There is a thing happening in payments right now that almost no one outside the industry is paying attention to, and it is, I think, more important than most of the things people are paying attention to. It is the small, technical, slightly boring question of what happens when the thing trying to buy something is not a person.
The popular framing of this question is "agentic commerce," which is mostly a marketing term for the idea that an AI assistant will, at some point soon, book your flights and reorder your printer toner. The discourse around this — and there is a surprisingly large amount of discourse — tends to focus on the parts that look most like the existing internet. How does the agent find the product? How does it complete a checkout form? Will there be a new browser? Will OpenAI build a Shopify killer? These are reasonable questions and they are not the question that matters.
The question that matters is the one nobody asks at parties: what credential is the agent supposed to use?
I have spent the last year building infrastructure for this problem, in a company called Grantex. Before that, a decade shipping consumer credit and lending products at Quicken Loans, Nissan, Ford Credit, Guaranteed Rate, and a stint at PwC consulting for a major financial institution. I have come away from the Grantex build with a small number of strong opinions, most of which I cannot find expressed anywhere in the public conversation, and which I want to write down before they become obvious enough that everyone claims to have always thought them. This is that essay.
The thing that is wrong with every existing credential
Start with a fact that sounds trivial and isn't: every payment credential currently in widespread use was designed for a human.
I do not mean this in the squishy "humans-first" way that consumer tech people sometimes use the phrase. I mean it in the literal, technical sense. A credit card number is sixteen digits long because human eyes can scan sixteen digits without losing their place. The CVV exists because humans can be trusted to look at the back of a card and humans cannot be trusted to look at the back of a card they have not seen. The expiration date is two two-digit numbers because humans write dates that way. The signature panel, vestigial now, was once load-bearing for the same reason. The entire credential — its length, its structure, its security model, the rituals that attend its use — was designed around a creature with eyes, hands, and a tendency to leave things in restaurants.
None of this is a complaint. The credit card is a remarkable piece of engineering and it is, on balance, an enormous success. The reason I am writing it down is that the same properties that make a credit card good for a human make it bad for an agent, and the gap between those two facts is the entire opportunity.
An agent does not have eyes. An agent does not lose things in restaurants. An agent is, structurally, more like a small piece of automation talking to another small piece of automation than it is like a human shopper. Giving an agent a sixteen-digit number that it must store, protect, present at checkout, and rotate when compromised, is asking the wrong question. It is the answer to a different problem.
If you sit down with a clean piece of paper and ask "what would a payment credential designed for an agent actually look like," you arrive somewhere very different from where the industry currently is. You arrive at a credential that is:
- Single use. The agent does not need to remember it. There is no advantage to persistence and significant downside.
- Created on demand. No standing balance, no shared secret, no leakage surface. The credential does not exist until the agent needs it and ceases to exist immediately after.
- Machine-readable. The agent must be able to ask the credential what it is, what it can do, and what limits it carries — and get back an answer in a format it can reason about. Not a static number printed on a piece of plastic with no metadata.
- Network-enforced. The controls on the credential are enforced by the payment network itself, not by software running on the agent's side. The agent cannot reason its way around them because they are not in its layer.
None of these properties are individually novel. Virtual cards have been around for twenty years. Spend controls have been around longer. Single-use cards exist in corporate cards and in fraud-response flows. What is novel is treating the union of these properties as the default credential rather than a niche product, and making the credential itself interrogatable by software. Which brings me to the line I keep saying out loud and which I cannot find written down anywhere else:
The agent cannot work with a credential it cannot interrogate.
A static card number is invisible to an agent making a routing decision. The agent knows it has a card. It does not know whether the card will work at this merchant, in this category, at this amount. It does not know whether the card has been previously declined. It does not know whether the card has spending policies attached that will cause an authorization to fail for reasons the agent could have predicted. The card, from the agent's perspective, is opaque.
This is fine for a human. A human can call the bank. The agent cannot call the bank. Or rather, the agent can call the bank, but the bank does not have an API for "what is this card actually allowed to do right now," and even if it did, the latency of that conversation would be longer than the latency budget for the transaction itself. The bank's customer service phone tree is, in a real sense, the bottleneck for the agentic internet.
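The four properties above, and the interrogation requirement, as an added example (not Grantex's code or API, and not any real card network's): a hypothetical in-memory `Network` class issues a single-use credential on demand, answers what it currently allows, and enforces the limits on its own side of the boundary. Every name, field and category code here is constructed for illustration.

```python
import secrets, time
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:  # hypothetical policy record, held by the network, not the agent
    max_amount_cents: int
    allowed_mccs: frozenset
    expires_at: float

class Network:
    """Stand-in for the payment network: it owns the policy and enforces it."""
    def __init__(self):
        self._live = {}  # token -> Policy; an entry is deleted once it is spent

    def issue(self, max_amount_cents, allowed_mccs, ttl_seconds, now=None):
        # Created on demand: nothing exists until the agent asks for it.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self._live[token] = Policy(max_amount_cents, frozenset(allowed_mccs), now + ttl_seconds)
        return token

    def _check(self, token, amount_cents, mcc, now):
        now = time.time() if now is None else now
        p = self._live.get(token)
        if p is None:
            return "unknown_or_spent"
        if now >= p.expires_at:
            return "expired"
        if mcc not in p.allowed_mccs:
            return "mcc_not_allowed"
        if amount_cents > p.max_amount_cents:
            return "over_limit"
        return "ok"

    def interrogate(self, token, now=None):
        # Machine-readable answer to "what is this credential allowed to do right now?"
        now = time.time() if now is None else now
        p = self._live.get(token)
        if p is None or now >= p.expires_at:
            return {"usable": False}
        return {"usable": True, "max_amount_cents": p.max_amount_cents,
                "allowed_mccs": sorted(p.allowed_mccs), "expires_at": p.expires_at}

    def preflight(self, token, amount_cents, mcc, now=None):
        return self._check(token, amount_cents, mcc, now)  # read-only: predicts the decision

    def authorize(self, token, amount_cents, mcc, now=None):
        result = self._check(token, amount_cents, mcc, now)
        if result == "ok":
            del self._live[token]  # single use: an approved credential ceases to exist
        return result
```
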
Why this matters more than it seems to
The natural objection at this point is that I am describing a problem that affects, charitably, the seven companies currently shipping agent-based purchasing flows. Why does it matter?
It matters because the structure of the credential determines the shape of everything built on top of it, and we are about to build a lot of things on top of it.
Consider, by analogy, what happened when HTTPS became universal in the mid-2010s. The technical change — that traffic between browser and server became encrypted by default — was small and, to most users, invisible. But the second-order effects were enormous. It changed which kinds of products could exist on the open web. It changed how identity worked. It changed which industries could be disrupted by software because it changed what could be done over a public network without losing your customers' money. The credential change was technical and quiet and it reshaped the consumer internet over a decade.
Agentic payments are going to do something similar, and the question is whether the credential that emerges is the right one for the world that will be built on top of it. If the dominant credential is "give your agent your existing credit card and hope," the world you get is mostly the world you already have, with a thin layer of automation sitting between consumers and merchants. Useful but unspectacular. If the dominant credential is something more like what I described above — single-use, interrogatable, network-enforced — the world you get is meaningfully different. You get autonomous procurement at small scale. You get agents that can transact with each other without a human in the middle. You get a payment surface that can be safely exposed to systems that, by their nature, cannot be fully trusted not to do something weird.
That third one is the one I would point to if pressed. The defining property of agents, from a payments perspective, is that they will occasionally do something weird. Not malicious. Not even necessarily wrong. Just weird in a way the system was not designed for. The interesting design question is not "how do we keep agents from doing weird things." It is "how do we build a payment system in which the weird thing an agent does at 3 a.m. is bounded, observable, and recoverable." Those are network-level properties. They cannot be solved at the application layer, no matter how clever the application layer gets.
I am aware that I am talking about Grantex without quite saying so. I am trying not to do the thing where the essay is a thinly disguised sales pitch, because those essays are not good and you can always tell. But it would be dishonest to pretend that I arrived at these conclusions in the abstract. I arrived at them by trying to build the thing, watching it work, and noticing what was missing from every alternative we evaluated.
The part that is not technical
Most essays about agentic commerce stop here. The technical bit is the interesting bit, the founder gets to feel smart about the technical bit, the technical bit gets a venture round. I want to do something slightly different and finish on a non-technical point, because the non-technical point is, I think, the more important one.
The payments industry is, for entirely good historical reasons, structured around the idea that the entity initiating a payment is the entity that bears responsibility for it. Card networks are organized around this. Bank compliance programs are organized around this. The entire regulatory apparatus, from the CFPB on down, is organized around this. The person who swipes the card is the person who pays the bill.
Agents break this assumption in a way that is going to require a real reckoning. The entity initiating a payment is increasingly going to be a piece of software, acting on behalf of a person, in a way that the person did not specifically authorize but that they did, in some general sense, sanction. The agent's autonomy is the product. The point of an agent is precisely that you do not have to think about every transaction it initiates. So when the agent does something that the cardholder did not intend, and the cardholder calls the bank to dispute it, who is responsible?
This is not an unanswerable question. It is, in fact, a pretty answerable question. But it has not yet been answered, and the answer is going to determine an enormous amount about how this market develops. My strong suspicion is that the answer involves the credential itself carrying the policy — that is, the cardholder defines the bounds of agent authority at the moment of card creation, and the network enforces those bounds, and disputes outside those bounds are the cardholder's responsibility while disputes inside them are the network's. This is the same logic as a corporate card with spending limits, generalized.
I think this is going to be the most consequential consumer protection issue in fintech for the rest of the decade. I think nobody is writing about it. I think the people who eventually write about it will get a great deal of credit for noticing what was sitting in plain sight.
I have other opinions, but I will save them for the next one.