A privacy-first comparison of AP2, x402, and MPP for AI-agent payments: authorization, HTTP 402 challenges, settlement rails, logs, wallets, and metadata exposure.
AP2 vs x402 vs MPP: What AI Agent Payment Protocols Reveal
AP2, x402, and MPP solve different parts of the agent-payment problem. None of them removes the privacy problem. They mainly decide how authority, payment instructions, settlement, and receipts move between agents, merchants, wallets, and payment processors.
Privacy frame: agent payments are authority systems. The useful question is not whether a protocol is modern. The useful question is who can spend, who approves, who settles, who stores logs, and how quickly the user can revoke it.
Primary sources
- Google AP2 announcement
- AP2 protocol docs
- Coinbase x402 docs
- Stripe Machine Payments Protocol
- Cloudflare MPP compatibility note
What each layer does
AP2 is mainly an authorization and accountability layer. Its useful privacy question is whether mandates prove user intent without leaking more identity, shopping, or account context than necessary.
x402 turns HTTP 402 into a payment challenge and retry flow. That is clean for APIs and crawlers, but it can expose endpoint, amount, recipient, timing, wallet, facilitator, and retry metadata.
MPP is a machine-payment specification for agents and services to coordinate payments. It can sit close to x402 flows, which means the privacy issues look similar unless the wallet and logs are controlled.
The privacy split
AP2 asks: did the user authorize this transaction, and can participants prove it later? x402 and MPP ask: can a machine pay for this resource programmatically? Those are not the same question.
A signed mandate can be useful evidence. It can also become a durable intent log. A 402 payment challenge can be useful access control. It can also create a list of every resource an agent tried to buy.
- Mandate logs can reveal shopping intent.
- HTTP payment challenges can reveal content/API access patterns.
- Stablecoin settlement can reveal wallet clustering if addresses are reused.
- Facilitators and processors can see more than the merchant sees.
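To make that trail concrete, here is an added example (not code from Cunicula, Coinbase, Stripe, Cloudflare or Google) that simulates the 402 challenge-and-retry exchange in Python. Header and field names such as `X-Payment`, `nonce` and `pay_to` are constructed for illustration and are not any protocol's exact wire format. An `Observer` stands in for whichever party in the path keeps logs (resource server, facilitator, processor). It shows two points from the list above: unpaid attempts are recorded too, and reusing one wallet lets the observer cluster unrelated workflows, while a per-workflow wallet keeps them apart.

```python
"""Simulated HTTP 402 challenge/retry flow and the metadata trail it leaves.
Added example; header and field names are constructed, not a real wire format.
The Observer stands for any party in the payment path that keeps logs."""
from __future__ import annotations

import hashlib
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Observer:
    """Per-request records a resource server or facilitator would retain."""
    log: list[dict] = field(default_factory=list)

    def record(self, **fields) -> None:
        self.log.append(fields)

    def cluster_by_wallet(self) -> dict[str, set[str]]:
        """Group paid resources by paying wallet; address reuse links them."""
        groups: dict[str, set[str]] = defaultdict(set)
        for entry in self.log:
            if entry["paid"]:
                groups[entry["wallet"]].add(entry["resource"])
        return dict(groups)


class ResourceServer:
    """Answers unpaid requests with a 402 challenge and verifies the retry."""

    def __init__(self, pay_to: str, observer: Observer):
        self.pay_to = pay_to                    # merchant address (constructed)
        self.observer = observer
        self.challenges: dict[str, dict] = {}   # nonce -> outstanding challenge

    def get(self, resource: str, headers: dict) -> tuple[int, object]:
        payment = headers.get("X-Payment")      # constructed header name
        if payment is None:
            nonce = secrets.token_hex(8)
            challenge = {"resource": resource, "amount": "0.001", "asset": "USDC",
                         "pay_to": self.pay_to, "nonce": nonce}
            self.challenges[nonce] = challenge
            # The unpaid attempt is recorded too: the request alone reveals intent.
            self.observer.record(resource=resource, wallet=None, paid=False)
            return 402, challenge
        challenge = self.challenges.pop(payment.get("nonce"), None)  # single use
        valid = (challenge is not None
                 and challenge["resource"] == resource
                 and challenge["amount"] == payment.get("amount")
                 and challenge["pay_to"] == payment.get("pay_to"))
        if not valid:
            self.observer.record(resource=resource, wallet=payment.get("from"), paid=False)
            return 402, {"error": "invalid or replayed payment"}
        self.observer.record(resource=resource, wallet=payment["from"], paid=True)
        return 200, b"<resource body>"


def fetch(server: ResourceServer, resource: str, workflow: str,
          wallet_for: Callable[[str], str]) -> int:
    """Agent side: request, receive 402, pay from the policy-chosen wallet, retry."""
    status, body = server.get(resource, {})
    if status != 402:
        return status
    payment = {"nonce": body["nonce"], "amount": body["amount"],
               "pay_to": body["pay_to"], "from": wallet_for(workflow)}
    status, _ = server.get(resource, {"X-Payment": payment})
    return status


def shared_wallet(_workflow: str) -> str:
    return "0xMAIN_WALLET"      # constructed: one long-lived wallet for every task


def per_workflow_wallet(workflow: str) -> str:
    # Constructed stand-in for deriving a fresh key per workflow.
    return "0x" + hashlib.sha256(workflow.encode()).hexdigest()[:16]


# Constructed sample: two unrelated workflows, three paid resources.
RESOURCES = [("health-research", "/api/medical/abstracts"),
             ("travel", "/api/flights/search"),
             ("health-research", "/api/medical/trials")]


def run(wallet_policy: Callable[[str], str]) -> Observer:
    observer = Observer()
    server = ResourceServer("0xMERCHANT", observer)
    for workflow, resource in RESOURCES:
        if fetch(server, resource, workflow, wallet_policy) != 200:
            raise RuntimeError(f"payment for {resource} failed")
    return observer


if __name__ == "__main__":
    print("shared wallet:      ", run(shared_wallet).cluster_by_wallet())
    print("per-workflow wallet:", run(per_workflow_wallet).cluster_by_wallet())
```

Run it directly to print both clusterings. The per-workflow policy only removes linkage at the wallet layer: the observer still holds the endpoint, amount and timing of every request, paid or not, which is why the logging location matters as much as the rail.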
Cunicula default
For low-risk API access, x402 or MPP can be reasonable if the wallet is low-balance, single-purpose, and not linked to a main identity.
For purchases where mistake, fraud, or identity linkage matters, use AP2-style explicit authorization plus a constrained payment rail. The agent should request, not own, the payment.
Before letting an agent pay
- Name the authority model: mandate, API key, wallet grant, policy engine, or human approval.
- Name the settlement rail: card, bank, stablecoin, crypto, gift card, internal ledger, or deferred payment.
- Check where receipts and failed attempts are logged.
- Use a fresh wallet or card per workflow where privacy matters.
- Keep broad keys and high balances outside the agent runtime.
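The checklist can be enforced mechanically rather than by convention. The following is an added example, not Cunicula's code and not part of AP2, x402 or MPP: a small policy engine in Python that sits between the agent and the money. The agent only ever submits a request against a named mandate; the engine checks settlement rail, merchant, spend cap, expiry and human approval, hands out a single-purpose wallet per workflow, and keeps a receipt that does not store the agent's free-text purpose. All type names, field names, merchants and the sample mandates are constructed.

```python
"""Policy gate in front of agent spend. Added example with constructed types:
the agent submits a PaymentRequest against a named Mandate; the PolicyEngine
enforces rail, merchant, cap, expiry and approval, then issues a
single-purpose wallet per workflow. The broad key never enters the agent."""
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Mandate:
    mandate_id: str
    rail: str                    # settlement rail, e.g. "stablecoin" or "card"
    max_amount: float            # cap across the mandate's lifetime
    allowed_merchants: frozenset
    expires_at: float            # unix time; revocation = shortening this
    workflow: str                # selects the single-purpose wallet
    requires_human_approval: bool = False


@dataclass(frozen=True)
class PaymentRequest:
    mandate_id: str
    merchant: str
    amount: float
    rail: str
    purpose: str                 # agent's free text; never stored in clear


@dataclass
class Decision:
    allowed: bool
    reason: str
    wallet: str | None = None    # set only when allowed


class PolicyEngine:
    def __init__(self, mandates, clock=time.time):
        self.mandates = {m.mandate_id: m for m in mandates}
        self.clock = clock
        self.spent: dict[str, float] = {}   # running total per mandate
        self.wallets: dict[str, str] = {}   # workflow -> low-balance wallet
        self.receipts: list[dict] = []      # minimal audit log

    def evaluate(self, req: PaymentRequest, human_approved: bool = False) -> Decision:
        m = self.mandates.get(req.mandate_id)
        if m is None:
            return self._decide(req, False, "unknown mandate")
        if self.clock() > m.expires_at:
            return self._decide(req, False, "mandate expired")
        if req.rail != m.rail:
            return self._decide(req, False, "rail not permitted")
        if req.merchant not in m.allowed_merchants:
            return self._decide(req, False, "merchant not in mandate")
        if self.spent.get(m.mandate_id, 0.0) + req.amount > m.max_amount:
            return self._decide(req, False, "cap exceeded")
        if m.requires_human_approval and not human_approved:
            return self._decide(req, False, "human approval required")
        self.spent[m.mandate_id] = self.spent.get(m.mandate_id, 0.0) + req.amount
        # One fresh wallet per workflow; the agent never holds a master key.
        wallet = self.wallets.setdefault(m.workflow, "wallet_" + secrets.token_hex(6))
        return self._decide(req, True, "ok", wallet)

    def _decide(self, req: PaymentRequest, allowed: bool, reason: str,
                wallet: str | None = None) -> Decision:
        # Receipt keeps what audit needs. The purpose is kept only as a digest;
        # low-entropy purposes stay guessable, so keep them generic.
        self.receipts.append({
            "mandate": req.mandate_id, "merchant": req.merchant, "amount": req.amount,
            "allowed": allowed, "reason": reason,
            "purpose_digest": hashlib.sha256(req.purpose.encode()).hexdigest()[:16]})
        return Decision(allowed, reason, wallet)


FIXED_NOW = 1_700_000_000.0  # constructed clock so the run is deterministic


def demo() -> tuple[PolicyEngine, list[Decision]]:
    eng = PolicyEngine([
        Mandate("m-api", "stablecoin", 1.00, frozenset({"api.example"}),
                FIXED_NOW + 3600, "research-api"),
        Mandate("m-buy", "card", 250.00, frozenset({"shop.example"}),
                FIXED_NOW + 3600, "office-supplies", requires_human_approval=True),
        Mandate("m-old", "stablecoin", 5.00, frozenset({"api.example"}),
                FIXED_NOW - 1, "stale"),
    ], clock=lambda: FIXED_NOW)
    r = PaymentRequest
    decisions = [
        eng.evaluate(r("m-api", "api.example", 0.40, "stablecoin", "fetch abstracts")),
        eng.evaluate(r("m-api", "api.example", 0.70, "stablecoin", "fetch trials")),   # over cap
        eng.evaluate(r("m-api", "other.example", 0.10, "stablecoin", "lookup")),       # merchant
        eng.evaluate(r("m-buy", "shop.example", 120.0, "card", "paper")),             # no approval
        eng.evaluate(r("m-buy", "shop.example", 120.0, "card", "paper"), human_approved=True),
        eng.evaluate(r("m-old", "api.example", 0.10, "stablecoin", "lookup")),         # expired
        eng.evaluate(r("m-api", "api.example", 0.10, "card", "lookup")),               # wrong rail
    ]
    return eng, decisions
```

The design point is the direction of the call: the agent asks, the engine decides and pays from a wallet it controls, and every denial is as auditable as every approval. Revocation is a change to `expires_at` or the mandate table, not a key rotation inside the agent runtime.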
Use the Agent Money matrix and the agent-money directory filter to compare live Cunicula provider records.
Frequently Asked Questions
Is AP2 more private than x402 or MPP?
Not by default. AP2 focuses on authorization and accountability. x402 and MPP focus on machine-readable payment over HTTP. Privacy depends on logs, settlement rails, wallet reuse, account identity, and facilitator records.
Which protocol should a privacy-focused agent use?
Use the narrowest rail that proves intent without giving the agent broad money authority. For sensitive spend, keep human approval or a policy wallet in the path.