Skip to main content

Case Studies and Extensions

10.1 UCP Extension Mechanism

Beyond its core capabilities, UCP defines an extension mechanism. Extensions are associated with core capabilities through namespaces and participate in dependency pruning during capability negotiation. Namespace: dev.ucp.shopping.buyer_consent This extension enables merchants to obtain buyer privacy consent during the checkout flow, in compliance with regulations such as GDPR and CCPA: 
{
  "buyer_consent": {
    "analytics": true,
    "preferences": true,
    "marketing": false,
    "sale_of_data": false
  }
}
Four consent dimensions:
DimensionMeaningDefault
analyticsAllow data to be used for analyticsRequires explicit consent
preferencesAllow saving user preferencesRequires explicit consent
marketingAllow marketing communicationsRequires explicit consent
sale_of_dataAllow sale of personal dataRequires explicit consent
When creating a checkout session, if the merchant supports the buyer_consent extension, the AI agent must present consent options to the consumer and collect explicit consent or refusal. A boolean value of true indicates consent; false indicates refusal. Dependency: buyer_consent depends on the checkout capability. If checkout is not included in the negotiation result, buyer_consent is automatically removed during the pruning step.

AP2 Mandate Extension

Namespace: dev.ucp.shopping.ap2_mandate This extension adds cryptographic binding to the payment flow, ensuring non-repudiation of payment authorizations: Core mechanisms:
  • JWS Detached Signatures: Uses JSON Web Signature in detached mode, where the signature is transmitted separately from the payment request body
  • SD-JWT+kb Credentials: Selective Disclosure JWT with Key Binding, allowing buyers to disclose only the minimum information required to complete a transaction
AP2 Mandate Flow:

1. Merchant declares AP2 Mandate requirement
2. AI agent requests user authorization for payment
3. User's payment agent creates a JWS detached signature
4. Signature is bound to the specific transaction (amount, merchant, timestamp)
5. Merchant verifies the signature and completes the charge
6. Signature is archived as a non-repudiable payment receipt
Dependencies: ap2_mandate depends on both checkout and identity_linking. If either is missing from the negotiation result, ap2_mandate is pruned.

10.2 Case Study 1: Quick Onboarding for a Shopify Merchant

Background: A Shopify merchant with 500 SKUs wants AI agents to recommend products and complete checkout. Strategy: Leverage Shopify’s existing API foundation and deploy a UCP Profile via a proxy. Steps:
  1. Deploy the UCP Profile (30 minutes)
Deploy /.well-known/ucp via a Shopify App Proxy or a standalone service: 
{
  "supported_versions": ["2026-04-08"],
  "services": {
    "dev.ucp.shopping": {
      "base_url": "https://myshop.myshopify.com/apps/ucp-proxy"
    }
  },
  "capabilities": {
    "dev.ucp.shopping.checkout": {
      "version": "2026-04-08",
      "supported_operations": ["create", "get", "update", "complete", "cancel"]
    }
  },
  "payment_handlers": ["com.shopify.payments"],
  "signing_keys": []
}
  1. Product catalog adaptation (2 hours)
Convert Shopify Storefront API responses into UCP format.
  1. Checkout integration (1 day)
Map UCP checkout operations to the Shopify Checkout API.
  1. Testing and validation (2 hours)
Use the validation checklist from Chapter 9 to test all endpoints.

10.3 Case Study 2: Full Integration for a Custom-Built Store

Background: A Node.js custom-built store with 2,000 SKUs, a PostgreSQL database, and existing Stripe payment integration. Phase 1 — Profile + Product Catalog (1 day) 
const express = require("express");
const app = express();

// UCP Profile
app.get("/.well-known/ucp", (req, res) => {
  res.set("Cache-Control", "public, max-age=3600");
  res.set("Content-Type", "application/json");
  res.json({
    supported_versions: ["2026-04-08"],
    services: {
      "dev.ucp.shopping": { base_url: "https://mystore.com/ucp" }
    },
    capabilities: {
      "dev.ucp.shopping.checkout": {
        version: "2026-04-08",
        supported_operations: ["create", "get", "update", "complete", "cancel"]
      }
    },
    payment_handlers: ["com.stripe.payment"],
    signing_keys: []
  });
});

// Product search
app.get("/ucp/catalog/products", async (req, res) => {
  const { query, category, limit = 10, offset = 0 } = req.query;
  const products = await db.query(`
    SELECT id, name, description, price_amount, stock, image_url, category
    FROM products
    WHERE ($1::text IS NULL OR name ILIKE '%' || $1 || '%')
    AND ($2::text IS NULL OR category = $2)
    ORDER BY name LIMIT $3 OFFSET $4
  `, [query || null, category || null, Math.min(+limit, 50), +offset]);

  res.json({
    products: products.rows.map(p => ({
      id: p.id,
      name: p.name,
      description: p.description,
      price: { amount: p.price_amount, currency_code: "USD" },
      availability: p.stock > 0 ? "in_stock" : "out_of_stock",
      images: [{ url: p.image_url, alt: p.name }]
    })),
    total: products.rowCount,
    limit: +limit,
    offset: +offset
  });
});
Phase 2 — Checkout Capability (2-3 days) Implement the six-state state machine and five operations. Store checkout sessions in the database: 
CREATE TABLE ucp_checkout_sessions (
  id TEXT PRIMARY KEY,
  status TEXT NOT NULL DEFAULT 'incomplete',
  buyer JSONB,
  line_items JSONB NOT NULL DEFAULT '[]',
  pricing JSONB,
  fulfillment JSONB,
  payment JSONB,
  order_id TEXT,
  created_at TIMESTAMPTZ DEFAULT NOW(),
  updated_at TIMESTAMPTZ DEFAULT NOW()
);
Phase 3 — Identity Linking + Signing Keys (2-3 days)
  • Deploy an OAuth 2.0 authorization server (consider using an existing library such as oidc-provider or oauth2-server)
  • Publish /.well-known/oauth-authorization-server
  • Generate an ES256 key pair and publish the public key in the Profile’s signing_keys
Phase 4 — Order Management + Webhooks (2 days)
  • Order query API
  • RFC 9421 signed Webhook notifications
  • Return / refund adjustment API

10.4 Case Study 3: WooCommerce Cloudflare Worker Adapter

Background: A WooCommerce store with 800 SKUs, looking to integrate UCP with minimal effort. Solution: Deploy a Cloudflare Worker as a UCP adapter layer. 
AI Agent
  |
  v
Cloudflare Worker (UCP Adapter Layer)
  +- /.well-known/ucp -> Return Profile JSON
  +- /ucp/catalog/* -> Convert to WC API calls, transform responses to UCP format
  +- /ucp/checkout/* -> Convert to WC Checkout calls
  +- Signing key management (keys stored in CF Secrets)
  |
  v
WooCommerce REST API (wp-json/wc/v3/*)
Advantages:
  • No modifications to WooCommerce itself; the Worker is independently deployed
  • Global edge nodes for low latency
  • Can be toggled on or off without affecting the existing website
  • CF Worker Secrets can securely store signing private keys
Regardless of your platform, follow this sequence:
PhaseWorkTimeOutcome
1/.well-known/ucp Profile1 hourAI agents can discover you
2Product catalog API1 dayAI agents can search and display products
3Checkout capability2-3 daysAI agents can complete purchases
4Identity linking2-3 daysPersonalized shopping experiences
5Order management + Webhooks2 daysFull post-purchase support
6Extensions (Consent / AP2)1-2 daysCompliance and advanced payment
Phase 1 can be done at zero cost and makes your store discoverable by AI agents. Each subsequent phase adds capabilities incrementally, and every phase is independently useful.

10.6 Ecosystem Collaboration

UCP’s 30+ ecosystem partners mean:
  • Payments: Declare supported processors via payment_handlers (Stripe, Adyen, PayPal, Klarna, etc.). AI agents automatically negotiate the optimal payment method.
  • Buy now, pay later: Affirm and Klarna, as UCP partners, are expected to provide standardized installment payment processors.
  • Retailers: Support from major retailers like Best Buy, Target, and Walmart means AI agents can compare prices and make purchases across merchants.
  • Card networks: Participation from Visa and American Express ensures financial compliance in payment token exchange.
Congratulations on completing Book 3. You now understand the full technical architecture of the UCP protocol — from /.well-known/ucp Profile discovery and capability negotiation, through the four core capabilities (Checkout, Identity Linking, Order Management, and Payment Token Exchange), four transport mechanisms (REST, MCP, A2A, and Embedded), to RFC 9421 signatures and JWK key management. Recommended next steps:
Suggested next: ACP Agentic Commerce Protocol — Learn about the AI agent checkout and payment standard created by Stripe More case studies: OTR Case Studies | ACP FAQ | MCP Case Studies