§1 The bit everyone is looking at is the wrong bit
Two things happened in agentic commerce this past week, and the coverage has the emphasis backwards. Google announced it is donating the Agent Payments Protocol (AP2) to the FIDO Alliance, and it shipped the Universal Commerce Protocol (UCP) as the open commerce layer that rides on top of it. The headlines went to the shopping experience: a Universal Cart that follows you across Search, Gemini, YouTube and Gmail, agents that buy limited-release tickets the moment they drop. That is the spectacle. The substrate is the thing underneath it that nobody screenshots: a cryptographically signed record of who authorised what, for how much, and within what limits.
If you are building consumer shopping, the cart is the story. If you are selling agents into a Local Authority, an FCA-supervised fund or an NHS trust, the cart is irrelevant and the mandate is the only thing your buyer's risk function will ask about. This Note is about that gap.
§2 What a mandate actually is
AP2 was announced on 16 September 2025 with more than 60 launch partners, including Mastercard, PayPal, Coinbase, American Express and Salesforce. Its core idea is small and good: every agent purchase is represented as three signed Mandates.
- Intent Mandate — what the user authorised the agent to do, and the boundaries on it ("book a hotel under £200 in Lisbon next month").
- Cart Mandate — what the agent actually assembled to fulfil that intent, before money moves.
- Payment Mandate — the signed record handed to the payment network and issuer: the amount to be charged, plus the signal that an agent initiated the transaction and whether the human was present when it did.
Each is a verifiable digital credential, signed with the issuing party's key. The chain is tamper-evident rather than tamper-proof: a signature does not stop anyone editing a record, it makes any edit detectable. The ordering is what stops anyone later claiming the user asked for something they did not: the Intent Mandate is signed and timestamped before the Cart Mandate exists, and a verifier should insist that the Cart refers to the specific Intent it fulfils, since a timestamp inside a credential is only the signer's own assertion. The April 2026 release (v0.2.0) added "Human Not Present" payments, where an agent transacts without the user in the loop at the moment of purchase, which is exactly the case where a defensible authorisation record stops being a nicety and becomes the whole game.
Strip away the commerce framing and what AP2 describes is a general pattern for delegated authority with an audit trail. The purchase is the worked example. The structure applies to any action an agent takes on a person's behalf where someone, later, might need to prove what was authorised.
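A worked example of that pattern, added here as an illustration and not code from AP2, Google or Workloft: three mandates as signed records, each later one bound to the parent it fulfils, and the checks a verifier runs before trusting the chain. The field names, the did:example identifiers, the sample amounts and the struct layout are this example's own assumptions; Go's deterministic struct marshalling stands in for the JCS canonicalisation an eddsa-jcs-2022 proof uses, and the issuer public keys are handed to the verifier directly rather than resolved from a DID document.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Mandate is a simplified stand-in for an AP2 mandate; the field names are this example's, not the AP2 schema.
type Mandate struct {
	Type        string    `json:"type"`                // IntentMandate, CartMandate or PaymentMandate
	Issuer      string    `json:"issuer"`              // signer's DID (hypothetical did:example values below)
	IssuedAt    time.Time `json:"issuedAt"`
	Parent      string    `json:"parent,omitempty"`    // Digest of the signed mandate this one fulfils
	AmountPence int       `json:"amountPence"`         // Intent: spending ceiling; Cart and Payment: actual total
	Currency    string    `json:"currency"`
	Signature   string    `json:"signature,omitempty"` // hex Ed25519 signature over canonical()
}

// canonical returns the bytes that get signed; json.Marshal of a struct is deterministic
// (declared field order), which stands in here for the JCS (RFC 8785) step of eddsa-jcs-2022.
func canonical(m Mandate) []byte {
	m.Signature = ""
	b, _ := json.Marshal(m)
	return b
}

// Sign attaches the issuer's Ed25519 signature over the canonical bytes.
func Sign(m Mandate, key ed25519.PrivateKey) Mandate {
	m.Signature = hex.EncodeToString(ed25519.Sign(key, canonical(m)))
	return m
}

// Digest identifies a signed mandate, signature included; a child records it as Parent.
func Digest(m Mandate) string {
	b, _ := json.Marshal(m)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Verify checks signatures, parent links, time order, spend bounds and freshness; maxIntentAge is the deployer's staleness policy.
func Verify(intent, cart, payment Mandate, keys map[string]ed25519.PublicKey, maxIntentAge time.Duration) error {
	for _, m := range []Mandate{intent, cart, payment} {
		pub, ok := keys[m.Issuer]
		sig, err := hex.DecodeString(m.Signature)
		if !ok || err != nil || !ed25519.Verify(pub, canonical(m), sig) {
			return fmt.Errorf("%s: signature does not verify for issuer %s", m.Type, m.Issuer)
		}
	}
	if cart.Parent != Digest(intent) || payment.Parent != Digest(cart) {
		return fmt.Errorf("chain link broken: a mandate does not reference the one it fulfils")
	}
	age := cart.IssuedAt.Sub(intent.IssuedAt)
	if age <= 0 || !payment.IssuedAt.After(cart.IssuedAt) {
		return fmt.Errorf("mandates are not in intent, cart, payment time order")
	}
	if cart.Currency != intent.Currency || cart.AmountPence > intent.AmountPence {
		return fmt.Errorf("cart %d %s exceeds authorised %d %s", cart.AmountPence, cart.Currency, intent.AmountPence, intent.Currency)
	}
	if payment.AmountPence != cart.AmountPence || payment.Currency != cart.Currency {
		return fmt.Errorf("payment does not match the cart it claims to settle")
	}
	if age > maxIntentAge {
		return fmt.Errorf("intent was %s old when exercised; policy allows %s", age, maxIntentAge)
	}
	return nil
}

// SampleChain builds a constructed chain signed by three freshly generated parties with hypothetical DIDs
// (the cart is issued gap after the intent and totals cartPence) and returns the public keys a verifier holds.
func SampleChain(gap time.Duration, cartPence int) (intent, cart, payment Mandate, keys map[string]ed25519.PublicKey) {
	keys, priv := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, did := range []string{"did:example:user", "did:example:merchant", "did:example:psp"} {
		keys[did], priv[did], _ = ed25519.GenerateKey(rand.Reader)
	}
	sign := func(m Mandate) Mandate { return Sign(m, priv[m.Issuer]) }
	t0 := time.Date(2026, 4, 20, 9, 0, 0, 0, time.UTC) // "a hotel under £200": the ceiling is 20000 pence
	intent = sign(Mandate{Type: "IntentMandate", Issuer: "did:example:user", IssuedAt: t0, AmountPence: 20000, Currency: "GBP"})
	cart = sign(Mandate{Type: "CartMandate", Issuer: "did:example:merchant", IssuedAt: t0.Add(gap),
		Parent: Digest(intent), AmountPence: cartPence, Currency: "GBP"})
	payment = sign(Mandate{Type: "PaymentMandate", Issuer: "did:example:psp", IssuedAt: t0.Add(gap + time.Minute),
		Parent: Digest(cart), AmountPence: cartPence, Currency: "GBP"})
	return
}

func main() {
	intent, cart, payment, keys := SampleChain(2*time.Hour, 18500)
	fmt.Println("valid chain:", Verify(intent, cart, payment, keys, 72*time.Hour))
	tampered := cart // total raised after signing: the signature no longer covers the record
	tampered.AmountPence = 25000
	fmt.Println("edited cart:", Verify(intent, tampered, payment, keys, 72*time.Hour))
	intent, cart, payment, keys = SampleChain(96*time.Hour, 18500) // Monday intent exercised on Friday
	fmt.Println("stale intent:", Verify(intent, cart, payment, keys, 72*time.Hour))
}
```

Verify refuses four distinct things, and the error text says which: a record edited after signing, a Cart that does not reference this Intent, a Cart validly signed but above the Intent's ceiling or in a different currency, and an Intent that was too old when exercised. The last is the Monday-to-Friday question the signatures cannot answer; only the policy value passed in does.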
§3 Why the FIDO donation is the real news
A protocol owned by one company, however many partners it lists, is a vendor decision. A protocol stewarded by the FIDO Alliance, the body behind passkeys and, jointly with the W3C, WebAuthn, is on a standards track under a governance model regulators already recognise. That is the difference the donation makes, and it is the difference that matters to a compliance buyer.
Here is the mechanism. When a council DPO or a fund's model-risk lead is asked to sign off an agent that acts on a citizen's or client's behalf, their first question is not "is the model accurate". It is "when this thing does something, can we show who authorised it, and can we prove the record has not been altered". Under UK GDPR Article 22, a decision with legal or similarly significant effect taken solely by automated means is allowed only on narrow grounds (contract, legal authorisation or explicit consent) and must come with safeguards, which in practice means a defensible basis and a trail. Under the PRA's SS1/23 model risk management principles (addressed to banks, but the yardstick a UK model-risk function will apply), accountability for a model-driven action has to be locatable to a named owner. A signed mandate chain is a clean answer to both: the Intent Mandate is the documented authorisation, the signature is the integrity guarantee, and a recognised standards body behind the format means the buyer is not betting their compliance posture on a single vendor's roadmap. Two things the same risk function will still ask: a signature proves which key signed, so binding that key to a named person or organisation is a separate control, and the chain is only checkable by someone who can obtain the issuer's public key.
UCP sits above this as the commerce-specific layer: it standardises how surfaces, businesses and payment providers talk to each other, and it is explicitly built to be compatible with AP2 for the payment leg. That layering is the part to hold onto. The commerce protocol is where the product competition will happen. The mandate protocol is where the accountability lives. Two layers, two different audiences, and the regulated audience only cares about the lower one.
§4 Where we sit
Disclosure, because it shapes the view: Workloft has been an AP2 issuer since April 2026. We have a did:web:workloft.ai identity, an Ed25519 keypair, and a mandate generator that mints and signs Intent and Cart Mandates under the eddsa-jcs-2022 cryptosuite. We adopted the format while it was still "Google's V0.1 protocol", before the FIDO move turned it into a standards-track artefact.
We did not do that to sell shopping carts. We did it because every commercial action one of our agents takes (an outbound send that costs money, a billable task, a client-facing transaction) is an action taken on someone's behalf that ought to leave a signed record. The same structure that lets an agent buy concert tickets is the structure that lets a council prove, six months later, that an agent only ever acted inside the authority a human granted it. The payments use case got there first because payments has the clearest dispute model. The audit use case is the larger one, and it is the one regulated buyers will pay for.
So the practical read for anyone building agents for compliance-bound buyers: do not wait for the commerce layer to settle before you adopt the mandate layer. The mandate is the part that does not change when the shopping surface does, and it is the part your buyer's risk function will interrogate. Treat AP2-style signed authorisation as a substrate requirement now, the way you would treat logging or access control, rather than a payments feature you bolt on when you start charging.
§5 What this does not solve
Three honest limitations, because the standard is young and the marketing is loud.
First, a mandate proves authorisation, not good judgement. If an agent acts entirely within a valid Intent Mandate and still produces a bad outcome, the signed chain tells you the action was authorised; it tells you nothing about whether the action was sensible. Liability for in-bounds-but-wrong decisions is unresolved, and no signature fixes it.
Second, "Human Not Present" payments sharpen a consent-freshness problem that regulated contexts cannot wave away. An Intent Mandate granted on Monday and exercised on Friday is cryptographically valid, but whether the consent is still meaningful is a governance question the protocol deliberately does not answer. For an Article 22 decision, stale-but-signed may not be good enough, and that is a policy each deployer has to set.
Third, the supporting infrastructure is still maturing. Mandate revocation, DID resolution and the dispute and chargeback flow for agent-initiated transactions are thinner than the signing story. We run single-sided today: we sign, and until our DID document is fully resolvable by external verifiers, third parties cannot independently check our mandates. The standardisation removes the vendor-risk objection; it does not yet remove the plumbing work.
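The resolution step that paragraph calls plumbing, as an added example that is not Workloft's code and resolves a hypothetical issuer rather than workloft.ai: map a did:web identifier to the HTTPS location of its DID document using the did:web method's rules, then accept only the Ed25519 keys the document lists under assertionMethod, since a key published for authentication is not a key the controller has authorised for signing credentials. The DID document is constructed inline with placeholder key bytes so the example runs offline; a real verifier would fetch it over HTTPS, check the certificate, and cache it with a TTL.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// DIDWebURL maps a did:web identifier to the HTTPS location of its DID document using the did:web
// method's rules: colon-separated path segments, a bare domain resolving to /.well-known/did.json,
// and a port in the domain percent-encoded as %3A inside the DID.
func DIDWebURL(did string) (string, error) {
	const prefix = "did:web:"
	if !strings.HasPrefix(did, prefix) {
		return "", fmt.Errorf("not a did:web identifier: %s", did)
	}
	parts := strings.Split(strings.TrimPrefix(did, prefix), ":")
	host, err := url.PathUnescape(parts[0]) // "issuer.example%3A8443" -> "issuer.example:8443"
	if err != nil || host == "" {
		return "", fmt.Errorf("bad host in %s", did)
	}
	if len(parts) == 1 {
		return "https://" + host + "/.well-known/did.json", nil
	}
	return "https://" + host + "/" + strings.Join(parts[1:], "/") + "/did.json", nil
}

// didDocument is the subset of a DID document a mandate verifier needs.
type didDocument struct {
	ID                 string `json:"id"`
	VerificationMethod []struct {
		ID           string `json:"id"`
		Controller   string `json:"controller"`
		PublicKeyJwk struct {
			Kty string `json:"kty"`
			Crv string `json:"crv"`
			X   string `json:"x"`
		} `json:"publicKeyJwk"`
	} `json:"verificationMethod"`
	AssertionMethod []string `json:"assertionMethod"`
}

// AssertionKeys parses a fetched DID document and returns the Ed25519 keys its controller has
// authorised for signing assertions such as credentials, keyed by verification-method id.
// Keys listed only for other purposes (e.g. authentication) are deliberately excluded.
func AssertionKeys(did string, doc []byte) (map[string]ed25519.PublicKey, error) {
	var d didDocument
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	if d.ID != did {
		return nil, fmt.Errorf("document id %q does not match resolved DID %q", d.ID, did)
	}
	allowed := map[string]bool{}
	for _, id := range d.AssertionMethod {
		allowed[id] = true
	}
	keys := map[string]ed25519.PublicKey{}
	for _, vm := range d.VerificationMethod {
		jwk := vm.PublicKeyJwk
		if !allowed[vm.ID] || vm.Controller != did || jwk.Kty != "OKP" || jwk.Crv != "Ed25519" {
			continue
		}
		raw, err := base64.RawURLEncoding.DecodeString(jwk.X)
		if err != nil || len(raw) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("%s: malformed Ed25519 key", vm.ID)
		}
		keys[vm.ID] = ed25519.PublicKey(raw)
	}
	if len(keys) == 0 {
		return nil, fmt.Errorf("%s: no usable Ed25519 assertion key", did)
	}
	return keys, nil
}

// SampleDoc is a constructed DID document for the hypothetical issuer did:web:issuer.example, with
// placeholder key bytes: key-1 may sign assertions, key-2 is authentication-only and must be ignored.
const SampleDoc = `{
  "id": "did:web:issuer.example",
  "verificationMethod": [
    {"id": "did:web:issuer.example#key-1", "type": "JsonWebKey2020", "controller": "did:web:issuer.example",
     "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE"}},
    {"id": "did:web:issuer.example#key-2", "type": "JsonWebKey2020", "controller": "did:web:issuer.example",
     "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": "AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI"}}
  ],
  "assertionMethod": ["did:web:issuer.example#key-1"],
  "authentication": ["did:web:issuer.example#key-2"]
}`

func main() {
	u, _ := DIDWebURL("did:web:issuer.example")
	fmt.Println("fetch over HTTPS:", u) // offline here: the document above stands in for the response
	keys, err := AssertionKeys("did:web:issuer.example", []byte(SampleDoc))
	fmt.Println(len(keys), "assertion key(s) accepted, err:", err)
}
```

The keys this returns are what an external verifier would feed into the mandate checks: until the document at that URL is served and lists the signing key under assertionMethod, a third party has nothing to verify a signature against, which is the single-sided position the paragraph above describes. Note the two rejections that matter in practice: a document whose id does not match the DID that was resolved, and a key the controller published for a different purpose.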
None of that undercuts the core point. The shopping cart is the demo. The signed mandate is the substrate, and the week's real news is that the substrate just moved onto a standards track a regulator will recognise.
