Are UCP signing_keys optional?

No. The UCP spec requires signing_keys for any profile that supports transactional capabilities (Checkout, Payment, Cart). Some validators mark them "optional," which is misleading - if your store accepts purchases, your manifest needs signing_keys or AI agents will refuse to complete a transaction.

What format do UCP signing_keys need to be in?

JWK format. The spec recommends Ed25519 (kty "OKP", crv "Ed25519") or ES256. Raw PEM or hex-encoded keys will fail. Each key also needs a key ID (kid) so agents know which key to use to verify a signed request.

Why does my manifest pass validation but agents still cannot buy?

Structural validators only confirm the JSON is well-formed. They do not confirm an agent can actually verify a signed request. A manifest can pass structural checks while the signing key is malformed, missing a kid, or the signing implementation is wrong. Only network and simulation-level testing catches this.

May 18, 20265 min readUCP Fix

How to Fix "UCP signing_keys missing"

Your UCP manifest validates as structurally correct. But AI shopping agents still can't trust it. Here's why - and exactly how to fix it.

What are UCP signing_keys?

signing_keys are cryptographic public keys embedded in your UCP manifest at /.well-known/ucp. They let AI agents verify that your manifest hasn't been tampered with and that commerce requests originated from your domain.

Without signing_keys, an AI agent has no way to confirm that a checkout request or cart update actually came from your store. The agent will either refuse to transact or fall back to a degraded experience - which means you're invisible at the moment of purchase.

This is the single most common UCP failure. In our scans, missing signing_keys shows up on the majority of profiles that otherwise pass structural validation.

Why signing_keys are NOT optional

Some validators mark signing_keys as "optional" or "recommended." This is misleading.

The UCP spec requires signing_keys for any profile that supports transactional capabilities (Checkout, Payment, Cart). If your store accepts purchases, your manifest needs signing_keys. Period.

Google AI Mode, ChatGPT, and other AI shopping agents all require cryptographic verification before initiating transactions. A profile without signing_keys may still be "discovered" - but the agent won't complete a purchase.

Think of it like HTTPS certificates.

You wouldn't run an e-commerce site without TLS. You shouldn't run a UCP profile without signing_keys.

How signing_keys work (the short version)

Your UCP manifest declares one or more public keys under signing_keys
When an AI agent wants to interact with your store, it fetches your manifest
The agent uses those public keys to verify signed requests from your domain
If verification fails or keys are missing, the agent aborts the transaction

How to add signing_keys to your UCP manifest

Step 1: Generate a key pair

Use Ed25519 (recommended by the UCP spec) or ES256:

# Generate Ed25519 key pair
openssl genpkey -algorithm Ed25519 -out ucp_private.pem
openssl pkey -in ucp_private.pem -pubout -out ucp_public.pem

# Extract the public key in JWK format
# You'll need the key ID (kid) and the base64url-encoded x coordinate

Step 2: Add the key to your manifest

Your /.well-known/ucp file should include a signing_keys array. Here's a minimal example:

{
  "namespace": "ucp",
  "version": "1.0",
  "origin": "https://yourstore.com",
  "capabilities": {
    "checkout": {
      "endpoint": "https://yourstore.com/api/ucp/checkout"
    }
  },
  "signing_keys": [
    {
      "kid": "2026-05-primary",
      "kty": "OKP",
      "crv": "Ed25519",
      "x": "your-base64url-encoded-public-key-here",
      "use": "sig"
    }
  ]
}

Step 3: Sign your outgoing requests

When your store responds to AI agent requests, sign the payload with your private key. The agent verifies using the public key from your manifest.

Step 4: Validate the fix

After adding signing_keys, run a full UCP validation that includes network-level testing. A structural check won't catch key mismatches. You need structural (is the field present and well-formed?), network (can the agent fetch and parse the key?), and SDK/simulation (can the agent actually verify a signed request?).

Common signing_keys mistakes

Wrong key format. The spec requires JWK format. Raw PEM or hex-encoded keys will fail.
Missing key ID (kid). Agents use the kid field to identify which key to use. Omit it and verification breaks.
Key rotation without updating the manifest. If you rotate keys, update the manifest immediately. A stale manifest with revoked keys is the same as no keys at all.
Only testing structural validation. Your validator says "PASS" but the key is malformed or the signing implementation is wrong. Always test with an AI agent simulator.
Using the same key across multiple domains. Each origin should have its own signing key. Cross-domain key reuse breaks the origin verification model.

How to verify your fix actually works

Don't rely on structural-only validators. You need a tool that tests all four levels:

Structural: is the signing_keys field present?
Rules: are the key format and fields correct per spec?
Network: can agents fetch and parse the key over HTTPS?
SDK/Simulation: can an AI agent actually verify a signed request from your domain?

See the four levels of UCP validation for why a structural pass isn't enough.

Check your signing_keys in one scan

Run a free 4-level validation - structural, rules, network, and full agent simulation - to confirm agents can actually verify a signed request from your domain.

Validate Your Store Free