If you're a GEO consultant or agency managing ecommerce clients, you've probably been asked some version of this question:
"Can AI agents find my store? How do I know?"
The honest answer, until recently, was: you don't. There was no standardized way to measure AI agent discoverability. That changed with UCP (Universal Commerce Protocol) - the open standard from Google and Shopify that gives AI shopping agents a machine-readable entry point to any store.
Now there is something measurable. And if you're the one measuring it for your clients, that's a service worth charging for.
Why Agencies Should Care About UCP Audits
Google AI Mode, Microsoft Copilot, ChatGPT, and Perplexity are all building agentic commerce capabilities. Microsoft announced GA of UCP feeds in Merchant Center on April 21, 2026. Over 12,000 merchants have published UCP profiles as of Q1 2026.
Your clients are going to ask about this. Some already have. The agencies that can answer with data - not hand-waving - will win those conversations.
Here's what makes UCP audits a natural fit for agencies:
- It's per-domain. Each client's hosting stack, CDN, and certificate chain breaks differently. A profile that works on Shopify fails on WooCommerce for entirely different reasons.
- It's recurring. UCP validation isn't a one-time setup. Deploys break endpoints. CDN caches serve stale schemas. Certificate renewals don't propagate. The profile that passed last month can silently fail this month.
- It's reportable. UCP validation produces a numerical AI readiness score (0-100) with specific, fixable issues. That's the kind of deliverable clients understand.
The Agency Audit Framework
Here's a repeatable process for running UCP audits across a client portfolio. It works whether you manage 3 domains or 300.
1. Baseline Scan: Does the Profile Exist?
Before anything else, check whether each client domain serves a UCP manifest at /.well-known/ucp.
https://client-store.com/.well-known/ucp
Three outcomes:
- 404 / No manifest - The store is invisible to AI agents. Full stop. This is your biggest finding and your clearest upsell.
- Manifest exists but invalid JSON - Broken deployment or misconfigured server. Quick fix, high impact.
- Valid manifest - Move to deeper validation.
In our experience, roughly 70% of ecommerce stores don't serve a UCP manifest at all. For the ones that do, about 60% have issues at deeper validation levels.
2. Four-Level Validation
UCP validation isn't binary (pass/fail). There are four distinct levels, and each catches different categories of issues:
| Level | What It Checks | Common Failures |
|---|---|---|
| 1. Structural | JSON syntax, required fields, version format | Missing ucp root, wrong version format |
| 2. Compliance | Protocol rules: namespaces, HTTPS, signing keys | Namespace mismatches, missing signing keys (42% of L2 failures), HTTP endpoints |
| 3. Network | Do declared URLs actually resolve? | CDN 404s, stale schemas, malformed JWK keys |
| 4. Agent Simulation | Full checkout lifecycle test | Backend returns 500 on cart creation, state machine failures |
Most validators - including the free ones your clients might have tried - only check Level 1. That gives false confidence. A Level 1 pass with Level 3 failures means the profile looks correct but agents can't actually use it.
For agencies, Level 3 is the most valuable finding. These are infrastructure-drift issues that only surface after deploys, CDN changes, or certificate renewals. They're invisible to the developer who wrote the profile but obvious to an auditor running regular checks.
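The baseline scan and the offline part of Levels 1 and 2 can be scripted as below. This is an added example, not code from UCPtools or the UCP specification: the `signing_keys` field name, the outcome labels and the sample responses are assumptions made for illustration. It walks every string in the manifest for `http://` URLs, so it does not depend on a particular schema.

```python
import json

SIGNING_KEYS_FIELD = "signing_keys"  # assumed field name; adjust to the spec version you audit

def classify_baseline(status, body):
    """Map one GET /.well-known/ucp response to the three baseline outcomes."""
    if status != 200:
        return "no_manifest", None
    try:
        return "valid_json", json.loads(body)
    except (ValueError, TypeError):
        # Covers HTML error pages or SPA fallbacks served with a 200 status.
        return "invalid_json", None

def iter_urls(node, path="$"):
    """Yield (json_path, url) for every http(s) string, without assuming a schema."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_urls(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_urls(value, f"{path}[{i}]")
    elif isinstance(node, str) and node.lower().startswith(("http://", "https://")):
        yield path, node

def audit(status, body):
    """Return (outcome, issues); issues are (validation_level, message) tuples."""
    outcome, doc = classify_baseline(status, body)
    if outcome != "valid_json":
        return outcome, []
    if not isinstance(doc, dict) or not isinstance(doc.get("ucp"), dict):
        return outcome, [(1, "missing ucp root")]
    issues = [(2, f"HTTP endpoint at {p}: {u}")
              for p, u in iter_urls(doc) if u.lower().startswith("http://")]
    if not doc.get(SIGNING_KEYS_FIELD):
        issues.append((2, "missing signing keys"))
    return outcome, issues

# Constructed sample responses (status, body); none come from a real store.
SAMPLES = {
    "no-manifest.example": (404, ""),
    "soft-404.example": (200, "<!doctype html><title>Not found</title>"),
    "grade-c.example": (200, json.dumps({"ucp": {"version": "2026-01-11", "services": {
        "dev.ucp.shopping": {"spec": "https://grade-c.example/spec",
                             "rest": {"endpoint": "http://grade-c.example/api"}}}}})),
}

if __name__ == "__main__":
    for domain, response in SAMPLES.items(): print(domain, audit(*response))
```

Level 3 and Level 4 need live requests against the declared URLs and are not covered by this check.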
3. Score and Categorize
After running validation, each domain gets an AI readiness score (0-100) and a letter grade:
| Grade | Score | What It Means |
|---|---|---|
| A | 90-100 | AI agents can discover, browse, and transact |
| B | 70-89 | Discoverable with minor issues |
| C | 50-69 | Detected but can't complete transactions |
| D | 20-49 | Major issues blocking agent interaction |
| F | 0-19 | Effectively invisible |
The Grade C trap is the most common: the profile exists and passes basic checks, but missing signing keys or broken endpoints prevent any actual transaction. Your client thinks they're "UCP ready" because they have a manifest file. They're not.
4. Build the Client Report
A useful client report contains:
- Score and grade for each domain
- Issue breakdown by validation level (structural, compliance, network, simulation)
- Specific fixes with estimated effort (most Level 2 fixes take minutes)
- Comparison to previous audit if this is a recurring engagement
- Competitive context - how do they compare to others in their vertical?
The key metric clients care about: "Can AI agents buy from my store?" Frame everything around that question. A score of 62 means "AI agents can find you but can't complete a purchase." That's concrete enough to drive action.
What to Check Per Platform
UCP issues cluster differently by ecommerce platform. Knowing the common patterns saves audit time:
Shopify
- UCP profile served via app proxy (path configuration matters)
- Payment handler configuration usually correct (Shopify handles this)
- Watch for: signing key rotation gaps, custom app conflicts
WooCommerce
- Profile typically served via WordPress plugin or .htaccess rewrite
- Watch for: HTTP endpoints (mixed content from plugin misconfiguration), schema URL 404s after plugin updates
BigCommerce
- Common issue: dev.ucp.shopping service missing required spec field (UCP_INVALID_SERVICE)
- Watch for: trailing slashes on API endpoints
Magento / Adobe Commerce
- Custom module required for /.well-known/ucp routing
- Watch for: namespace mismatches when using third-party extensions, GraphQL endpoint schema drift
Custom / Headless
- Most flexibility, most failure modes
- Watch for: CORS blocking agent preflight requests, endpoint URLs changing between environments
Automating Portfolio Audits
Running manual checks across 10+ domains doesn't scale. Two automation approaches:
CI/CD Integration (Per Client)
If you have access to client repos, the ucp-validate GitHub Action fails the build when the AI readiness score drops below a threshold:
- uses: Nolpak14/ucp-validate-action@v1
  with:
    domain: 'client-store.com'
    min-score: 70
This catches regressions at deploy time - before they affect agent traffic.
Scheduled Monitoring (Portfolio-Wide)
For ongoing monitoring without repo access, run validation against each client domain on a schedule. The UCPtools validator supports domain-level validation via URL - no code access needed.
Track scores over time. A domain that drops from 85 to 62 between audits means something broke in production, and you're the one catching it before the client's AI-driven traffic disappears.
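Score tracking between two audits can be reduced to a diff of snapshots, as in this added example (not part of UCPtools or the GitHub Action). The snapshot layout, the issue strings and the regression rule are assumptions; the grade floors come from the grade table above and the default threshold of 70 mirrors the `min-score` value in the workflow snippet.

```python
GRADE_FLOORS = [(90, "A"), (70, "B"), (50, "C"), (20, "D"), (0, "F")]  # from the grade table

def grade(score):
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    return next(letter for floor, letter in GRADE_FLOORS if score >= floor)

def new_issues(before, now):
    """Issues present now but absent before, keyed by validation level."""
    diff = {}
    for level, items in now.items():
        added = sorted(set(items) - set(before.get(level, [])))
        if added:
            diff[level] = added
    return diff

def compare(previous, current, min_score=70):
    """Return one report row per domain in the current audit."""
    rows = []
    for domain in sorted(current):
        now, before = current[domain], previous.get(domain)
        row = {"domain": domain, "score": now["score"], "grade": grade(now["score"])}
        if before is None:  # first audit for this domain: nothing to compare against
            row.update(status="baseline", delta=None, new_issues=now["issues"])
        else:
            row["delta"] = now["score"] - before["score"]
            row["new_issues"] = new_issues(before["issues"], now["issues"])
            fell = "ABCDF".index(row["grade"]) > "ABCDF".index(grade(before["score"]))
            below = now["score"] < min_score <= before["score"]
            row["status"] = "regressed" if fell or below or row["new_issues"] else "ok"
        rows.append(row)
    return rows

# Constructed audit snapshots; domains, scores and issue strings are illustrative.
LAST_MONTH = {"shop-a.example": {"score": 85, "issues": {2: ["namespace mismatch"]}}}
THIS_MONTH = {
    "shop-a.example": {"score": 62, "issues": {2: ["namespace mismatch"],
                                               3: ["schema URL returns 404"]}},
    "shop-b.example": {"score": 12, "issues": {1: ["no manifest"]}},
}

if __name__ == "__main__":
    for row in compare(LAST_MONTH, THIS_MONTH): print(row)
```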
Positioning This as a Service
UCP auditing fits naturally into existing GEO/SEO service packages:
- One-time audit - Baseline scan across all client domains with a findings report. Natural entry point.
- Monthly monitoring - Recurring validation with score tracking and regression alerts. Retainer model.
- Implementation support - Fix the issues the audit found. Scope varies by platform (Shopify is usually hours, custom builds are days).
The pitch to clients: "Your SEO drives traffic to your store. UCP drives AI agent traffic. We monitor both."
What makes this defensible: UCP validation requires understanding the spec, the four validation levels, and platform-specific patterns. A generic SEO tool can't do this. You can.
Getting Started
- Run a free validation against one of your client domains at ucptools.dev. See the score, the issues, and which level caught them.
- Repeat for your portfolio. Note which clients have no manifest at all vs. which have broken ones.
- Build the report. Score, grade, issues, fixes. Send it to the client.
- Set up monitoring. Catch regressions before they cost AI traffic.
The agencies that can quantify AI discoverability will own this conversation. The ones that can't will be explaining why they didn't notice their client's store disappeared from ChatGPT.
UCPtools is an independent community tool - not affiliated with Google, Shopify, or the UCP consortium.