Vault token vs Shared Payment Token (SPT)
In ACP, the Shared Payment Token is the credential type name used at /complete. The vault token (vt_...) is the artifact Stripe issues at delegate_payment. They are related but distinct.
In detail
The Stripe Delegate Payment endpoint (PSP-side, not merchant-side) returns a vault token with an allowance object: max_amount, currency, merchant_id, expires_at, and reason set to "one_time" for single-charge agent purchases. The allowance bounds what the merchant can capture against the token before it expires.
At POST /checkout_sessions/{id}/complete, the agent passes the vault token inside a payment_data.instrument.credential object with type: "spt". The "spt" marker tells the merchant what credential schema to expect; the vt_... value is the credential itself. The separation lets the spec accept alternative credential types over time without reshaping the request body.
As of the 2026-01-30 stable spec, Stripe is the only publicly named "first compatible PSP with Shared Payment Token." Adyen and Braintree appear as example values in the payment_handlers RFC but are not named launch partners.
Why it matters
The distinction shows up in implementation handoffs. A backend engineer asked to "support SPT" needs to know the type marker is constant ("spt") while the vault token value changes per session. A finance lead asking whether the merchant ever holds raw card data should be told no — the vault token's allowance is what the merchant captures against, and the underlying credential never leaves the PSP.
Related terms
- ACP (Agentic Commerce Protocol) — the spec the SPT/vault distinction sits inside.
- Shopify Agentic Storefronts — wraps this layer so Shopify merchants do not touch it directly.
- AP2 (Agent Payments Protocol) — Google's counterpart on the UCP side.
Ask AI about Vault tokens and SPT
Have your favorite AI engine summarize this for your specific use case.