“Cloudflare-Browserbase axis of evil was not in my bingo card for 2025,” Y Combinator’s Garry Tan wrote on X in August, reacting to Cloudflare’s plan to give AI agents digital passports.
That remark now reflects an industry shift. Cloudflare has partnered with Visa, Mastercard, and American Express to create a system that lets merchants decide which AI agents to trust and which to block.
Visa launched the Trusted Agent Protocol, developed with Cloudflare’s Web Bot Auth, to verify AI agents before they transact online. Approved agents use cryptographic signatures to transmit intent, consumer recognition data, and payment credentials. Merchants validate these details to confirm legitimacy.
Jack Forestell, Visa’s Chief Product & Strategy Officer, said in a company statement that the protocol lets merchants “serve real customers without letting in bad bots.”
Cloudflare’s Chief Strategy Officer Stephanie Cohen said the company’s global network gives it a unique role in enabling this new trust layer. “The future of commerce is agentic, and Cloudflare is building the trusted foundation for it,” she said.
The system will extend across major networks. Mastercard is integrating Web Bot Auth into its Agent Pay framework. American Express will use it for its agentic commerce programs. Other payments firms (including Adyen, Checkout.com, and Worldpay) contributed feedback.
Cloudflare’s Chief Strategy Officer Stephanie Cohen
The Shift Toward Agentic Commerce
Visa says AI-driven traffic to U.S. e-commerce sites has surged 4,700 percent in the past year. As more users rely on AI assistants to shop, merchants face a new problem: standard bot filters can’t tell a legitimate AI agent from a scraper or card tester.
The Trusted Agent Protocol is Visa’s answer. It gives merchants a way to validate AI agents through digital signatures built on the HTTP Message Signature standard. It integrates with existing systems through Visa’s Developer Center and Cloudflare’s edge network.
Visa has invested heavily in AI. The company’s internal network runs more than 400 AI models to detect fraud and score risk across 300 billion annual transactions. Its “Intelligent Commerce” platform now embeds AI in payment routing, risk detection, and personalization.
Cloudflare’s recent changes show a similar push to control how AI interacts with the web. In July, the company began blocking AI crawlers by default, requiring explicit permission for access. It introduced Pay Per Crawl, which lets sites charge AI companies for scraping content.
Cloudflare said this change “rebalances” the economics between content creators and AI firms. In a July 1 blog post it declared “Content Independence Day,” saying no AI crawl should happen without approval or payment.
Publishers such as The Atlantic and BuzzFeed have joined its early access program.
The company is also building payment and identity layers for AI activity. It is launching the x402 Foundation with Coinbase to set open standards for agent payments and plans a NET Dollar stablecoin to support machine-to-machine transactions.
These moves connect Cloudflare’s business in security and networking with the growing AI economy. Together, they create a model where websites can authenticate, meter, and monetize AI access.
The New Rules of the AI Economy
Not everyone supports this direction. Garry Tan’s comment reflects concern that AI agents could require corporate approval to function. Other developers have raised similar concerns on GitHub and Reddit, arguing that digital passports for AI could restrict open innovation.
Visa and Cloudflare say the opposite: that open standards will prevent lock-in. Visa’s announcement notes ongoing work with the Internet Engineering Task Force, the OpenID Foundation, and EMVCo to make the protocol interoperable.
Still, there are other standards forming. Google recently released its Agent Payments Protocol (AP2), and OpenAI and Stripe are exploring their own agent frameworks. Analysts say this could fragment the market and slow adoption until compatibility improves.
Visa’s protocol also raises regulatory questions. The company is already under investigation by the U.S. Department of Justice over debit-routing rules and faces ongoing antitrust scrutiny in Europe. Giving Visa a new gatekeeping role in AI commerce could attract more oversight.
Merchants and developers are still evaluating how these systems fit into current infrastructure. Visa says onboarding for the Trusted Agent Protocol is open through its Developer Center. Cloudflare has added agent verification to its Bot Management tools so site owners can test the process.
For now, the focus is on making agentic commerce safe. Forestell said Visa’s goal is to ensure “sellers can trust AI agents as much as they trust their best customers.”
Cloudflare and Visa are building a trust system that defines how AI agents act online. If it becomes the default, agents may need verified credentials to read, buy, or pay across the web. That could change how the internet works for machines and everyone who relies on them.
