Zero-Trust Runtime Verification for Agentic Payment Protocols: Mitigating Replay and Context-Binding Failures in AP2

The deployment of autonomous AI agents capable of executing commercial transactions has motivated the adoption of mandate-based payment authorization protocols, including the Universal Commerce Protocol (UCP) and the Agent Payments Protocol (AP2). These protocols replace interactive, session-based authorization with cryptographically issued mandates, enabling asynchronous and autonomous execution. While AP2 provides specification-level guarantees through signature verification, explicit binding, and expiration semantics, real-world agentic execution introduces runtime behaviors such as retries, concurrency, and orchestration that challenge implicit assumptions about mandate usage. In this work, we present a security analysis of the AP2 mandate lifecycle and identify enforcement gaps that arise during runtime in agent-based payment systems. We propose a zero-trust runtime verification framework that enforces explicit context binding and consume-once mandate semantics using dynamically generated, time-bound nonces, ensuring that authorization decisions are evaluated at execution time rather than assumed from static issuance properties. Through simulation-based evaluation under high concurrency, we show that context-aware binding and consume-once enforcement address distinct and complementary attack classes, and that both are required to prevent replay and context-redirect attacks. The proposed framework mitigates all evaluated attacks while maintaining stable verification latency of approximately 3.8~ms at throughput levels up to 10{,}000 transactions per second. We further demonstrate that the required runtime state is bounded by peak concurrency rather than cumulative transaction history, indicating that robust runtime security for agentic payment execution can be achieved with minimal and predictable overhead.

💡 Research Summary

The paper investigates security weaknesses that arise when autonomous AI agents execute payments using the Agent Payments Protocol (AP2), a mandate‑based authorization scheme designed for headless, asynchronous commerce. While AP2’s specification guarantees cryptographic integrity, authenticity, and expiration of mandates, it makes no explicit assumptions about how those mandates are consumed at runtime. Modern agentic systems, however, exhibit behaviors such as automatic retries, parallel tool invocations, inter‑agent delegation, and extensive observability pipelines. These patterns create four concrete threat classes: (T1) same‑context replay, where a valid mandate is submitted repeatedly within its validity window; (T2) cross‑context replay, where a mandate intended for one merchant or task is redirected to another; (T3) leakage‑induced misuse, where sensitive metadata embedded in the mandate is exposed through logs or tracing systems and later abused; and (T4) observability‑based replay, where an attacker harvests mandates from unencrypted monitoring streams. The authors argue that AP2’s static guarantees are insufficient to mitigate these threats because the protocol does not require consume‑once enforcement or strict execution‑time context binding.

To close this gap, the authors propose the Zero‑Trust Runtime Verifier (ZTRV), a middleware component positioned between autonomous agents and merchant/payment service provider back‑ends. ZTRV enforces three security goals: (1) prevent replay under high concurrency and retries, (2) bind each mandate to its intended execution context, and (3) fail closed on any verification error. The design consists of a three‑stage verification pipeline. First, a Context‑Binder recomputes a cryptographic hash of the execution context (task ID, agent ID, merchant ID, scope) and compares it with the hash embedded in the signed mandate. Any mismatch results in immediate rejection, thereby guaranteeing that a mandate cannot be reused across different tasks, agents, or merchants. Second, a Dynamic Nonce Registry implements consume‑once semantics. Each mandate carries a unique nonce; the verifier performs an atomic check‑and‑set operation against a sliding‑window data structure (Δt) that automatically expires entries after a bounded interval. This approach provides replay protection with bounded state that scales with peak concurrency rather than total transaction volume. Third, the verifier performs the standard AP2 checks (signature validation, expiration, key binding). The entire process is formalized in Algorithm 1 and follows a fail‑closed policy.

The authors evaluate ZTRV using a Python‑based microservice prototype and a simulated workload that mimics autonomous agents issuing payment requests. Two configurations are compared: (a) a baseline verifier that implements only the AP2‑specified checks, and (b) the full ZTRV implementation. Security experiments replay each of the four threat scenarios 10 000 times. The baseline allows replay in 30 %–100 % of cases, depending on the scenario, whereas ZTRV blocks 100 % of attempts, confirming that both context binding and nonce enforcement are required to eliminate the attack surface. Performance measurements show that ZTRV adds an average latency of 3.8 ms per request (standard deviation 0.4 ms) while sustaining up to 10 000 transactions per second. The nonce registry’s memory footprint remains under 2 MB even at peak concurrency, demonstrating that the required runtime state is modest and predictable.

The discussion acknowledges limitations such as reliance on a single‑region Redis instance for the nonce store and the need for a policy framework to customize which context attributes are bound. Future work includes extending the design to multi‑region, highly available deployments, integrating with other mandate‑based standards (e.g., Universal Commerce Protocol, WebAuthn), and exploring formal verification of the runtime logic.

In conclusion, the paper shows that applying a zero‑trust mindset to payment mandates—by verifying authorization decisions at execution time rather than assuming correctness from static issuance—provides robust protection against replay and context‑binding attacks in highly concurrent, autonomous agent environments. ZTRV demonstrates that strong security can be achieved with minimal overhead, offering a practical blueprint for securing the next generation of agent‑driven commerce.