Stripe legitimized agentic commerce and shifted liability to users

The change

On April 16, 2026, Stripe updated its Consumer Terms of Service, adding an entirely new section titled Link Agentic Terms. There was no announcement, no email to existing Link users, and no changelog entry. The revision date shifted from March 30 to April 16, and a new set of rules appeared in the document.

Venpo detected the update the morning it shipped. This is the first time a mainstream payment provider has written formal contractual rules for agentic commerce, and the structure of this update will likely shape how every other wallet and payment processor handles the same question in the months ahead.

What changed

The new section defines a category of users called Agents and specifies how they can connect to a Link account, what data they receive, and who is responsible when things go wrong.

The definition of an Agent is intentionally broad. Per the new terms, an Agent is any software or automated technology that acts as a delegate, proxy, or intermediary in a transaction, including systems that operate through chains of other platforms, APIs, or agents where the user has no direct visibility. The terms explicitly reference the Uniform Electronic Transactions Act, treating an authorized Agent as an electronic agent whose transactions are legally binding on the user.

Five substantive changes are worth understanding in detail.

Agent purchases are carved out of unauthorized transaction protection

This is the most consequential part of the update. U.S. Link users previously had protection against Unauthorized Transactions, defined as purchases made with their Link account that they did not authorize. That protection does not apply to Agent purchases.

The new terms state that transactions carried out by an Agent that you have authorized to connect to your Link Account will not be considered Unauthorized Transactions. The only exception is when the problem stems from Stripe's own technical failure.

If an AI agent misinterprets a prompt, buys the wrong product, pays the wrong price, or gets tricked by a malicious merchant, the resulting transaction is treated as the user's own.

Data sharing scope expanded significantly

Connecting an agent authorizes Stripe to share four categories of data with both the agent and the AI platform running it:

• account information including name, email, and phone number

• payment information including card and bank details

• shipping information

• order information including purchase details and transaction history

Once shared, the agent's own privacy policy takes over. Stripe explicitly disclaims responsibility for how the Agent handles, uses, stores, or discloses personal data after it has been shared.

Separately, Stripe reserves the right to process user prompts, API activity, and metadata to improve Link services and interoperability with agents. Agent conversations become part of Stripe's service improvement data.

Spending approval requirements are on the user

The terms introduce a concept called a Spend Request, which is the amount an agent presents for user approval before a purchase. Users are solely responsible for reviewing and approving each Spend Request when required, and for monitoring agent activity on an ongoing basis.

Stripe explicitly warns that agents may misinterpret instructions, provide inaccurate information about products or pricing, engage in transactions the user did not intend, or populate inaccurate information within the Link Transaction History. The user is expected to catch these errors in real time.

Refund rights are more limited

Refunds for agent purchases follow a merchant-first process. Users must contact the merchant directly. Stripe may refuse refunds when it sees evidence of fraud, refund abuse, or other misbehavior.

Change-of-mind refunds are not guaranteed. Unused subscription refunds are not guaranteed unless law requires them. Product and delivery issues are entirely the merchant's responsibility.

Disconnection is forward-only

Users can disconnect an agent at any time through Link settings or the agent's own platform. After disconnection, Link stops sending new data to the agent, and the agent cannot initiate new transactions. But disconnection does not reverse previously approved transactions, and the agent retains whatever data it already received.

Why this matters

Stripe is the first mainstream payment provider to write formal contractual rules for agent-initiated commerce. The structural choices in this update will likely shape how every wallet, payment processor, and buy-now-pay-later provider handles the same question. This is exactly the pattern covered in our analysis of the hidden risk of vendor legal changes.

The direction is consistent across the update: users absorb agent liability, providers disclaim responsibility, and the legal framework for agentic commerce gets written one vendor update at a time. Expect similar structures to appear from PayPal, Apple Pay, Amazon Pay, and other major wallets within 12 months.

Potential impact for companies

Companies building on Stripe Link, evaluating agentic checkout, or running consumer-facing flows may need to:

• reassess legal exposure for any agent-enabled purchase flows

• review user communication and consent language around agent authorization

• update internal documentation to reflect the new liability model

• audit whether existing fraud and dispute processes still apply

For teams that rely on Stripe's protections as a baseline, the changes narrow those protections in a specific and important way. This is where continuous vendor risk monitoring becomes a structural control rather than a periodic administrative task.

How Venpo detected it

Venpo continuously monitors vendor legal documents and detects changes in real time. When Stripe published the updated Consumer Terms of Service, Venpo immediately:

• detected the new Link Agentic Terms section

• classified ten distinct changes across privacy, liability, refund rights, and user control

• translated the legal update into clear business impact

Instead of discovering this shift weeks later through a news article or a customer complaint, teams were able to understand exactly what changed and who is affected on the day it shipped. This is the second time this year Stripe has materially expanded how it processes user data through its terms, following a similar pattern we covered when Stripe expanded the definition of Transaction Data in January.

Business outcome

Companies that identified this change early were able to:

• evaluate their current exposure to Stripe Link and agent-enabled commerce

• brief legal and compliance teams before customer-facing rollouts

• update internal policies and user-facing documentation

• make informed decisions about whether to adopt agentic checkout in upcoming roadmaps

Instead of reacting after the first customer dispute or unexpected charge, they gained time to adapt. This is the difference between operating with clarity and operating on assumptions that no longer hold.

Key takeaway

The most important vendor changes often arrive without announcement. A new section in a Terms of Service document can redraw the liability model for an entire category of transactions. Stripe's Link Agentic Terms is exactly that kind of change. Venpo helps companies catch these updates the moment they happen, turning quiet legal shifts into clear insights before they become operational surprises. A detailed comparison of how structured detection differs from scheduled rediscovery is explored in our analysis of manual vs automated vendor monitoring.