Agent Commerce Weekly: Issue #2

The protocol layer for autonomous commerce

MCP Goes Stateless, Europe Goes Live, and x402’s 100 Million Question

Lead Story: MCP Goes Stateless

The Model Context Protocol’s July 28 release candidate is the most significant revision since the protocol launched. It is not an incremental update. It is an architectural reset, and builders shipping remote MCP servers have a firm deadline.

The most consequential change is the removal of the initialize/initialized handshake (SEP-2575). Combined with the removal of the Mcp-Session-Id header and protocol-level sessions (SEP-2567), the spec no longer assumes a persistent connection between client and server. Protocol version, client info, and capabilities now travel in _meta on every individual request. Any MCP request can land on any server instance. Sticky routing is no longer required at the protocol layer.

For infrastructure teams, that changes the operational profile of every remote MCP server deployed today. Servers built with shared session state, sticky session routing, or SSE-based long-lived prompting require migration before July 28. That is a hard deadline, not a soft one.

Three core features are deprecated in the release. Roots is removed, replaced by tool parameters and resource URIs. Sampling is removed, replaced by direct integration with LLM provider APIs. Logging at the protocol layer is removed, replaced by stderr and OpenTelemetry. Each removal reflects a judgment that the protocol was carrying concerns that belong in adjacent layers.

Two new official extensions ship with the release candidate. MCP Apps allows servers to ship interactive HTML UIs rendered in sandboxed iframes, adding a presentation layer to MCP-native tooling without requiring a separate web deployment. Tasks moves from core to extension status, and the tasks/list endpoint is removed entirely. Builders who shipped against the experimental Tasks API from the 2025-11-25 spec have a migration path, but they need to take it before the final spec drops.

On security, the release mandates that OAuth clients validate the iss parameter per RFC 9207. That hardening was overdue. More than 30 CVEs were filed against MCP OAuth implementations in January and February 2026. The new requirement closes a class of token injection vulnerabilities that existed in the prior spec.

The final spec drops July 28, 2026. Builders should treat the release candidate as stable for planning purposes. The architectural direction is settled.

Data: x402’s 100 Million Transactions: What the Numbers Actually Show

Chainalysis published the first serious on-chain analysis of x402 adoption on Base, with cumulative transaction volume crossing 100 million through Q1 2026. The headline is technically accurate. It is also operationally misleading in ways that matter for anyone building on the protocol.

The Q4 2025 surge that produced most of the volume came from a single experiment: PING, a “pay-to-mint” meme coin that used x402 mechanics. PING alone processed more than 150,000 transactions in its first month and drove a spike of more than 10,000 percent in weekly transaction counts. Weekly wallet retention hit 87 percent during peak PING activity, then collapsed to 5 percent after the speculative moment passed. That trajectory is not a product signal. It is a crowd signal.

Q1 2026 moderated as speculative activity cooled, which is the expected behavior. But several underlying metrics from that same period are worth reading carefully.

Transaction size distribution shifted substantially. Transactions above $1 went from 49 percent of volume in early 2025 to 95 percent by early 2026. Transactions between 10 cents and $1 collapsed from 46 percent to 4 percent. That is not a sign of declining activity. It is a sign that the micro-transaction use cases that appeared early are giving way to higher-value transfers.

The tester-to-payer conversion rate improved fourfold in six months. Wallets active on x402 are younger on average (197 days versus 423 days for the broader Base population), hold more tokens (26 versus 4), and have received capital inflows 12 times higher than the average Base wallet.

Retention is now trending back upward after the post-PING collapse. The current user base is entirely crypto-native. That is both a description of where adoption stands today and a clear signal of the distance to institutional participation.

Builders should read the Chainalysis report before citing the 100 million figure. The more durable signals are the transaction size shift, improving retention, and conversion rate gains. Those are the numbers that indicate whether real use cases are forming underneath the noise.

Field Dispatch: Europe’s First Live Agentic Payment

On June 2, the opening day of Money20/20 Europe in Amsterdam, three announcements arrived in sequence that together represent the most significant single-day movement in production agentic payments to date.

Worldline, ING, and Mastercard completed Europe’s first end-to-end agentic payment transaction in a live production environment. The transaction ran between an ING cardholder and a Dutch merchant, with the same infrastructure already extended across Belgium. This was not a controlled demo or a sandbox test. It ran on production rails.

Mastercard confirmed the same day that all European issuers are now enabled at network level for Agent Pay. Thirty-six banks, including Santander, Deutsche Bank, N26, Bunq, UniCredit, and Raiffeisen, are live on the network. That is not a pilot group. That is a production rollout.

Separately, Hey Savi and PayPal announced the UK’s first consumer agentic commerce experience, offering native checkout with a major UK retailer.

The significance of these announcements, taken together, is that the card networks moved faster in Europe than most x402-native builders expected. None of this involves new payment protocols. These are existing card network rails extended to support agent-initiated authorization. The operational question is now a production race, not a roadmap comparison: card-network agent pay, which is live today across 36 European banks, versus stablecoin-native x402, which is live on Base but carries the adoption profile described above.

Both approaches can coexist. They are unlikely to compete for the same customers in the near term. They will compete for the same builders.

Protocol Watch: Boson x402B: Adding a Trust Layer

The base x402 specification assumes that once a buyer pays, the seller delivers. That assumption works at low transaction values with known counterparties. It does not hold for higher-value or novel commerce contexts, where neither party has an established track record.

Boson Protocol launched x402B on June 8 to address that gap. The protocol is live on mainnet across five EVM chains: Ethereum, Base, Optimism, Arbitrum, and Polygon.

x402B adds non-custodial escrow to the standard x402 flow. When a server returns a 402 response, the buyer locks payment into Boson’s on-chain escrow rather than paying directly. Funds release on confirmed delivery, by mutual agreement, or through on-chain dispute resolution if neither condition is met. Each commitment is represented as a redeemable NFT (rNFT), giving both parties a portable, on-chain record of the transaction state.

The implementation extends Boson’s Diamond escrow contract, which has been live in production since 2021. The infrastructure is not experimental. A demo published at launch shows a whitepaper purchase for 0.10 USDC running the full x402B flow.

BOSON token price did not move on the announcement.

Adoption depends on whether developers building on x402 need escrow for their specific use case. For micropayment-scale transactions with commodity content, the base spec may be sufficient. For any context where delivery risk is real, x402B provides a production-ready option that did not exist six weeks ago. The code is open source.

Institutional Lens: JP Morgan on Auditability

At NY Tech Week 2026, Zack Anderson, Chief Data and Analytics Officer at JP Morgan Payments, identified the central question in enterprise agentic payment adoption: what are organizations willing to delegate to a machine, at what thresholds, and under what conditions.

The framing is precise and worth dwelling on. Anderson named auditability as the foundation, specifically the ability to know why a payment was made and under what policy. Without that, high-value payment authorization cannot be delegated to an agent regardless of the technical capability. The governance requirement precedes the infrastructure requirement.

On cross-border compliance, Anderson was more optimistic in the near term. AI can process jurisdictional rules at a volume and specificity that human compliance teams cannot manage consistently at scale. That is a tractable problem with a clear value proposition, and it is where JPM sees the clearest near-term AI opportunity in payments.

Treasury automation follows, but Anderson placed it behind customer-facing functions in the adoption sequence. The prerequisites are data foundations, clear policies, and governance infrastructure. Organizations that have not built those foundations are not ready for treasury automation, regardless of what the tooling can do.

The broader observation from Anderson is that most AI agents currently operating in payments are invisible, running in the background improving efficiency of existing flows. That framing describes the current deployment reality more accurately than the public discourse around agentic payments, which tends to focus on novel consumer-facing experiences.

The contrast with x402’s current user profile is direct. The prerequisites JPM identifies for institutional participation (auditability, governance infrastructure, data foundations) are absent from every x402 deployment in production today. That is the distance builders need to close, and it is not primarily a technical problem.

Closing

Agent Commerce Weekly is published for builders and analysts working on the infrastructure layer for autonomous commerce.