- 18 Jan, 2026
- ForkPoint Team
What is Universal Commerce Protocol? A Technical Primer
Universal Commerce Protocol (UCP) is an open standard developed by Google, Shopify, and 20+ partners that enables AI agents to discover products, compare options, and complete purchases on behalf of shoppers. It’s the protocol powering checkout in Google AI Mode and Gemini.
This primer covers the technical architecture, core capabilities, and implementation considerations for engineering teams evaluating UCP.
The Problem UCP Solves
Traditional e-commerce was built for humans. Product pages, shopping carts, checkout flows—all designed for people clicking through websites. But AI agents don’t browse. They need structured data, programmatic interfaces, and standardized protocols.
Before UCP, each AI agent had to:
- Scrape websites (unreliable, brittle)
- Integrate custom APIs per merchant (doesn’t scale)
- Guess at checkout flows (poor conversion)
UCP provides a universal contract between merchants and AI agents.
Architecture Overview
UCP operates through four primary capabilities:

1. Discovery Manifest
The entry point. Located at /.well-known/ucp, this JSON document tells agents what your store offers and how to interact with it.
```json
{
  "schema_version": "1.0",
  "merchant": {
    "name": "Example Store",
    "id": "merchant_12345",
    "description": "Premium outdoor gear",
    "logo_url": "https://store.com/logo.png"
  },
  "capabilities": {
    "product_discovery": {
      "enabled": true,
      "feed_url": "https://store.com/api/ucp/products"
    },
    "checkout": {
      "enabled": true,
      "session_url": "https://store.com/api/ucp/checkout"
    },
    "payment": {
      "enabled": true,
      "methods": ["card", "google_pay", "shop_pay"]
    },
    "order_tracking": {
      "enabled": true,
      "status_url": "https://store.com/api/ucp/orders/{order_id}"
    }
  },
  "policies": {
    "returns": "https://store.com/returns",
    "shipping": "https://store.com/shipping",
    "privacy": "https://store.com/privacy"
  }
}
```
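A pre-publish lint for a manifest shaped like the sample above. This is an added example, not code from the UCP specification or from ForkPoint; the field names are taken from the sample, and the https and same-host requirements are policies assumed for this example.

```python
from urllib.parse import urlsplit

# Capability -> field an enabled capability must carry (names from the sample manifest)
REQUIRED_FIELD = {"product_discovery": "feed_url", "checkout": "session_url",
                  "payment": "methods", "order_tracking": "status_url"}


def url_problems(label, value, host):
    """Problems with one endpoint URL: must be absolute, https, and on the manifest's host."""
    try:
        parts = urlsplit(value) if isinstance(value, str) else None
    except ValueError:
        parts = None
    if parts is None or not parts.hostname:
        return [f"{label}: not an absolute URL"]
    out = []
    if parts.scheme != "https":
        out.append(f"{label}: not https")
    if parts.hostname != host:  # assumed policy for this example, not a UCP rule
        out.append(f"{label}: host {parts.hostname} differs from {host}")
    return out


def lint_manifest(manifest, served_from):
    """Return a list of problems; an empty list means every check passed."""
    host = urlsplit(served_from).hostname
    problems = []
    if not isinstance(manifest.get("schema_version"), str):
        problems.append("schema_version: missing")
    caps = manifest.get("capabilities")
    if not isinstance(caps, dict):
        return problems + ["capabilities: missing"]
    enabled = [n for n, c in caps.items() if isinstance(c, dict) and c.get("enabled") is True]
    if not enabled:
        problems.append("capabilities: none enabled")
    for name in enabled:
        field = REQUIRED_FIELD.get(name)
        if field is None:
            continue  # capability not shown in the sample; nothing to check here
        value = caps[name].get(field)
        if field == "methods":
            if not (isinstance(value, list) and value):
                problems.append("payment.methods: empty")
        else:
            problems += url_problems(f"{name}.{field}", value, host)
    for name, url in (manifest.get("policies") or {}).items():
        problems += url_problems(f"policies.{name}", url, host)
    return problems
```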
2. Checkout Sessions
When an agent wants to purchase, it creates a checkout session. This is a stateful object that tracks:
- Cart contents (products, quantities, variants)
- Shipping address and method
- Tax calculations
- Applied discounts
- Session expiration
```json
// POST /api/ucp/checkout/sessions
{
  "items": [
    {
      "product_id": "SKU-12345",
      "quantity": 2,
      "variant_id": "size-large-color-blue"
    }
  ],
  "shipping_address": {
    "country": "US",
    "postal_code": "94105",
    "region": "CA"
  }
}

// Response
{
  "session_id": "cs_abc123",
  "status": "open",
  "expires_at": "2026-01-18T10:00:00Z",
  "totals": {
    "subtotal": 15999,
    "shipping": 999,
    "tax": 1440,
    "total": 18438
  },
  "currency": "USD"
}
```
3. Payment Handlers
UCP doesn’t process payments directly. It defines a contract for initiating payment through the merchant’s existing PSP:
```json
// POST /api/ucp/checkout/sessions/{session_id}/pay
{
  "payment_method": "card",
  "payment_token": "tok_visa_4242",
  "billing_address": {
    "country": "US",
    "postal_code": "94105"
  }
}
```
The response includes confirmation or required actions (3DS, additional verification).
4. Order Management
Post-purchase, agents can query order status:
```json
// GET /api/ucp/orders/{order_id}
{
  "order_id": "ORD-789456",
  "status": "shipped",
  "tracking": {
    "carrier": "UPS",
    "number": "1Z999AA10123456784",
    "url": "https://ups.com/track?num=..."
  },
  "estimated_delivery": "2026-01-22"
}
```
Transport Bindings
UCP is transport-agnostic. The protocol can be exposed via:
- REST APIs (most common)
- MCP (Model Context Protocol) for direct LLM integration
- A2A (Agent-to-Agent) for multi-agent workflows
This flexibility means the same UCP implementation can serve Google’s agents, Perplexity, and future AI shopping assistants.
Security Considerations
Authentication
UCP supports multiple auth patterns:
- Anonymous sessions — Guest checkout, no account required
- OAuth 2.0 — Link existing customer accounts for personalized pricing, saved addresses, loyalty points
- API keys — For trusted agent partners with pre-negotiated terms
Rate Limiting
Agents can be aggressive. Your implementation should:
- Implement rate limiting per agent/IP
- Cache product data at the discovery layer
- Use async processing for order creation
Data Validation
Never trust agent input. Validate:
- Product IDs exist and are available
- Quantities don’t exceed inventory
- Prices match current catalog (agents may cache stale data)
- Shipping addresses are deliverable
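One way to apply these checks to the create-session body shown earlier. This is an added example, not the protocol's or ForkPoint's code: the catalog, the `unit_price` field, the error codes and the flat shipping fee are hypothetical, the postal-code pattern stands in for a real deliverability check, and tax is left out.

```python
import re

# Constructed data for illustration; prices are integer minor units (cents).
CATALOG = {("SKU-12345", "size-large-color-blue"): {"price": 7999, "stock": 3}}
DELIVERABLE = {"US": re.compile(r"\d{5}(-\d{4})?")}  # country -> postal code pattern
FLAT_SHIPPING = 999


class Rejected(Exception):
    """Validation failure; .code is a stable machine-readable reason."""
    def __init__(self, code, detail=""):
        super().__init__(f"{code}: {detail}")
        self.code = code


def validate_session_request(body, catalog=CATALOG):
    """Check an agent's create-session body and return totals priced from the catalog."""
    items = body.get("items") if isinstance(body, dict) else None
    if not isinstance(items, list) or not items:
        raise Rejected("invalid_items", "items must be a non-empty list")
    wanted, subtotal = {}, 0
    for item in items:
        if not isinstance(item, dict):
            raise Rejected("invalid_items", "each item must be an object")
        key = (item.get("product_id"), item.get("variant_id"))
        if not all(isinstance(k, str) for k in key) or key not in catalog:
            raise Rejected("unknown_product", repr(key))
        qty = item.get("quantity")
        # type() on purpose: bool is an int subclass, and 1.5 is not a quantity
        if type(qty) is not int or qty < 1:
            raise Rejected("invalid_quantity", repr(qty))
        # Sum duplicate lines so a split order cannot slip past the stock check
        wanted[key] = wanted.get(key, 0) + qty
        if wanted[key] > catalog[key]["stock"]:
            raise Rejected("insufficient_stock", key[0])
        # unit_price: hypothetical optional field, the price the agent showed the shopper
        claimed = item.get("unit_price")
        if claimed is not None and claimed != catalog[key]["price"]:
            raise Rejected("price_changed", f"current price is {catalog[key]['price']}")
        subtotal += catalog[key]["price"] * qty  # never price from agent input
    addr = body.get("shipping_address")
    country = addr.get("country") if isinstance(addr, dict) else None
    pattern = DELIVERABLE.get(country) if isinstance(country, str) else None
    if pattern is None or not pattern.fullmatch(str(addr.get("postal_code", ""))):
        raise Rejected("undeliverable_address", repr(country))
    return {"subtotal": subtotal, "shipping": FLAT_SHIPPING,
            "total": subtotal + FLAT_SHIPPING}
```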
Common Implementation Mistakes
1. Skipping the discovery manifest
Teams often jump straight to checkout session implementation because it feels like the “real” work. But agents can’t reach your checkout if they can’t discover your store. The manifest at /.well-known/ucp is the entry point — get it live first, even with minimal capabilities enabled.
2. Stale product data in the feed
UCP product feeds are often cached aggressively. If your inventory or pricing changes aren’t propagating within minutes, agents will recommend products that are out of stock or mispriced. Set short cache TTLs on inventory and pricing fields specifically; longer TTLs on stable attributes like descriptions and images are fine.
3. Session expiry not handled gracefully
Checkout sessions expire. Agents don’t always complete purchases in one shot — they may pause for user confirmation, additional queries, or multi-agent handoffs. If your session expiry is 15 minutes and the agent doesn’t handle 410 Gone responses correctly, the shopper gets a broken experience. Design for session resumption and expose clear expiry timestamps.
4. No rate limiting strategy
AI agents can generate significant traffic spikes during product comparison workflows. A single agent query might fan out into hundreds of product detail requests. Implement per-agent-identifier rate limiting at the discovery and product feed layers before you go live.
5. Authentication as an afterthought
Anonymous checkout (guest) is the simplest path to launch, but it gives up personalized pricing, loyalty, and saved preferences. Plan your OAuth 2.0 account linking flow from the start — retrofitting it after launch is more disruptive than building it in.
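For mistake 3 (session expiry), the server side of expiry and resumption, as an added example that is not part of UCP or ForkPoint's code: the in-memory store, the `resume_url` path and the error strings are hypothetical.

```python
import secrets
from datetime import datetime, timedelta, timezone

SESSION_TTL = timedelta(minutes=15)  # the 15-minute expiry the text uses as its example
SESSIONS = {}                        # in-memory stand-in for the session store


def iso(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def create_session(items, now, resumed_from=None):
    sid = "cs_" + secrets.token_urlsafe(16)  # unguessable session id
    SESSIONS[sid] = {"items": list(items), "status": "open",
                     "expires_at": now + SESSION_TTL, "resumed_from": resumed_from}
    return 201, {"session_id": sid, "status": "open",
                 "expires_at": iso(now + SESSION_TTL)}


def get_session(sid, now):
    s = SESSIONS.get(sid)
    if s is None:
        return 404, {"error": "session_not_found"}
    if s["status"] == "open" and now >= s["expires_at"]:
        s["status"] = "expired"  # expiry is decided by the server clock only
    if s["status"] == "expired":
        return 410, {"error": "session_expired", "expired_at": iso(s["expires_at"]),
                     "resume_url": f"/api/ucp/checkout/sessions/{sid}/resume"}
    return 200, {"session_id": sid, "status": s["status"],
                 "expires_at": iso(s["expires_at"])}


def resume_session(sid, now):
    """Copy an expired cart into a new session; totals must be recomputed for it."""
    code, body = get_session(sid, now)
    if code == 200:
        return 409, {"error": "session_not_expired"}
    if code != 410:
        return code, body
    return create_session(SESSIONS[sid]["items"], now, resumed_from=sid)


def pay(sid, now):
    code, body = get_session(sid, now)
    if code != 200:
        return code, body  # 404 or 410: never charge an unknown or expired session
    if body["status"] != "open":
        return 409, {"error": "session_not_payable"}
    SESSIONS[sid]["status"] = "completed"  # a repeated pay call now gets 409
    return 200, {"session_id": sid, "status": "completed"}
```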
UCP vs. Direct API Integration
Some teams ask: why UCP? We already have REST APIs. Can’t agents just use those?
Technically yes — a determined agent developer can reverse-engineer your checkout flow and call your existing APIs. But UCP provides three things a custom integration can’t:
- Discoverability — Agents don’t know your custom API exists. UCP’s /.well-known/ucp manifest is how they find you without any prior knowledge of your store.
- Standardization — Google’s agents, Perplexity’s agents, and third-party shopping assistants all speak the same UCP protocol. One implementation serves all of them.
- Trust — UCP-compliant merchants are verified participants in the ecosystem. Agents are more likely to recommend merchants with a valid UCP manifest than those without.
Relationship to MCP and A2A
UCP doesn’t operate in isolation. The full agentic commerce protocol stack is:
- UCP — The consumer-facing commerce layer: discovery, cart, checkout, payment, order tracking
- MCP (Model Context Protocol) — The data access layer: lets AI tools query your catalog, inventory, and orders through standardized tool definitions. Primarily relevant for B2B and enterprise buyer scenarios.
- A2A (Agent-to-Agent) — The automation layer: lets AI agents from different organizations communicate directly. Enables fully automated B2B procurement workflows.
UCP is typically the first protocol to implement because it has the highest near-term consumer traffic impact. MCP and A2A add incremental B2B and enterprise buyer coverage on top.
Platform Implementation Status
| Platform | Status | Notes |
|---|---|---|
| Shopify Plus | Native | Built-in, requires enablement |
| SFCC | Custom | No native support; use ucp-sfcc cartridge |
| BigCommerce | Custom | Announced support, timeline TBD |
| Adobe Commerce | Custom | Extension-based; no native support announced |
| commercetools | Custom | REST API compatible |
| Headless/Custom | Custom | Full flexibility via direct API implementation |
Performance Requirements
Agents expect fast responses. Target latencies:
- Discovery manifest: < 100ms
- Product feed: < 300ms (paginated)
- Checkout session create: < 500ms
- Payment initiation: < 1000ms
- Order status: < 200ms
Cache aggressively. Pre-compute where possible. Agents that encounter timeouts will move to a competitor in the same session.
Frequently Asked Questions (FAQ)
What is the Universal Commerce Protocol (UCP)?
UCP is an open standard that enables AI agents (like Google AI or Gemini) to discover products, compare options, and complete purchases natively on storefronts without human intervention.
How does UCP differ from traditional APIs?
Unlike custom REST APIs that require one-off integrations, UCP provides a standardized /.well-known/ucp manifest. This makes your storefront instantly discoverable and interoperable with any UCP-compliant shopping agent.
Is UCP available on Salesforce Commerce Cloud (SFCC)?
Yes, ForkPoint created the first open-source UCP cartridge for SFCC, allowing enterprise brands to enable agentic checkout flows on the platform.
What is the role of the Discovery Manifest in UCP?
The Discovery Manifest is the entry point for AI agents. It tells the agent what your store offers, where your product feeds are located, and which checkout and payment capabilities are currently enabled.
Getting Started
- Audit your current APIs — Do you have the data UCP needs? Inventory, pricing, and fulfillment data must be real-time or near-real-time.
- Evaluate platform options — Native support (Shopify Plus) vs. cartridge (SFCC) vs. custom implementation (headless, Adobe, BigCommerce).
- Start with discovery — Get your manifest and product feed live. Agents can start recommending your products even before checkout is enabled.
- Add checkout in phase 2 — Sessions, payment handling, and order management.
- Test with agent simulators — Validate your implementation against real agent traffic patterns before production.
Ready to implement? Get your readiness score or explore our open-source SFCC cartridge on GitHub.