Almin Zolotic

How I Built Autonomous AI Purchasing on WooCommerce: OAuth 2.0, Identity Linking, and Wallet Payments

An AI agent searched a 40,000-SKU store, identified a product, pre-populated the buyer's details from a linked identity, debited a wallet, and created a paid WooCommerce order — with zero human interaction after the initial consent screen.

This is what I built this week. Here's how it works.


The Problem: AI Agents Can't Authenticate as Customers

AI agents can already browse your store, read product listings, and build a cart. That part is solved by protocols like UCP (Universal Commerce Protocol) and MCP (Model Context Protocol).

But the moment an agent tries to actually complete a purchase, it hits a wall:

  • Whose account is this order going on?
  • What's the shipping address?
  • How does the agent pay without a browser redirect?

The standard answer is: surface a continue_url and make the human finish the job in a browser. That's not agentic commerce — that's just a fancy product search with extra steps.

The real problem is identity. The agent doesn't know who it's acting for, and the store doesn't know who the agent represents.


The Solution: OAuth 2.0 Identity Linking

The draft UCP spec (version 2026-03-14) introduces a capability called dev.ucp.common.identity_linking. The mechanism is OAuth 2.0 Authorization Code flow with PKCE, where the AI agent platform is the OAuth client and the WooCommerce store is the authorization server.

The flow in plain English:

  1. Agent platform discovers the store's capabilities via /.well-known/ucp
  2. Sees that the store supports identity linking via OAuth 2.0
  3. Discovers the OAuth server metadata endpoint (RFC 8414)
  4. Initiates an authorization request — the customer sees a consent screen
  5. Customer approves once — agent platform receives a bearer token
  6. Every subsequent API call includes that token
  7. The store resolves the token to a WC customer account and pre-populates all buyer data automatically

OAuth consent screen on houseofparfum.nl — AI agent requesting permission to create checkout sessions and pre-fill buyer details

After consent, every checkout session created with that bearer token automatically has the customer's name, email, billing address, shipping address, and available store credit surfaced as a payment instrument — without the customer doing anything.

The customer approves once. After that, the agent can complete purchases autonomously until the token expires or the customer revokes access.


What I Built: UCPReady

UCPReady is a WooCommerce plugin that implements the full UCP spec including identity linking. The key components:

A complete OAuth 2.0 authorization server inside WordPress — dynamic client registration, Authorization Code + PKCE S256, refresh token rotation, token revocation with cascade revocation on account events, and RFC 8414 server metadata. All rendered server-side, no external dependencies.

Identity resolution — bearer token resolves to a WC customer automatically. Checkout sessions created with a valid token have buyer data pre-populated without any additional calls.

Connected Agents tab in My Account — customers see every agent platform that has access, when it was granted, when it expires, and can revoke any of them with one click.

Automatic token revocation — tokens are cascade-revoked automatically when a customer changes their password, updates their account, or deletes their account. No stale access.
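
Refresh token rotation and cascade revocation modelled in memory, as an added example that is not UCPReady's code. Revoking the whole grant when an already-rotated refresh token is replayed is an assumption of this example, and the class and method names are hypothetical.

```python
import hashlib
import secrets
import time

def token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class GrantStore:
    """Stores only token hashes. One grant = one customer + one agent platform."""
    def __init__(self, access_ttl: int = 900):
        self.access_ttl = access_ttl
        self.grants = {}   # grant_id -> {"customer", "client", "revoked"}
        self.access = {}   # access-token hash -> (grant_id, expires_at)
        self.refresh = {}  # refresh-token hash -> {"grant", "used"}

    def _mint(self, grant_id, now):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[token_hash(access)] = (grant_id, now + self.access_ttl)
        self.refresh[token_hash(refresh)] = {"grant": grant_id, "used": False}
        return access, refresh

    def issue(self, customer_id, client_id, now=None):
        grant_id = secrets.token_hex(8)
        self.grants[grant_id] = {"customer": customer_id, "client": client_id, "revoked": False}
        return self._mint(grant_id, time.time() if now is None else now)

    def resolve(self, access_token, now=None):  # bearer token -> customer id or None
        now = time.time() if now is None else now
        grant_id, expires_at = self.access.get(token_hash(access_token), (None, 0))
        if grant_id is None or expires_at <= now or self.grants[grant_id]["revoked"]:
            return None
        return self.grants[grant_id]["customer"]

    def rotate(self, refresh_token, now=None):
        rec = self.refresh.get(token_hash(refresh_token))
        if rec is None or self.grants[rec["grant"]]["revoked"]:
            return None
        if rec["used"]:  # replay of a rotated token: treat the grant as stolen
            self.grants[rec["grant"]]["revoked"] = True
            return None
        rec["used"] = True  # each refresh token is single-use
        return self._mint(rec["grant"], time.time() if now is None else now)

    def revoke_customer(self, customer_id) -> int:
        """Cascade for password change, account update or account deletion."""
        hit = [g for g in self.grants.values() if g["customer"] == customer_id and not g["revoked"]]
        for grant in hit:
            grant["revoked"] = True
        return len(hit)
```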


The Result

Here's what actually happened on houseofparfum.nl — a live WooCommerce store with 40,000+ SKUs:

  1. Agent platform connected to the store via MCP
  2. Customer linked identity via the OAuth consent screen (one click, one time)
  3. Agent searched the catalog, found the product, created a checkout session
  4. Buyer details pre-populated automatically from the linked account
  5. Shipping method selected, wallet balance surfaced as payment option
  6. Agent completed the purchase — wallet debited server-side
  7. WooCommerce order created, status: Processing, customer: linked account, attribution: agent platform

WooCommerce order #82137 — Status: Processing, Paid, Customer: Almin Zolotic, Order attribution: Referral Ucpchecker.com

No browser. No redirect. No human interaction after the initial consent.


What the Store Owner Sees

Orders placed by AI agents appear in WooCommerce exactly like any other order — but with full attribution:

  • Status: Processing (paid)
  • Customer: the linked WC account, not Guest
  • Order attribution: the agent platform hostname that placed the order
  • UCPReady Analytics: revenue breakdown by AI platform, order count, average order value

WooCommerce My Account Connected AI Agents tab showing UCP Playground and WalletPay with access dates and Revoke buttons

Every agent that has ever been granted access is visible and revocable by the customer. No black boxes.


The Wallet Payment

When a customer has store credit and their identity is linked, the wallet balance is surfaced automatically in the checkout response as an available payment instrument. The agent sees it, selects it, and calls complete_checkout. The payment is processed entirely server-side — no Stripe, no card network, no browser redirect.

Customer wallet on houseofparfum.nl showing €59,04 remaining balance and -€16,88 debit from autonomous agent purchase on 22 March 2026

This works with any WooCommerce wallet plugin that exposes a programmatic debit API. We tested with TeraWallet.


UCP Playground Validation

Ben Fisher's UCP Playground — the primary tool for testing UCP compliance — now has a "Link Identity" button. When pointed at houseofparfum.nl, it discovers the identity linking capability, triggers the OAuth flow, and renders our consent screen correctly.

Schema Quality score: A (98).

UCP Playground connected to houseofparfum.nl showing Link Identity button and Schema Quality score A 98

The Playground currently stops at checkout creation — full autonomous completion from the Playground requires Ben to add payment instrument selection to the runtime. That's the next step on his end.


What's Missing (Honest Assessment)

Playground autonomous completion — identity linking and checkout creation work end to end via the Playground. Full completion requires payment instrument selection in the Playground runtime, which isn't there yet.

Attribute-based disambiguation — the flow assumes the agent can identify exactly which product to buy. "The blue one, size M" requires variant resolution before checkout. That's an agent-side problem, not a protocol problem.

AP2 for non-wallet payments — for stores without store credit, completing payment without a browser redirect requires an AP2-compatible payment processor. Store credit / wallet is the cleanest path today. Card payments without browser redirect are the next frontier.


Try It

The live UCP discovery endpoint: https://houseofparfum.nl/.well-known/ucp

The OAuth server metadata: https://houseofparfum.nl/.well-known/oauth-authorization-server

If you're building an agent platform and want to test identity linking against a live WooCommerce endpoint, both are open. Point your runtime at the discovery endpoint and the rest is spec-compliant.

UCPReady runs on any WooCommerce store. Available at zologic.nl.


The Bigger Picture

Identity linking is the piece that turns AI agents from "helpful product finders" into actual autonomous purchasing agents. Without it, every agentic commerce flow ends with "here's the checkout URL, go finish it yourself."

With it, the agent can complete the entire transaction — discovery, identity, payment, order creation — without the customer ever opening a browser after the first consent.

The UCP spec is still in draft on this capability (2026-03-14). But the implementation is live and working today on a real store.


UCPReady is built by Almin Zolotic at Zologic. The live test store is houseofparfum.nl.


Want this on your store?

UCPReady is available at zologic.nl/ucpready — €149/year, instant download, works on any WooCommerce store.


Tags: #woocommerce #ai #webdev #opensource
