Web 4.0 — The AI Web

MCP · AI Apps · NLWeb · AP2 · ACP · Visa TAP · Mastercard Agent Pay · x402 — the foundation of a new, agentic Internet.

A new kind of web is emerging — a web made for AI.

The main trend we’re observing comes from technologies like AI apps, which are redefining how web applications are built, and AI browsers, which aim to replace traditional browsers with AI-driven interfaces.

AI apps are AI tools that return React components, allowing them to create interactive UIs directly inside AI interfaces. For example, you could ask an AI to order food, and it could display a product carousel, a shopping basket, and buttons to add items, all within the chat. You can also simply talk or write to the AI to describe the actions you want it to take.

In parallel, AI browsers are bringing the existing web into AI interfaces. They replace the traditional URL and search bars with conversational AI prompts. You might ask the browser to “show me the new iPhone,” and it would open Apple’s website inside a widget within the chat, displaying the relevant content.

AI apps are still new, only a few exist today, and AI browsers are currently slow, prone to errors, and struggle with tasks like authentication or payments.

However, it’s easy to imagine that in just a few months, we’ll see millions of AI apps, and AI browsers will significantly improve in performance.

We can expect AI apps and AI browsers to eventually converge into a new web — Web 4.0 — where AI becomes the new browser, and classic web technologies like JavaScript and HTML are enriched by new protocols that make the web AI-friendly.

AI-driven traffic is already replacing traditional webpage traffic, rendering advertising less effective and forcing a paradigm shift. As a result, more content is being hidden behind paywalls, protected by protocols like HTTP x402 — Cloudflare is a good example of this emerging trend.

E-commerce platforms are adopting the Stripe Agentic Commerce Protocol (ACP), which allows AIs to add products to baskets and complete checkouts. Many merchants are already live inside ChatGPT in the U.S. market.

Other emerging payment protocols include Google AP2, Visa TAP, and Mastercard Agent Pay, which aim to standardize how AIs authorize payments.

The European Commission’s 2023 definition of Web 4.0 describes it as a web where advanced and ambient AI, IoT, trusted blockchain transactions, virtual worlds, and XR technologies enable digital and real-world objects to communicate and fully integrate — creating intuitive, immersive experiences that seamlessly blend the physical and digital worlds.

Dealing with so many new protocols and technologies may seem intimidating at first, but they’re actually quite easy to understand and work with. This article will finally bring clarity, helping you make sense of this new landscape.

Let’s analyze each of these protocols in detail.

Model Context Protocol

MCP turns any API into something an AI can instantly understand and call.

At its core, MCP is simply an API protocol (based on gRPC) with a predefined structure.

Traditional APIs do not include built-in documentation; developers usually need to browse separate documents to learn how to use them. This approach is impractical for AI systems.

MCP solves this problem by defining a standard way to build APIs with a set of required endpoints that provide structured documentation directly through the API itself.

MCP is typically used as a wrapper around existing APIs, enabling them to be used by AI systems. There are SDKs available to simplify the creation of MCP tools, and defining an MCP interface is very similar to creating a standard API.

Version 2 (is in development) to add extra standarization for:

• Authentication support (OAuth, API keys, delegated tokens).

• Session state and capability negotiation, allowing persistent logins.

• Improved schema introspection and tool versioning.

AI Apps

AI apps turn the chat into a browser — where apps live inside the AI, blending natural-language commands with full graphical interaction.

AI Apps started as MCP-UI and introduced into ChatGPT as Apps, return React components instead of plain text from MCP tools.

These components are rendered as interactive widgets inside the AI interface — forms, tables, charts, maps, checkout panels, etc.

Users can interact directly with these components (click, type, select), and the AI observes those actions in real time, updating its reasoning or calling new MCP tools as needed.

Microsoft NLWeb

NLWeb (Natural Language Web) replaces web pages with AI queryable knowledge. It is an API definition that agents can use trought an agentic tool such as an MCP web crowler.

NLWeb, like MCP, is a way to define APIs in a standardized format so that AI systems can understand and use them directly.

It is Microsoft’s vision for the next generation of web content, designed to be read and queried directly by AI agents, not scraped like HTML pages. Instead of relying on brittle DOM parsing, websites expose structured, semantically indexed endpoints that understand natural-language queries.

Created by R.V. Guha at Microsoft, who also created RSS, RDF, and Schema.org. Each NLWeb site defines a .well-known/nlweb.json manifest describing what types of questions it can answer and how to handle requests. Agents discover these endpoints through vector search and interact with them using natural-language queries such as “show your latest laptops under $1000” or “book a meeting room for tomorrow at 10 a.m.”.

In short:

• MCP is the dynamic layer of the new web — it powers interactive apps and tools.

• NLWeb is the static knowledge layer — it exposes structured, queryable information that AIs can browse and understand without scraping.

AI → Site: NLWeb query (”Find blue sweater < €50”)
Site (NLWeb): returns hits + suggested MCP tools

Stripe Agentic Commerce Protocol

API definition to manage how an agent and a merchant create/update/complete a cart, quote taxes/shipping, and then hand off to a payment method.

ACP (Agentic Commerce Protocol) is, a simple OpenAPI definition that specifies a few basic endpoints:

🛒 Checkout API

1. POST /checkout_sessions – Create a checkout session

2. GET /checkout_sessions/{checkout_session_id} – Retrieve a checkout session

3. POST /checkout_sessions/{checkout_session_id} – Update a checkout session

4. POST /checkout_sessions/{checkout_session_id}/complete – Complete (finalize) a checkout session

5. POST /checkout_sessions/{checkout_session_id}/cancel – Cancel a checkout session

🔔 Webhooks API

6. POST /agentic_checkout/webhooks/order_events – Receive order lifecycle events

💳 Delegate Payment API

7. POST /agentic_commerce/delegate_payment – Create a delegated payment token

ACP is a standard used by ChatGPT and commonly uses delegated payments via a PSP (e.g., Stripe’s Shared Payment Token). But could also use Google AP2, Visa TAP, etc.

A typical payment involve:

1. AI Platform (ChatGPT) – customer-facing agent that orchestrates the purchase.

2. Merchant / Commerce Platform – exposes checkout APIs and owns fulfillment.

   1. Merchant uploads its product feed to OpenAI every 15 minutes for synchronization and discovery.

   2. Product feed includes inventory, pricing, fulfillment options, and promotions.

3. Payment Service Provider (PSP) or Google AP2 – currently Stripe, handles delegated payments.

🛒 Stripe ACP Checkout Flow

1. Customer initiates a purchase

The customer selects a product through ChatGPT.

The AI constructs a proposed order and calls the merchant’s API:

POST /checkout_sessions → CreateCheckoutSession

Payload includes:

• Items and quantities

• Customer details

• Shipping address

• Fulfillment preferences (if applicable)

2. Merchant returns checkout details

The merchant responds with a checkout session that includes:

• Calculated taxes and totals

• Available shipping or fulfillment options

• Supported payment methods (e.g., Stripe, Visa TAP, Google AP2)

This response represents the authoritative state of the cart.

3. Customer refines the order

The customer can make adjustments, such as:

• Changing item quantities

• Applying promotions or discount codes

• Selecting a different shipping option

Each modification triggers an update via:

POST /checkout_sessions/{checkout_session_id} → UpdateCheckoutSession

The AI and merchant continue to exchange updates until the checkout is finalized and marked as ready for payment.

4. Customer confirms the order

When the customer confirms (“Complete Order”), the AI prepares to delegate payment authorization.

At this point, the checkout is fully defined — totals, fulfillment, and buyer details are final.

5. AI requests a delegated payment from the PSP

The AI platform (e.g., ChatGPT) requests a delegated payment token from the Payment Service Provider (PSP), such as Stripe, using:

POST /agentic_commerce/delegate_payment

The request specifies:

• The merchant’s identifier

• The authorized payment amount and currency

• An expiration time (allowance window)

The PSP returns a delegated payment token (e.g., Stripe’s Shared Payment Token, SPT) that can only be used by that merchant within the defined constraints.

6. AI completes the checkout with the merchant

The AI calls the merchant’s API:

POST /checkout_sessions/{checkout_session_id}/complete → CompleteCheckoutSession

Payload includes: the delegated payment token from the PSP.

The merchant validates the token and proceeds to authorize the payment.

7. Merchant captures the payment

The merchant’s backend calls the PSP’s API (e.g., Stripe) directly, using the delegated payment token to create and/or capture a PaymentIntent.

Once the PSP confirms success, the merchant marks the order as paid and begins fulfillment.

8. Optional cancellation

If the customer or merchant cancels the order before payment capture, the AI calls:

POST /checkout_sessions/{checkout_session_id}/cancel → CancelCheckoutSession

The merchant updates the order status accordingly.

Customer (ChatGPT UI)
↓
AI (ChatGPT)
├── CreateCheckout → Merchant
├── UpdateCheckout ↔ Merchant (edits, shipping, promotions)
├── Request Delegated Payment → Stripe
│ ↓
│ Stripe returns Payment Token (SPT)
├── CompleteCheckout (token) → Merchant
│ ↓
│ Merchant → Stripe (capture via SPT)
│ ↓
│ Stripe confirms payment
└── Merchant fulfills order

Agentic Payment Authorization Protocols

APIs that allow an AI agent to authorize a payment and obtain a payment token, which is then passed to the merchant so the merchant can take the payment.

These are competing protocols that do all more or less the same things:

---

Stripe SPT (Shared Payment Token)

A delegated payment token that an agent (e.g., ChatGPT) creates at Stripe with the buyer’s consent. It’s a scoped reference to a stored Payment Method—not card data—and it comes with limits (max amount), an expiry, and a specific seller scope.

On CompleteCheckout (ACP), the agent passes the SPT to the merchant. The merchant then creates/confirms a Stripe PaymentIntent using the SPT (via the shared_payment_granted_token field). Stripe verifies scope/limits and executes the charge.

Security & privacy model:

• No PANs or wallet credentials are shared with the agent or merchant.

• Token is single-merchant, time-boxed, and amount-capped; unusable elsewhere.

• Works with Stripe’s existing auth flows (e.g., 3DS/SCA) when required.

---

Google AP2

AP2 (Agent Payment Protocol) is Google’s open framework for AI-initiated payments.

It defines how an AI agent securely authorizes, authenticates, and executes payments on behalf of a user — regardless of the underlying payment rail (card, bank transfer, stablecoin, etc.).

AP2 introduces a standard payment mandate model:

• The user gives the AI permission to spend a defined amount, time window, and merchant scope.

• The agent signs this mandate and sends it to the Payment Service Provider (PSP) or bank for verification.

• The PSP validates the signature, confirms the merchant identity, and executes the charge.

The goal is to replace ad-hoc delegated payment flows (like Stripe’s SPT) with a universal, open, verifiable payment protocol for agents.

AP2 is designed to integrate with existing ACP checkouts, providing the standardized “payment leg” of the transaction.

In short:

AP2 makes payments agent-native and rail-agnostic — one mandate, any rail, any PSP.

Customer (ChatGPT UI)
        ↓
AI (ChatGPT)

├── Create Mandate (scope: merchant, max amount, expiry) → PSP/Bank (AP2)
│       ↓
│   PSP/Bank returns Mandate (active) → mandate_id
│
├── Authorize Payment (mandate_id, final_amount, merchant) → PSP/Bank
│       ↓
│   PSP/Bank returns Authorization (authorized) → authorization_id
│
├── Complete Order → Merchant (includes authorization_id / receipt)
│       ↓
│   Merchant → PSP/Bank: Capture (authorization_id)      ← (one-step flows may auth+capture)
│       ↓
│   PSP/Bank settles on chosen rail (Card / ACH / RTP / Stablecoin)
│       ↓
│   PSP/Bank returns Payment Receipt (rail_reference, proof)
│
└── Merchant fulfills order

(Optionals)
- Revoke/Suspend Mandate → PSP/Bank
- Refund (full/partial) → PSP/Bank (references capture_id)

---

Visa TAP & Mastercard Agent Pay 💳

Visa TAP (Trusted Agent Protocol) and Mastercard Agent Pay are parallel frameworks that enable AI agents or digital assistants to initiate trusted, tokenized payments across their respective card networks.

Both rely on the same core principles:

• Agent identity and attestation: Each AI agent is registered and cryptographically verified as a trusted entity.

• Delegated consent: Users grant scoped authorization (e.g., “this agent can spend up to $200 at this merchant”).

• Network tokenization: A one-time, merchant-scoped token is issued for the transaction.

• Verification and settlement: When the merchant charges, the network validates the token, agent identity, and user consent before completing the transaction.

• Traceability: Every payment includes provenance metadata for audit and compliance.

Together, Visa TAP and Mastercard Agent Pay extend the Agentic Payment Authorization model to the global card networks, complementing protocols like Stripe SPT and Google AP2.

HTTP x402

x402 brings native micropayments to the web, replacing ads and subscriptions with direct, machine-to-machine value exchange.

It implements the HTTP status code 402 Payment Required, returning a payment endpoint where the client can send a signed transaction or token.

HTTP/1.1 402 Payment Required
Content-Type: application/json

{
  “amount”: “1.00”,
  “currency”: “USDC”,
  “payment_url”: “https://pay.coinbase.com/x402?chain=base&to=0xMerchantWallet”
}

While x402 could theoretically be used as an additional payment rail within Stripe ACP, it is generally used standalone to paywall API requests or digital resources.

x402 is designed for high-frequency, low-value transactions — think pay-per-document, pay-per-query, or pay-per-API-call — and integrates naturally with NLWeb or MCP endpoints.

It can also interoperate with higher-level authorization systems such as AP2, Visa TAP, or Mastercard Agent Pay, while remaining payment-rail–agnostic.

Payment Flow Example:

AI → Server: GET /resource
Server → AI: 402 Payment Required (price, accepted rails)
AI → Payment Rail: pay (often stablecoin/tokenized credits)
AI → Server: re-GET /resource with proof
Server → AI: 200 OK (content) + receipt

Version 2 (is in development) to add extra features:

• Adds Signed Identifier object (resource, expiry, signature).

• Introduces externalId for linking payment request and payload.

• Supports CAIP network IDs (e.g., Ethereum, Solana, ACH, Cloudflare).

• Removes old X- headers (now standard names like Payment-Signature).

• Adds route-level payTo and dynamic pricing middleware.

Here a possible example of a x402 v2 payment request:

HTTP/1.1 402 Payment Required
Content-Type: application/json

{
  “amount”: “1.00”,
  “currency”: “USDC”,
  “networks”: [”eip155:8453”], 
  “payTo”: { “type”: “address”, “value”: “0xMerchantWallet” },
  “facilitator”: “https://pay.coinbase.com/x402”,
  “supportedProtocols”: [”x402-usdc”],
  “externalId”: “req_12345”,
  “signedIdentifier”: {
    “resource”: “https://api.example.com/resource/12345”,
    “expiry”: “2025-12-31T23:59:59Z”,
    “curve”: “secp256k1”,
    “signature”: “<base64-signature>”
  }
}

AI-Generated Web

In the beginning, we will see a few human-made AI apps appearing in OpenAI marketplace. Then, AI will be trained to generate AI apps itself. Software like Claude Code or new version of Lovable will emerge, creating an explosion of millions of AI apps. Eventually, ChatGPT itself will be trained to generate AI apps.

At that stage, ChatGPT will be able to produce HTML and JavaScript instead of Markdown. AI apps will be generated on demand, based on each conversation with users. The existing web will be scraped for ideas and inspiration, but the actual UI displayed will be created by the AI itself — just as when you ask ChatGPT a question: it first searches for information from various sources, then formulates a new and unique response.

We will have shifted from a web made for AI to a web made by AI.

Comments

[Daniel Popescu / ⧉ Pluralisk]

Brilliant take! Realy makes you think about how this Web 4.0 shift will totally redefine our digital lives, thanks for layin it out so clear.