The long-promised future where an AI assistant books your travel and orders your groceries just took a critical step out of science fiction. In a major move to build the plumbing for automated commerce, web infrastructure giant Cloudflare is partnering with Visa and Mastercard to create a security standard for AI agent payments. The collaboration aims to solve the single biggest problem holding back "agentic commerce": how can a website trust a bot with a credit card?
Until now, to an online merchant, a helpful AI shopping agent has been indistinguishable from a malicious web scraper or a credential-stuffing bot. This identity crisis has been a fundamental roadblock. Blocking all bots means missing out on legitimate AI-driven sales, while allowing them opens the door to fraud and abuse.
According to a joint announcement, the solution hinges on giving legitimate AI agents a verifiable digital passport. Visa has developed the "Trusted Agent Protocol" and Mastercard has created "Agent Pay," two systems designed to help merchants tell the good bots from the bad. Both are built on a foundational proposal from Cloudflare called Web Bot Auth.
A digital passport for bots
Think of Web Bot Auth as a cryptographic ID card for automated agents. Instead of relying on easily spoofed identifiers like a user agent string or IP address, it uses public key cryptography to let an agent digitally "sign" every request it makes to a website.
Here’s how it works in the new system: An AI agent developer, like a startup building a travel-booking assistant, would register their agent with Visa or Mastercard. The payment network then issues a set of cryptographic keys. When the agent goes to shop on a merchant's site, it attaches a unique, time-stamped digital signature to its request.
This is where Cloudflare comes in. Acting as a bouncer for the merchant’s website, Cloudflare’s network intercepts the request. It checks the signature, verifies the agent’s ID against the directory provided by Visa or Mastercard, and ensures the request is fresh and not a copied "replay" attack. If everything checks out, the trusted agent is allowed in to browse or complete a purchase. If not, it's blocked like any other suspicious bot.
This allows a merchant to create specific rules, for instance, allowing a registered Visa agent to access its checkout API while blocking all other automated traffic. According to Cloudflare, this verification happens at the network edge, meaning merchants can benefit without overhauling their existing infrastructure. They simply need to enable a managed rule that says, "Let the trusted shopping agents in."
This collaboration is less about a single product launch and more about laying the foundational rails for a new economy. By getting the world’s largest payment networks and a dominant web security provider on the same page, the industry is creating a standardized way to manage AI agent payments. The announcement notes that American Express is also planning to leverage Web Bot Auth, signaling a broad consensus is forming.
To accelerate adoption, Cloudflare plans to integrate support for the Visa and Mastercard protocols directly into its Agent SDK, making it easier for developers to build these trusted agents. While the technical details are complex, the goal is simple: to create a world where you can confidently tell your AI to "buy me a plane ticket to Tokyo" and have it transact securely and verifiably on your behalf. This is the infrastructure that could finally make that possible.
