{ "dataset": "protocols", "record": { "id": "visa-tap", "name": "Visa TAP", "full_name": "Visa Trusted Agent Protocol", "layer": "payments", "creator": "Visa (with Cloudflare)", "status": "live (launched Oct 2025)", "year": 2025, "one_liner": "An open specification that signs an AI agent's identity into HTTP request headers so any merchant can cryptographically verify the agent is legitimate before agent-driven checkout.", "spec_url": "https://developer.visa.com/capabilities/trusted-agent-protocol", "snippet": "RFC 9421 HTTP message signatures over Web Bot Auth → merchant verifies agent against Visa's key directory.", "abbreviation": "Visa TAP", "also_known_as": [ "Trusted Agent Protocol", "Visa TAP", "TAP" ], "canonical_spec_url": "https://developer.visa.com/capabilities/trusted-agent-protocol/trusted-agent-protocol-specifications", "entity_uri": "https://github.com/visa/trusted-agent-protocol", "taxonomy_layer": "identity", "sub_layer": "agent-identity-for-commerce", "protocol_type": "verification", "central_problem": "Lets a merchant cryptographically answer one question at agent-driven checkout — is this AI agent legitimate — by verifying a signed agent identity carried in HTTP headers, distinguishing real agents from malicious bots.", "maintainer": "Visa (visa/trusted-agent-protocol), announced with Cloudflare", "governance_body": "vendor (Visa); open specification", "license": { "value": null, "verify_status": "verify-against-primary-at-build", "source_hint": "https://github.com/visa/trusted-agent-protocol", "note": "Repo shows a license link but the exact license was not captured; confirm against the visa/trusted-agent-protocol repo at build." }, "maturity_tag": "emerging", "current_spec_version": { "value": null, "verify_status": "verify-against-primary-at-build", "source_hint": "https://developer.visa.com/capabilities/trusted-agent-protocol/trusted-agent-protocol-specifications", "note": "No tagged release on the repo at observation; confirm the current spec version against Visa Developer at build." }, "spec_date": { "value": null, "verify_status": "verify-against-primary-at-build", "source_hint": "https://developer.visa.com/capabilities/trusted-agent-protocol/trusted-agent-protocol-specifications", "note": "Confirm current spec revision date at build." }, "launch_date": { "value": "2025-10-14", "verify_status": "verify-against-primary-at-build", "source_hint": "https://investor.visa.com/news/news-details/2025/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce/default.aspx", "note": "Announced with Cloudflare on 2025-10-14 (secondary sources); confirm against the Visa primary press release at build." }, "last_verified": "2026-06-15", "transport": "HTTP Message Signatures (RFC 9421) over the Web Bot Auth pattern; Ed25519; Visa-operated key directory", "core_mechanism": "Visa TAP signs an approved agent's identity into HTTP request headers using RFC 9421 HTTP Message Signatures built on the emerging Web Bot Auth standard; merchants verify the Ed25519 signature against a Visa-operated directory of agent public keys. Agents are vetted through Visa's Intelligent Commerce program and issued a unique key. TAP sits as an identity wrapper in front of whatever payment rail the merchant runs, layering on top of agent-commerce protocols like ACP and UCP.", "discovery_endpoint": "Signed HTTP request headers verified against Visa's agent public-key directory", "settlement_type": null, "adoption_metric": { "value": "Announced with launch partners including Adyen, Ant International, Checkout.com, Coinbase, Cybersource, Elavon, Fiserv, Microsoft, Nuvei, Shopify, Stripe, and Worldpay", "source": "https://investor.visa.com/news/news-details/2025/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce/default.aspx", "last_verified": "2026-06-15", "note": "Partner list per secondary reporting of the Visa announcement; confirm against the Visa primary at build." }, "notable_adopters": [ { "value": "Visa (creator)", "source": "https://github.com/visa/trusted-agent-protocol" }, { "value": "Cloudflare (co-announcer)", "source": "https://investor.visa.com/news/news-details/2025/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce/default.aspx" } ], "relationships": [ { "predicate": "built_on", "target": "web-bot-auth", "note": "Visa TAP -built_on-> Web Bot Auth: it uses RFC 9421 HTTP Message Signatures over the Web Bot Auth pattern to sign agent identity." }, { "predicate": "complements", "target": "acp-commerce", "note": "TAP is an identity wrapper that layers on top of agent-commerce protocols like ACP and UCP, verifying the agent before checkout." } ], "ideal_use_case": "Letting merchants verify that an AI agent attempting checkout is a vetted, legitimate agent before processing payment.", "when_to_use": "When you run agent-driven commerce and need to cryptographically distinguish legitimate, Visa-vetted agents from malicious bots at the request layer.", "when_not_to_use": "When you need the payment/settlement itself (use AP2/ACP/x402) — TAP only verifies identity — or you don't want a Visa-operated directory in the loop.", "code_example": "Signature-Agent: \"https://agent.visa-vetted.example\"\nSignature-Input: sig1=(\"@authority\" \"signature-agent\");keyid=\"visa-key-id\";alg=\"ed25519\"\nSignature: sig1=::\n# Merchant verifies against Visa's agent public-key directory (RFC 9421).", "source": "Visa Trusted Agent Protocol: open spec signing agent identity into HTTP headers via RFC 9421 / Web Bot Auth, Ed25519, Visa key directory, launched with Cloudflare ~2025-10-14, 12 launch partners, layers over ACP/UCP: https://github.com/visa/trusted-agent-protocol , https://developer.visa.com/capabilities/trusted-agent-protocol , https://investor.visa.com/news/news-details/2025/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce/default.aspx . Listed for addition in research §2.", "agent_readiness_link": "agent-readiness/web-bot-auth", "layer_legacy": "identity" } }