How to set up a UCP and MCP server on WooCommerce, Magento, BigCommerce, SFCC, and commercetools

When Google and Shopify announced the Universal Commerce Protocol at NRF in early 2026, Shopify merchants woke up to a new sales channel they did not have to build. Storefront MCP servers, UCP-compliant checkout, and product visibility inside Google AI Mode and the Gemini app were made available at the platform level. A few settings in the admin and a Shopify store can sell to AI agents.

If your store runs on WooCommerce, Magento, BigCommerce, Salesforce Commerce Cloud, or commercetools, nobody flips that switch for you. The protocols are open, and the tooling exists, but the setup falls on you and your development team.

In this guide, you will learn what UCP and MCP actually are, how an AI agent discovers and transacts with a store, and the concrete setup for each major non-Shopify eCommerce platform.

By the end, you will know which UCP and MCP server to launch, what to build, and how to test that a real AI agent can complete a purchase on your store.

What Shopify built natively, and why it sets the benchmark

Shopify co-authored the standard with Google and made its own infrastructure the reference implementation. Every Shopify store now gets a Storefront MCP server that AI agents can query for products, policies, and cart actions.

The catalog tools on that server, search_catalog, lookup_catalog, and get_product, conform to the UCP catalog specification, and a separate Global Catalog covers cross-merchant discovery across billions of products. Cart and Checkout MCP servers handle the transaction itself.

On April 22, 2026, they turned on Storefront Catalog MCP against UCP schemas, deprecated the old endpoint, and gave developers until June 15, 2026, to migrate. That is how committed the platform is to one shared standard.

Shopify's developer docs for the Storefront MCP server. Its catalog tools conform to the UCP catalog specification. Source: shopify.dev, captured June 2026.

Why is this important for you if you are not on Shopify?

Because Shopify defined what agents now expect from every store: a publicly discoverable manifest, structured tools with strict schemas, and a checkout an AI agent can drive without scraping your website. LLMs already speak this language. Your job is to answer it.

Agentic commerce protocol, explained in plain English

The acronym soup around agentic commerce confuses almost everyone, so let us sort it out before touching any code. Agentic commerce simply means AI agents completing shopping tasks on a person's behalf: finding products, comparing options, filling carts, and paying.

Four protocols make that possible, and they sit at different layers rather than competing head-to-head. MCP is the transport, UCP and ACP define the shopping semantics, and AP2 handles payment authorization. The diagram below explains the differences.

The agentic commerce protocol stack. MCP carries the messages, UCP and ACP define the shopping actions, and AP2 authorizes the payment.

What is an MCP server? (the connector layer)

The Model Context Protocol is an open standard released by Anthropic in November 2024. It defines how an AI model connects to outside tools and data.

An MCP server is a small piece of software that exposes actions, called tools, that an agent can call: search_products, get_cart, create_checkout, get_order.

Think of MCP as a universal power outlet. Any AI agent with the right plug, whether that is Claude, Gemini, ChatGPT, or a custom assistant, can connect to any MCP server without a one-off integration.

MCP went from interesting to unavoidable in 2026. When Adobe launched a Commerce MCP server at its Summit keynote in April, it confirmed what the ecosystem had already decided: MCP is the default integration layer between agents and commerce data.

What is UCP? (the commerce language)

The Universal Commerce Protocol is an open standard co-developed by Google and Shopify together with Etsy, Wayfair, Target, and Walmart, and endorsed by more than 20 partners, including Visa, Mastercard, Stripe, and Adyen. It is available on GitHub under the Apache 2.0 license and is live across Google AI Mode and the Gemini apps, with Microsoft Copilot checkout adding UCP support in April 2026.

The UCP project site. The protocol is open source under Apache 2.0 and co-developed by Google and Shopify. Source: ucp.dev, captured June 2026.

UCP covers the full shopping lifecycle in four stages: product discovery, capability negotiation, checkout, and post-purchase handoff.

Capability negotiation is the step where the agent reads what your store supports, things like discounts, fulfillment options, or identity linking, and adapts its behavior to match.

The part that makes UCP practical is that it is transport-agnostic. You can expose UCP capabilities via plain REST APIs, MCP, or A2A, the Agent2Agent protocol for agent-to-agent communication. Your MCP server and your UCP support are not separate projects. One serves the other.

What are ACP and AP2? (the OpenAI lane and the payment layer)

The Agentic Commerce Protocol is the parallel standard from OpenAI and Stripe. It was designed to power in-chat checkout and works through a small set of checkout endpoints plus a Shared Payment Token issued by Stripe. However, Instant Checkout inside ChatGPT was shut down in March 2026. The protocol itself continues.

The Agent Payments Protocol handles the money. It is a Google-associated standard for agent payments built around mandates: cryptographically signed proofs that a real user authorized a specific transaction within defined limits. A mandate gives you, the merchant, non-repudiable evidence of consent before an autonomous agent spends someone's money. UCP is designed to work with AP2 out of the box.

So which one of these agentic commerce protocols do you pick?

The honest answer for most merchants is all of them, at different layers. MCP is how AI agents reach your store, UCP and ACP define what shopping actions mean, and AP2 secures the payment. Supporting UCP over an MCP transport also gets you most of the way to ACP, since the underlying catalog and checkout mechanics are the same.

How an AI agent transacts with your store

Before building anything, it helps to see the whole journey from the agent's side. A shopper tells Gemini to find a waterproof hiking jacket under $200. What happens next is illustrated in the steps below.

The five stages of a UCP transaction, with the simplified checkout state inside stage three.

1. Discovery. The agent fetches a JSON file from your domain at /.well-known/ucp. This manifest is your AI-readable business card. It declares your protocol version, supported capabilities, endpoints, and payment configuration.

2. Capability negotiation. The agent compares what it needs against what you declared, agrees on capability versions, and plans the transaction. No hard-coded, merchant-specific flow is involved.

3. Checkout. The agent creates a checkout session and moves it through a series of defined states, supplying line items, shipping details, and contact information as your store asks for them.

4. Payment. The agent presents a tokenized payment credential along with an AP2 mandate proving the user approved the purchase. Your payment provider processes it, and you remain the merchant of record.

5. Post-purchase. Your store emits order webhooks for lifecycle events such as fulfilled, delivered, refunded, or returned, so the agent can answer questions like where is my order without anyone checking a tracking page.

The checkout state machine

UCP runs checkout as a state machine. The checkout sits in one state at a time and moves forward only along set paths. Think of it as a checklist the system works through in order, where each step must be cleared before the next opens.

A session starts as incomplete while required details are still missing. It moves to ready_for_complete once the totals, tax, and shipping are worked out, passes through complete_in_progress as the order finalizes, and ends as either completed or canceled. If something needs a human, it shifts to requires_escalation and hands the buyer back to your site to finish.

This is what keeps the agent predictable. The spec requires the flow to be deterministic, so the same inputs always produce the same path.

The agent does not improvise. It reads the current status, sees which details your store still needs, fills them in, and the status moves to the next step.

You stay in control of that status, which means steps like tax calculation or shipping validation can not be skipped to rush an order through. Once a checkout is marked completed, it is locked.

Identity linking and order management

Two more UCP capabilities complete the lifecycle. Both are worth planning for even if you launch checkout first.

Identity linking lets a platform obtain a shopper's authorization via OAuth 2.0, the same delegated login standard behind Google sign-in buttons, so an agent can act on a logged-in account. That unlocks personalized pricing, loyalty balances, saved addresses, and account-linked checkout instead of treating every agent visit as an anonymous guest.

Order management closes the loop after the sale. Your store publishes webhook updates for lifecycle events, agents subscribe to them, and the shopper hears their order is on its way without anyone hunting for a tracking number.

Support tickets that start with where is my order tend to fall first, which is a quiet but real cost saving. Now let us go through how to set this up step by step.

Step 1: Publish your UCP profile at /.well-known/ucp

As you have seen, everything in agentic commerce starts with discovery. Your first concrete task is publishing a UCP profile.

This is a public JSON file served at https://yourstore.com/.well-known/ucp. It must be accessible without authentication, and it must return an application/json content type.

The profile declares which services and capabilities your store supports, which spec versions you implement, where your endpoints live, and the public keys agents use to verify messages your server signed.

Here is a trimmed example using the current 2026-04-08 spec version:

{
  "ucp": {
    "version": "2026-04-08",
    "services": {
      "dev.ucp.shopping": [
        {
          "version": "2026-04-08",
          "spec": "https://ucp.dev/specification/overview",
          "transport": "rest",
          "endpoint": "https://yourstore.com/ucp/v1",
          "schema": "https://ucp.dev/2026-04-08/services/shopping/rest.openapi.json"
        }
      ]
    },
    "capabilities": {
      "dev.ucp.shopping.checkout": [
        {
          "version": "2026-04-08",
          "spec": "https://ucp.dev/specification/checkout",
          "schema": "https://ucp.dev/2026-04-08/schemas/shopping/checkout.json"
        }
      ],
      "dev.ucp.shopping.order": [
        {
          "version": "2026-04-08",
          "spec": "https://ucp.dev/specification/order",
          "schema": "https://ucp.dev/2026-04-08/schemas/shopping/order.json"
        }
      ]
    }
  }
}

A few rules save you pain later:

• Capabilities use reverse-domain naming, and versions follow the YYYY-MM-DD format.
• The origin of a capability's spec and schema URLs must match the namespace authority. Anything under dev.ucp points at ucp.dev, while custom capabilities point at your own domain.
• Keep the file out of aggressive cache layers. An agent reading a stale manifest will call endpoints that no longer exist.

Verify the basics with one command:

curl -i -H "Accept: application/json" https://yourstore.com/.well-known/ucp

Step 2: Set up your MCP server

With discovery in place, the MCP server is the workhorse. It is the piece of infrastructure that receives a tool call like search_products and translates it into real API calls against your platform. Four architecture patterns have emerged across the industry:

• Native endpoint. The platform itself serves MCP, the way Shopify does per store. You get this only if your platform builds it.

• Plugin or extension. A module installed inside the platform exposes MCP routes. This is the main way to set it up on WooCommerce and Magento.

• Standalone wrapper. A separate Node.js or Python service wraps your platform's REST or GraphQL API using the official MCP SDKs. Full control, more hosting responsibility.

• Gateway server. A service that sits between AI agents and your existing commerce infrastructure, translating MCP tool calls into platform API calls while adding governance, access controls, and rate limiting. commercetools and Salesforce Commerce Cloud follow this approach, and it is the right call for most enterprise platforms.

The gateway setup looks like this: one MCP server translates AI agent tool calls into your platform's existing catalog, cart, checkout, and order APIs.

The gateway pattern. One MCP server translates agent tool calls into your platform's existing catalog, cart, checkout, and order APIs.

Whichever pattern you choose, a minimal tool looks like this in TypeScript with the official MCP SDK. On newer SDK versions, server.registerTool with a config object is the preferred form, though the server.tool call below still works:

import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { z } from "zod";

const server = new McpServer({ name: "store-commerce", version: "1.0.0" });

server.tool(
  "search_products",
  "Search the live product catalog by keyword",
  { query: z.string(), max_results: z.number().default(10) },
  async ({ query, max_results }) => {
    const url = process.env.STORE_API +
      "/products?search=" + encodeURIComponent(query) +
      "&per_page=" + max_results;
    const res = await fetch(url, {
      headers: { Authorization: "Bearer " + process.env.STORE_API_KEY }
    });
    const products = await res.json();
    return { content: [{ type: "text", text: JSON.stringify(products) }] };
  }
);

Three implementation rules are more important than the framework you pick.

• First, start read-only. Deploy catalog search and order lookup before you let any agent write to a cart, and expand scopes once you trust your logging.
• Second, authenticate properly. MCP handles auth at the transport layer, and OAuth 2.1 is the emerging norm, so do not hide a god-mode admin key behind a public endpoint.
• Third, return strict, schema-valid responses. Agents make decisions on your data. If your API omits a price, an agent might guess one, and you do not want that conversation with a customer.

Not sure where your platform stands?

Shero Commerce audits ecommerce stores for agentic readiness across catalog data, API architecture, and protocol support, then builds the integration with your team. Our agentic readiness audit shows what agents find when they knock on your store.

Platform-by-platform setup guides

The protocol work above is universal. What differs is how each platform gets you there. Here is the current state of play and the practical implementation on each one.

One more decision before the platform specifics: decide which audience your first server serves. An admin-facing MCP server lets your own team query orders, update prices, and run reports conversationally, and it is low risk because it sits behind your existing staff permissions. A shopper-facing server is the one that puts you in front of agent traffic from Gemini or ChatGPT, and it demands the discovery, checkout, and payment work in this guide. Many of the Magento and WooCommerce tools below started life as admin assistants and grew shopper capabilities later, so you can stage the rollout the same way.

How to set up UCP and MCP on WooCommerce?

WordPress has taken concrete steps toward agentic commerce. The Abilities API gives WordPress a standard registry of machine-callable actions, and the WooCommerce MCP layer, released in developer preview with WooCommerce 10.3 in late 2025 and still in preview as of mid-2026, acts as a security proxy that translates protocol requests into executable WordPress actions. Community plugins such as UCP Connect go further and expose both a UCP profile and a native MCP endpoint, so desktop agents like Claude can connect directly to the store.

WooCommerce's Model Context Protocol integration, still in developer preview as of mid-2026. Source: developer.woocommerce.com, captured June 2026.

Setup steps: install an MCP-capable plugin or the WooCommerce MCP feature (linked above), define which abilities agents may call, generate scoped REST credentials, and publish the manifest. An ability registration is a contract, and it looks like ordinary WordPress code:

wp_register_ability( 'mystore/search-products', array(
  'label'               => 'Search products',
  'description'         => 'Keyword search across published products',
  'category'            => 'commerce',
  'execute_callback'    => 'mystore_search_products',
  'permission_callback' => function () { return true; },
) );

Watch two things on WooCommerce specifically. Page caching must never serve a stale /.well-known/ucp file or cached prices to agents, so exclude those routes. If you are on a shared hosting plan and receive rapid-fire agent requests, your site might slow down, so put rate limiting in front of the MCP routes and keep your pricing and stock endpoints loading fast.

How to set up UCP and MCP on Magento and Adobe Commerce?

Adobe made the loudest commitment of any enterprise platform. At Adobe Summit in April 2026, they launched a Commerce MCP server giving agents secure, real-time access to catalog, cart, pricing, inventory, promotions, checkout, order management, and post-purchase flows, with Stripe, Adyen, and PayPal partnerships covering ACP and UCP on the payment side.

For Magento Open Source, the ecosystem is just beginning to fill the gap. Early, mostly unofficial community modules are starting to appear that serve a /.well-known/ucp profile and expose MCP endpoints, but they are immature and should be vetted carefully before any production use. Admin-facing MCP extensions that connect Magento to LLMs like Claude, ChatGPT, and Gemini over OAuth are also emerging.

Setup steps: install the protocol modules via Composer, configure capabilities per store view, create a dedicated integration with scoped tokens, and map ACL roles to agent permissions. ACL stands for access control list, the Magento permission system that controls which API resources a user or integration can touch.

The catch is exactly there. In stores with incomplete ACL configuration, agents will hit authorization errors even during unauthenticated browsing calls. And third-party security extensions that rewrite API routes silently break the endpoints your manifest declares. Audit both before you blame the agent.

How to set up UCP and MCP on BigCommerce?

BigCommerce ranks as a strong performer in agentic readiness thanks to its API-first architecture, but it does not yet offer a full native shopping protocol stack, as Shopify does. The practical route is the gateway pattern: a standalone MCP server that wraps the Catalog API for products, the Carts and Checkout APIs for transactions, and the Orders API for post-purchase state, all ideally handled during a proper BigCommerce development build.

Setup steps: create a store-level API account with narrowly scoped OAuth tokens, build or deploy a gateway MCP server mapping tools to those APIs, serve the UCP manifest from your storefront domain or CDN, and wire order webhooks back to the agent surface. Several middleware vendors now operate this layer as a managed service if you would rather not host it.

How to set up UCP and MCP on Salesforce Commerce Cloud?

Salesforce runs a B2C Commerce MCP service, currently in pilot, that provides MCP tools for the agentic shopper experience and supports MCP, HTTP server-sent events, and Google's A2A standard. Authentication rides on SLAS, the Shopper Login and API Access Service: your storefront's guest or shopper login produces a JWT, a signed JSON Web Token, that must be passed as a Bearer token on every call to the MCP server.

Setup steps: enable the MCP service for your environment, then point your agent at the organization endpoint, which follows this format:

https://{short-code}.api.commercecloud.salesforce.com/mcp/shopper/v1/organizations/{org_id}/sse

Validate the SLAS JWT on every single call, because it is the API authentication for the whole MCP service. SFCC pairs this with Agentforce shopper agents on PWA Kit storefronts, so if you already run a headless SFCC front end, you are closer than you think.

How to set up UCP and MCP on commercetools?

Commercetools launched Commerce MCP into early access in May 2025. It exposes product catalogs, carts, pricing, promotions, and orders in an agent-accessible format without replatforming, and the ecosystem design lets partners add their own MCP tools on top. Because commercetools is fully headless, meaning the commerce engine has no built-in storefront, and everything happens through APIs, the MCP layer is a natural fit rather than a bolt-on.

Setup steps: enable Commerce MCP on your project, create an API client scoped to the exact resources agents need, connect your agent platform, and publish your UCP manifest from whatever serves your storefront domain.

Getting AI agents to actually transact: payments, credentials, and testing

Payments without touching card numbers

The fastest way to kill an agentic commerce project is to drag your MCP server into PCI scope. PCI DSS is the security standard for any system that stores, processes, or transmits raw card data, and the audit burden is heavy.

UCP's payment design lets you avoid it almost entirely. Agents pass opaque, tokenized credentials your server forwards but cannot read, your payment service provider handles tokenization, and wallet providers like Google Pay supply encrypted credentials. Never let raw card numbers pass through your MCP server, full stop.

For autonomous purchases, require the AP2 mandate extension. The signed mandate is your proof that the user authorized that specific transaction, which matters enormously when a chargeback dispute lands three months later. On the ACP side, the Shared Payment Token from Stripe plays the same role. In both protocols you remain the merchant of record and keep full control of payment processing.

Test it the way an agent would

Do not declare victory when the code deploys. QA it by following the same steps an AI agent does, in order:

• Fetch your manifest with curl and confirm valid JSON, the right content type, and capability versions that match what your endpoints really implement.
• Run the official ucp-schema validator against your request and response payloads to catch schema drift before an agent does.
• Exercise the state machine. Create a checkout session with incomplete shipping data and confirm your endpoint reports the session as incomplete with a list of the expected fields, and returns a 400 status for malformed payloads, instead of erroring out.
• Connect a real agent and run a sandbox purchase end-to-end, from catalog search through payment to the order webhook.
• That last step is easier than it sounds. The simplest path is Claude's native Custom Connectors: in Settings, add your server by its URL and let Claude handle the OAuth handshake. For older clients or file-based setups, you can bridge to it with mcp-remote in the desktop configuration file, then ask Claude to find a product and check out:

{
  "mcpServers": {
    "my-store": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://yourstore.com/mcp"]
    }
  }
}

Watching an agent reason through your catalog is also the best data-quality audit you will ever run. Vague product titles, missing attributes, and inconsistent variant naming show up instantly, because the agent stumbles exactly where a careful human shopper would.

What to watch while the standards evolve

Some honesty before you commit a roadmap to this. Agentic checkout is primarily in the US today, and UCP and ACP are still evolving and competing, so the rules may shift faster than you think.

Many platform modules remain early or experimental. The agentic channel also changes your economics. The agent owns the conversation, so watch fees, margins, and return rates closely once orders start flowing.

Yet doing the foundational work is not a waste.

Clean structured data, accurate availability, real shipping data, and resolvable policy pages drive your Google Merchant Center eligibility, your AI search visibility, and your organic results today. They will feed agentic commerce as it standardizes.

It is the same discipline that good SEO has demanded for years, now with a buyer that reads JSON instead of pixels.

Treat the agentic commerce protocol work as a separate channel on top of the SEO fundamentals you should already have in place. A fast API layer, accurate inventory, and product data that an LLM can verify. If those are working, adding the next protocol becomes a sprint, not a replatform.

Last, have a realistic budget. A read-only catalog MCP server on a healthy API is a small project measured in days. A transacting UCP implementation with payments, mandates, and webhooks takes weeks, and most of that time goes into testing edge cases like partial refunds, out-of-stock races, and tax on split shipments rather than the happy path.

Ready to make your store agent ready?

FAQs on how to set up a UCP and MCP server