You installed the WordPress plugin. Your .well-known/ucp endpoint returns valid JSON. The UCP checker says "Detected."
But AI shopping agents still can't buy from your store.
After scanning 43 WooCommerce domains with UCP manifests, we see the same 3 missing fields over and over. Not edge cases. Not spec trivia. These are the fields that determine whether an AI agent can actually complete a purchase - or just window-shop and leave.
The state of WooCommerce UCP right now
WooCommerce does not have native UCP support. There's an official feature request and a GitHub discussion, but as of April 2026, you're on your own.
The WordPress plugin gets you started. It generates the manifest and serves it at the right endpoint. That covers structural validation.
But structural validation is level 1 of 4. The next 3 levels are where WooCommerce stores fall apart.
Field 1: signing_keys (missing on ~60% of WooCommerce UCP profiles)
The signing_keys field tells AI agents how to verify that your manifest is authentic - that it actually came from you and wasn't tampered with.
Without signing_keys:
- Agents can't cryptographically verify your manifest
- Some agents will skip your store entirely rather than risk interacting with an unverified profile
- Google's UCP documentation explicitly recommends including signing keys
In our Apr 10 scan of 15 domains, over half were missing this field. The WordPress plugin doesn't generate it by default. You need to add it manually.
How to add it:
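- Generate a key pair (Ed25519 recommended), keep the private key in a file, and print the base64 public key:

```sh
openssl genpkey -algorithm ED25519 -out ucp-signing-key.pem   # private key (example file name), keep it out of the web root
openssl pkey -in ucp-signing-key.pem -pubout -outform DER | base64   # public key for the manifest
```
- Add to your .well-known/ucp manifest:

```json
{
  "signing_keys": [{
    "alg": "EdDSA",
    "kid": "key-1",
    "key": "BASE64_PUBLIC_KEY_HERE"
  }]
}
```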
- Store the private key securely. You'll need it if you ever sign UCP responses.
Field 2: payment_handlers (missing on ~70% of WooCommerce UCP profiles)
This is the one that actually breaks checkout. payment_handlers tells AI agents which payment methods your store accepts. Without it, agents know your store exists but have no idea how to pay.
This is not the same as your WooCommerce payment gateway settings. Those are for human checkout flows. payment_handlers is the machine-readable equivalent.
How to add it:
```json
{
  "capabilities": {
    "checkout": {
      "payment_handlers": [
        {
          "type": "card",
          "networks": ["visa", "mastercard", "amex"]
        },
        {
          "type": "payment_link",
          "url": "https://your-store.com/pay/{sessionId}"
        }
      ]
    }
  }
}
```
Match the networks to what your WooCommerce payment gateway actually supports. Don't declare Amex if you don't accept it - agents will try to use it and the transaction will fail at checkout.
Field 3: Namespace/origin match (broken on ~40% of WooCommerce UCP profiles)
The namespace and origin fields in your manifest must match your actual domain. This sounds obvious, but it breaks constantly when:
- Your WordPress site is at www.yourstore.com but the manifest declares yourstore.com
- You use a CDN subdomain that differs from your WooCommerce origin
- The WordPress plugin auto-generates the origin from site_url, which may not match the domain AI agents use to discover you
If an agent requests /.well-known/ucp from www.yourstore.com and the manifest says origin: "yourstore.com", the agent may reject the manifest as invalid for that domain.
How to fix it:
- Check what domain AI agents actually use to find your store. It's usually the canonical URL (the one with www or without, whichever you've standardized on).
- Make sure your manifest matches:

```json
{
  "namespace": "https://www.yourstore.com",
  "origin": "https://www.yourstore.com"
}
```
- If you serve on both www and non-www, pick one canonical domain and redirect the other. Don't try to serve different manifests on each - that's a namespace collision.
Why these 3 matter more than the rest
All three of these failures happen at validation level 2 (rules) or level 3 (network). A basic JSON validator won't catch them. A "Detected / Not Detected" checker won't catch them. They only surface when you:
- Run rules-based validation that checks capability consistency
- Actually test the endpoint with a live HTTP request
- Simulate an AI agent trying to complete a purchase flow
This is the gap between "my UCP file exists" and "AI agents can buy from my store." It's the gap that matters.
Quick validation checklist for WooCommerce stores
Run through this after you set up the WordPress plugin:
- [ ] signing_keys present with Ed25519 or RSA key
- [ ] payment_handlers lists the card networks you actually accept
- [ ] namespace and origin match your canonical domain (including www)
- [ ] All endpoints use HTTPS (no HTTP)
- [ ] No trailing slashes on endpoint URLs
- [ ] Cart capability includes add, remove, and view actions (not just add)
- [ ] Return policy schema present if you have a return policy
You can validate all 4 levels for free at ucptools.dev. It runs structural validation, rules checks, live endpoint testing, and AI agent simulation - not just "is the file there."
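As an added example (not code from this post or from the UCPtools validator), here is a minimal rules-level check in Python for the signing_keys, payment_handlers, namespace/origin, HTTPS and trailing-slash items above. It assumes the field layout shown in this post and that `key` holds base64-encoded DER; the function names and the sample manifest are hypothetical.

```python
import base64
from urllib.parse import urlsplit

# DER prefixes for Ed25519 keys: SubjectPublicKeyInfo (public), PKCS#8 (private).
SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
PKCS8_PREFIX = bytes.fromhex("302e020100300506032b657004220420")


def iter_urls(node):
    """Yield every string value in the manifest that looks like a URL."""
    if isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from iter_urls(child)
    elif isinstance(node, str) and "://" in node:
        yield node


def check_manifest(manifest, requested_origin):
    """Return rule failures for a parsed manifest (layout assumed from the post)."""
    keys = manifest.get("signing_keys") or []
    findings = [] if keys else ["signing_keys missing"]
    for entry in keys:
        kid = entry.get("kid")
        try:
            der = base64.b64decode(str(entry.get("key", "")), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(f"key {kid}: not valid base64")
            continue
        if der.startswith(PKCS8_PREFIX):
            findings.append(f"key {kid}: private key published")
        elif entry.get("alg") == "EdDSA" and not der.startswith(SPKI_PREFIX):
            findings.append(f"key {kid}: not an Ed25519 public key")
    checkout = manifest.get("capabilities", {}).get("checkout", {})
    if not checkout.get("payment_handlers"):
        findings.append("payment_handlers missing")
    findings += [f"{name} does not match {requested_origin}" for name in
                 ("namespace", "origin") if manifest.get(name) != requested_origin]
    for url in iter_urls(manifest):
        if urlsplit(url).scheme != "https":
            findings.append(f"non-HTTPS URL: {url}")
        if url.endswith("/"):
            findings.append(f"trailing slash: {url}")
    return findings


# Constructed sample: manifest declares the bare domain, agent fetched the www host.
SAMPLE = {"namespace": "https://yourstore.com", "origin": "https://yourstore.com"}
if __name__ == "__main__":
    print("\n".join(check_manifest(SAMPLE, "https://www.yourstore.com")))
```

Pass the origin the agent actually requested (scheme plus host) as `requested_origin`; an empty list means these rule checks passed, not that the live endpoint or checkout flow works.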
What about Google's March 2026 UCP update?
Google released new UCP capabilities and a simplified onboarding experience in March 2026. The update focuses on making it easier for merchants to get started, but the core validation requirements haven't changed. Your .well-known/ucp still needs the same fields. The difference is that Google is now providing more guidance on what "complete" looks like - which makes the missing fields above even more visible.
If you set up your WooCommerce UCP profile before March 2026, it's worth re-validating. The rules about what constitutes a "passing" profile have tightened.
Bottom line
The WordPress plugin gets your WooCommerce store to level 1. That's the floor. If you want AI agents to actually complete purchases - not just discover your products and bounce - you need level 2-4 validation. The 3 fields above are where most WooCommerce stores fail. Fix them and you're ahead of the curve.
Validation data from UCPtools scans conducted Apr 1 and Apr 10, 2026. Sample sizes: 28 and 15 domains respectively. Percentages are approximate given sample size.