A federal court in San Francisco has issued an injunction that every company building AI shopping agents should read carefully. US District Judge Maxine Chesney ruled that Amazon has demonstrated sufficient evidence that Perplexity's Comet agent was accessing users' password-protected accounts without Amazon's authorisation, and ordered Perplexity to stop.
The agent must cease operations. Perplexity must delete all collected Amazon data. The company has one week to appeal.
This is the first time a US court has formally intervened in the question of whether AI agents can shop on platforms without the platform's consent.
What Comet Did
Perplexity launched Comet as a browser-based AI shopping agent that could browse, compare, and purchase products on behalf of users. The pitch was simple: tell the agent what you want, and it handles the rest.
The problem was how it handled the rest. Comet accessed users' Amazon accounts using credentials the users voluntarily provided, but it did so without Amazon's knowledge or approval. It failed to disclose when it was shopping on a user's behalf. And when Amazon sent cease-and-desist notices, Perplexity ignored them.
Amazon sued in November 2025, accusing Perplexity of fraud. Judge Chesney's ruling this week sided with Amazon, finding that the company had "produced strong evidence that Perplexity was accessing users' password-protected accounts with their permission but without Amazon's authorization."
The Three-Party Problem
This case crystallises a tension that has been building across agentic commerce for months. We have explored it before in our analysis of the delegation problem: when a user delegates authority to an AI agent, who actually holds the permission?
The user gave Perplexity their Amazon credentials. From the user's perspective, they authorised the transaction. From Amazon's perspective, an unauthorised third party was accessing their platform at scale, scraping product data, and placing orders through automated means that violate their terms of service.
Judge Chesney's ruling lands firmly on Amazon's side of that divide. The platform's consent matters independently of the user's consent.
User permission alone is not enough. The platform gets a vote.
This is a significant precedent. If it holds on appeal, every AI agent that interacts with a third-party platform, whether for shopping, booking, or financial transactions, will need explicit platform authorisation to operate. The "act first, ask forgiveness later" approach that defined the first wave of agentic commerce just hit a wall.
The Amazon Paradox
The irony is hard to miss. While Amazon's legal team was blocking Perplexity's shopping agent in court, Amazon's cloud division was moving in the opposite direction.
AWS announced its entry into agentic payments the same week, building infrastructure for AI-powered agents to conduct transactions at scale. Amazon also invested heavily in OpenAI, which has been developing its own shopping and checkout features within ChatGPT.
Amazon does not oppose AI agents shopping. It opposes AI agents shopping on Amazon without Amazon's permission. The distinction matters enormously. Amazon wants to be the one providing the agentic commerce infrastructure, not the platform being scraped by someone else's agent.
This is the same playbook we identified in the marketplace extinction event: incumbents are not fighting agentic commerce. They are fighting to control it.
What This Means for Agentic Commerce
The ruling has immediate implications for the broader ecosystem.
For agent builders: The credential-sharing model is legally risky. Agents that access platforms using user-provided passwords without platform consent are now operating in territory where a federal court has already intervened. Expect platforms to enforce their terms of service more aggressively.
For platforms: This is a green light to restrict unauthorised agent access. Amazon now has judicial precedent backing its right to block agents, even when users have consented. Other marketplaces and retailers will take note.
For the standards race: The case strengthens the argument for formal agent authentication protocols. As we covered in our look at who authorised the agent, the identity layer for agentic commerce remains unsolved. OAuth-style permission frameworks for AI agents, where users, agents, and platforms all explicitly consent, are no longer a theoretical nice-to-have. They are a legal necessity.
What Comes Next
Perplexity has one week to file an appeal. Given the stakes, it almost certainly will.
But regardless of the appeal's outcome, the signal is clear. Courts are willing to intervene when AI agents overstep platform boundaries. The era of AI agents operating in legal grey zones is narrowing. The companies that build compliant agent authentication from the start will have the advantage. Those that do not will find themselves in front of Judge Chesney, or someone like her.
Sources
If user consent is not enough to authorise an AI agent, who gets to decide which agents are allowed to transact, and on whose terms?