Operating model
Model the transaction beyond payment success
The agentic payments lifecycle begins before a rail request exists. A principal expresses an intent, the system normalizes constraints, and an agent discovers or constructs candidate orders. Policy evaluates a frozen order against a mandate. Only then should a credential be issued or a payment instruction signed. After submission, the rail may accept, reject, remain pending, or settle. The merchant may separately accept the order, fulfill it, modify it, cancel it, or issue a refund.
Collapsing these events into `paid=true` creates operational ambiguity. A card authorization is not capture; a submitted onchain transaction is not confirmation; confirmed settlement is not delivery; delivery is not the end of refund or dispute rights. Each subsystem owns a different state machine. The platform should join them through identifiers while preserving their distinctions, rather than forcing every event into one optimistic status label.
| Stage | State transition | Durable evidence |
|---|---|---|
| Intent | Goal captured and constraints normalized | Intent record and authenticated principal |
| Selection | Candidate becomes a frozen order | Order snapshot, seller, terms, hash |
| Authorization | Policy allows, denies, or steps up | Mandate, decision, reasons, expiry |
| Execution | Credential presented and rail request submitted | Idempotency key, request digest, rail reference |
| Settlement | Value movement reaches a rail-defined state | Verified status, amount, asset, destination |
| Assurance | Fulfillment, reconciliation, and recourse resolve | Receipt, delivery, refund, dispute, case history |
Assume every boundary is asynchronous
Merchant APIs, facilitators, processors, banks, and blockchains can accept work before the final result is known. Connections fail after a remote system commits, webhooks arrive late or twice, and status endpoints temporarily disagree. A timeout is therefore an unknown result, not a failed payment. Retrying with a new identifier can create duplicate value movement while the first request completes out of view.
Use a stable idempotency key derived from the intended economic action, not from each network attempt. Persist the request and transition to an explicit submitted or unknown state before calling the external rail. On timeout, query status with the same identifiers and reconcile rather than initiating a fresh payment. Authenticate webhooks, deduplicate delivery identifiers, and make handlers safe to repeat. x402 facilitators and conventional processors differ in mechanics, but the uncertainty pattern is common to distributed payments.
- Persist intent, order, policy decision, and idempotency key before external execution.
- Represent pending and unknown as first-class states; do not convert them to failure for UI convenience.
- Verify callback authenticity and retrieve authoritative status when an event is incomplete or suspicious.
- Apply each external event once while retaining duplicate delivery records for diagnosis.
- Expire abandoned attempts deliberately and document whether they can still settle later.
Carry business identifiers across protocol handoffs
A lifecycle becomes explainable when operators can traverse it in both directions. Starting from a user complaint, they should find the principal, intent, order, mandate, policy decision, credential, payment, merchant fulfillment, and any refund. Starting from a rail transaction or facilitator reference, they should find the same story. This requires a stable internal transaction identifier plus stored mappings to every external identifier; a model trace or blockchain hash alone does not cover the whole chain.
Mappings should be append-only and typed. Record which system issued an identifier, when the mapping was learned, and whether it was verified or merely asserted. Keep external payload digests so a later status can be matched to the original request without retaining unnecessary secrets. Protocol artifacts such as AP2 mandates, x402 payment challenges, checkout sessions, and network tokens should attach to the lifecycle stage they support instead of becoming the top-level transaction record.
A transaction identifier is useful when support, security, finance, and engineering can use it to reach the same evidence without sharing sensitive credentials.
Define terminal states from the principal's perspective
Technical systems often declare success at their own boundary. The principal cares whether the intended outcome occurred on acceptable terms. A commercially complete transaction may require settled value, accepted order, fulfilled resource, correct quantity, valid receipt, and remaining recourse. A technically settled payment with failed fulfillment is an exception requiring recovery, not a completed customer outcome. Conversely, a canceled order with a verified refund may be a successful remediation even though the purchase failed.
Define terminal states and ownership for each unresolved combination: authorized but never submitted, submitted but unknown, settled but unfulfilled, fulfilled but unreconciled, refunded but not credited, disputed, expired, and abandoned. Set review schedules based on rail and merchant behavior rather than one universal timer. The lifecycle should end only when the system can explain the outcome, remaining obligations, and next actor responsible for action.
- Name the authoritative system for payment, order, fulfillment, refund, and dispute state.
- Document which transitions are reversible and which require a compensating action.
- Route unresolved state combinations to an owned queue rather than hiding them in logs.
- Show users the distinction between submitted, settled, delivered, and refunded in plain language.
- Preserve final evidence according to legal, accounting, privacy, and support requirements.
Source discipline
Primary sources
Product status and protocol behavior are checked against maintainer documentation. Company sources establish what their organizations publish; they do not independently prove adoption or performance.
- Announcing Agent Payments Protocol (AP2)Google Cloud ↗
- Agent Payments Protocol repositoryGoogle Agentic Commerce ↗
- How x402 worksCoinbase Developer Platform ↗
- The x402 facilitatorCoinbase Developer Platform ↗
- Agentic commerceStripe Documentation ↗
- Integrate the Agentic Commerce ProtocolStripe Documentation ↗
- Trusted Agent Protocol overviewVisa Developer Center ↗