
Security in agentic commerce: how UCP protects merchants and consumers

When an AI agent makes purchases on a user's behalf, it opens the door to fraud, agent spoofing and transactions the user never intended. The Universal Commerce Protocol combines several security mechanisms to protect all three actors in a transaction: the user, the AI agent and the merchant. Here is how they work.

Updated: April 2026

Risk vectors specific to agentic commerce

Agentic commerce introduces risk vectors that classical e-commerce doesn't face:

  • Agent identity spoofing: a malicious actor impersonating a legitimate AI agent (Gemini, ChatGPT) to initiate fraudulent orders via UCP endpoints
  • AP2 session hijacking: intercepting a valid AP2 payment token and replaying it to execute transactions the user never authorized
  • Identity Linking tampering: modifying the delivery data (name, address, phone) while it travels between agent and merchant
  • AP2 permission abuse: an AI agent compromised through prompt injection making purchases beyond what the user intended
  • Fraudulent merchants: stores that expose UCP endpoints but ship products different from, or inferior to, their catalog description

UCP security mechanisms

1. Cryptographic agent authentication

UCP defines an identity attestation scheme for AI agents. Each agent authorized to execute UCP transactions holds a certificate issued by a UCP certification authority. When the agent sends a request to POST /ucp/v1/checkout, it attaches a signature computed with the private key matching that certificate. Before processing the order, the merchant verifies the signature with the public key in the certificate and checks that the certificate chains to the UCP authority and has not been revoked. A request whose certificate was not issued by the authority, or whose signature does not match the body, is rejected whatever agent it claims to be.

2. AP2 tokenization with parameterized limits

Payment tokens are issued with strict constraints: a maximum amount, authorized merchant categories and a validity window. The payment processor enforces these constraints when the charge is presented, so neither the merchant nor the agent can bypass them. If an AI agent is compromised by prompt injection, the AP2 limits cap the damage at what the user authorized. They do not catch misuse that stays within those limits, which is why the confirmation and notification rules imposed on agents (see "User protection" below) still matter.
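The processor-side check described above, as an added Go example (not AP2 or UCP code, and not the real AP2 token format, which this page does not show). The token fields, the charge fields and the decision to treat the maximum amount as a cumulative cap across all charges on the token are assumptions. The constructed sequence in main shows a normal purchase, the kind of charge a prompt-injected agent might attempt, a purchase that is fine on its own but would breach the cap, and a charge after expiry:

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Token is a simplified AP2 payment token. The constraint fields mirror the
// limits the article lists (maximum amount, authorized categories, validity
// window); field names and cumulative-spend semantics are assumptions.
type Token struct {
	ID         string
	Currency   string
	MaxCents   int64    // total the token may authorize over its lifetime
	Categories []string // merchant categories in which it may be spent
	NotBefore  time.Time
	NotAfter   time.Time
}

// Charge is what a merchant presents to the processor for one UCP order.
type Charge struct {
	Cents    int64
	Currency string
	Category string
	At       time.Time
}

var (
	ErrWindow   = errors.New("charge outside token validity window")
	ErrCurrency = errors.New("currency does not match token")
	ErrCategory = errors.New("merchant category not authorized by token")
	ErrAmount   = errors.New("non-positive charge amount")
	ErrLimit    = errors.New("charge would exceed token spending limit")
)

// Processor is the payment-processor side: it keeps the running spend per
// token, so the check does not depend on anything the agent or merchant asserts.
type Processor struct{ spent map[string]int64 }

func NewProcessor() *Processor { return &Processor{spent: map[string]int64{}} }

// Authorize applies every constraint and only then debits the running total.
func (p *Processor) Authorize(tok Token, ch Charge) error {
	if ch.At.Before(tok.NotBefore) || ch.At.After(tok.NotAfter) {
		return ErrWindow
	}
	if ch.Currency != tok.Currency {
		return ErrCurrency
	}
	if !inCategories(tok.Categories, ch.Category) {
		return ErrCategory
	}
	if ch.Cents <= 0 {
		return ErrAmount
	}
	if p.spent[tok.ID]+ch.Cents > tok.MaxCents {
		return ErrLimit
	}
	p.spent[tok.ID] += ch.Cents
	return nil
}

// Remaining reports what the token can still authorize.
func (p *Processor) Remaining(tok Token) int64 { return tok.MaxCents - p.spent[tok.ID] }

func inCategories(allowed []string, c string) bool {
	for _, a := range allowed {
		if a == c {
			return true
		}
	}
	return false
}

func main() {
	issued := time.Date(2026, 4, 1, 9, 0, 0, 0, time.UTC)
	tok := Token{ID: "ap2-demo", Currency: "EUR", MaxCents: 10000,
		Categories: []string{"groceries", "books"}, NotBefore: issued, NotAfter: issued.Add(24 * time.Hour)}
	p := NewProcessor()

	// Constructed sequence of charges (not real traffic).
	charges := []Charge{
		{Cents: 3000, Currency: "EUR", Category: "groceries", At: issued.Add(time.Hour)},   // ok
		{Cents: 90000, Currency: "EUR", Category: "electronics", At: issued.Add(2 * time.Hour)}, // prompt-injected attempt
		{Cents: 8000, Currency: "EUR", Category: "books", At: issued.Add(3 * time.Hour)},  // fine alone, breaks the cap
		{Cents: 500, Currency: "EUR", Category: "books", At: issued.Add(25 * time.Hour)},  // token expired
	}
	for _, ch := range charges {
		fmt.Printf("%6d %-12s -> %v\n", ch.Cents, ch.Category, p.Authorize(tok, ch))
	}
	fmt.Println("remaining:", p.Remaining(tok))
}
```

Two design points are worth copying. The running total lives on the processor, never in the token or the request, so a compromised agent has nothing to tamper with; and amounts are integer minor units, because float arithmetic on money is how rounding lets a charge slip a cent over a cap.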

3. Identity Linking with cryptographic signature

Identity data transmitted through Identity Linking (name, delivery address, phone) is signed by the AI agent with its private key. The merchant verifies the signature before using the data; any modification in transit invalidates it and the order is rejected. TLS already protects the bytes on the wire, but the signature gives end-to-end integrity across any proxies or intermediaries and leaves the merchant with proof of what the agent sent. It proves origin and integrity only: a compromised agent signs whatever it sends, so a valid signature is not evidence that the data reflects the user's wishes.
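Sections 1 and 3 are the same pattern seen from the merchant: a certificate from the UCP authority vouches for the agent's key, and the agent's signature over the request vouches for the payload, Identity Linking fields included. The Go program below is an added example, not UCP or AP2 code. It uses Ed25519 from Go's standard library, models the certificate as a flat struct signed by the authority (a stand-in for whatever certificate format UCP actually uses), and signs the JSON encoding of a hypothetical checkout payload whose field names are assumed. It shows a genuine request verifying, the same request rejected after its delivery address is altered in transit, and a self-signed "agent" rejected because the authority never issued its certificate:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// AgentCert is a simplified stand-in for the agent certificate the article
// describes: the authority signs (agent_id || public key). Assumed structure.
type AgentCert struct {
	AgentID   string
	PublicKey ed25519.PublicKey
	AuthSig   []byte
}

// CheckoutRequest is a hypothetical payload for POST /ucp/v1/checkout, with
// the Identity Linking fields (name, address, phone) the merchant must trust.
type CheckoutRequest struct {
	OrderRef string  `json:"order_ref"`
	SKU      string  `json:"sku"`
	Amount   float64 `json:"amount"`
	Currency string  `json:"currency"`
	Name     string  `json:"name"`
	Address  string  `json:"address"`
	Phone    string  `json:"phone"`
}

// SignedRequest is what travels to the merchant: payload, certificate, signature.
type SignedRequest struct {
	Request CheckoutRequest
	Cert    AgentCert
	Sig     []byte
}

func certBytes(id string, pub ed25519.PublicKey) []byte {
	return append([]byte(id+"\x00"), pub...)
}

// IssueCert is the authority's side: it binds an agent identity to a key.
func IssueCert(authPriv ed25519.PrivateKey, id string, pub ed25519.PublicKey) AgentCert {
	return AgentCert{AgentID: id, PublicKey: pub, AuthSig: ed25519.Sign(authPriv, certBytes(id, pub))}
}

// canonical produces the exact bytes both sides sign and verify. encoding/json
// emits struct fields in declaration order, so the encoding is deterministic.
func canonical(r CheckoutRequest) ([]byte, error) { return json.Marshal(r) }

// SignRequest is the agent's side: sign the canonical payload with its private key.
func SignRequest(agentPriv ed25519.PrivateKey, cert AgentCert, r CheckoutRequest) (SignedRequest, error) {
	b, err := canonical(r)
	if err != nil {
		return SignedRequest{}, err
	}
	return SignedRequest{Request: r, Cert: cert, Sig: ed25519.Sign(agentPriv, b)}, nil
}

// VerifyRequest is the merchant's side: certificate against the pinned authority
// key first, then the request signature against the key the certificate carries.
func VerifyRequest(authPub ed25519.PublicKey, sr SignedRequest) error {
	if len(sr.Cert.PublicKey) != ed25519.PublicKeySize {
		return errors.New("malformed agent public key")
	}
	if !ed25519.Verify(authPub, certBytes(sr.Cert.AgentID, sr.Cert.PublicKey), sr.Cert.AuthSig) {
		return errors.New("agent certificate was not issued by the UCP authority")
	}
	b, err := canonical(sr.Request)
	if err != nil {
		return err
	}
	if !ed25519.Verify(sr.Cert.PublicKey, b, sr.Sig) {
		return errors.New("request signature invalid: payload altered or wrong agent key")
	}
	return nil
}

func main() {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	agentPub, agentPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCert(authPriv, "agent.example", agentPub)

	// Constructed request; the values are placeholders.
	req := CheckoutRequest{OrderRef: "ORD-1", SKU: "SKU-42", Amount: 59.90, Currency: "EUR",
		Name: "A. User", Address: "1 Example St", Phone: "+10000000000"}
	sr, _ := SignRequest(agentPriv, cert, req)
	fmt.Println("genuine: ", VerifyRequest(authPub, sr))

	// In-transit tampering with the delivery address invalidates the signature.
	tampered := sr
	tampered.Request.Address = "99 Attacker Rd"
	fmt.Println("tampered:", VerifyRequest(authPub, tampered))

	// A spoofed agent can sign its own "certificate" but not with the authority's key.
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogueCert := IssueCert(roguePriv, "agent.example", roguePub)
	rogueReq, _ := SignRequest(roguePriv, rogueCert, req)
	fmt.Println("spoofed: ", VerifyRequest(authPub, rogueReq))
}
```

In a real deployment the certificate would be an X.509 chain and the signature would ride in a header over a canonicalized body, but the order of checks is the part to keep: never verify a request signature against a key you have not first tied to the authority, or an attacker simply ships their own key alongside their own signature. Revocation checking, which the text calls for, is not modelled here.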

4. Immutable transaction logging

Each UCP transaction produces a timestamped log entry that is cryptographically signed and stored on both the AI agent side and the merchant side. A signed entry cannot be altered without invalidating its signature, and because each party keeps its own copy, neither can silently drop or rewrite an entry without the other's copy exposing it. In a dispute, the AI agent presents its signed entry to show that the transaction was initiated within the parameters the user authorized.
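What "immutable" buys you in practice is tamper evidence, and the usual way to get it is to sign each entry and chain entries by hash. The Go program below is an added example, not UCP code; the page gives no log schema, so the entry fields are assumptions. It builds a three-entry log signed with an Ed25519 key, verifies it, then shows that changing an amount after the fact breaks the signature and that removing a middle entry breaks the sequence:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// LogEntry is one transaction record. The page says entries are timestamped
// and signed but gives no schema, so these fields are assumptions.
type LogEntry struct {
	Seq         uint64
	Timestamp   time.Time
	OrderRef    string
	Merchant    string
	AmountCents int64
	PrevHash    string // hash of the previous entry, so entries chain together
	Sig         []byte // agent's Ed25519 signature over payload()
}

// payload is the exact byte string that gets signed. Every field that matters
// in a dispute is in it, including PrevHash, so the chain position is signed too.
func (e LogEntry) payload() []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%s|%d|%s",
		e.Seq, e.Timestamp.UTC().Format(time.RFC3339Nano), e.OrderRef, e.Merchant, e.AmountCents, e.PrevHash))
}

// hash covers payload and signature, so the next entry commits to both.
func (e LogEntry) hash() string {
	h := sha256.Sum256(append(e.payload(), e.Sig...))
	return hex.EncodeToString(h[:])
}

// TxLog is the agent-side log; the merchant keeps its own copy of each entry.
type TxLog struct {
	priv    ed25519.PrivateKey
	Entries []LogEntry
}

func (l *TxLog) Append(ts time.Time, orderRef, merchant string, cents int64) LogEntry {
	prev := "genesis"
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].hash()
	}
	e := LogEntry{Seq: uint64(len(l.Entries)), Timestamp: ts, OrderRef: orderRef,
		Merchant: merchant, AmountCents: cents, PrevHash: prev}
	e.Sig = ed25519.Sign(l.priv, e.payload())
	l.Entries = append(l.Entries, e)
	return e
}

// VerifyLog is what a merchant, processor or arbiter runs over a log it is
// handed: signatures show the agent produced each entry; the chain and the
// sequence numbers show nothing was altered, inserted or removed in the middle.
func VerifyLog(pub ed25519.PublicKey, entries []LogEntry) error {
	prev := "genesis"
	for i, e := range entries {
		if e.Seq != uint64(i) {
			return fmt.Errorf("entry %d: sequence number %d, expected %d", i, e.Seq, i)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain broken", i)
		}
		if !ed25519.Verify(pub, e.payload(), e.Sig) {
			return fmt.Errorf("entry %d: signature does not verify", i)
		}
		prev = e.hash()
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	l := &TxLog{priv: priv}
	base := time.Date(2026, 4, 1, 12, 0, 0, 0, time.UTC)
	// Constructed entries; the merchants and amounts are placeholders.
	l.Append(base, "ORD-1", "shop.example", 1999)
	l.Append(base.Add(time.Minute), "ORD-2", "shop.example", 5990)
	l.Append(base.Add(2*time.Minute), "ORD-3", "other.example", 1200)
	fmt.Println("intact:        ", VerifyLog(pub, l.Entries))

	altered := append([]LogEntry(nil), l.Entries...) // copy, then rewrite an amount after the fact
	altered[1].AmountCents = 59
	fmt.Println("altered amount:", VerifyLog(pub, altered))

	dropped := []LogEntry{l.Entries[0], l.Entries[2]} // quietly remove the middle entry
	fmt.Println("dropped entry: ", VerifyLog(pub, dropped))
}
```

One limit to keep in mind: a chain like this cannot detect truncation of the tail, since a log ending one entry early is still internally consistent. That is exactly why the text has both the agent and the merchant keep a copy; the counterparty's copy is what proves the missing entry existed.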

5. Merchant reputation system

UCP includes a merchant reputation registry. Merchants who accumulate reports (products not matching their description, non-delivery, fraud) see their reputation score drop, and AI agents can filter results to show only merchants above a reputation threshold. Reputation is a lagging signal: it reacts to reports after the fact, so it does not protect the first buyers from a merchant that has only just turned fraudulent.

Merchant security recommendations

  • Enable mutual TLS on your UCP endpoints (not just server-side TLS), so that only agents presenting a client certificate can reach them
  • Rate-limit /ucp/v1/checkout. 10 requests per minute per source is a reasonable starting point, but key the limit on the verified agent identity rather than the IP alone: large agent providers send traffic from shared egress addresses, so a per-IP limit throttles legitimate agents while doing little against an attacker with many addresses
  • Keep logs of all agentic transactions for at least 3 years
  • Regularly test your endpoints with the official UCP test suite
  • Set up alerts for anomalies: order bursts, unusual amounts, unrecognized agents
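The rate-limiting and alerting recommendations combine naturally into one merchant-side gate in front of the checkout handler. The Go program below is an added example, not UCP code; the order fields are assumptions, as is the choice of a sliding window. It limits authenticated agents per identity and falls back to the source IP only for traffic whose agent it does not recognize, and it emits the three alert types the text names. The constructed traffic is twelve orders in twelve seconds from one known agent, followed by a high-value order from an unknown one:

```go
package main

import (
	"fmt"
	"time"
)

// Order is the subset of a UCP checkout request the gate looks at. The field
// names are assumptions; the page does not show the request schema.
type Order struct {
	AgentID     string // identity from the verified agent certificate ("" if none)
	SourceIP    string
	AmountCents int64
	At          time.Time
}

// Gate bundles three of the recommendations: a sliding-window rate limit, an
// allowlist of agents whose certificates the merchant recognizes, and an
// amount ceiling that flags unusual orders for review.
type Gate struct {
	Window       time.Duration
	MaxPerWindow int
	MaxCents     int64
	known        map[string]bool
	seen         map[string][]time.Time // recent order times per limiter key
}

func NewGate(window time.Duration, maxPerWindow int, knownAgents []string, maxCents int64) *Gate {
	g := &Gate{Window: window, MaxPerWindow: maxPerWindow, MaxCents: maxCents,
		known: map[string]bool{}, seen: map[string][]time.Time{}}
	for _, a := range knownAgents {
		g.known[a] = true
	}
	return g
}

// limiterKey: recognized agents are limited per identity, because large
// providers put many agents behind the same egress IPs; anything unrecognized
// falls back to its source IP, the only thing the merchant can pin it to.
func (g *Gate) limiterKey(o Order) string {
	if g.known[o.AgentID] {
		return "agent:" + o.AgentID
	}
	return "ip:" + o.SourceIP
}

// Check returns alert reasons in a fixed order; an empty result means the
// order passes. Every order is counted against the limiter, flagged or not,
// so a burst of bad requests still shows up as a burst.
func (g *Gate) Check(o Order) []string {
	var alerts []string
	if !g.known[o.AgentID] {
		alerts = append(alerts, "unrecognized agent")
	}
	if o.AmountCents > g.MaxCents {
		alerts = append(alerts, "unusual amount")
	}
	key := g.limiterKey(o)
	cutoff := o.At.Add(-g.Window)
	recent := g.seen[key][:0] // filter in place: keep only timestamps inside the window
	for _, ts := range g.seen[key] {
		if ts.After(cutoff) {
			recent = append(recent, ts)
		}
	}
	recent = append(recent, o.At)
	g.seen[key] = recent
	if len(recent) > g.MaxPerWindow {
		alerts = append(alerts, "order burst")
	}
	return alerts
}

func main() {
	g := NewGate(time.Minute, 10, []string{"agent.example"}, 100000)
	base := time.Date(2026, 4, 1, 12, 0, 0, 0, time.UTC)
	// Constructed traffic (not real logs).
	for i := 0; i < 12; i++ {
		o := Order{AgentID: "agent.example", SourceIP: "203.0.113.5", AmountCents: 2000,
			At: base.Add(time.Duration(i) * time.Second)}
		fmt.Printf("order %2d: %v\n", i+1, g.Check(o))
	}
	fmt.Println("rogue:   ", g.Check(Order{AgentID: "rogue", SourceIP: "198.51.100.7", AmountCents: 500000, At: base}))
}
```

The mutual TLS recommendation sits one layer below this: in Go that is a tls.Config on the listener with ClientAuth set to tls.RequireAndVerifyClientCert and ClientCAs holding the authority's CA pool, so an unauthenticated client never reaches the handler at all. Whichever alert backend you use, keep the three reasons distinct; "unrecognized agent" during a burst means something different from a known agent having a busy minute.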

User protection: what AI agents must do

UCP imposes behavior rules on AI agents to protect users:

  • Mandatory confirmation for transactions exceeding the user-defined threshold
  • Notification of every completed transaction with merchant, product, price, and order number details
  • Cancellation grace period: the user has a configurable window to cancel an agentic order before the merchant starts preparing it
  • Monthly summary of agentic purchases made, with option to revoke permissions
