# Visa TAP > An open specification that signs an AI agent's identity into HTTP request headers so any merchant can cryptographically verify the agent is legitimate before agent-driven checkout. _The Agent Protocol Atlas · /protocols/visa-tap · [JSON](/api/protocols/visa-tap) · [all The Agent Protocol Atlas](/protocols)_ - **name:** Visa TAP - **full_name:** Visa Trusted Agent Protocol - **layer:** payments - **creator:** Visa (with Cloudflare) - **status:** live (launched Oct 2025) - **year:** 2025 - **one_liner:** An open specification that signs an AI agent's identity into HTTP request headers so any merchant can cryptographically verify the agent is legitimate before agent-driven checkout. - **spec_url:** https://developer.visa.com/capabilities/trusted-agent-protocol - **snippet:** ``` RFC 9421 HTTP message signatures over Web Bot Auth → merchant verifies agent against Visa's key directory. ``` - **abbreviation:** Visa TAP - **also_known_as:** Trusted Agent Protocol, Visa TAP, TAP - **canonical_spec_url:** https://developer.visa.com/capabilities/trusted-agent-protocol/trusted-agent-protocol-specifications - **entity_uri:** https://github.com/visa/trusted-agent-protocol - **taxonomy_layer:** identity - **sub_layer:** agent-identity-for-commerce - **protocol_type:** verification - **central_problem:** Lets a merchant cryptographically answer one question at agent-driven checkout — is this AI agent legitimate — by verifying a signed agent identity carried in HTTP headers, distinguishing real agents from malicious bots. - **maintainer:** Visa (visa/trusted-agent-protocol), announced with Cloudflare - **governance_body:** vendor (Visa); open specification - **license:** — (verify-against-primary-at-build) - **maturity_tag:** emerging - **current_spec_version:** — (verify-against-primary-at-build) - **spec_date:** — (verify-against-primary-at-build) - **launch_date:** 2025-10-14 - **last_verified:** 2026-06-15 - **transport:** HTTP Message Signatures (RFC 9421) over the Web Bot Auth pattern; Ed25519; Visa-operated key directory - **core_mechanism:** Visa TAP signs an approved agent's identity into HTTP request headers using RFC 9421 HTTP Message Signatures built on the emerging Web Bot Auth standard; merchants verify the Ed25519 signature against a Visa-operated directory of agent public keys. Agents are vetted through Visa's Intelligent Commerce program and issued a unique key. TAP sits as an identity wrapper in front of whatever payment rail the merchant runs, layering on top of agent-commerce protocols like ACP and UCP. - **discovery_endpoint:** Signed HTTP request headers verified against Visa's agent public-key directory - **settlement_type:** — - **adoption_metric:** Announced with launch partners including Adyen, Ant International, Checkout.com, Coinbase, Cybersource, Elavon, Fiserv, Microsoft, Nuvei, Shopify, Stripe, and Worldpay (source: https://investor.visa.com/news/news-details/2025/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce/default.aspx) - **notable_adopters:** {"value":"Visa (creator)","source":"https://github.com/visa/trusted-agent-protocol"}, {"value":"Cloudflare (co-announcer)","source":"https://investor.visa.com/news/news-details/2025/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce/default.aspx"} - **relationships:** {"predicate":"built_on","target":"web-bot-auth","note":"Visa TAP -built_on-> Web Bot Auth: it uses RFC 9421 HTTP Message Signatures over the Web Bot Auth pattern to sign agent identity."}, {"predicate":"complements","target":"acp-commerce","note":"TAP is an identity wrapper that layers on top of agent-commerce protocols like ACP and UCP, verifying the agent before checkout."} - **ideal_use_case:** Letting merchants verify that an AI agent attempting checkout is a vetted, legitimate agent before processing payment. - **when_to_use:** When you run agent-driven commerce and need to cryptographically distinguish legitimate, Visa-vetted agents from malicious bots at the request layer. - **when_not_to_use:** When you need the payment/settlement itself (use AP2/ACP/x402) — TAP only verifies identity — or you don't want a Visa-operated directory in the loop. - **code_example:** Signature-Agent: "https://agent.visa-vetted.example" Signature-Input: sig1=("@authority" "signature-agent");keyid="visa-key-id";alg="ed25519" Signature: sig1=:: # Merchant verifies against Visa's agent public-key directory (RFC 9421). - **source:** Visa Trusted Agent Protocol: open spec signing agent identity into HTTP headers via RFC 9421 / Web Bot Auth, Ed25519, Visa key directory, launched with Cloudflare ~2025-10-14, 12 launch partners, layers over ACP/UCP: https://github.com/visa/trusted-agent-protocol , https://developer.visa.com/capabilities/trusted-agent-protocol , https://investor.visa.com/news/news-details/2025/Visa-Introduces-Trusted-Agent-Protocol-An-Ecosystem-Led-Framework-for-AI-Commerce/default.aspx . Listed for addition in research §2. - **agent_readiness_link:** agent-readiness/web-bot-auth - **layer_legacy:** identity