
September 29, 2025 | PayGoingGlobal Team

How ChatGPT's Agentic Commerce Protocol Keeps Merchants in Control

Explore the five design decisions that power ChatGPT's new shopping experience—prioritizing merchant ownership, secure payments, and an open API ecosystem.

Tags: Agentic Commerce, ChatGPT, AI Shopping, OpenAI, Payments, Security

How ChatGPT's New Shopping System Actually Works (It's Not What You Think)

As AI agents like ChatGPT evolve from simple chatbots into tools that can perform real-world tasks, a new frontier is opening up: direct commerce. The idea of buying a product entirely within a chat conversation is compelling, but how would it actually work safely and efficiently? A close look at OpenAI's Agentic Commerce Protocol reveals five key design decisions that prioritize merchant control, robust security, and an open ecosystem over a closed, proprietary platform.

1. You're Still Buying Directly from the Merchant, Not OpenAI

When you make a purchase through ChatGPT, OpenAI is acting as a facilitator or a channel, not as the seller itself. The documentation is explicit that OpenAI is not the "merchant of record."

This means that all critical post-purchase activities remain firmly with the merchant and their chosen Payment Service Provider (PSP). These responsibilities include settlement, refunds, chargebacks, and compliance. This distinction is significant because it allows merchants to maintain their direct relationship with customers and control their own business logic—a stark contrast to closed marketplace models where the platform often becomes the merchant of record, intermediating the customer relationship.

2. Your Payment Info Is Wrapped in a Secure, Single-Use "Allowance"

The core of the system's security lies in the Delegated Payment Spec. When a purchase is initiated, ChatGPT securely shares your payment details with the merchant's PSP to create a temporary, scoped credential, or token.

This token is designed to be single-use and is constrained by a specific set of rules defined in an Allowance object. According to the specification, this object defines three key constraints on the transaction: a max_amount, a currency, and an expires_at timestamp. For the user, this design enhances security and privacy by ensuring the payment credential cannot be misused for other purchases or outside its narrowly defined limits.

Security by design: The Delegated Payment Spec ensures PSP-returned credentials are narrowly scoped and cannot be used outside the defined limits of the user-approved purchase.
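To make the scoping concrete, here is an added illustration (not code from OpenAI's specification or from any PSP) of how a PSP-side token store could enforce the three Allowance constraints named above plus the single-use rule. The TokenVault class, the use of integer minor units for max_amount, and the timezone-aware datetime for expires_at are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Allowance:
    """Constraints on a delegated payment credential (field names from the spec)."""
    max_amount: int        # assumed: minor units, e.g. cents
    currency: str          # ISO 4217 code such as "USD"
    expires_at: datetime   # assumed: timezone-aware expiry


class TokenVault:
    """Hypothetical PSP-side store that enforces the Allowance and single use."""

    def __init__(self) -> None:
        self._allowances: Dict[str, Allowance] = {}
        self._consumed: Set[str] = set()

    def issue(self, token_id: str, allowance: Allowance) -> None:
        self._allowances[token_id] = allowance

    def authorize(self, token_id: str, amount: int, currency: str,
                  now: datetime) -> Tuple[bool, str]:
        """Return (accepted, reason); the token is consumed only on success."""
        allowance = self._allowances.get(token_id)
        if allowance is None:
            return False, "unknown_token"
        if token_id in self._consumed:
            return False, "already_used"          # single-use rule
        if now >= allowance.expires_at:
            return False, "expired"
        if currency != allowance.currency:
            return False, "currency_mismatch"
        if amount <= 0 or amount > allowance.max_amount:
            return False, "amount_out_of_allowance"
        self._consumed.add(token_id)              # burn the token
        return True, "ok"


def demo() -> List[str]:
    """Walk the checks with constructed values; returns the reason codes in order."""
    vault = TokenVault()
    t0 = datetime(2025, 9, 29, 12, 0, tzinfo=timezone.utc)
    vault.issue("tok_a", Allowance(5000, "USD", t0 + timedelta(minutes=15)))
    vault.issue("tok_b", Allowance(5000, "USD", t0 + timedelta(minutes=15)))
    return [
        vault.authorize("tok_a", 6000, "USD", t0)[1],                      # over max_amount
        vault.authorize("tok_a", 4500, "EUR", t0)[1],                      # wrong currency
        vault.authorize("tok_a", 4500, "USD", t0)[1],                      # accepted, consumed
        vault.authorize("tok_a", 4500, "USD", t0)[1],                      # replay rejected
        vault.authorize("tok_b", 10, "USD", t0 + timedelta(hours=1))[1],   # past expires_at
    ]
```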

3. Merchants Control Their Entire Catalog via a Hyper-Detailed Product Feed

For any product to appear in ChatGPT, merchants must provide a structured Product Feed that serves as the source of truth. This gives merchants a granular level of control over their inventory. For instance, the feed includes OpenAI Flags like enable_search and enable_checkout, allowing merchants to toggle a product's discoverability and purchasability directly within ChatGPT.

The feed specification is extensive, covering everything from required basics like id, title, price, and availability to a rich set of recommended fields such as popularity_score, return_rate, and item_group_id for product variants. The specification goes even further, allowing merchants to provide data on Returns (return_rate), Performance Signals (popularity_score), Compliance (age_restriction), and even Reviews and Q&A (product_review_count), demonstrating a protocol built for rich, trustworthy shopping experiences, not just simple transactions. This approach matters because information like pricing and stock levels comes directly from the merchant, so it stays accurate and up-to-date, which improves user trust.

4. The Entire System Is a Suite of APIs, Not a Simple Plugin

It would be easy to mistake this functionality for a simple "buy button" plugin, but Agentic Commerce is a protocol built on a series of REST APIs that developers at merchant and payment companies must integrate with. The complexity of the system is evident in its different components:

This developer-centric approach means the system is flexible and powerful, designed for serious commerce integrations that can be deeply embedded into a company's existing infrastructure.

5. Risk and Fraud Detection Are a Collaborative Effort

The protocol is designed with a layered approach to security, including mechanisms for sharing risk information between all parties. When OpenAI sends a payment delegation request to a PSP, it includes a Risk Signal object. This allows it to pass along initial signals, such as a score for potential card_testing, and even suggest a recommended action like blocked or manual_review.

Furthermore, PSP implementations of the protocol, like Stripe's Shared Payment Token, incorporate their own risk details. This provides the merchant with scores on the likelihood of events like a fraudulent dispute, stolen card, card issuer decline, or even detection of a bot. This shows a sophisticated security model where the AI agent provides initial signals, but the merchant and their payment provider retain the authority to make the final decision on whether to accept a transaction.
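As an added example (not code from OpenAI, Stripe, or the protocol itself), here is a merchant-side policy that treats the agent's Risk Signal and the PSP's risk details as inputs but leaves the final accept/review/decline decision with the merchant, as the section describes. The dataclass shapes, the 0 to 1 score range, the field names beyond those on the page, and the thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed shapes: only card_testing, blocked and manual_review come from the
# page; other field names and the 0..1 score convention are assumptions.


@dataclass
class RiskSignal:
    """Signals the AI agent forwards with the payment delegation request."""
    card_testing: float = 0.0                  # assumed 0..1 likelihood
    recommended_action: Optional[str] = None   # "blocked" | "manual_review" | None


@dataclass
class PspRiskDetails:
    """Scores the PSP attaches to its own payment token (assumed 0..1 each)."""
    fraudulent_dispute: float = 0.0
    stolen_card: float = 0.0
    issuer_decline: float = 0.0
    bot: float = 0.0


DECLINE_THRESHOLD = 0.80   # assumed merchant policy values
REVIEW_THRESHOLD = 0.40


def merchant_decision(signal: RiskSignal, psp: PspRiskDetails) -> Tuple[str, List[str]]:
    """Merchant-owned policy: returns (decision, reasons) for audit logging."""
    scores = {"card_testing": signal.card_testing, **vars(psp)}
    reasons: List[str] = []

    # Hard stop: the agent explicitly recommends blocking, or any score is extreme.
    if signal.recommended_action == "blocked":
        reasons.append("agent_recommended_block")
    reasons += [f"{n}_score_{s:.2f}" for n, s in scores.items() if s >= DECLINE_THRESHOLD]
    if reasons:
        return "decline", reasons

    # Soft signals: the agent asks for review, or a score is elevated but not extreme.
    if signal.recommended_action == "manual_review":
        reasons.append("agent_recommended_review")
    reasons += [f"{n}_score_{s:.2f}" for n, s in scores.items() if s >= REVIEW_THRESHOLD]
    if reasons:
        return "manual_review", reasons

    return "approve", []
```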

A Merchant-First Future for AI Shopping

Ultimately, the Agentic Commerce Protocol is architected to empower merchants and payment providers, not displace them. It's a thoughtfully designed ecosystem that carefully balances the power of conversational AI with the critical needs of e-commerce: merchant control, robust security, and an open, standards-based approach for developers. As AI agents become a primary way we interact with the digital world, how will protocols like this reshape the future of e-commerce?

Further Reading

Want to dive deeper into the Agentic Commerce Protocol? Here are the essential resources:
