Zero-Trust Runtime Verification for Agentic Payment Protocols: Mitigating Replay and Context-Binding Failures in AP2

Qianlong Lan, Anuj Kaul, Shaun Jones, Stephanie Westrum

TL;DR

The paper addresses security gaps in mandate-based payments for autonomous agents (AP2) where runtime behaviors such as retries and orchestration can undermine static guarantees. It introduces a Zero-Trust Runtime Verifier (ZTRV) that enforces runtime mandate usage through context-aware binding, via $H_{\text{ctx}} = \text{SHA256}(\text{task.id} \parallel \text{agent.id} \parallel \text{merchant.id} \parallel \text{scope})$, and consume-once semantics using a dynamic nonce registry with a time window $\Delta t$. Evaluation under high concurrency shows 100% interception of replay and context-binding attacks with a stable ~3.8 ms verification latency at 10,000 TPS, and state that scales with peak concurrency rather than history. The results demonstrate that runtime enforcement can bridge the gap between protocol guarantees and real deployments, suggesting practical integration with gateway/sidecar architectures and future enhancements such as Trusted Execution Environments (TEEs).

Abstract

The deployment of autonomous AI agents capable of executing commercial transactions has motivated the adoption of mandate-based payment authorization protocols, including the Universal Commerce Protocol (UCP) and the Agent Payments Protocol (AP2). These protocols replace interactive, session-based authorization with cryptographically issued mandates, enabling asynchronous and autonomous execution. While AP2 provides specification-level guarantees through signature verification, explicit binding, and expiration semantics, real-world agentic execution introduces runtime behaviors such as retries, concurrency, and orchestration that challenge implicit assumptions about mandate usage. In this work, we present a security analysis of the AP2 mandate lifecycle and identify enforcement gaps that arise during runtime in agent-based payment systems. We propose a zero-trust runtime verification framework that enforces explicit context binding and consume-once mandate semantics using dynamically generated, time-bound nonces, ensuring that authorization decisions are evaluated at execution time rather than assumed from static issuance properties. Through simulation-based evaluation under high concurrency, we show that context-aware binding and consume-once enforcement address distinct and complementary attack classes, and that both are required to prevent replay and context-redirect attacks. The proposed framework mitigates all evaluated attacks while maintaining stable verification latency of approximately 3.8 ms at throughput levels up to 10,000 transactions per second. We further demonstrate that the required runtime state is bounded by peak concurrency rather than cumulative transaction history, indicating that robust runtime security for agentic payment execution can be achieved with minimal and predictable overhead.
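The two checks described above, context binding via $H_{\text{ctx}}$ and consume-once nonces with a validity window $\Delta t$, can be sketched as follows. This is an added example, not the paper's algorithm or code: `h_ctx`, `NonceRegistry`, the status strings, the length-prefixed field encoding and the issue-then-consume flow are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, threading, time

def h_ctx(task_id, agent_id, merchant_id, scope):
    # SHA256(task.id || agent.id || merchant.id || scope). Assumption added
    # here: each field is length-prefixed so ("ab","c") != ("a","bc").
    h = hashlib.sha256()
    for field in (task_id, agent_id, merchant_id, scope):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()

class NonceRegistry:  # consume-once nonces, each bound to one context
    def __init__(self, delta_t, clock=time.monotonic):
        self.delta_t, self.clock = delta_t, clock
        self._live = {}  # nonce -> (context hash, expiry)
        self._lock = threading.Lock()

    def issue(self, ctx):
        nonce = secrets.token_hex(16)
        with self._lock:
            self._evict()
            self._live[nonce] = (ctx, self.clock() + self.delta_t)
        return nonce

    def verify_and_consume(self, nonce, ctx):
        with self._lock:  # lookup and delete are one atomic step
            entry = self._live.pop(nonce, None)
        if entry is None:
            return "REJECT_REPLAY_OR_UNKNOWN"
        bound_ctx, expiry = entry  # nonce is burned even if a check below fails
        if self.clock() > expiry:
            return "REJECT_EXPIRED"
        if not hmac.compare_digest(bound_ctx, ctx):
            return "REJECT_CONTEXT_MISMATCH"
        return "ACCEPT"

    def _evict(self):  # caller holds the lock
        now = self.clock()
        for n in [n for n, (_, exp) in self._live.items() if exp < now]:
            del self._live[n]

    def size(self):
        with self._lock:
            self._evict()
            return len(self._live)

if __name__ == "__main__":
    reg, ctx = NonceRegistry(delta_t=30), h_ctx("task-1", "agent-A", "merchant-X", "pay")
    n = reg.issue(ctx)
    print(reg.verify_and_consume(n, ctx), reg.verify_and_consume(n, ctx))
```

Because expired entries are evicted on each issue, the registry holds only nonces issued within the last $\Delta t$, which is why state tracks peak concurrency rather than transaction history.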

Paper Structure (32 sections, 1 equation, 5 figures, 2 tables, 1 algorithm)

This paper contains 32 sections, 1 equation, 5 figures, 2 tables, 1 algorithm.

Figures (5)

  • Figure 1: Zero-Trust Runtime Verifier (ZTRV) architecture
  • Figure 2: Attack Interception Rate: Baseline vs. ZTRV.
  • Figure 3: Processing Latency under increasing system load.
  • Figure 4: Ablation study of attack interception rates under different verifier configurations. Context-aware binding and consume-once enforcement address complementary attack classes; only their combination (ZTRV) mitigates all evaluated attacks.
  • Figure 5: Nonce registry size and estimated memory usage as a function of the nonce validity window ($\Delta t$) at 10,000 TPS. Storage scales with peak concurrency and plateaus once $\Delta t$ exceeds the experiment duration.