Agentic Commerce Protocol Integration
Enable secure agentic purchases using Basis Theory Elements with the Agentic Commerce Protocol and Stripe's Shared Payment TokensThis guide walks you through implementing the Agentic Commerce Protocol (ACP) with Basis Theory Elements, enabling AI agents to securely make purchases on behalf of consumers. You'll learn how to collect payment credentials securely and create Shared Payment Tokens that agents can use across ACP-enabled merchants.
What You'll Learn
- How to securely collect payment credentials using Basis Theory Elements
- Creating Stripe payment methods from tokenized card data
- Generating Shared Payment Tokens for agentic commerce
- Enabling purchases across ACP-compatible merchants and AI platforms
Why Agentic Commerce Protocol Matters
The Agentic Commerce Protocol is an open standard for programmatic commerce flows between buyers, AI agents, and businesses. Developed collaboratively by Stripe and OpenAI, ACP defines a common language for how agents and businesses transact, including coordinating checkout and securely sharing payment credentials.
Key benefits of ACP:
- Open Standard: Community-designed under Apache 2.0 license, allowing any business to implement the specification
- Business Control: Merchants maintain customer relationships as the merchant of record, controlling product presentation and order fulfillment
- Secure Credentials: Payment tokens have usage limits and expiry windows without revealing PANs or raw credentials
- Platform Agnostic: Works with any AI agent or payment processor that implements the standard
Stripe is the first payment service provider to implement ACP with Shared Payment Tokens, with more merchants and platforms expected to adopt the protocol. OpenAI has integrated ACP into ChatGPT's Instant Checkout feature, enabling users to make purchases directly within AI conversations.
Prerequisites
Basis Theory Account
You'll need a Basis Theory account to securely collect and tokenize payment credentials. Sign up for free if you don't have an account.
Stripe Account
A Stripe account is required to create payment methods and Shared Payment Tokens. The examples in this guide use Stripe's implementation of ACP.
Understanding of Payment Flows
Basic familiarity with payment processing concepts and API integration will help you follow along with the examples.
1. Collecting Card Data with Elements
Use Basis Theory Elements to securely collect and tokenize credit card data without your systems ever touching sensitive information. This approach maintains PCI compliance while providing the flexibility to use tokens with any payment processor.
Public Application
You will need a Public Application to authenticate requests. Click here to create one using the Basis Theory Customer Portal.
This will create an application with the following Access Controls:
- Permissions:
token:create
key from the created Public Application as it will be used later in this guide.Configure Elements SDK
Basis Theory Elements are available for multiple platforms. Choose your preferred technology:
Add Card Elements to Your Application
Once configured, add Card Elements to securely capture payment credentials:
- JavaScript
- React
<div id="cardNumber"></div>
<div style="display: flex;">
<div id="cardExpirationDate" style="width: 100%;"></div>
<div id="cardVerificationCode" style="width: 100%;"></div>
</div>
<button id="submit">Create Payment Method</button>
import { basistheory } from '@basis-theory/web-elements';
let bt;
let cardNumberElement;
let cardExpirationDateElement;
let cardVerificationCodeElement;
async function init() {
bt = await basistheory('<PUBLIC_API_KEY>');
// Create Elements instances
cardNumberElement = bt.createElement('cardNumber', {
targetId: 'cardNumber'
});
cardExpirationDateElement = bt.createElement('cardExpirationDate', {
targetId: 'cardExpiration'
});
cardVerificationCodeElement = bt.createElement('cardVerificationCode', {
targetId: 'cardVerification'
});
// Mount Elements in the DOM
await Promise.all([
cardNumberElement.mount('#cardNumber'),
cardExpirationDateElement.mount('#cardExpirationDate'),
cardVerificationCodeElement.mount('#cardVerificationCode'),
]);
// Bind card brand to verification code element
cardNumberElement.on('change', ({ cardBrand }) => {
cardVerificationCodeElement.update({ cardBrand });
});
document.getElementById("submit").addEventListener("click", createPaymentMethod);
}
init();
import React, { useRef, useState } from 'react';
import {
BasisTheoryProvider,
CardNumberElement,
CardExpirationDateElement,
CardVerificationCodeElement,
useBasisTheory,
} from '@basis-theory/react-elements';
export default function App() {
const { bt } = useBasisTheory('<PUBLIC_API_KEY>');
const cardNumberRef = useRef(null);
const cardExpirationRef = useRef(null);
const cardVerificationRef = useRef(null);
const [cardBrand, setCardBrand] = useState();
return (
<BasisTheoryProvider bt={bt}>
<CardNumberElement
id="cardNumber"
ref={cardNumberRef}
onChange={({ cardBrand }) => setCardBrand(cardBrand)}
/>
<div style={{ display: 'flex' }}>
<div style={{ width: "100%" }}>
<CardExpirationDateElement
id="cardExpiration"
ref={cardExpirationRef}
/>
</div>
<div style={{ width: "100%" }}>
<CardVerificationCodeElement
id="cardVerification"
ref={cardVerificationRef}
cardBrand={cardBrand}
/>
</div>
</div>
<button onClick={createPaymentMethod}>Create Payment Method</button>
</BasisTheoryProvider>
);
}
Tokenize Card Data
Create a Basis Theory token from the collected card data:
- JavaScript
- React
async function createPaymentMethod() {
try {
// First, create a Basis Theory token
const token = await bt.tokens.create({
type: 'card',
data: {
number: cardNumberElement,
expiration_month: cardExpirationDateElement.month(),
expiration_year: cardExpirationDateElement.year(),
cvc: cardVerificationCodeElement,
}
});
console.log('Basis Theory token created:', token.id);
// Send token to your backend for Stripe integration
const response = await fetch('/api/create-stripe-payment-method', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
tokenId: token.id
})
});
const result = await response.json();
console.log('Stripe payment method created:', result.paymentMethodId);
} catch (error) {
console.error('Error:', error);
}
}
const createPaymentMethod = async () => {
try {
// Create Basis Theory token
const token = await bt?.tokens.create({
type: 'card',
data: {
number: cardNumberRef.current,
expiration_month: cardExpirationRef.current.month(),
expiration_year: cardExpirationRef.current.year(),
cvc: cardVerificationRef.current,
}
});
console.log('Basis Theory token created:', token.id);
// Send to backend for Stripe integration
const response = await fetch('/api/create-stripe-payment-method', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
tokenId: token.id
})
});
const result = await response.json();
console.log('Stripe payment method created:', result.paymentMethodId);
} catch (error) {
console.error('Error:', error);
}
}
2. Create Stripe Payment Methods
Once you have a Basis Theory token, use it to create Stripe payment methods through your backend. When using Basis Theory tokens with Stripe.
curl -X POST https://api.stripe.com/v1/payment_methods \
-u "sk_test_...:" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "type=card" \
-d "card[number]={{ token: <token_id> | json '$.data.number' }}" \
-d "card[exp_month]={{token: <token_id> | json '$.data.expiration_month'}}" \
-d "card[exp_year]={{token: <token_id> | json '$.data.expiration_year' }}" \
-d "card[cvc]={{token: <token_id> | json '$.data.cvc' }}"
Response:
{
"id": "pm_1234567890",
"object": "payment_method",
"type": "card",
"card": {
"brand": "visa",
"last4": "4242",
"exp_month": 12,
"exp_year": 2025
},
...
}
3. Create Shared Payment Token
With a Stripe payment method created, generate a Shared Payment Token for agentic commerce. This token can be safely shared with AI agents and has built-in usage limits and expiration controls.
curl -X POST https://api.stripe.com/v1/shared_payment/issued_tokens \
-u "sk_test_...:" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "payment_method=pm_1234567890" \
-d "usage_limits[currency]=usd" \
-d "usage_limits[max_amount]=10000" \
-d "usage_limits[expires_at]=1735689600" \
-d "seller_details[network_id]=your_network_id" \
-d "seller_details[external_id]=customer_12345"
Response:
{
"id": "spt_1234567890",
"object": "shared_payment.issued_token",
"payment_method": "pm_1234567890",
"usage_limits": {
"currency": "usd",
"max_amount": 10000,
"expires_at": 1735689600
},
"seller_details": {
"network_id": "your_network_id",
"external_id": "customer_12345"
},
"status": "active"
}
Usage Limits Configuration
Configure appropriate limits for your use case:
max_amount: Maximum transaction amount in centscurrency: Three-letter ISO currency codeexpires_at: Unix timestamp for token expirationnetwork_id: Your business network identifierexternal_id: Optional identifier for tracking (customer ID, cart ID, etc.)
4. Enable Agentic Commerce Purchases
Once you have a Shared Payment Token, AI agents can use it to make purchases across any ACP-enabled merchant. The token provides secure access to payment credentials without exposing sensitive card data.
How Agents Use Shared Payment Tokens
AI agents receive the Shared Payment Token ID and can create payments on ACP-compatible merchants:
curl -X POST https://api.stripe.com/v1/payment_intents \
-u "sk_test_merchant_key:" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "amount=5000" \
-d "currency=usd" \
-d "shared_payment_granted_token=spt_1234567890"
The merchant receives a new PaymentMethod automatically created from the shared token, containing only non-sensitive data like card brand and last 4 digits.
FAQ
Can I use other payment processors with ACP?
Currently, Stripe is the first payment service provider to implement ACP with Shared Payment Tokens. As the protocol is open source, other processors are expected to add support in the future.
How secure are Shared Payment Tokens?
Shared Payment Tokens never expose raw payment credentials like PANs. They include built-in usage limits, expiration times, and risk assessment data. The underlying payment method data is replicated without sensitive information.