An Agent Checked Out. Your Refund Flow Wasn't Ready.

A founder I work with runs a $9M consumer brand, mostly direct to consumer through her own Shopify store. In April she noticed a new line in her payments dashboard: a few percent of orders tagged as coming through ChatGPT Instant Checkout. She didn't build anything for it. A shopper asked an agent to find the product, the agent checked out, the money landed. Then a buyer wanted to swap a size, and her support lead couldn't re-charge the card. The token was already dead.

That's the part nobody mentions about agentic checkout. The sale works. Everything after the sale is where your process breaks.

How the token actually works

OpenAI's Agentic Commerce Protocol, built with Stripe, issues a Shared Payment Token at checkout. It's bound to one merchant and one dollar amount, it expires fast, and it works exactly once. Visa's Trusted Agent Protocol and Mastercard Agent Pay use the same shape: a credential locked to one agent, one merchant, one consent policy. By April, five agentic checkout deployments were running in production, including ChatGPT Instant Checkout and Amazon's Buy for Me.

For the sale, this is great. You get paid, the fraud surface shrinks, the token can't be reused by anyone. For everything downstream, the same property works against you.

Where order-to-cash breaks

A refund against the original charge still works. You're crediting back a transaction that already happened. Fine.

An exchange doesn't. If a customer wants a different size and the new item costs more, you have no card on file to bill the difference. The token bought once and disappeared. Your support flow assumed a reusable card. Now it assumes a conversation with a shopper who placed the order through an agent and may never open your confirmation email.

Disputes get harder in a quieter way. Chargeback representment depends on the cardholder recognizing the charge and on you proving the buyer saw what they bought. When an agent did the buying, the human behind it might not recognize your descriptor on a statement, and your evidence trail (the confirmation you emailed, the tracking link) went to an agent, not a person. Friendly-fraud disputes rise. Your win rate on them falls.

An agent is great at buying. It can't receive your shipping update, read your return policy, or recognize your name on a statement.

Your customer record is now a token, not a person. The email in your CRM might be a relay address. AR follow-up, win-back campaigns, lifetime-value math: all of it assumed you knew who bought. You know what was bought.

What to check this quarter

Pull your processor data and find out what share of orders already came through an agentic rail. Most founders I ask have no idea it's nonzero. It usually is.

Then walk one exchange and one dispute through your real support flow as if the buyer is an agent that never reads email. Where does it stall? That's the gap. Fix the exchange path first, because that's the one losing you a sale you already won.

Last, check your statement descriptor. If a human can't recognize your name in two seconds, an agent-driven purchase becomes a dispute you'll lose.

The sale got easier. Keeping the sale didn't.