[startups]May 6, 2026 3 min read

Inside AMEX's agentic commerce stack: intent contracts and single-use tokens

Agentic commerce at American Express just got its most concrete shape yet: the company is building infrastructure that lets AI agents execute purchases on behalf of users, using single-use tokens and intent contracts to enforce transaction boundaries. It's the most payment-layer-complete attempt in this space so far — and it still has a trust problem.

Why Amex has a structural edge nobody else does

Amex isn't just a card issuer — it also runs its own payment network, which Visa and Mastercard don't do directly, and which banks like Chase or Bank of America can't replicate. That closed-loop position is exactly what the ACE (Agentic Commerce Experiences) developer kit exploits to validate AI-initiated transactions end-to-end without relying on external parties. Luke Gebb, Amex's EVP and global head of innovation, told VentureBeat this is "the first time that an issuer is coming to the table."

What the ACE kit actually does

ACE gives developers access to five integrated services:

Agent registration: establishes mutual identity and trust between the user's agent and the merchant's agent before any transaction begins.
Account enablement: links the user's Amex account to their agent and grants purchase permissions.
Intent intelligence: the user defines what they want, and the system generates an Intent ID and a Proof of Intent Token — a cryptographic record usable in disputes.
Payment credentials: a single-use token is created, hard-bound to the user's constraints — say, a $500 spending cap that the token physically cannot exceed.
Cart context: the agent can verify that items in the cart actually match the original stated intent.

As Gebb put it: "If they said they only wanted to spend $500, that token won't allow for a purchase" above that limit. Clean in theory. The execution is where things get murky.

The part nobody wants to say out loud: the black box

Here's the uncomfortable part. Amex says ACE performs intent validation — but won't explain how. It describes at which layer validation happens while abstracting how it actually works. Raj Ananthanpillai, CEO of identity verification provider Trua, is blunt about it: systems like ACE, Stripe's Agentic Commerce Suite, and Google's Verifiable Intent proof chain "excel at handling proofs and verifiable authorizations, but leave upstream human validation opaque and underdeveloped." Without a high-assurance cryptographic link proving an agent is acting under the explicit authority of a verified human, merchants and issuers still face real exposure to fraud, massive chargebacks, and repudiation risk.

What this means for the payments industry

Amex is planting a flag in territory nobody had seriously occupied: the payment layer of agentic commerce. Its participation in Google's Agent Pay Protocol (AP2) signals it also wants a seat at the interoperability table — not just a proprietary solution. That move puts quiet pressure on Visa, Mastercard, and large card-issuing banks to rethink where they stand, because in a world where AI agents execute purchases autonomously, whoever controls intent validation controls trust.

What happens next: standard or fragmentation

The real test for ACE isn't technical — it's adoption. If developers build on it and merchants integrate it, Amex could set a de facto standard before any official one exists. But if black boxes persist and regulators start pushing on auditability — which they will — the entire agentic commerce ecosystem risks splintering into incompatible proprietary stacks. Transparency here isn't a nice-to-have; it's the prerequisite for any of this working at scale.

The question worth sitting with: can a company that operates its own closed loop genuinely be the neutral trust arbiter that agentic commerce needs?