- The paper's main contribution is a novel four-stage lifecycle framework for agent-to-agent blockchain payments that decomposes discovery, authorization, execution, and accounting.
- It analyzes current protocols, highlighting vulnerabilities in intent binding, delegated spend control, and the decoupling between payment and service delivery.
- The study outlines future research directions aimed at achieving secure, composable, and privacy-preserving monetary coordination among autonomous AI agents.
Systematizing Blockchain Agent-to-Agent Payments
Introduction
The paper "SoK: Blockchain Agent-to-Agent Payments" (2604.03733) presents a comprehensive systematization of knowledge across the emerging landscape of blockchain-enabled payment mechanisms among autonomous AI agents. As agents—especially those powered by LLMs—transition from episodic, human-mediated API calls to persistent, autonomous entities managing inter-agent workflows, the need for robust, programmable, and trust-minimized payment infrastructures becomes central. This work offers a critical, lifecycle-based framework for analyzing trust, privacy, and security issues in autonomous payment workflows, highlighting the architectural gaps, emergent risks, and outlining future research directions for trustworthy agent economies.
Lifecycle Model for Blockchain-Based Agentic Payments
A primary contribution of the paper is the introduction of a four-stage lifecycle abstraction for agent-to-agent (A2A) payments: discovery, authorization, execution, and accounting. This model enables a precise decomposition of functionality, trust assumptions, and vulnerabilities in blockchain-based A2A systems.

Figure 1: The Agentic Payment Lifecycle, encapsulating discovery, authorization, execution, and accounting for agent-to-agent payments.
- Discovery: Identification of counterparties, services, and the formation of structured, context-bound payment intents. Mechanisms vary from static capability descriptors to identity- and behavior-augmented discovery paradigms.
- Authorization: Evaluation of payment requests against governance, delegation, and policy constraints. Authorization models are classified by carrier (contract, allowance, wallet abstraction) and the expressiveness of enforcement logic.
- Execution: Realization of authorized payment through on-chain or off-chain settlement, fee orchestration, and triggering of service access conditioned on programmable payment evidence.
- Accounting: Binding of payment events to service outcomes, provision of audit artifacts, and establishment (or failure) of post hoc accountability through records and receipts.
By aligning existing mechanisms to these stages, the paper localizes systemic failures and facilitates rigorous cross-comparison.
Analysis of Current Mechanisms and Key Challenges
Discovery and Intent Binding
The discovery phase faces a trust deficit: payment intents are formed on externally exposed metadata, which remains susceptible to protocol-level phishing, registry manipulation, and counterfeit endpoints. Identity-augmented discovery (e.g., Know Your Agent layers, reputation-based models) offers partial mitigation but is not standardized. Critically, proposed advances such as on-chain intent proofs and attestation (e.g., EIP-8004, Acharya (Acharya, 8 Nov 2025)) remain at prototypical stages.
Intent binding in typical x402-style protocols relies on in-band, per-request challenge–response exchanges, which lack robust coupling to session semantics and do not guarantee outcome fulfillment.
Authorization and Delegated Spend Control
Authorization models enforce ex ante, transaction-level policy compliance, most often via contract-intermediated, token-allowance, or smart-contract wallet validation schemes. However, these fail to encompass full behavioral semantics (e.g., cumulative spending, inter-transactional policies), are susceptible to agent compromise through indirect prompt injection or adversarial tool calls, and cannot prevent fragmentation/replay across colluding entities. Current approaches decouple policy validity from dynamic context, failing to maintain referential integrity with intent or evolving trust.
Execution and Settlement
Execution is treated as the realization of authorized payment, typically relying on on-chain inclusion as the source of transactional finality. Off-chain coordination (e.g., state channels, liquidity protocols) improves scalability but introduces asynchronous settlement and potential state divergence. Importantly, payment finality is not equivalent to service fulfillment—blockchain-based systems generally lack atomic coupling between value transfer and service delivery, which leads to protocol-level misalignment and opens avenues for denial-of-service or provider fraud. Tighter coupling (e.g., A402 atomic service channels (Li et al., 1 Mar 2026)) is underexplored in deployed systems.
Accounting, Privacy, and Accountability
While the blockchain ledger guarantees transfer records, it is agnostic to higher-level causality and off-chain outcome linkage. There is an absence of verifiable, protocol-level evidence that payment resulted in intended service execution. Audit and dispute resolution are fundamentally limited by loose post hoc association. The transparency of transaction data is in tension with agent privacy: increasing accountability exposes counterparty and workflow data, while privacy-preserving protocols reduce forensic capability.
Authentication and Identity
Authentication primitives in A2A payments generally prove the right to access or spend but do not guarantee agent identity, provenance, or stable attribution (as per NIST SP800-63-4 and FATF compliance requirements). Existing mechanisms lack standardization for identity proofing, session re-binding, or legal admissibility, which constrains adoption in regulated domains.
Synthesis: Summary of Architectural Gaps
- Weak cross-stage consistency: Existing models cannot guarantee that payment intent, authorization, execution, and accounting reference a common, semantically valid workflow context.
- Behavioral misalignment: Delegated spend control and policy enforcement are myopic, focused on single-transaction validity rather than the larger behavioral trajectory of an agent.
- Decoupled service and payment: Payment success is not tightly bound to service delivery or real-world outcome, allowing partial or failed execution to propagate with valid settlement events.
- Accountability vs. privacy trade-off: Mechanisms for post hoc forensics or dispute resolution are structurally siloed from privacy-preserving execution.
Implications and Future Research Directions
The analysis in this paper establishes that current blockchain-based agentic payment models are incomplete with respect to workflow-aligned correctness, robust multi-stage attribution, and systemic adversarial resilience. Practical implications for both AI and crypto-economics include:
- Protocol-level consistency: End-to-end workflow traces that bind discovery, authorization, settlement, and outcome can enforce stronger alignment, a key direction for next-generation protocols.
- Compositional and behavior-aware control: Mechanisms must enable policy enforcement over execution histories, dynamic behavior, and multi-actor delegation—potentially leveraging on-chain identity and reputation systems.
- Atomic and compositional payment-service coupling: Research on cryptographic protocols that atomically bind value transfer to service fulfillment can reduce misalignment and enable richer agentic workflows.
- Integrated privacy and accountability: Cross-domain protocols must provide selective disclosure, cryptographic provenance, and minimal exposure, enabling compliance without excessive leakage.
Emergence of composable agentic economies, multi-hop delegation, iterative negotiation over payables, and adaptive trust frameworks will necessitate advanced abstractions in both protocol and governance layers.
Conclusion
This systematization provides a rigorous decomposition of blockchain-protocol support for agent-to-agent payments, identifying fundamental limitations in current mechanisms relating to intent binding, spend control, service coupling, and accountability. The four-stage lifecycle framework offers a foundational reference for ongoing research in trustworthy, scalable, and composable agentic economies. The paper concludes that substantial work remains in achieving secure, behavior-coherent, and privacy-preserving monetary coordination among autonomous agents, motivating future research at the intersection of LLM-powered agents and programmable value networks.