Skill

ap2-challenge-stepup

Implements AP2 challenge flows: 3DS2, OTP verification, redirects to trusted surfaces for step-up auth in agentic payment processing.

authentication

security

Install

npx claudepluginhub orcaqubits/agentic-commerce-skills-plugins --plugin ap2-agentic-payments

Tool Access

This skill is limited to using the following tools:

ReadWriteEditBashGrepGlobWebSearchWebFetch

Preview

**Fetch live docs**:

SKILL.md

Similar Skills

cache-components

Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.

cache-components

139.1k

claude-opus-4-5-migration

2 files

Migrates code, prompts, and API calls from Claude Sonnet 4.0/4.5 or Opus 4.1 to Opus 4.5, updating model strings on Anthropic, AWS, GCP, Azure platforms.

claude-opus-4-5-migration

83.2k

claude-code-plugin-release

1 file

Automates semantic versioning and release workflow for Claude Code plugins: bumps versions in package.json, marketplace.json, plugin.json; verifies builds; creates git tags, GitHub releases, changelogs.

claude-mem

64.7k

Stats

Parent Repo Stars14

Parent Repo Forks9

Last CommitMar 9, 2026

Actions

View Source View Plugin View on GitHub View README

AP2 Challenge and Step-Up Flows

Before writing code

Fetch live docs:

Fetch https://ap2-protocol.org/specification/ for challenge flow specification
Web-search site:github.com google-agentic-commerce AP2 challenge OTP 3DS step-up for implementation examples
Fetch https://ap2-protocol.org/topics/privacy-and-security/ for security context
Web-search ap2 protocol 3DS2 OTP challenge redirect for integration details

Conceptual Architecture

What Challenges Are

Challenges are additional authentication steps that any participant in the payment ecosystem can require during an AP2 transaction. They provide an extra layer of security beyond the mandate signatures.

When Challenges Occur

Any ecosystem participant may trigger a challenge:

Payment Network — Requires 3DS2 for high-risk transactions
Issuer/Bank — Requires OTP or biometric for verification
Merchant — Requires confirmation for unusual orders
Credentials Provider — Requires step-up for new payment methods

V0.1 Supported Challenge Types

AP2 V0.1 supports redirect challenges:

3DS2 (3D Secure 2.0) — Card network strong customer authentication
OTP (One-Time Password) — SMS/email/app verification codes
User is redirected to a trusted surface (not the agent) for resolution

Challenge Flow

1. Payment processing initiated
2. Network/Issuer determines challenge required
3. Challenge request returned to MPP
4. MPP sends challenge to Merchant Agent
5. Merchant Agent forwards to Shopping Agent (via A2A)
6. Shopping Agent redirects user to trusted surface
7. User completes challenge (enters OTP, completes 3DS)
8. Trusted surface confirms completion
9. Shopping Agent receives confirmation
10. Flow resumes from where the challenge was triggered

Redirect Pattern

The redirect challenge follows this pattern:

Shopping Agent can't handle the challenge itself (security)
User is redirected to the challenger's trusted surface
This is a separate UI/page, not an agent conversation
User interacts directly with the challenger's system
Completion triggers a callback/redirect back to the flow

Key Design Decisions

Why redirect? Agent conversations are not trusted surfaces for authentication. The challenge must happen on a system controlled by the challenging entity.

Why A2A messaging? The challenge request and completion notification flow through the A2A protocol, keeping the multi-agent orchestration consistent.

Duplicate prevention: The protocol ensures that if one entity has already challenged the user, others are informed to avoid duplicate challenges.

OTP Implementation (from samples)

The reference sample implements OTP:

MPP determines OTP required
Sends OTP challenge via A2A to Shopping Agent
Shopping Agent presents to user
User enters code (test value: "123")
Code returned to MPP for verification
Payment proceeds if code is valid

3DS2 Integration

For 3DS2 (Strong Customer Authentication):

Card network requires 3DS2 during authorization
MPP receives 3DS challenge data
Challenge forwarded to Shopping Agent
User redirected to issuer's 3DS2 page
User authenticates (biometric, SMS, etc.)
Authentication result returned
MPP retries authorization with 3DS result

Backward Compatibility

AP2 challenges are backward compatible with existing systems:

Works with existing 3DS2 infrastructure
Compatible with existing OTP systems
Doesn't require payment networks to change their risk systems
Adds agentic context without breaking existing flows

Best Practices

Always redirect challenges to trusted surfaces — never handle auth in agent conversation
Implement timeout handling for challenges (user may not respond)
Support multiple challenge types (3DS, OTP, biometric)
Handle challenge failure gracefully (retry or abort)
Avoid duplicate challenges — check if user has already been challenged
Log all challenges for audit and fraud analysis
Test with various challenge scenarios in staging
Implement fallback flows when challenges can't be completed

Fetch the specification for exact challenge message formats, redirect protocols, and completion callback schemas before implementing.