dynamic payTo means recipient manipulation, sessions mean session hijacking, plugins mean supply chain attacks. The fix isn’t to avoid V2; it’s to match V2’s flexibility with equally granular security policies.

Failure mode 2 — Settlement timing creates a paid-but-not-delivered failure mode

The second failure mode is documented as Issue #1062 in the x402 repository and affects every agent running on Base through the Coinbase-hosted facilitator. The root cause is a timing mismatch in the settlement layer — the facilitator assumes blockchain settlement completes faster than it actually does under load, the off-chain verification step succeeds, but the on-chain transaction times out before the resource server returns. The wallet is debited, the service is not delivered, and the protocol does not specify a recovery path.

The same independent analysis flags a deeper structural issue. The gap between off-chain verification and on-chain settlement enables scenarios where payment processes but service is not delivered, and this remains unresolved in x402 v2 released December 11, 2025. An academic paper from March 2026 - A402: Atomic Payments for the x402 Protocol - proposes a TEE-plus-adaptor-signature solution to close the atomicity gap, but it isn’t in either protocol yet. MPP partially avoids this specific failure mode by baking idempotency, expiration, and request-body binding into the protocol spec itself, which is the strongest engineering argument for MPP regardless of which settlement rail you ultimately use.

Failure mode 3 — MPP solves payment execution; it does not solve authorization

The third failure mode isn’t a bug - it’s an architectural gap protocol specs explicitly punt to a layer above them. MPP gives agents a clean payment lifecycle. It does not give the merchant cryptographic proof of who authorized the payment, under what policy, with what constraints. At one agent making one payment, this is manageable. At a hundred agents each making fifty payments an hour, you have five thousand payment decisions per hour that each need an audit trail tying back to a user mandate. Without a structured authorization layer, you reconstruct decision chains from logs scattered across systems after the fact.

AP2 was designed for this slot. The protocol chains three cryptographically signed mandates - Intent (user delegates authority), Cart (user approves a specific cart at a specific price), and Payment (the network sees a derived credential) - and the chain provides the non-repudiable audit trail. But AP2 has its own gaps production teams should know about. AP2 binds a mandate to a user’s identity through their signing key, not to an agent’s identity. A compromised agent can still produce a mandate-signing prompt that fools the user, and the user’s signature on the resulting cart is valid even though the agent acted maliciously. Agent identity attestation has to come from a separate protocol. Skyfire’s KYA is one approach, before the mandate chain holds up. And cryptographic mandates are non-repudiable by design, which is the security feature, but there is no in-protocol mechanism for the user to revoke an Intent Mandate before its TTL expires; revocation depends on the credential provider or wallet enforcing it outside AP2.

Protocol selection: a decision matrix

The “which protocol” question has a layer-by-layer answer, not a single-bet answer. The table below maps the common workload shapes a senior engineer will encounter to the protocol stack that actually fits.

Workload Authorization Discovery Settlement Rails Pay-per-call API monetization (simple) None required MCP server discovery x402 charge USDC on Base Pay-per-call API monetization (enterprise) AP2 Intent mandate MCP server discovery MPP charge Tempo or SPT (fiat) Streaming / per-token billing AP2 Intent mandate MCP server MPP session Tempo Multi-hour agent task with mixed services AP2 Intent mandate MCP + ACP MPP session + x402 charge Tempo + Base Agent-led e-commerce checkout AP2 Intent + Cart mandate ACP SPT via MPP Stripe rails (fiat) Free tier funded by attention monetization None Ad network (e.g., ZeroClick) None Advertiser CPC

A few things to read off this table. First, the authorization column is mostly “AP2 Intent mandate” - that’s where production deployments are converging. Second, the settlement column splits cleanly between charge and session intents based on whether the unit of work is discrete or streaming. Third, the rails column rarely needs to be a single bet; MPP is method-agnostic at the protocol level, so the same endpoint can accept Tempo, SPT, or Lightning without forking the route handler. Fourth, the bottom row (ad-supported monetization) is a different economic flow entirely — not “agent pays service” but “service earns from agent traffic via advertisers” — and senior engineers building free-tier consumer-facing agent products will need to design for it explicitly.

ZeroClick is the relevant example on the bottom row. The platform launched in August 2025 with $55 million from the investor group that backed Honey’s $4 billion PayPal exit and runs a CPC ad marketplace where matched advertiser context is surfaced into AI responses. It does not run on MPP or x402, and confusing the ad layer with the payment layer is a common architectural mistake. They are different layers of the same emerging stack — both serve agent commerce, both sit above settlement, both are unstandardized in ways the payment protocols no longer are. Mature AI products will run both: ad-supported free tier funded by the discovery-layer ad network, paid premium tier settled through MPP or x402.

The architectural idea: session intents

If a senior engineer building agent infrastructure remembers one architectural decision from this domain, it’s the session intent. Charge intents are one-shot — one request, one payment, one response, equivalent to x402’s exact flow and backwards-compatible with existing 402 implementations. They work for “fetch this report” or “send this email” — anywhere the unit of work matches the unit of payment.

Session intents are different. The agent deposits funds into an escrow contract once, then makes thousands of subsequent micropayment requests using signed vouchers, without hitting the blockchain on every call. The server validates each voucher locally against the escrow without going back on-chain. The economics flip from per-call chain fees to per-session amortized cost, and the protocol enables payments as small as $0.0001 per request with sub-100ms latency. When the session closes, all micro-interactions batch-settle into a single on-chain transaction with unused funds refunded.

This matters because LLM agent workloads have a usage shape no prior payment rail addressed. A multi-hour agent run consumes API calls across half a dozen services, each priced per-token. Settling each call as a separate charge multiplies signature overhead. Settling at task completion forces the service to extend credit. Streaming MPP runs a continuous debit against a prepaid balance with finality checkpoints so neither side carries open exposure for long. At Sessions 2026, Stripe added streaming payments as a first-class MPP primitive — the wire-level mechanism for per-token billing, settled on Tempo with sub-second finality.

For any service whose pricing model is “per token consumed,” “per second of compute,” or “per row of data returned,” the session primitive is the only economically sane settlement layer in production today. For any service whose unit of work is discrete and atomic, charge intents are fine and x402 is probably the more permissionless choice.

Production readiness checklist

A senior engineer about to ship an agent that spends money should be able to check off each of the following before deploying. None of these are theoretical; each maps to a documented production failure mode or an architectural lesson from a deployed system.

1. Spending controls enforced below the agent, not inside it. AgentCore’s pattern of session-level spending limits enforced deterministically at the infrastructure layer is the correct architecture. Whether you build this yourself or adopt AgentCore, the agent must not see private keys, must not be able to lift its own limits, and the limits must expire on a clock.

2. Chain allowlist and per-endpoint amount caps in the agent’s payment middleware. Standardized identifiers are great until an attacker exploits the standardization — a malicious 402 response can redirect your agent from Base to Ethereum mainnet at 100x the gas cost. Whitelist the chains your agent is configured to operate on, validate per-endpoint, flag any chain identifier the agent hasn’t seen in that context.

3. Session scoping. An agent doing data lookups should not also be able to book hotels. Per-session, per-domain, per-task scoping limits the blast radius of any single compromised session.

4. Stateless 402 challenges where possible. Parallel’s HMAC-of-parameters challenge ID is the production pattern. The gateway can horizontally scale, restart cleanly, and survive a database outage without dropping in-flight requests. If you’re issuing stateful challenges, you’re carrying operational complexity that doesn’t have to exist.

5. Two rails, one route handler. Parallel’s gateway runs Tempo and x402 through the same middleware; the route handler doesn’t know which rail the caller used. The abstraction boundary is at the middleware, not the route. You can add or retire a rail without touching the routes. Most teams build this in the wrong place on the first try.

6. Full payment-lifecycle observability tied back to authorization. Logs of “agent X paid $0.12 to service Y at time T” are receipts. What you need is an audit trail tying that payment back to the user mandate that authorized it, the policy that bounded it, and the alternatives the agent evaluated. Receipt and audit trail are different artifacts.

7. SDK version pinning tied to security advisory review. The GHSA bypass will not be the last. Treat the x402 GitHub Security Advisories feed and the MPP IETF draft updates as inputs to your dependency review process, not as side channels. Pin SDK versions; tie upgrades to a formal advisory review.

8. Discovery endpoint that documents itself. Parallel’s GET /api endpoint returns a JSON document with every endpoint, its price, the request body schema, and ready-to-paste mppx commands. Pricing constants live in a single config module that feeds the middleware, the route handlers, and the discovery JSON. There is no version of the truth that disagrees with another version of the truth. This is how an agent-native API documents itself.

The architectural decisions are now, and the protocols won’t wait

The protocols are stabilizing faster than most teams expect. MPP went from launch to AWS-managed primitive in seven weeks. The x402 Bazaar lists ten thousand endpoints. AP2 has sixty-plus partners. The four-layer stack — authorization, discovery, settlement, rails — has settled into something stable enough to design against, even though specific protocol choices within each layer will keep shifting through 2026.

What hasn’t stabilized is the operational discipline. Most teams shipping agent-payment integrations today are doing it the way teams shipped database access in 2008 — get it working, then add controls later. That worked for databases because the failure mode was a slow query. The failure mode for an under-controlled agent payment system is your agent draining its session limit to an attacker who manipulated the recipient address, or paying for a resource that never delivered, or making a payment your compliance team can’t trace back to an authorization. These failure modes are documented in production. They have CVE numbers and GitHub issues.

The architects who win this transition are the ones treating the agent-payment surface the way mature finance teams treat payments: as a regulated domain with deterministic controls, audited authorization chains, and incident response built in from day one. The protocols are open and the SDKs are free. The discipline is the bottleneck.

Two of the most expensive mistakes a senior engineer can make in the next six months are betting on a single protocol and treating payments as plumbing rather than policy. The four-layer stack composes; pick the layer-appropriate primitive, build the abstraction boundary so you can swap settlements, and ship the controls before you ship the integration.