Introducing AP3
The Privacy Layer for
the Agentic Economy
AP3 is an open protocol for privacy-preserving multi-agent collaboration. Agents across organizations, jurisdictions, and vendors compute jointly.
DESIGN PARTNERS
The next bottleneck is not capability.
It is trust.
Individual agents are powerful. The problem starts when they need to work together across organizational boundaries. Today, cross-boundary agent collaboration means one of three things: share your data and lose confidentiality, withhold your data and lose the insight, or trust a third party and hope they do not get breached.
None of these are acceptable for financial services, healthcare, legal, or any domain where data has regulatory weight, or wherever there is confidential data that entities do not want to expose to one another, but still come to some decision
AP3 provides joint computation.
Zero exposure.
AP3 adds a cryptographic privacy layer to the inter-agent communication stack. Agents reason and compute together over sensitive inputs: context, memory, credentials, risk data, without any party seeing the other's information or the function logic itself.
This supports the agentic commerce flow by providing a a payment-protocol-agnostic binding layer for agentic commerce standards including AP2, x402, and the MPP family, enabling privacy-preserving commerce negotiation, followed by payment, workflows that compose AP3 confidentiality with existing mandate semantics.
The only thing returned is what the workflow requires:
Compliance attestation
Risk score within a bounded range
Sanctions screening result
Verified credential match
Negotiated price
AP3 uses privacy preserving tech.
Secure Multi-Party Computation (SMPC): Agents jointly evaluate functions over private inputs. The inputs never leave the originating agent. The computation happens collaboratively, with no intermediary holding the data.
Trusted Execution Environment (TEE) attestation: Hardware-rooted proof that the computation ran correctly and was not tampered with. Verifiable without trusting any single party.
AP3 is delivered as an extension to the Agent2Agent (A2A) protocol, compatible with major providers
AP3 enables usecases across industries
Financial Risk Profiling
Securely assess risk across institutions without exposing underlying portfolios.
Cross-Border Compliance Screening
Verify compliance globally without sharing sensitive customer data.
Supply Chain Reconciliation
Coordinate and validate records across competing organizations with full privacy.
Private Commerce Negotiation
Enable confidential agent-to-agent negotiation with automated payment settlement.
FAQs
How do I enable the AP3 SDK in my agent?
What computations does AP3 support?
Is there any additional step required for protocol installation apart from just AP3 SDK install?
When does the agent invoke the AP3 SDK?
In A2A communication, do both agents have to be enabled on AP3 to be able to perform privacy preserving computation?
Where is the AP3 enablement and protocol compatibility declared?
When does the compatibility check happen, to check if both Agents are enabled on AP3 and protocols?
Does the AP3 SDK automatically check for operation compatibility when reading a counterparty's card? Or is that check left to the developer's application logic?
If the agent workflow requires multiple protocols to be used, who defines what protocol is invoked when?
Is there a TypeScript SDK in addition to Python, and are the framework adapters available for both?
In an end to end agent flow, compatibility and handover is required with payment protocols. Is AP3 compatible?
What is the maximum dataset size PSI can handle before latency becomes a problem? Is there a recommended ceiling?
What happens if one party drops out mid-computation, or if there is some timeout? Does the session time out, and is there a retry mechanism?