Benji Fisher

Originally published at ucpchecker.com

The First Fully Autonomous AI Agent Purchase Through UCP

An AI agent searched a store, picked a product, linked a customer identity, selected wallet payment, set shipping, and completed checkout — creating a real WooCommerce order. No browser. No card network. No human after “proceed.”

On March 25, 2026, session 01KMJ26KVH7ZZ78DWMHZ5BRK32 on UCP Playground became the first fully autonomous AI agent purchase completed through the Universal Commerce Protocol. Here’s what happened, what broke along the way, and why it matters.

What you’re looking at

The session replay shows Claude Sonnet 4.5 shopping at houseofparfum.nl — a real Dutch perfume store running WooCommerce with the UCPReady plugin by Zologic. The user said:

“Buy me a perfume under 30 euro, pay with my wallet”

Eight turns and 43 seconds later, WooCommerce order #82251 was created. €30.13 debited from the customer’s store wallet. Confirmation email sent. No redirect. No payment form. No human touched it after the initial confirmation.

The full tool call sequence

Every step of the purchase is visible in the session recording. Here’s what the agent executed:

  • ucp_list_products — searched perfumes under €30, found Emanuel Ungaro Intense For Him (€18.95)
  • User confirms: “yes”
  • create_checkout — line items added, buyer pre-populated from linked identity (resolved to WooCommerce customer #1), status: requires_escalation
  • update_checkout — selected_instrument_id: terrawallet-1 rejected (missing fulfillment)
  • update_checkout — shipping method flat_rate1 set, payment still missing
  • update_checkout — wallet instrument with handler_id: com.terrawallet.store_credit accepted, status: ready_for_complete
  • complete_checkout — status: completed, order #82251, wallet balance: €467.32

Every call carried an OAuth bearer token from the linked identity. The merchant resolved it to WooCommerce customer #1, pre-populated name, email, phone, and address. The com.terrawallet.store_credit payment handler surfaced a €490.25 wallet balance with coverage: full — enough to cover the order without any card network involvement.

What had to work

This wasn’t a demo against a mock API. It was a real store with a real product catalogue, real pricing, real tax calculation, and a real wallet debit. For it to complete, every layer of the stack had to function.

Protocol layer

  • .well-known/ucp manifest with MCP endpoint, capabilities, and payment handlers
  • tools/list returning all 11 tools (search, product details, cart CRUD, checkout lifecycle, complete, cancel)
  • Structured validation messages (requires_buyer_input) that the agent could read and act on

Identity linking

  • OIDC discovery from issuer URL (RFC 8414 — UCPReady uses /.well-known/oauth-authorization-server)
  • Dynamic client registration via the discovered registration_endpoint
  • OAuth consent flow with PKCE
  • Bearer token injected on every MCP request
  • Merchant resolving the token to identity_customer_id: 1 with pre-populated buyer data

Agent orchestration

  • System prompt with checkout completion instructions
  • Auto-nudge when the model stopped after seeing validation errors
  • Auto-injection of meta.idempotency-key (UUID) on complete_checkout — models consistently fail to format this correctly
  • Payment handler IDs passed from manifest to system prompt

Payment processing

  • TerraWallet store credit — entirely server-side, no browser interaction needed
  • Wallet debit atomic with order creation on complete_checkout
  • Balance surfaced in checkout response so the agent knows coverage

What broke along the way

We’d love to say this worked first try. It didn’t. Over 24 hours of debugging with Almin from Zologic, we hit and fixed:

  • Wrong MCP endpoint — our Shopify storefront probe was overriding the manifest endpoint, so OAuth tokens were stored against /api/mcp but MCP calls went to /wp-json/ucpready/v1/mcp
  • Stale OAuth sessions — merchant-side revocation wasn’t detected; we had to add token validation on connect and auto-clear on 401
  • Model stringifying meta — Claude kept sending meta: "{\"idempotency-key\": \"...\"}" instead of a proper object. We fixed it by auto-injecting the key at the orchestrator level
  • Wallet instrument format — the merchant’s validator checked for dots in handler names; terrawallet-1 (the instrument ID) failed the check while com.terrawallet.store_credit (the handler name) passed

Each of these was a real bug that blocked a real purchase attempt. The session data captured every failure, which is exactly what UCP Playground is built for.
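The orchestrator-side fixes for the endpoint mismatch, the stale token and the stringified meta can be sketched as follows. This is an added example, not UCP Playground's code: the `send` transport, the token dictionary and all function names are hypothetical, and only the tool names, the `idempotency-key` field and the 401 behaviour come from the post.

```python
import json
import uuid
from urllib.parse import urlsplit

IDEMPOTENT_TOOLS = {"complete_checkout", "cancel_checkout"}  # tools named in the post

def endpoint_key(url):
    """Tokens are bound to scheme + host + path of the MCP endpoint they were issued for."""
    u = urlsplit(url)
    return (u.scheme, u.netloc.lower(), u.path.rstrip("/"))

def is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False

def normalize_args(tool, args):
    """Repair a stringified meta and make sure idempotent tools carry a UUID key."""
    args = dict(args)
    meta = args.get("meta") or {}
    if isinstance(meta, str):  # the model sent JSON text instead of an object
        meta = json.loads(meta)
    if not isinstance(meta, dict):
        raise ValueError("meta must be a JSON object")
    meta = dict(meta)
    if tool in IDEMPOTENT_TOOLS and not is_uuid(meta.get("idempotency-key")):
        meta["idempotency-key"] = str(uuid.uuid4())  # generated here, not by the model
    if meta:
        args["meta"] = meta
    return args

def call_tool(send, tokens, manifest_endpoint, tool, args):
    """tokens: dict keyed by endpoint_key(); send(): hypothetical transport -> (status, body)."""
    key = endpoint_key(manifest_endpoint)
    token = tokens.get(key)
    if token is None:  # e.g. token stored against /api/mcp, call aimed at another path
        raise PermissionError("no token linked for this MCP endpoint")
    args = normalize_args(tool, args)
    status, body = send(manifest_endpoint, {"Authorization": f"Bearer {token}"}, tool, args)
    if status == 401:  # revoked on the merchant side: drop it so it is never replayed
        tokens.pop(key, None)
        raise PermissionError("token rejected with 401; cleared, re-link required")
    return body
```

A key that is already a valid UUID is kept, so a retry of the same normalized arguments reuses the same idempotency key instead of minting a new one.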

Why protocol matters

Everything we built is protocol-level, not store-specific:

  • OIDC discovery works for any merchant declaring an issuer
  • Bearer token injection works for any MCP endpoint with OAuth tokens
  • Checkout nudge fires for any store returning requires_buyer_input
  • Payment handler passthrough works for any instrument the merchant advertises
  • Idempotency key injection works for any complete_checkout / cancel_checkout call

The same Playground code that completed this WooCommerce wallet checkout handles Shopify’s update_cart, classified listings, and B2B procurement flows. The protocol is the abstraction — the store plugs in whatever it supports.

What’s next

This was a single-item purchase with a pre-funded wallet and a known merchant. The conditions were controlled — one product, one payment method, one confirmation. The next milestone is multi-item cart in fully autonomous mode: multiple products, multiple decisions, no human in the loop.

That’s where orchestration, spend limits, and merchant trust become non-optional. An agent selecting three items across two stores, choosing between wallet and saved card, applying a shipping preference — every one of those decisions needs a policy layer that doesn’t exist yet.
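As an added illustration of what such a policy layer could check before `complete_checkout` is sent (not part of UCP or UCP Playground): the checkout dictionary shape, `SpendPolicy` and `violations` are hypothetical, and the sample figures are the ones reported for this session. It separates the user's per-item limit from a cap on the amount actually debited, which includes shipping and tax.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class SpendPolicy:
    max_item_price: Decimal   # user intent, e.g. "under 30 euro" (exclusive)
    max_order_total: Decimal  # hard cap on the amount debited, shipping and tax included
    currency: str
    merchants: frozenset      # merchants the agent may buy from
    handlers: frozenset       # payment handlers the agent may use unattended

def violations(policy, checkout):
    """Return reasons to refuse complete_checkout; an empty list means allow."""
    out = []
    if checkout.get("status") != "ready_for_complete":
        out.append("checkout is not ready_for_complete")
    if checkout.get("merchant") not in policy.merchants:
        out.append("merchant not on allowlist")
    if checkout.get("handler_id") not in policy.handlers:
        out.append("payment handler not on allowlist")
    if checkout.get("currency") != policy.currency:
        out.append("currency mismatch")
    for item in checkout.get("line_items", []):
        if Decimal(item["price"]) >= policy.max_item_price:
            out.append(f"item {item['title']!r} at or above item cap")
    # A missing total is treated as unbounded, so the check fails closed.
    if Decimal(checkout.get("total", "Infinity")) > policy.max_order_total:
        out.append("order total exceeds cap")
    return out

# Constructed checkout (hypothetical shape) using the figures reported in the post.
CHECKOUT = {
    "merchant": "houseofparfum.nl", "currency": "EUR",
    "status": "ready_for_complete", "handler_id": "com.terrawallet.store_credit",
    "line_items": [{"title": "Emanuel Ungaro Intense For Him", "price": "18.95"}],
    "total": "30.13",
}

def make_policy(total_cap):
    """Policy for this session; the total cap is a constructed value chosen by the caller."""
    return SpendPolicy(Decimal("30"), Decimal(total_cap), "EUR",
                       frozenset({"houseofparfum.nl"}),
                       frozenset({"com.terrawallet.store_credit"}))
```

With a constructed total cap of 35 the checkout passes; with a total cap of 30 the same €18.95 item is refused because the debited amount is €30.13.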

The protocol works. Now it needs guardrails.

Built with UCP Playground. Session data captured, replayed, and shared — because observability is the foundation of trust in agent commerce.