Introduction to Agentic Commerce Protocol (ACP)
The Agentic Commerce Protocol (ACP), launched on September 29, 2025, is production-ready and live in ChatGPT, enabling 700+ million weekly users to purchase products directly in conversation. Co-developed by Stripe and OpenAI, this open-source protocol (Apache 2.0) represents the first standardized approach to AI-driven commerce.
Critical insight for TypeScript developers: ACP is a REST API specification, not an SDK. You implement ACP by building compliant endpoints, not by installing a package.
What ACP Solves and Why It Matters Now
Traditional e-commerce assumes humans browse websites, add items to carts, and manually check out. ACP enables AI agents to facilitate purchases on behalf of users while maintaining merchant control, payment security, and customer relationships. The protocol addresses three fundamental challenges:
Trust
AI agents can now initiate transactions, requiring new fraud detection mechanisms, secure credential handling, and methods to distinguish legitimate automated purchases from malicious bots. ACP'sShared Payment Token ensures credentials never expose raw payment details while providing merchants with fraud signals.
Fragmentation
Without standards, merchants would need custom integrations for ChatGPT, Claude, Copilot, and every emerging AI platform. ACP provides a universal interface—build once, distribute everywhere. Stripe already has early partnerships with Microsoft Copilot, Anthropic, Perplexity, and developer platforms like Vercel, Replit, and Bolt.
Flexibility
The protocol supports diverse commerce models beyond traditional one-time purchases, including subscriptions, usage-based billing, asynchronous "buy for me" capabilities, and planned support for multi-merchant carts.
Architecture: Three Specifications Working Together
ACP comprises three interconnected specs that form a complete commerce flow:
1. Agentic Checkout Spec
Defines REST endpoints merchants implement for checkout session management. Four required endpoints handle creation, updates, completion, and cancellation of checkout sessions. Each response returns rich checkout state including line items, taxes, shipping options, and totals.
2. Delegated Payment Spec
Enables secure payment credential transmission without exposing raw card numbers. Stripe's implementation,Shared Payment Token (SPT), creates programmable, scoped payment grants limited by:
- Specific merchant (your Stripe account ID)
- Specific amount (cannot exceed authorized total)
- Time expiration (typically 1 hour)
3. Product Feed Spec
Structures how businesses share product catalogs with AI agents. Merchants expose product data as structured JSON updated every 15 minutes, including details, variants, availability, and pricing.
ACP and MCP: Understanding the Distinction
ACP (Agentic Commerce Protocol) andMCP (Model Context Protocol) serve different purposes and can be used independently or together.
ACP focuses exclusively on commerce transactions—the checkout flow from product discovery through payment to fulfillment. MCP provides a standardized way for LLMs to connect to tools and data sources of any kind, including but not limited to commerce.
Integration Patterns
- Pattern 1 - ACP-only: Build REST endpoints following OpenAPI specs (most common merchant implementation)
- Pattern 2 - Exposing ACP through MCP: Package your ACP-compliant checkout as MCP tools
- Pattern 3 - MCP for discovery, ACP for checkout: Use MCP servers to expose product catalogs, then hand off to ACP REST endpoints for transactions
- Pattern 4 - Payment provider MCP servers: Stripe, PayPal, and Square offer MCP servers for payment operations
TypeScript Implementation: Building to Spec
There is no dedicated ACP TypeScript SDK. You must build REST endpoints that conform to OpenAPI specifications.
// Generate types using openapi-typescript
npx openapi-typescript \
https://raw.githubusercontent.com/agentic-commerce-protocol/\
agentic-commerce-protocol/main/spec/openapi/openapi.agentic_checkout.yaml \
-o ./types/acp-checkout.tsFour Required REST Endpoints
import express, { Request, Response } from 'express';
import Stripe from 'stripe';
const app = express();
app.use(express.json());
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, {
apiVersion: '2023-10-16',
});
// 1. Create checkout session
app.post('/checkout_sessions', async (req: Request, res: Response) => {
const { items, fulfillment_address } = req.body;
// Verify authorization
const authHeader = req.headers.authorization;
if (!authHeader?.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Unauthorized' });
}
const lineItems = await calculateLineItems(items, fulfillment_address);
const totals = calculateTotals(lineItems);
const session = {
id: generateSessionId(),
status: fulfillment_address ? 'ready_for_payment' : 'pending_address',
currency: 'usd',
payment_provider: {
provider: 'stripe',
supported_payment_methods: ['card', 'apple_pay', 'google_pay'],
},
line_items: lineItems,
fulfillment_address: fulfillment_address,
totals: totals,
};
await saveCheckoutSession(session);
return res.status(201).json(session);
});
// 2. Update checkout session
app.post('/checkout_sessions/:id', async (req: Request, res: Response) => {
const { id } = req.params;
const updates = req.body;
const session = await getCheckoutSession(id);
if (!session) {
return res.status(404).json({ error: 'Session not found' });
}
const updatedSession = await updateCheckoutSession(id, updates);
return res.status(200).json(updatedSession);
});
// 3. Complete checkout with Shared Payment Token
app.post('/checkout_sessions/:id/complete', async (req: Request, res: Response) => {
const { id } = req.params;
const { payment_token } = req.body;
const session = await getCheckoutSession(id);
if (!session) {
return res.status(404).json({ error: 'Session not found' });
}
// Process payment using SPT from agent
const paymentIntent = await stripe.paymentIntents.create({
amount: session.totals.find(t => t.type === 'total')?.amount || 0,
currency: session.currency,
payment_method: payment_token, // Shared Payment Token
confirm: true,
metadata: { checkout_session_id: id },
});
if (paymentIntent.status === 'succeeded') {
await markSessionCompleted(id, paymentIntent.id);
await notifyAgentOrderCreated(id);
return res.status(200).json({
...session,
status: 'completed',
order_id: generateOrderId(),
payment_intent_id: paymentIntent.id,
});
}
return res.status(402).json({
...session,
status: 'payment_failed',
error: 'Payment failed',
});
});
// 4. Cancel checkout session
app.post('/checkout_sessions/:id/cancel', async (req: Request, res: Response) => {
const { id } = req.params;
await cancelCheckoutSession(id);
return res.status(200).json({ status: 'canceled' });
});Security Requirements (Non-Negotiable)
- HTTPS with TLS 1.2+ on port 443 (no HTTP allowed)
- Bearer token authentication on every request
- HMAC signatures for webhook events sent to AI agents
- API versioning via API-Version header (currently 2025-09-29)
Shared Payment Tokens: The Payment Security Mechanism
Stripe's Shared Payment Token (SPT) is ACP's answer to secure, delegated payments. The SPT references a buyer's saved payment method without exposing card numbers:
const paymentIntent = await stripe.paymentIntents.create({
amount: 5000, // $50.00
currency: 'usd',
payment_method: shared_payment_token, // From agent request
confirm: true,
});Human-in-the-Loop: Preventing Unauthorized Purchases
A critical question for any agentic commerce system is:how does it prevent AI agents from making unauthorized purchases?
ACP addresses this through a carefully designed authorization model. When an AI agent facilitates a purchase in ChatGPT, it presents complete checkout details to the user including:
- Item description
- Pricing breakdown
- Shipping costs
- Taxes and total amount
The user must explicitly approve this transaction by clicking a confirmation button before any payment occurs. Only after this human approval does the agent provision a Shared Payment Token.
This isfacilitated commerce, not autonomous commerce. ACP's current design assumes the AI agent helps humans make purchasing decisions rather than making autonomous purchases without oversight.
Getting Started: From Zero to Production
Step 1 - Verify Eligibility
Review requirements at chatgpt.com/merchants. You need an existing commerce backend, product catalog, and either Stripe integration or willingness to implement Delegated Payment Spec. Application approval takes 1-2 weeks.
Step 2 - Study the Specification
Clone the GitHub repository:github.com/agentic-commerce-protocol/agentic-commerce-protocol. Review OpenAPI specs in spec/openapi/ and example payloads in examples/.
Step 3 - Build Product Feed
Create a JSON endpoint following the Product Feed Spec. Include all product details, variants, availability, and pricing. Plan for 15-minute update frequency.
Step 4 - Implement Checkout Endpoints
Build the four REST endpoints (create, update, complete, cancel). Start with basic functionality, then add rich checkout state, shipping calculations, and tax computation.
Step 5 - Integrate Payment Processing
If using Stripe, enabling Shared Payment Tokens is straightforward. For other payment processors, implement token provisioning and verification per the Delegated Payment Spec.
Step 6 - Security and Webhooks
Configure HTTPS, implement Bearer token authentication, and set up webhook signing. Exchange authorization keys with OpenAI during onboarding.
Step 7 - Testing and Certification
Use OpenAI's sandbox environment to test complete flows. Pass conformance checks that verify your implementation meets specification requirements.
Developer Resources
- Official GitHub repository:github.com/agentic-commerce-protocol/agentic-commerce-protocol
- Locus Technologies demo:github.com/locus-technologies/agentic-commerce-protocol-demo (first working reference implementation)
- ACP official site: agenticcommerce.dev
- OpenAI developer docs:developers.openai.com/commerce/
- Stripe documentation:docs.stripe.com/agentic-commerce
Current Limitations
- Geographic restrictions: ChatGPT Instant Checkout is US-only currently
- Single-item purchases only: Multi-item cart support is on the roadmap
- Approval required: Application review is manual (1-2 weeks)
- Payment provider limitations: Stripe is currently the only PSP with production SPT support
- Draft specification status: Expect changes, though backward compatibility is maintained where possible
Looking Ahead: Upcoming Capabilities
Stripe's Product Lead (Jeff Weinstein) confirmed upcoming releases include:
- TypeScript SDKs for easier implementation
- MCP (Model Context Protocol) native support in Agent Toolkit
- Sample applications demonstrating integration patterns
- Test suite for validation and conformance checking
- Comprehensive quickstart guides for common platforms
Planned protocol enhancements:
- Multi-item carts
- Geographic expansion beyond US
- Advanced checkout capabilities (in-store pickup, dynamic pricing)
- Multi-merchant carts
- Asynchronous purchases ("buy for me" background capabilities)
Conclusion: The Shift to Agentic Commerce Is Happening Now
The Agentic Commerce Protocol represents more than a technical specification—it's the infrastructure layer for how commerce will work in an AI-first world. For TypeScript developers, the protocol is accessible, well-documented, and production-ready today.
Key Takeaways
- ACP is a REST API specification, not an SDK—you build endpoints, not call libraries
- Stripe Agent Toolkit is for AI agents, not merchant implementations
- ACP and MCP are complementary protocols that can work together but aren't dependent
- Live implementation in ChatGPT with 700M+ weekly users provides immediate market access
- Open source (Apache 2.0) ensures protocol evolves with community input
- Focus on security from day one—HTTPS, Bearer tokens, webhook signatures are required
The agentic commerce era isn't coming—it's here. With production implementations live and growing platform adoption, TypeScript developers who master ACP now position themselves at the forefront of this fundamental shift in how people discover and purchase products.