01

Control objective

No single system contains the complete truth

Agentic payments create records in several systems. The agent platform records intent, mandate, policy decision, and execution attempt. The merchant records the order and fulfillment. A facilitator or processor records verification and submission. The payment rail records authorization, settlement, or reversal. Finance records journal entries, fees, and treasury movement. Support may record refunds and disputes. Each can be internally correct while the end-to-end transaction remains inconsistent.

Reconciliation compares these records using stable business and external identifiers. Its purpose is not merely to total daily volume. It should detect an allowed decision with no payment attempt, a payment with no merchant order, duplicate settlement for one intent, a fulfilled order with unknown payment, a refund accepted but not credited, or fees and asset amounts that do not match accounting. The result is an exception with an owner and recovery path, not an unexplained spreadsheet difference.

A rail confirmation answers what the rail recorded. Reconciliation answers whether the complete commercial and accounting story agrees.
02

Match by identifiers, amounts, state, and time

The strongest match begins with identifiers intentionally propagated through the lifecycle: internal transaction, order, mandate, policy decision, idempotency key, merchant payment, processor or facilitator reference, and rail transaction. Amount, currency or asset, destination, and time are supporting controls, not substitutes for identifiers. Fuzzy matching by amount and timestamp can associate unrelated machine payments when agents transact frequently or use repeated prices.

Normalize values without erasing the originals. Record requested, authorized, submitted, settled, refunded, and fee amounts separately. Preserve asset precision, network, exchange-rate source, and rounding method. Time-based windows should account for batch settlement, finality, webhook delay, and merchant processing behavior. A transaction can be pending within its expected window without being an exception; the same state becomes actionable when the owning system's deadline passes.

Core reconciliation comparisons
ComparisonExpected relationshipExample exception
Decision to executionOne allowed action produces at most one economic attemptAllowed but never submitted, or duplicated attempts
Order to paymentSeller, amount, asset, and status correspondSettled payment without accepted order
Processor to railSubmitted reference reaches an explainable rail stateProcessor success with missing settlement
Payment to fulfillmentCommercial delivery follows the paid orderSettled but unfulfilled purchase
Refund to creditApproved remediation reaches the principalMerchant says refunded, rail has no credit
Operations to booksGross, fees, net, and asset balances agreeUnbooked fee or valuation difference
03

Turn mismatches into controlled recovery workflows

Every exception class needs severity, owner, deadline, safe automated action, and escalation path. An unknown payment after timeout should trigger status retrieval with the original identifier, not a new charge. A duplicate submission may require holding fulfillment while both statuses are verified. A settled but unfulfilled order belongs with merchant operations and may require refund initiation. An unmatched inbound refund belongs with finance and support until it is mapped to the principal.

Automation should repair only when evidence is unambiguous and the action is idempotent. Retrieving status, replaying a missed internal event, or attaching a verified external reference can be safe. Issuing a second payment, resubmitting a refund, or changing a ledger entry may create a new economic effect and should require stronger controls. Record the evidence, policy, and actor behind every repair so reconciliation does not become an unaudited route around the original authorization boundary.

  • Retry reads and idempotent state synchronization before retrying any money-moving command.
  • Quarantine conflicting records instead of choosing the most convenient source as truth.
  • Link compensating payments and refunds to the original transaction rather than overwriting it.
  • Require approval for manual adjustments that change customer, merchant, or treasury balances.
  • Close an exception only when the resulting commercial and accounting states are explainable.
04

Reconcile continuously and close the period deliberately

Event-driven checks catch many problems near real time: a webhook can verify expected amount and identifiers, and a fulfillment event can require a settled or authorized payment state. Scheduled reconciliation still matters because events can be permanently lost and external systems may revise status. Run cadence by risk and rail behavior—frequent checks for unresolved high-impact states, daily operational matching, and formal accounting close where required—without assuming one timing policy fits every network.

The control itself needs monitoring. Track source completeness, delayed files or APIs, unmatched records, aging exceptions, repeated manual adjustments, and reconciliation jobs that succeed without processing expected volume. Do not publish arbitrary universal thresholds; establish baselines and limits from the actual use case, settlement schedule, and loss tolerance. When a source is unavailable, mark the period incomplete rather than reporting a clean match from partial data.

  • Name the authoritative source for each state while preserving conflicting observations.
  • Version matching logic and replay prior periods before deploying material rule changes.
  • Separate operational reconciliation from accounting attestation while connecting their identifiers.
  • Sample matched transactions as well as exceptions so a systematically wrong rule is detectable.
  • Preserve reports, source snapshots, repairs, approvals, and unresolved items for audit and incident review.

Source discipline

Primary sources

Product status and protocol behavior are checked against maintainer documentation. Company sources establish what their organizations publish; they do not independently prove adoption or performance.

  1. How x402 worksCoinbase Developer Platform
  2. The x402 facilitatorCoinbase Developer Platform
  3. x402 frequently asked questionsCoinbase Developer Platform
  4. Agentic commerceStripe Documentation
  5. Shared payment tokensStripe Documentation
  6. Payment Card Industry Data Security StandardPCI Security Standards Council
  7. Virtual assetsFinancial Action Task Force