How AI Shopping Agents Discover Your Store: The 7-Step UCP Discovery Flow

You spent months perfecting your Shopify theme. Your product photos are stunning. Your checkout converts at 3.2%.

But when a customer asks ChatGPT "find me running shoes under $150," your store doesn't exist.

AI shopping agents don't see your homepage. They don't scroll your collections. They follow a strict, machine-readable discovery flow called UCP (Universal Commerce Protocol) - and if any step fails, they silently move to the next store.

Here's the exact 7-step sequence every AI agent follows.

The 7-Step AI Agent Discovery Flow

When an AI shopping agent (ChatGPT, Google Gemini, Perplexity, or any agentic commerce bot) tries to find and buy from your store, it follows this exact sequence:

Step 1: DNS + HTTPS    → Can I resolve your domain securely?
Step 2: UCP Discovery  → Is there a /.well-known/ucp manifest?
Step 3: Profile Parse  → Is it valid UCP (not just valid JSON)?
Step 4: Capability Scan → What can I do here? Browse? Checkout? Search?
Step 5: Endpoint Probe → Are the declared API endpoints actually reachable?
Step 6: Negotiate      → Do your capabilities match what I need?
Step 7: Transact       → Execute the purchase flow

Most stores fail silently at Step 2. There's no error page. No 404. The agent just... leaves.

Step 1: DNS and HTTPS (The Baseline)

This one's simple. Your domain needs to resolve, and it must serve HTTPS. No exceptions - the UCP specification mandates TLS for all endpoints.

If you're running HTTP-only in development, AI shopping agents can't reach you even for testing. The spec requires HTTPS because agents pass payment data through these endpoints.

Step 2: The UCP Manifest (Where Most Stores Fail)

This is where most stores drop off. AI agents look for a JSON manifest at a specific path:

https://your-store.com/.well-known/ucp

This is your store's machine-readable identity card. It tells agents: who you are, what you sell, what capabilities you support, and how to interact with your APIs.

No manifest = invisible store. It's that simple.

The .well-known path follows RFC 8615 - the same convention used by SSL certificates, Apple app associations, and OAuth discovery. AI agents check this path first because it's standardized.

Step 3: Valid UCP Profile, Not Just Valid JSON

Here's a mistake we see constantly: your manifest might parse fine with JSON.parse(). That doesn't mean it's a valid UCP profile.

The Universal Commerce Protocol requires specific fields, namespace bindings, version formats, and structural rules that go far beyond JSON syntax. Here's what a minimal valid UCP profile looks like:

{
  "ucp": {
    "version": "2025-04-01",
    "merchant": {
      "name": "Your Store",
      "url": "https://your-store.com",
      "contact": {
        "email": "support@your-store.com"
      }
    },
    "capabilities": [
      {
        "name": "dev.ucp.shopping.checkout",
        "version": "1.0",
        "spec": "https://ucp.dev/specification/checkout/",
        "schema": "https://ucp.dev/schemas/shopping/checkout.json",
        "endpoint": "https://your-store.com/api/ucp/checkout"
      }
    ]
  }
}

Common UCP validation failures that make AI agents skip your store:

• Missing version field - agents can't negotiate protocol compatibility
• Wrong version format - must be YYYY-MM-DD, not semver
• Namespace mismatch - dev.ucp.shopping.checkout must match the origin domain
• HTTP endpoints - every endpoint must be HTTPS
• Trailing slashes - some agents are strict about URL normalization

Step 4: Capability Scanning (What Can Your Store Do?)

Once an AI agent parses your UCP profile, it checks what capabilities you support. UCP capabilities are modular:

Checkout is the minimum. Without it, an agent can discover your store but can't buy anything. Most agents today are looking for checkout + catalog search as a baseline.

The more capabilities you support, the richer the agent interaction. But start with checkout - a store that can complete purchases beats one that can search but not buy.

Step 5: Endpoint Probing (The Silent Killer)

This is where things get interesting. AI agents don't just read your UCP manifest - they test your endpoints.

For each capability:
  1. Extract the endpoint URL
  2. Send a HEAD or OPTIONS request
  3. Check for 2xx response
  4. Verify Content-Type headers
  5. Optionally fetch the schema URL

If your checkout endpoint returns a 404, the agent marks that capability as broken. If the schema URL is unreachable, some agents will refuse to interact with the endpoint entirely.

This is the #1 source of silent failures. Your manifest says you support checkout, but the endpoint was moved, the server is down, or CORS blocks the preflight request.

Step 6: Capability Negotiation (The Handshake)

Not every AI agent needs every capability. When an agent wants to buy a specific product, the negotiation looks like:

Agent: "I need checkout + catalog.lookup"
Store:  "I support checkout + catalog.search + catalog.lookup"
Result: "Match - proceeding with checkout and catalog.lookup"

If the agent needs a capability you don't offer, it may:

• Proceed with reduced functionality
• Skip your store entirely
• Fall back to scraping your website (unreliable)

Why Most Stores Fail Silently at AI Agent Discovery

Here's the uncomfortable truth: there's no error message when an AI agent skips your store.

Unlike a browser showing a 404 page, AI shopping agents fail silently. Your server logs might show the initial GET /.well-known/ucp, but if the response isn't valid UCP, the agent moves on without a trace.

This means you could be losing AI-driven sales for weeks without knowing it. No bounce rate spike. No support tickets. Just... absence.

How to Validate Your UCP Profile

You can validate your UCP implementation against all four levels:

1. Structural validation - Is your JSON a valid UCP profile?
2. Rules validation - Does it follow UCP protocol requirements?
3. Network validation - Are your API endpoints reachable?
4. SDK compliance - Does it pass the official UCP SDK checks?

UCPtools runs all four validation levels and gives you an AI readiness score with specific issues to fix - free, no signup required.

For example, running UCP validation on a store might reveal:

Score: 62/100 (Grade C)

Errors:
- UCP_ENDPOINT_NOT_HTTPS: Checkout endpoint uses HTTP
- UCP_SCHEMA_FETCH_FAILED: Schema at catalog.json returns 404

Warnings:
- UCP_MISSING_SIGNING_KEYS: No signing keys for request verification
- UCP_ENDPOINT_TRAILING_SLASH: Inconsistent trailing slashes

Each issue maps to a specific step in the discovery flow. Fix the errors, and you move from "invisible to AI agents" to "discoverable."

Automate UCP Validation in CI/CD

Manual validation catches today's issues. But what about next week's deploy that accidentally breaks your UCP manifest?

The ucp-validate GitHub Action validates your UCP profile on every push:

- uses: Nolpak14/ucp-validate-action@v1
  with:
    domain: 'your-store.com'
    min-score: 70

If your AI readiness score drops below 70, the build fails. No more silent regressions that make your store invisible to AI agents.

Platform-Specific UCP Setup Guides

Setting up UCP varies by ecommerce platform. Here are step-by-step implementation guides:

• Magento / Adobe Commerce UCP Guide - Custom module with GraphQL integration
• Shopify UCP Guide - App proxy setup for the .well-known path
• WooCommerce UCP Guide - WordPress plugin approach
• Wix UCP Guide - Static file hosting workaround
• Squarespace UCP Guide - Code injection method

Key Takeaways

AI shopping agents follow a predictable, testable 7-step discovery flow. Here's what matters:

1. No UCP manifest = invisible store. AI agents like ChatGPT, Gemini, and Perplexity can't find you without /.well-known/ucp.
2. Valid JSON is not valid UCP. Structure, namespaces, versions, and HTTPS all matter.
3. Endpoint probing is the silent killer. Your manifest can be perfect, but broken endpoints mean broken commerce.
4. You can test this today. Validate your UCP profile free - no signup needed.
5. Automate it. The GitHub Action catches regressions before they go live.

The fix isn't complicated. It's a JSON file, a few API endpoints, and validation to make sure it all works. The hard part is knowing where to start - and now you do.