Imagine asking an assistant: “Book me a round-trip flight and a hotel in Palm Springs for the first weekend of November, with a total budget of $700.” This is the sentence Google chose to introduce its Agent Payments Protocol (AP2) on 16 September 2025. Travel is not just another use case: it is the canonical example the protocol itself selected to explain how it works.
Agentic payments are financial transactions initiated and executed by autonomous AI agents on behalf of a user, based on cryptographically signed instructions — mandates — that establish what the agent is authorised to purchase, at what price, and under what conditions.
The momentum is substantial. AP2 launched with more than 60 partners, including Mastercard, American Express, PayPal, Adyen, Revolut, Worldpay, JCB and Coinbase. The travel ecosystem already counts names like Amadeus, Booking.com and Trip.com. And the timing is sharp: IATA estimates more than $1bn in annual airline fraud losses, while DataDome puts payment fraud at roughly 1.2% of annual airline revenue — with 72% of air tickets sold online.
For airlines, cruise lines, OTAs and booking platforms, AP2 opens two conversations at once. On one side, it is the first standardised way to turn the journey into a contextual commerce channel. On the other, it introduces a new challenge: AP2 solves agent authorisation, but it does not solve user identity authentication. That gap is where the identity, biometrics and passenger verification layer becomes critical.
What are agentic payments, and what is their potential in the travel industry?
Agentic payments are automated transactions between digital agents — one acting on behalf of the passenger, another on behalf of the operator — that integrate identity, consent, eligibility and payment in a single process. They happen in the background, with no friction and no human intervention, and they trigger contextually at the optimal moment of the journey.
Three axes separate them from traditional payments: who initiates the transaction (an agent, not a human), what authorises the operation (a cryptographic mandate signed with Verifiable Credentials, not a click in a checkout) and when authorisation happens (in advance, under pre-signed conditions, not at the moment of purchase).
Worth clarifying: an agent is not a chatbot or a conversational assistant. An autonomous agent negotiates with other agents, accesses services, executes transactions and is accountable through its own cryptographic identity.
What is their potential in the travel industry?
The impact is structural, not anecdotal. Agentic payments:
- Turn the journey into a contextual commerce channel. Every moment of the trip — pre-flight, airside, in-flight, post-arrival — becomes a window for personalised offers.
- Increase ancillary revenue at the moments of highest passenger engagement. With global airline ancillary revenue of $148bn in 2024 ($32bn above 2023) and a projection of $157bn for 2025, ancillary already accounts for 15.7% of total airline revenue — up from 9.1% in 2016.
- Remove friction in the purchase of upgrades, lounge access and premium services.
- Reduce operational costs by automating today’s manual processes. Carriers running biometric-enabled airport operations report 23% reductions in gate-to-takeoff times and, in Delta’s case, $2.3M in annual fuel savings from reduced taxi delays alone.
- Improve EBITDA without increasing capacity or base fares.
- Better monetise the passenger’s airside time — aviation’s “golden hour”, until now largely untapped.
For an industry running on net margins of around 3.9%, where fuel accounts for 25–27% of operating costs, this is not an IT investment. It is a margin lever.
How Google’s AP2 protocol works: the three mandates
AP2 builds trust through mandates: cryptographically signed digital contracts that act as verifiable proof of the user’s intent. Each mandate is a Verifiable Credential (W3C) and forms part of an end-to-end auditable chain from intent to payment.
| Mandate | What it captures | When it is signed | Who signs it | Travel example |
|---|---|---|---|---|
| Intent Mandate | The user’s intent and limits | At the start of the flow | User (delegating to the agent) | “Book a flight to Palm Springs, max $500, first weekend of November” |
| Cart Mandate | Final cart with products, prices and conditions | Once the agent has composed the option | User (real-time approval) | Confirming the specific UA flight + hotel combination |
| Payment Mandate | Authorisation for the processor to execute | At checkout | User / agent under pre-signed conditions | Charge $687 to the Visa, paid to the airline of record |
Beyond the table, three ideas are worth retaining:
Two scenarios: Human Present (HP) and Human Not Present (HNP). When the user is present, they approve the Cart Mandate in real time. When they are not — concert tickets dropping, fare drops, automatic rebookings — the agent only executes if the conditions pre-signed in the Intent Mandate are met.
The non-repudiable cryptographic chain. Intent → Cart → Payment produces an end-to-end auditable trail, designed to resolve disputes among the protocol’s five actors: user (intent), agent (executor), credential provider (payment method and authentication), merchant endpoint (reception and settlement) and issuer/network (authorisation).
Payment-method agnostic. Cards, stablecoins and real-time bank transfers all flow through the same mandate structure. That means an airline or OTA can accept agentic payments without rewriting its current payments stack.
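The checks a receiving endpoint would run over an Intent → Cart → Payment chain in both HP and HNP modes, as an added example that is not code from the AP2 specification or from the original article. All field names, keys and helper names are hypothetical, and HMAC-SHA256 stands in for the Verifiable Credential signature, so this sketch shows binding and limit checks but not non-repudiation.

```python
import hashlib, hmac, json

# Constructed keys. HMAC-SHA256 stands in for the Verifiable Credential proof.
USER_KEY, AGENT_KEY = b"constructed-user-key", b"constructed-agent-key"

def canon(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def digest(body):
    return hashlib.sha256(canon(body)).hexdigest()

def mac(body, key):
    return hmac.new(key, canon(body), hashlib.sha256).hexdigest()

def sign(body, key):
    return {"body": body, "sig": mac(body, key)}

def valid(mandate, key):
    return hmac.compare_digest(mac(mandate["body"], key), mandate["sig"])

def verify_chain(intent, cart, payment, human_present):
    """Return 'ok' or the first reason the Intent -> Cart -> Payment chain fails."""
    i, c, p = intent["body"], cart["body"], payment["body"]
    # HP: the user approves in real time. HNP: the agent signs under the intent.
    signer = USER_KEY if human_present else AGENT_KEY
    if not valid(intent, USER_KEY):
        return "intent signature invalid"
    if not valid(cart, signer):
        return "cart signature invalid"
    if not valid(payment, signer):
        return "payment signature invalid"
    if c["intent_hash"] != digest(i):
        return "cart not bound to intent"
    if p["cart_hash"] != digest(c):
        return "payment not bound to cart"
    if not human_present and not i["allow_hnp"]:
        return "intent does not permit HNP"
    if c["total"] > i["max_total"]:
        return "cart exceeds intent budget"
    if p["amount"] != c["total"]:
        return "payment differs from cart"
    return "ok"

def build_sample(total=687, allow_hnp=True, signer=AGENT_KEY):
    """Constructed chain: $700 intent, one cart, one payment (whole dollars)."""
    intent = sign({"max_total": 700, "allow_hnp": allow_hnp}, USER_KEY)
    cart = sign({"intent_hash": digest(intent["body"]), "total": total}, signer)
    payment = sign({"cart_hash": digest(cart["body"]), "amount": total}, signer)
    return intent, cart, payment
```

Each mandate carries the hash of the one before it, so a cart lifted from another intent or a payment amount edited after signing fails before any limit is evaluated.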
AP2 vs A2A vs MCP: what each protocol does
The three protocols are easily confused. Each covers a different layer of the agentic stack:
| Protocol | Released | Function | Developed by |
|---|---|---|---|
| MCP (Model Context Protocol) | November 2024 | Connects agents with tools and data | Anthropic |
| A2A (Agent2Agent) | April 2025 | Communication between agents | Google + partners |
| AP2 (Agent Payments Protocol) | September 2025 | Adds cryptographically authorised payments on top of A2A/MCP | Google + 60+ partners |
They are complementary, not exclusive. MCP gives the agent access to the operator’s APIs and data. A2A lets it talk to other agents (for example, the passenger’s agent talking to the airline’s agent). AP2 adds the cryptographically authorised payment layer on top. Designing the stack for AP2 means also designing it for A2A and MCP.
How agentic booking reshapes reservations and checkout across travel verticals
Airlines (FSC and LCC). The passenger’s agent negotiates multi-leg itineraries, ancillaries (seat, baggage, lounge, fast-track) and complementary services via NDC integrations. The Intent Mandate defines budget, date window and preferences; the agent compares and executes. The space where the fraud surface widens — and where the most value is unlocked — is precisely the in-journey ancillary: lounges, upgrades, airside retail, in-flight catering.
Cruise lines. A single Intent Mandate can cover cabin + dining + excursions + onboard credit, removing both package friction and manual up-sell. Passenger verification obligations — KYC, sanctions lists, age verification for alcohol-inclusive packages — remain in place, but must now be applied upstream of the mandate, not downstream of the charge.
OTAs (Booking, Expedia, Trip.com). The package-builder becomes an agent-to-agent negotiation rather than a human search. Margin pressure rises — agents arbitrage across OTAs in milliseconds — but a new opportunity opens too: competing on the quality of the agentic integration rather than on price alone.
A concrete example: VIP lounge access. A passenger, already identified through an agentic wallet carrying passport and boarding pass as Verifiable Credentials, sets the Intent: “Access VIP lounges whenever available, paying with the most convenient method among Priority Pass, Revolut or my loyalty programme.” On arrival, the wallet evaluates geolocation and eligibility, contacts the lounge operator’s agent, negotiates entry, receives confirmation, and unlocks access through a biometric walk-through or a selfie. Four steps collapsed into one. Zero friction.
Why agentic payments are an opportunity that demands Know Your Agent (KYA)
Agentic commerce is, first and foremost, an opportunity. It reduces friction, lifts ancillary yield and professionalises the traceability of every transaction. But that same autonomy introduces a new point of failure: a system that accepts a mandate without verifying the agent presenting it is trusting an actor that operates without a human behind it.
Hence the guiding principle: Know Your Agent (KYA). Before allowing an autonomous agent to negotiate services, access information or execute payments, the system must verify its identity, its integrity (that the software has not been tampered with) and the delegated authority the user has granted through the Intent Mandate. This is, in effect, agent authentication.
Three reasons make KYA an imperative rather than a recommendation:
- A single wallet may run more than one agent, each with a different scope. An agent authorised to buy lounge access should not be able to book a new flight. KYA verifies the scope of the mandate before each execution.
- Agents must be interchangeable and easily replaceable. Without KYA, swapping one agent for another opens a vector for impersonation.
- Without KYA, current fraud stacks — 3DS, behavioural biometrics, device fingerprinting — lose efficacy. They all assume a human is at the keyboard. With AP2, by design, often nobody is.
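A KYA gate that applies the three checks named above (identity, integrity, delegated authority) before an agent may act, as an added example that is not part of the original article or of any AP2 or KYA standard. The registry layout, agent names, scope labels and function names are hypothetical, an HMAC challenge-response stands in for the agent's cryptographic identity, and the build digest is assumed to arrive through an attestation channel rather than from the agent itself.

```python
import hashlib, hmac

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed registry for one wallet running two agents with different scopes.
LOUNGE_BUILD = b"lounge-agent build 1.0 (constructed bytes)"
BOOKING_BUILD = b"booking-agent build 1.0 (constructed bytes)"
REGISTRY = {
    "lounge-agent": {"key": b"constructed-lounge-key",
                     "build": sha256_hex(LOUNGE_BUILD),
                     "scope": {"lounge_access"}},
    "booking-agent": {"key": b"constructed-booking-key",
                      "build": sha256_hex(BOOKING_BUILD),
                      "scope": {"flight_booking", "hotel_booking"}},
}

def prove(key, nonce):
    """Agent side: answer the verifier's fresh nonce (HMAC stand-in for a signature)."""
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()

def kya_check(agent_id, nonce, proof, attested_build, action):
    """Verifier side: identity, then integrity, then delegated authority."""
    entry = REGISTRY.get(agent_id)
    if entry is None:
        return "deny: unknown agent"
    if not hmac.compare_digest(prove(entry["key"], nonce), proof):
        return "deny: identity proof failed"
    # Assumption: attested_build reaches the verifier through an attestation
    # channel the agent cannot rewrite; a self-reported hash proves nothing.
    if not hmac.compare_digest(entry["build"], attested_build):
        return "deny: integrity mismatch"
    if action not in entry["scope"]:
        return "deny: action outside delegated scope"
    return "allow"
```

The gate runs on every execution, so replacing one agent with another means updating the registry entry rather than trusting whatever presents a mandate.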
Emerging standards such as NIST Identity and Authority of Software Agents and ERC 8004 Trustless Agents are beginning to define how to deliver KYA in an interoperable way. Airlines, cruise lines and OTAs would do well to track both.
The identity layer that secures AP2
AP2 proves cryptographically that an agent is authorised to act. It does not prove that the human who signed the Intent Mandate is actually who they claim to be. That proof — user identity authentication — lives outside the protocol, and it is what makes the whole system trustworthy.
The identity layer that AP2 rests on has four pieces:
Verifiable Credentials (W3C). Mandates are Verifiable Credentials. Every action the agent executes is therefore bound to a signed credential that is legally and cryptographically binding. This is the connective tissue that turns a digital contract into non-repudiable evidence.
Biometrics. Biometrics connect the digital negotiation to the physical world. They are the final seal that ties the mandate signature to a verified human identity — fluidly, without breaking the agentic flow. In travel, this runs in two modes: 1:1 (verification against the passenger’s document) and 1:N (biometrics on the move, with no need to touch a device). In both, the outcome is the same: the passenger does not stop the journey.
The “Know Your X” framework. KYA does not operate alone. It coexists with KYC (Know Your Customer — passenger identity verification for binding, accountability and non-repudiation in HP and HNP), KYW (Know Your Wallet — based on trust registries and whitelisting) and KYB (Know Your Business — UBO identification of the merchant or operator). It is the bundle, not any single piece, that secures the ecosystem.
Out-of-band authentication. In high-value transactions, Verifiable Credential possession is complemented by biometrics and out-of-band SCA. The protocol does not mandate a specific implementation — but operators that build one in materially reduce their exposure.
The operational takeaway: any airline, OTA or cruise line preparing for AP2 without first consolidating its identity layer will be signing mandates against an empty root of trust.
FAQs
Agentic payments are financial transactions initiated and executed by autonomous AI agents on behalf of a user, based on cryptographically signed instructions — mandates — that establish what the agent is authorised to purchase, at what price, and under what conditions.
AP2 works through three chained mandates: the Intent Mandate (captures the user’s intent and limits), the Cart Mandate (approves the final cart) and the Payment Mandate (authorises the processor to execute the payment). Each mandate is signed with W3C Verifiable Credentials, is payment-method agnostic, and is recorded in a non-repudiable auditable chain.
MCP (Anthropic, November 2024) connects agents with tools and data. A2A (Google, April 2025) enables communication between agents. AP2 (Google, September 2025) adds cryptographically authorised payments on top of A2A and MCP. The three are complementary, not exclusive.
Because autonomous agents execute transactions without a human behind them. Without a KYA process to verify their identity, integrity and delegated authority, traditional fraud stacks (3DS, behavioural biometrics, device fingerprinting) lose efficacy. KYA ensures the agent is authorised and that the scope of the mandate is respected at every execution.
By inventorying integration points with A2A and MCP, defining which mandate types to accept, strengthening authentication of the user signing the Intent Mandate, monitoring AP2 spec evolution and standards such as NIST and ERC 8004, and testing against the official AP2 GitHub sandbox before agentic traffic hits production.