Free AI Commerce Security Scanner for UCP & ACP

Audit your store's security for both UCP and ACP (ChatGPT) requirements. Check HTTPS enforcement, signing keys, endpoint security, and ACP server-to-server authentication in seconds.

Scan Your SecurityWhat is UCP?

🔒 Security Posture Scanner

Scan your UCP endpoint for common security misconfigurations. Exposing REST endpoints for AI agents creates new attack surfaces.

Check ACP Readiness

Security applies to both protocols. Also check your ACP readiness for ChatGPT.

ACP Readiness Checker

Check if your store is ready for OpenAI's Agentic Commerce Protocol (ChatGPT Instant Checkout).

What Does the Security Scanner Check?

Our AI commerce security scanner performs a thorough audit of your UCP profile's security configuration, covering every aspect that AI agents rely on for safe transactions.

🔒

HTTPS Enforcement

Verifies all endpoints use TLS/HTTPS with valid certificates and strong cipher suites.

🔑

Signing Key Validation

Checks Ed25519/ES256 signing keys for proper format, strength, and rotation readiness.

🛡️

Endpoint Security

Audits API endpoints for proper authentication, rate limiting, and input validation.

📋

CORS & Headers

Validates CORS configuration, Content-Security-Policy, and other security headers.

💳

Payment Handler Security

Checks payment endpoints for secure credential handling and PCI-relevant configurations.

🤖

ACP Authentication

Checks ACP server-to-server requirements: TLS 1.2+, Bearer token readiness, and HTTPS for ChatGPT Instant Checkout endpoints.

Why UCP & ACP Security Matters

AI agents are increasingly handling real transactions on behalf of consumers. When an AI shopping agent interacts with your store, it needs to trust your endpoints, verify your identity through signing keys, and securely process payment information.

Security builds trust with AI agents. Agents prioritize stores with strong security postures. Weak security can push your store out of AI-driven shopping recommendations entirely, and exposes you to fraud, data breaches, and PCI compliance scope issues.
  • Agent trust: AI agents verify signing keys and HTTPS before initiating transactions
  • Fraud prevention: Proper endpoint security prevents unauthorized transaction injection
  • PCI compliance: Secure payment handlers reduce your PCI DSS scope and audit burden
  • Data protection: Strong CORS and headers prevent cross-origin data leakage
  • Reputation: Security incidents erode consumer and agent confidence in your store
  • ACP checkout security: OpenAI's Agentic Commerce Protocol requires HTTPS with TLS 1.2+, Bearer token authentication, OpenAI IP allowlisting, and HMAC-signed webhooks for ChatGPT Instant Checkout to work safely

UCP & ACP Security Best Practices

Follow these best practices to ensure your UCP profile meets the highest security standards for AI commerce interactions.

HTTPS Everywhere

All UCP endpoints must use HTTPS with TLS 1.2 or higher. This includes discovery endpoints, API callbacks, webhook receivers, and payment handler URLs. Never expose any endpoint over plain HTTP.

EC P-256 / Ed25519 Signing Keys

Use elliptic curve signing keys (EC P-256 or Ed25519) for request signing. These provide strong security with compact signatures. Rotate keys periodically and always keep private keys server-side.

Webhook Verification

Verify all incoming webhooks using cryptographic signatures. Never trust webhook payloads without validating the signature header against your known signing keys. Reject requests with missing or invalid signatures.

Credential Handling

Never expose API keys, secrets, or tokens in your UCP profile responses. Use environment variables for sensitive configuration. Ensure payment handler endpoints do not leak credentials in error messages or logs.

ACP Server-to-Server Security

ACP (ChatGPT checkout) requires Bearer token authentication on all endpoints, OpenAI IP allowlisting to restrict access, HMAC-signed webhooks for event verification, and TLS 1.2+ on all API endpoints. These are server-side configurations separate from your UCP profile.

How to Run a Security Scan

1

Enter Your Domain

Type your store's domain (e.g., mystore.com) in the scanner input field above.

2

Run the Scan

Click "Scan" to analyze your UCP profile's security configuration and endpoints.

3

Review Findings

See your security score, identified vulnerabilities, and severity ratings for each issue.

4

Remediate Issues

Follow the specific remediation guidance for each finding, then re-scan to verify fixes.

More UCP Tools

Check Readiness

Validate your UCP profile for spec compliance

🔧

Generate UCP

Create a new UCP profile from scratch

🤖

AI Agent Test

Simulate real AI agent interactions with your store

🛒

ACP Checker

Check ChatGPT Instant Checkout readiness

Frequently Asked Questions

What does the UCP security scanner check?

The UCP security scanner performs a comprehensive audit of your AI commerce profile including HTTPS enforcement on all endpoints, Ed25519/ES256 signing key validation, CORS and security header configuration, payment handler endpoint security, webhook verification setup, and credential handling practices. It identifies vulnerabilities that could be exploited during AI agent transactions.

Why is security important for AI commerce?

AI agents autonomously interact with your store endpoints, making security critical. Unlike human shoppers, agents process transactions programmatically and rely on cryptographic signing to verify authenticity. A security vulnerability in your UCP profile could allow man-in-the-middle attacks, unauthorized transactions, or data exfiltration during automated checkout flows.

How often should I run a UCP security scan?

You should run a security scan after any changes to your UCP profile, payment handler endpoints, or server configuration. We recommend weekly scans as a baseline, and immediate scans after deploying new features, rotating signing keys, or updating SSL certificates. Continuous monitoring is available with UCPtools Pro.

What are the most common UCP security issues?

The most common issues include HTTP endpoints instead of HTTPS, missing or weak signing keys, exposed API credentials in profile responses, missing security headers (Content-Security-Policy, X-Frame-Options), misconfigured CORS allowing unauthorized origins, and unverified webhook endpoints that could be spoofed by malicious actors.

Does the security scanner affect PCI compliance?

The scanner itself does not affect your PCI compliance, but the issues it identifies often overlap with PCI DSS requirements. HTTPS enforcement, proper credential handling, and secure payment handler endpoints are all PCI-relevant. Fixing security scan findings can help improve your overall PCI compliance posture.

Is the UCP security scanner free?

Yes, the basic security scan is completely free with no signup required. You get a full security audit covering HTTPS enforcement, signing key validation, and endpoint security. For continuous monitoring, automated alerts, and historical trend tracking, check out our Pro plan.

Does the scanner check ACP security requirements?

Yes, the scanner checks HTTPS and TLS which are required by both UCP and ACP. ACP (ChatGPT Instant Checkout) also requires Bearer token authentication on all endpoints and OpenAI IP allowlisting — these are server-side configurations that must be verified separately. For a full ACP readiness check, use our dedicated ACP Readiness Checker at /acp-checker.

Want Continuous Security Monitoring?

Get automated daily security scans, instant vulnerability alerts, and historical trend tracking. 7-day free trial, no credit card required.

Start Free Trial