How do agencies audit UCP across multiple client domains?

Run a 4-level UCP validation (structural, compliance, network, agent simulation) against each client domain. Each domain gets an AI readiness score (0-100). Track scores over time to catch regressions from deploys, CDN changes, or certificate renewals. Use the ucp-validate GitHub Action for CI/CD integration or scheduled monitoring for portfolio-wide checks.

What is a UCP AI readiness score?

A UCP AI readiness score is a 0-100 numerical rating that measures how well an ecommerce store can be discovered and transacted with by AI shopping agents. Scores map to letter grades: A (90-100) means agents can fully transact, C (50-69) means detected but unable to complete purchases, F (0-19) means effectively invisible to AI agents.

Why do UCP profiles break after deployment?

UCP profiles often break silently after deploys due to infrastructure drift: CDN caches serving stale 404s for schema URLs, certificate renewals that don't propagate, endpoint URLs changing between environments, or plugin updates breaking .well-known/ucp routing. These are Level 3 (network) failures that only surface when making actual HTTP requests to the declared endpoints.

April 29, 20268 min readGEO

UCP Validation for Agencies: How to Audit AI Readiness Across Every Client Domain

GEO consultants managing multiple ecommerce clients need more than a one-time UCP check. Here's a repeatable audit framework for measuring and reporting AI agent discoverability across a portfolio.

If you're a GEO consultant or agency managing ecommerce clients, you've probably been asked some version of this question:

"Can AI agents find my store? How do I know?"

The honest answer, until recently, was: you don't. There was no standardized way to measure AI agent discoverability. That changed with UCP (Universal Commerce Protocol) - the open standard from Google and Shopify that gives AI shopping agents a machine-readable entry point to any store.

Now there is something measurable. And if you're the one measuring it for your clients, that's a service worth charging for.

Why Agencies Should Care About UCP Audits

Google AI Mode, Microsoft Copilot, ChatGPT, and Perplexity are all building agentic commerce capabilities. Microsoft announced GA of UCP feeds in Merchant Center on April 21, 2026. Over 12,000 merchants have published UCP profiles as of Q1 2026.

Your clients are going to ask about this. Some already have. The agencies that can answer with data - not hand-waving - will win those conversations.

Here's what makes UCP audits a natural fit for agencies:

It's per-domain. Each client's hosting stack, CDN, and certificate chain breaks differently. A profile that works on Shopify fails on WooCommerce for entirely different reasons.
It's recurring. UCP validation isn't a one-time setup. Deploys break endpoints. CDN caches serve stale schemas. Certificate renewals don't propagate. The profile that passed last month can silently fail this month.
It's reportable. UCP validation produces a numerical AI readiness score (0-100) with specific, fixable issues. That's the kind of deliverable clients understand.

The Agency Audit Framework

Here's a repeatable process for running UCP audits across a client portfolio. It works whether you manage 3 domains or 300.

1. Baseline Scan: Does the Profile Exist?

Before anything else, check whether each client domain serves a UCP manifest at /.well-known/ucp.

https://client-store.com/.well-known/ucp

Three outcomes:

404 / No manifest - The store is invisible to AI agents. Full stop. This is your biggest finding and your clearest upsell.
Manifest exists but invalid JSON - Broken deployment or misconfigured server. Quick fix, high impact.
Valid manifest - Move to deeper validation.

In our experience, roughly 70% of ecommerce stores don't serve a UCP manifest at all. For the ones that do, about 60% have issues at deeper validation levels.

2. Four-Level Validation

UCP validation isn't binary (pass/fail). There are four distinct levels, and each catches different categories of issues:

Level	What It Checks	Common Failures
1. Structural	JSON syntax, required fields, version format	Missing root, wrong version format
2. Compliance	Protocol rules: namespaces, HTTPS, signing keys	Namespace mismatches, missing signing keys (42% of L2 failures)
3. Network	Do declared URLs actually resolve?	CDN 404s, stale schemas, malformed JWK keys
4. Simulation	Full checkout lifecycle test	Backend 500s on cart creation, state machine failures

Most validators - including the free ones your clients might have tried - only check Level 1. A Level 1 pass with Level 3 failures means the profile looks correct but agents can't actually use it.

For agencies, Level 3 is the most valuable finding. These are infrastructure-drift issues that only surface after deploys, CDN changes, or certificate renewals. They're invisible to the developer who wrote the profile but obvious to an auditor running regular checks.

3. Score and Categorize

After running validation with the UCPtools validator, each domain gets an AI readiness score (0-100) and a letter grade:

Grade	Score	What It Means
A	90-100	AI agents can discover, browse, and transact
B	70-89	Discoverable with minor issues
C	50-69	Detected but can't complete transactions
D	20-49	Major issues blocking agent interaction
F	0-19	Effectively invisible

The Grade C trap is the most common: the profile exists and passes basic checks, but missing signing keys or broken endpoints prevent any actual transaction.

4. Build the Client Report

A useful client report contains:

Score and grade for each domain
Issue breakdown by validation level (structural, compliance, network, simulation)
Specific fixes with estimated effort (most Level 2 fixes take minutes)
Comparison to previous audit if this is a recurring engagement
Competitive context - how do they compare to others in their vertical?

The key metric clients care about: "Can AI agents buy from my store?" Frame everything around that question. A score of 62 means "AI agents can find you but can't complete a purchase." That's concrete enough to drive action.

What to Check Per Platform

UCP issues cluster differently by ecommerce platform. Knowing the common patterns saves audit time:

Shopify

UCP profile served via app proxy (path configuration matters)
Payment handler configuration usually correct (Shopify handles this)
Watch for: signing key rotation gaps, custom app conflicts

WooCommerce

Profile typically served via WordPress plugin or .htaccess rewrite
Watch for: HTTP endpoints (mixed content from plugin misconfiguration), schema URL 404s after plugin updates

BigCommerce

Common issue: dev.ucp.shopping service missing required spec field (UCP_INVALID_SERVICE)
Watch for: trailing slashes on API endpoints

Magento / Adobe Commerce

Custom module required for /.well-known/ucp routing
Watch for: namespace mismatches with third-party extensions, GraphQL endpoint schema drift

Custom / Headless

Most flexibility, most failure modes
Watch for: CORS blocking agent preflight requests, endpoint URLs changing between environments

Automating Portfolio Audits

Running manual checks across 10+ domains doesn't scale. Two automation approaches:

CI/CD Integration (Per Client)

If you have access to client repos, the ucp-validate GitHub Action fails the build when the AI readiness score drops below a threshold:

- uses: Nolpak14/ucp-validate-action@v1
  with:
    domain: 'client-store.com'
    min-score: 70

This catches regressions at deploy time - before they affect agent traffic.

Scheduled Monitoring (Portfolio-Wide)

For ongoing monitoring without repo access, run validation against each client domain on a schedule. The UCPtools validator supports domain-level validation via URL - no code access needed.

Track scores over time. A domain that drops from 85 to 62 between audits means something broke in production, and you're the one catching it before the client's AI-driven traffic disappears.

Positioning This as a Service

UCP auditing fits naturally into existing GEO/SEO service packages:

One-time audit - Baseline scan across all client domains with a findings report. Natural entry point.
Monthly monitoring - Recurring validation with score tracking and regression alerts. Retainer model.
Implementation support - Fix the issues the audit found. Scope varies by platform (Shopify is usually hours, custom builds are days).

The pitch to clients: "Your SEO drives organic traffic to your store. UCP drives AI agent traffic. We monitor both."

What makes this defensible: UCP validation requires understanding the spec, the four validation levels, and platform-specific patterns. A generic SEO tool can't do this. You can.

Start Your First UCP Audit

Run a free 4-level validation against any client domain. See the AI readiness score, the issues, and which level caught them.

Validate a Domain Free

The agencies that can quantify AI discoverability will own this conversation. The ones that can't will be explaining why they didn't notice their client's store disappeared from ChatGPT.

UCPtools is an independent community tool - not affiliated with Google, Shopify, or the UCP consortium.