Control objective
No single system contains the complete truth
Agentic payments create records in several systems. The agent platform records intent, mandate, policy decision, and execution attempt. The merchant records the order and fulfillment. A facilitator or processor records verification and submission. The payment rail records authorization, settlement, or reversal. Finance records journal entries, fees, and treasury movement. Support may record refunds and disputes. Each can be internally correct while the end-to-end transaction remains inconsistent.
Reconciliation compares these records using stable business and external identifiers. Its purpose is not merely to total daily volume. It should detect an allowed decision with no payment attempt, a payment with no merchant order, duplicate settlement for one intent, a fulfilled order with unknown payment, a refund accepted but not credited, or fees and asset amounts that do not match accounting. The result is an exception with an owner and recovery path, not an unexplained spreadsheet difference.
A rail confirmation answers what the rail recorded. Reconciliation answers whether the complete commercial and accounting story agrees.
Match by identifiers, amounts, state, and time
The strongest match begins with identifiers intentionally propagated through the lifecycle: internal transaction, order, mandate, policy decision, idempotency key, merchant payment, processor or facilitator reference, and rail transaction. Amount, currency or asset, destination, and time are supporting controls, not substitutes for identifiers. Fuzzy matching by amount and timestamp can associate unrelated machine payments when agents transact frequently or use repeated prices.
Normalize values without erasing the originals. Record requested, authorized, submitted, settled, refunded, and fee amounts separately. Preserve asset precision, network, exchange-rate source, and rounding method. Time-based windows should account for batch settlement, finality, webhook delay, and merchant processing behavior. A transaction can be pending within its expected window without being an exception; the same state becomes actionable when the owning system's deadline passes.
| Comparison | Expected relationship | Example exception |
|---|---|---|
| Decision to execution | One allowed action produces at most one economic attempt | Allowed but never submitted, or duplicated attempts |
| Order to payment | Seller, amount, asset, and status correspond | Settled payment without accepted order |
| Processor to rail | Submitted reference reaches an explainable rail state | Processor success with missing settlement |
| Payment to fulfillment | Commercial delivery follows the paid order | Settled but unfulfilled purchase |
| Refund to credit | Approved remediation reaches the principal | Merchant says refunded, rail has no credit |
| Operations to books | Gross, fees, net, and asset balances agree | Unbooked fee or valuation difference |
Turn mismatches into controlled recovery workflows
Every exception class needs severity, owner, deadline, safe automated action, and escalation path. An unknown payment after timeout should trigger status retrieval with the original identifier, not a new charge. A duplicate submission may require holding fulfillment while both statuses are verified. A settled but unfulfilled order belongs with merchant operations and may require refund initiation. An unmatched inbound refund belongs with finance and support until it is mapped to the principal.
Automation should repair only when evidence is unambiguous and the action is idempotent. Retrieving status, replaying a missed internal event, or attaching a verified external reference can be safe. Issuing a second payment, resubmitting a refund, or changing a ledger entry may create a new economic effect and should require stronger controls. Record the evidence, policy, and actor behind every repair so reconciliation does not become an unaudited route around the original authorization boundary.
- Retry reads and idempotent state synchronization before retrying any money-moving command.
- Quarantine conflicting records instead of choosing the most convenient source as truth.
- Link compensating payments and refunds to the original transaction rather than overwriting it.
- Require approval for manual adjustments that change customer, merchant, or treasury balances.
- Close an exception only when the resulting commercial and accounting states are explainable.
Reconcile continuously and close the period deliberately
Event-driven checks catch many problems near real time: a webhook can verify expected amount and identifiers, and a fulfillment event can require a settled or authorized payment state. Scheduled reconciliation still matters because events can be permanently lost and external systems may revise status. Run cadence by risk and rail behavior—frequent checks for unresolved high-impact states, daily operational matching, and formal accounting close where required—without assuming one timing policy fits every network.
The control itself needs monitoring. Track source completeness, delayed files or APIs, unmatched records, aging exceptions, repeated manual adjustments, and reconciliation jobs that succeed without processing expected volume. Do not publish arbitrary universal thresholds; establish baselines and limits from the actual use case, settlement schedule, and loss tolerance. When a source is unavailable, mark the period incomplete rather than reporting a clean match from partial data.
- Name the authoritative source for each state while preserving conflicting observations.
- Version matching logic and replay prior periods before deploying material rule changes.
- Separate operational reconciliation from accounting attestation while connecting their identifiers.
- Sample matched transactions as well as exceptions so a systematically wrong rule is detectable.
- Preserve reports, source snapshots, repairs, approvals, and unresolved items for audit and incident review.
Source discipline
Primary sources
Product status and protocol behavior are checked against maintainer documentation. Company sources establish what their organizations publish; they do not independently prove adoption or performance.
- How x402 worksCoinbase Developer Platform ↗
- The x402 facilitatorCoinbase Developer Platform ↗
- x402 frequently asked questionsCoinbase Developer Platform ↗
- Agentic commerceStripe Documentation ↗
- Shared payment tokensStripe Documentation ↗
- Payment Card Industry Data Security StandardPCI Security Standards Council ↗
- Virtual assetsFinancial Action Task Force ↗