Visa TAP
An open specification that signs an AI agent's identity into HTTP request headers so any merchant can cryptographically verify the agent is legitimate before agent-driven checkout.
- name
- Visa TAP
- full_name
- Visa Trusted Agent Protocol
- layer
- payments
- creator
- Visa (with Cloudflare)
- status
- live (launched Oct 2025)
- year
- 2025
- spec_url
- https://developer.visa.com/capabilities/trusted-agent-protocol
- snippet
RFC 9421 HTTP message signatures over Web Bot Auth → merchant verifies agent against Visa's key directory.
- abbreviation
- Visa TAP
- also_known_as
Trusted Agent Protocol, Visa TAP, TAP
- canonical_spec_url
- https://developer.visa.com/capabilities/trusted-agent-protocol/trusted-agent-protocol-specifications
- entity_uri
- https://github.com/visa/trusted-agent-protocol
- taxonomy_layer
- identity
- sub_layer
- agent-identity-for-commerce
- protocol_type
- verification
- central_problem
- Lets a merchant cryptographically answer one question at agent-driven checkout — is this AI agent legitimate — by verifying a signed agent identity carried in HTTP headers, distinguishing real agents from malicious bots.
- maintainer
- Visa (visa/trusted-agent-protocol), announced with Cloudflare
- governance_body
- vendor (Visa); open specification
- license
- — (verify against primary source: https://github.com/visa/trusted-agent-protocol)
- maturity_tag
- emerging
- current_spec_version
- — (verify against primary source: https://developer.visa.com/capabilities/trusted-agent-protocol/trusted-agent-protocol-specifications)
- spec_date
- — (verify against primary source: https://developer.visa.com/capabilities/trusted-agent-protocol/trusted-agent-protocol-specifications)
- launch_date
- 2025-10-14 (verify against primary source: https://investor.visa.com/news/news-details/2025/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce/default.aspx)
- last_verified
- 2026-06-15
- transport
- HTTP Message Signatures (RFC 9421) over the Web Bot Auth pattern; Ed25519; Visa-operated key directory
- core_mechanism
- Visa TAP signs an approved agent's identity into HTTP request headers using RFC 9421 HTTP Message Signatures built on the emerging Web Bot Auth standard; merchants verify the Ed25519 signature against a Visa-operated directory of agent public keys. Agents are vetted through Visa's Intelligent Commerce program and issued a unique key. TAP sits as an identity wrapper in front of whatever payment rail the merchant runs, layering on top of agent-commerce protocols like ACP and UCP.
- discovery_endpoint
- Signed HTTP request headers verified against Visa's agent public-key directory
- settlement_type
- —
- adoption_metric
- Announced with launch partners including Adyen, Ant International, Checkout.com, Coinbase, Cybersource, Elavon, Fiserv, Microsoft, Nuvei, Shopify, Stripe, and Worldpay
- notable_adopters
{"value":"Visa (creator)","source":"https://github.com/visa/trusted-agent-protocol"}
{"value":"Cloudflare (co-announcer)","source":"https://investor.visa.com/news/news-details/2025/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce/default.aspx"}
- relationships
{"predicate":"built_on","target":"web-bot-auth","note":"Visa TAP -built_on-> Web Bot Auth: it uses RFC 9421 HTTP Message Signatures over the Web Bot Auth pattern to sign agent identity."}
{"predicate":"complements","target":"acp-commerce","note":"TAP is an identity wrapper that layers on top of agent-commerce protocols like ACP and UCP, verifying the agent before checkout."}
- ideal_use_case
- Letting merchants verify that an AI agent attempting checkout is a vetted, legitimate agent before processing payment.
- when_to_use
- When you run agent-driven commerce and need to cryptographically distinguish legitimate, Visa-vetted agents from malicious bots at the request layer.
- when_not_to_use
- When you need the payment/settlement itself (use AP2/ACP/x402) — TAP only verifies identity — or you don't want a Visa-operated directory in the loop.
- code_example
```
Signature-Agent: "https://agent.visa-vetted.example"
Signature-Input: sig1=("@authority" "signature-agent");keyid="visa-key-id";alg="ed25519"
Signature: sig1=:<base64 ed25519 signature>:
# Merchant verifies against Visa's agent public-key directory (RFC 9421).
```
- source
- Visa Trusted Agent Protocol: open spec signing agent identity into HTTP headers via RFC 9421 / Web Bot Auth, Ed25519, Visa key directory, launched with Cloudflare ~2025-10-14, 12 launch partners, layers over ACP/UCP: https://github.com/visa/trusted-agent-protocol , https://developer.visa.com/capabilities/trusted-agent-protocol , https://investor.visa.com/news/news-details/2025/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce/default.aspx . Listed for addition in research §2.
- agent_readiness_link
- agent-readiness/web-bot-auth
- layer_legacy
- identity