Agentic Commerce Needs Three Layers, Not One
Almost every conversation about agentic commerce right now is a conversation about discovery: which protocol will agents use to find products and complete a purchase — MCP, ACP, or UCP? It is an important question. It is also not the whole picture. An agent that can only discover and buy, without being able to verify who it is buying from, understand the bounds of its own autonomy, or correctly interpret the product data, is shipping unmanaged risk dressed up as convenience.
A safe agentic transaction needs three distinct layers. They do not compete; they stack. Skip any one and the whole thing is brittle.
Layer 1 — Discovery: can the agent find and transact?
This is the layer everyone is fighting over, and rightly so — without it nothing else matters. MCP exposes a store's tools and data to an agent. ACP (Stripe/OpenAI) and UCP (Google/Shopify) handle the checkout and payment handshake. These are real, shipping standards, and in mid-2026 they coexist: a merchant who bets on a single winner will be unreachable through the others. Discovery answers one question — can the agent get to the goods and complete a purchase? — and it answers it well. But it is silent on whether the agent should trust what it found.
Layer 2 — Trust and mandate: should the agent act, and how far?
Discovery tells an agent it can buy. Trust and mandate tell it whether it may, on whose authority, and within what limits. Two pieces matter here.
First, merchant identity: before an agent transacts, it should be able to verify the merchant is who it claims to be, and understand the bounds within which it can act autonomously before it must hand back to a human. This is the problem space emerging standards like SAM Protocol aim at — a signed, discoverable trust descriptor that an agent can check.
Second, the payment mandate. AP2 introduces signed Intent and Cart Mandates — cryptographic evidence that a buyer authorised a specific purchase, with a Time-to-Live. The Cart Mandate is the merchant's non-repudiable proof of authorisation, the thing that makes a disputed agent transaction defensible. But a mandate is only as good as the rules around its lifecycle, and those rules are still being written.
A concrete example we ran into while building a UCP merchant server, and raised as UCP issue #512: what happens if a mandate's TTL expires after checkout completion has been accepted but before payment finishes — a routine situation with asynchronous EU rails (SEPA, iDEAL, Bancontact) and interrupted 3DS challenges? The converged answer is that TTL is evaluated once, at acceptance, and then frozen for the rest of processing; an already-lapsed mandate yields a signed EXPIRED receipt as a terminal state, verifiable through the same path as the positive authorisation record (JCS canonicalisation plus Ed25519). The details are technical, but the point is simple: the trust layer is only safe when these edge cases are pinned down, not left to diverge across implementations. We've written up the full lifecycle model — the evaluate-once-then-freeze rule and the single verification path behind both outcomes — on our UCP mandate-evaluation reference page.
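The evaluate-once-then-freeze rule and the single verification path described above, as an added example (not code from the UCP or AP2 specifications, nor from the merchant server mentioned in this article). The receipt field names, the AUTHORISED status string, the exclusive expiry boundary and the in-process signing key are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// JCS (RFC 8785) for the JSON subset used here: object keys sorted by UTF-16
// code units, primitives serialised the way ECMAScript JSON.stringify does.
function jcs(v) {
  if (typeof v === 'number' && !Number.isFinite(v)) throw new Error('not valid in JCS');
  if (v === null || typeof v !== 'object') return JSON.stringify(v);
  if (Array.isArray(v)) return '[' + v.map(jcs).join(',') + ']';
  return '{' + Object.keys(v).sort()
    .map((k) => JSON.stringify(k) + ':' + jcs(v[k])).join(',') + '}';
}

// Constructed merchant signing key; a real server would load a managed key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// TTL is evaluated exactly once, at acceptance. Either outcome is signed, so
// an already-lapsed mandate ends in a verifiable terminal EXPIRED receipt.
// Field names are hypothetical; expiry is treated as exclusive (assumption).
function acceptMandate(mandate, nowSec) {
  const status = nowSec < mandate.expires_at ? 'AUTHORISED' : 'EXPIRED';
  const body = {
    mandate_id: mandate.mandate_id,
    expires_at: mandate.expires_at,
    evaluated_at: nowSec,
    status,
  };
  const sig = crypto.sign(null, Buffer.from(jcs(body)), privateKey);
  return { body, sig: sig.toString('base64') };
}

// One verification path for both the positive record and the EXPIRED receipt.
function verifyReceipt(receipt, pub) {
  const sig = Buffer.from(receipt.sig, 'base64');
  return crypto.verify(null, Buffer.from(jcs(receipt.body)), pub, sig);
}

// Later steps (asynchronous settlement, a resumed 3DS challenge) consult the
// frozen receipt only; the clock is never compared with expires_at again.
function mayContinue(receipt, pub) {
  return verifyReceipt(receipt, pub) && receipt.body.status === 'AUTHORISED';
}
```

Because `mayContinue` takes no clock argument, a payment that settles after `expires_at` still proceeds on a receipt that was AUTHORISED at acceptance, while any edit to a receipt body fails the signature check.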
Layer 3 — Content quality: can the agent actually use what it found?
Suppose the agent can reach the store (Layer 1) and trust it (Layer 2). It still has to understand the catalog. If product data is ambiguous, incomplete, or unstructured — missing identifiers, vague descriptions, no clear availability or pricing signals — the agent cannot reliably match intent to product, compare offers, or recommend with confidence. This is not a protocol problem and no standard fixes it; it is ground-level work on the data itself.
And the data is, frankly, not ready. Independent audits of agent-readiness across e-commerce catalogs have found average scores around 48 out of 100, with only a small fraction of stores scoring above 80. Discovery and trust standards can mature perfectly and still leave most merchants invisible to agents, simply because their catalogs are not legible.
This is the layer MerchantStamp works on: auditing and structuring catalog and storefront data so an agent can actually parse it, across MCP, ACP and UCP at once. It is the unglamorous third leg of the stool — but a discovery protocol and a trust mandate pointed at an illegible catalog still produce a bad recommendation.
Why all three, together
The flow of a genuinely safe agent transaction runs through all three: the agent verifies the merchant's identity and mandate bounds (trust), discovers and negotiates the purchase (discovery), executes within the mandate, and escalates to a human if the bounds are exceeded — all against a catalog clear enough to act on (quality). Drop the trust layer and you have fast, confident fraud. Drop the quality layer and you have a verified, well-protocolled path to the wrong product.
The protocol wars will keep getting the headlines. But the merchants who win in agentic commerce will be the ones who treated it as three problems, not one.