A practical 2026 guide to verifying a Universal Commerce Protocol (UCP) implementation — what to check, and how to check it in the browser, pip, or CI.
Independent, unofficial. Not affiliated with or endorsed by the UCP project.
The Universal Commerce Protocol (UCP) is the open standard — co-developed by Google and Shopify — that lets AI agents discover products, run checkouts, and place orders with any merchant. A conformant UCP server is one whose behavior matches the spec's normative requirements: the discovery profile has the right shape, checkout follows the lifecycle, errors are structured, totals add up, and so on.
Getting this right matters because agents integrate against the spec, not against your specific server. A profile that's subtly off — capabilities as an array instead of a keyed object, a missing required field — can make your store invisible or broken to shopping agents.
Every UCP interaction starts at /.well-known/ucp. Fetch yours and confirm:
2026-04-08).
{ "dev.ucp.shopping.checkout": [ … ] }) — not an array.
{ transport, endpoint } entries (REST, MCP, or embedded).

The quickest way to verify all of this is to paste your store URL into the free checker — it fetches the profile server-side (no CORS headaches) and validates it against the official schema:
Run an instant profile check →

The profile is just the front door. To verify checkout, order, discount, catalog, cart, and the totals invariants, run the open-source CLI:
pip install spck-conformance
# scaffold a config tailored to your server's capabilities
spck-conformance --server https://your-store.example.com --init merchant.json
# run the full suite
spck-conformance --server https://your-store.example.com --config merchant.json
On any deviation it shows the requirement vs your actual response, so you can fix it directly. It's capability-adaptive: it only runs checks for what your server declares, and reports anything it can't test as not-tested rather than a silent pass.
Add the GitHub Action so conformance is verified on every push — it fails the build on any MUST deviation and writes a JUnit report:
- uses: vishkaty/ucp-conformance@main
  with:
    server: https://your-store.example.com
    config: merchant.json # optional
A checker that can silently pass a broken server is worse than none. Look for a tool where each check is proven to catch the defect it's for (kill-rate testing), is anchored to the official ucp-schema validator, and cites the specific spec clause it enforces — so a "pass" is earned, not assumed. (That's the principle spck.dev is built on.)
/.well-known/ucp returns 200 JSON over HTTPS, no redirect
version; capabilities is a keyed object; services values are arrays
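
The profile checks listed above, written out as an added Python example (not code from this guide, the UCP project, or spck-conformance). It assumes version, capabilities and services sit at the top level of the object passed in and that version is a date string like 2026-04-08; the service key, endpoint and sample profiles are constructed.

```python
import re
from urllib.parse import urlsplit

DATE_VERSION = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # assumption: date-style version string
# Constructed sample profiles (not real merchant data); "example.service" is a made-up key.
GOOD = {"version": "2026-04-08", "capabilities": {"dev.ucp.shopping.checkout": []},
        "services": {"example.service": [{"transport": "rest", "endpoint": "https://your-store.example.com/api"}]}}
BAD = {"capabilities": ["dev.ucp.shopping.checkout"], "services": {"example.service": {}}}

def check_response(url, status, content_type):
    """Transport checks: HTTPS, well-known path, direct 200 (no redirect), JSON body."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("profile must be served over HTTPS")
    if parts.path != "/.well-known/ucp":
        problems.append("profile must live at /.well-known/ucp")
    if 300 <= status < 400:
        problems.append(f"redirect ({status}) instead of a direct 200")
    elif status != 200:
        problems.append(f"expected 200, got {status}")
    if "json" not in (content_type or "").lower():
        problems.append(f"expected a JSON content type, got {content_type!r}")
    return problems

def check_profile(profile):
    """Shape checks on the parsed profile; returns a list of deviations (empty = pass)."""
    problems = []
    version = profile.get("version")
    if not isinstance(version, str) or not DATE_VERSION.match(version):
        problems.append("version missing or not a YYYY-MM-DD string")
    caps = profile.get("capabilities")
    if isinstance(caps, list):
        problems.append("capabilities is an array; it must be a keyed object")
    elif not isinstance(caps, dict):
        problems.append("capabilities missing or not an object")
    services = profile.get("services")
    if not isinstance(services, dict):
        return problems + ["services missing or not an object"]
    for name, entries in services.items():
        if not isinstance(entries, list):
            problems.append(f"services[{name!r}] must be an array")
            continue
        for i, entry in enumerate(entries):
            if not isinstance(entry, dict) or not entry.keys() >= {"transport", "endpoint"}:
                problems.append(f"services[{name!r}][{i}] needs transport and endpoint")
    return problems
```

Fetch the profile with redirects disabled in your HTTP client and pass the raw status and Content-Type to check_response, so a redirect is reported rather than silently followed.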