Title: SDX AI Readiness Toolkit for WooCommerce
Author: shan
Published: June 17, 2026
Last modified: June 17, 2026
---
Search plugins
# SDX AI Readiness Toolkit for WooCommerce
By [shan](https://profiles.wordpress.org/suhanduman/)
[Download](https://downloads.wordpress.org/plugin/sdx-ai-readiness-toolkit.0.3.0.zip)
* [Details](https://wordpress.org/plugins/sdx-ai-readiness-toolkit/#description)
* [Reviews](https://wordpress.org/plugins/sdx-ai-readiness-toolkit/#reviews)
* [Installation](https://wordpress.org/plugins/sdx-ai-readiness-toolkit/#installation)
* [Development](https://wordpress.org/plugins/sdx-ai-readiness-toolkit/#developers)
[Support](https://wordpress.org/support/plugin/sdx-ai-readiness-toolkit/)
## Description
**SDX AI Readiness Toolkit** makes any WooCommerce store auto-discoverable, readable,
and purchasable by AI shopping agents — ChatGPT plugins, Perplexity Shopping, Google’s
commerce AI, custom Claude tools, and any agent that speaks the open protocols of
the agentic commerce ecosystem.
#### Why this matters
In 2026 Google launched the **Universal Commerce Protocol (UCP)** with Shopify,
Walmart, Target, Wayfair, and Etsy. WooCommerce was absent. This plugin closes that
gap.
#### What this plugin does
* **UCP discovery** at `/.well-known/ucp` — agents auto-find your store
* **MCP server** at `/wp-json/agtc/v1/mcp` — JWT-authenticated tools for product
listing, search, and order lookup
* **ACP checkout** at `/wp-json/agtc/v1/acp/checkouts` — agentic checkout sessions
with Stripe `payment_intent` support
* **OAuth 2.0 server** — dynamic client registration + `client_credentials` grant
* **WC native ACP coexistence** — auto-detects WooCommerce 10.7+ native ACP and
defers when active
* **Web discovery** — HTML `` tags, HTTP Link headers, `robots.txt` advisory,`/
llms.txt`
* **Google Merchant Center feed** at `/merchant-feed/google.xml` — a self-hosted,
Google-spec product feed you register as a scheduled fetch
* **AI readiness dashboard** — scores your store, shows what’s missing, offers
one-click fixes
* **Production-grade engineering** — 260+ unit tests, integration-tested on live
WordPress 7.0 + WooCommerce, WordPress Coding Standards compliant, PHP 7.4+ compatible
#### How agents use your store
1. Agent fetches `/.well-known/ucp`
2. Agent registers via `/oauth/register` receives client ID + secret
3. Agent exchanges credentials for JWT at `/oauth/token`
4. Agent calls MCP tools under `/mcp` (search, list)
5. Agent creates an ACP checkout session at `/acp/checkouts`
6. Agent completes the session real WooCommerce order in your admin
All standard payment gateways work. UCP creates standard WC orders.
#### How this actually helps your store
AI shopping assistants — ChatGPT, Perplexity, Gemini, Claude — now help millions
of people find products every day. When a shopper asks “find me a waterproof backpack
under $80”, the assistant doesn’t open Google and click around. It queries machine-
readable storefronts directly. The way it finds those storefronts is by fetching`/.
well-known/ucp` on each domain it knows about. If that file doesn’t exist, your
store is invisible to the agent — not low-ranked, _invisible_.
This plugin publishes that file automatically, along with the MCP tools the agent
uses to actually browse your catalog. You don’t have to write a single line of integration
code; activating the plugin is enough to put your store on the map for every agent
that speaks UCP, MCP, or ACP.
A few complementary moves we recommend alongside this plugin: register your products
in **Google Merchant Center** so the Google Shopping feed picks them up, keep product
titles and descriptions clear and well-structured (the same SEO discipline that
helps humans also helps AI parsing), and make sure your site runs on HTTPS end-to-
end so agents trust the responses.
Once your store is published, agents can do three things that previously required
a human: discover that you exist, browse your catalog in real time, and — with ACP
enabled — create a real WooCommerce order on behalf of their user, with the same
checkout, tax, shipping, and fulfillment plumbing your human customers go through
today.
#### Google Merchant Center
The plugin publishes a Google-spec product feed at `https://yourstore.com/merchant-
feed/google.xml`. It is fully self-hosted — the plugin contacts no external service.
Instead, you register that URL in **Google Merchant Center Products Feeds** as
a scheduled fetch, and Google pulls the feed on its own schedule. Once Google has
the feed, your products become eligible for Google Shopping and Google’s shopping
AI.
The feed is built from your published, catalog-visible WooCommerce products and
includes each product’s title, description, price, availability, image, and — when
set — brand and GTIN. Filling in **brand** and **GTIN** (Products product Inventory
Global Unique ID, on WooCommerce 9.2+) materially improves listing quality and how
often Google can match your products. Variable products are expanded to their purchasable
variations. The generated XML is cached for one hour to keep the endpoint fast.
#### Privacy & Data Handling
This plugin is built to be conservative about data:
* The plugin only exposes publicly available product data — name, price, image,
description — through its UCP and MCP discovery endpoints. Anything you already
display on a public product page is fair game; nothing else is.
* Order data is gated behind a valid OAuth 2.0 access token AND is scoped to the
agent’s own orders. An agent (OAuth client) can only read orders it created itself
through the ACP checkout flow; it can never read other agents’ orders or orders
placed by human customers through normal checkout. An agent without the `read:
orders` scope cannot read any orders at all, and `read:orders` is never granted
by open client registration unless it is explicitly requested.
* No customer personally identifiable information (PII) is collected, transmitted
to third parties, or stored beyond standard WooCommerce order records that WooCommerce
itself already manages.
* All admin actions — including the audit dashboard and one-click auto-fix buttons—
require the `manage_woocommerce` capability and a verified WordPress CSRF nonce.
* No outbound telemetry. No analytics calls. No external “phone home” requests.
The plugin does not contact the author, an analytics vendor, or any third party
at install time, on activation, or during normal operation.
#### External Services
WordPress.org guideline #6 requires that we disclose any external services this
plugin contacts. The list is short:
* **Stripe (optional, opt-in):** Stripe is only contacted when the ACP module’s`
payment_intent` flow is explicitly enabled by defining the `AGTC_STRIPE_SECRET_KEY`
constant in `wp-config.php`. When an agent completes a checkout session under
that flow, the plugin makes a server-to-server POST to `https://api.stripe.com/
v1/payment_intents` to authorize the payment. No data is sent to Stripe unless
this flow is activated. Stripe service terms: https://stripe.com/legal — Stripe
privacy policy: https://stripe.com/privacy.
* **No other external services are contacted by default.** UCP, MCP, and ACP discovery
endpoints are served from your own WordPress installation. The agent pulls data
_from_ you; you do not push data _to_ the agent or to any intermediary.
#### Disclaimer
This plugin is an independent, community-driven implementation of open commerce
protocols. It is not affiliated with, endorsed by, or sponsored by Stripe, Inc.,
OpenAI, Google, Anthropic, Automattic, or the WooCommerce trademark holders. “WooCommerce”
is a trademark of Automattic Inc. and is referenced solely for descriptive interoperability
purposes.
## Installation
1. Upload to `/wp-content/plugins/agtc-commerce` (or install via WP admin Plugins
Add New)
2. Activate via Plugins menu
3. Visit **SDX AI Readiness** in the admin sidebar to see the AI Readiness dashboard
4. (Optional) Define `AGTC_STRIPE_SECRET_KEY` in `wp-config.php` to enable ACP payment
intents
#### Requirements
* WordPress 7.0 or higher
* WooCommerce 8.0 or higher
* PHP 7.4 or higher (PHP 8.x recommended)
* OpenSSL and libsodium PHP extensions
* Pretty Permalinks enabled
## FAQ
### Will this conflict with WooCommerce’s built-in ACP support?
No. WooCommerce 10.7+ ships internal ACP infrastructure with the `agentic_checkout`
feature flag (default off). Our `Coexistence` detector activates our endpoints only
when the WC native flag is off, and defers (410 + Location header) when on.
### Do I need Stripe?
Only for ACP payment_intent flow. Without Stripe, agents can still discover, browse,
and create checkout sessions — they just can’t authorize payment through ACP directly.
There are two flow models to choose from, and most stores can start without Stripe
entirely:
* **Model A — Agent pays directly (ACP `payment_intent`):** Requires Stripe. The
ACP protocol uses Stripe’s PaymentIntent under the hood, so you must define `
AGTC_STRIPE_SECRET_KEY` in `wp-config.php`. The agent never sees the customer’s
card; payment is captured server-side at session completion. This is the fully
autonomous flow.
* **Model B — Agent creates order, customer pays later:** Works with **any** WooCommerce
payment gateway — PayPal, Square, Stripe via WooCommerce Payments, bank transfer,
cash on delivery, anything you already have configured. The agent creates an
ACP session, which the plugin converts into a standard pending WooCommerce order.
The customer receives an order link and completes payment using whatever gateway
your store already uses.
* **Recommendation:** Most stores should start with Model B (no Stripe required)
and add Model A later if and when they want fully autonomous agent purchases
without a human checkout step.
### What data does this expose to agents?
By default, public product data only (name, price, description, images). An agent
can additionally read its **own** orders if it holds the `read:orders` scope — but
only orders it created itself through the ACP checkout flow. Agents never see other
agents’ orders or orders placed by human customers through normal checkout.
### How do I let agents read orders?
Order access is scoped to ownership and safe by default: an agent (OAuth client)
can only ever read orders it created itself via the ACP checkout flow. It can never
read another agent’s orders or orders placed by human customers through normal checkout.
To read its own orders, an agent must request the `read:orders` scope at registration;
dynamic client registration only ever grants `read:products` by default, so `read:
orders` must always be requested explicitly. No server-side opt-in or `wp-config.
php` constant is required.
### Is the OAuth flow secure?
Yes. Client secrets are hashed with `password_hash()`. Access tokens are RS256-signed
JWTs with `iat`, `exp` (max 2h), `aud`, `iss`, and `jti` claims. Admin endpoints
require WP nonce + `manage_woocommerce`.
### How do I rotate the JWKS keypair?
Open the AI Readiness dashboard. If JWKS rotation is needed, click the “Rotate JWKS
keypair now” button. Old key remains valid for a 24h grace period.
### WordPress 7.0 native MCP
On WordPress 7.0 this plugin registers its tools as WordPress Abilities, making
them available through the core MCP Adapter to clients such as Claude Desktop, Claude
Code, Cursor, and VS Code. Those clients authenticate with standard WordPress application
passwords — no OAuth setup is required on their side. The plugin’s own OAuth MCP
server remains active alongside the core adapter and continues to serve headless
or autonomous agents that manage their own credentials.
The AI Readiness dashboard shows a “Protocol exposure” card with two settings:
MCP exposure controls which MCP path is active: “both” (default — core adapter and
plugin server run side by side), “core” (plugin’s own MCP server is disabled, traffic
goes to the WP core adapter only), or “plugin” (core adapter integration is disabled,
plugin MCP server only).
ACP exposure controls ACP checkout availability: “auto” (default — plugin ACP is
active when WooCommerce native ACP is off, deferred when on), “plugin” (plugin ACP
is always active regardless of WC native state), or “off” (ACP checkout is fully
disabled).
Both settings can be overridden programmatically with the filters agtc_mcp_exposure_mode
and agtc_acp_exposure_mode, which receive the stored option value and should return
one of the accepted mode strings.
### How do I get my products into Google Shopping?
The plugin publishes a Google-spec product feed at `https://yourstore.com/merchant-
feed/google.xml`. In Google Merchant Center, go to **Products Feeds**, add a new
feed, and choose the **scheduled fetch** option pointing at that URL. Google then
fetches the feed on its own schedule — the plugin never contacts Google. The feed
carries title, description, price, availability, image, and brand/GTIN when set;
adding a brand and GTIN to each product improves listing quality and match rate.
The dashboard’s FEED-001 check flags products missing those attributes.
## Reviews
There are no reviews for this plugin.
## Contributors & Developers
“SDX AI Readiness Toolkit for WooCommerce” is open source software. The following
people have contributed to this plugin.
Contributors
* [ shan ](https://profiles.wordpress.org/suhanduman/)
[Translate “SDX AI Readiness Toolkit for WooCommerce” into your language.](https://translate.wordpress.org/projects/wp-plugins/sdx-ai-readiness-toolkit)
### Interested in development?
[Browse the code](https://plugins.trac.wordpress.org/browser/sdx-ai-readiness-toolkit/),
check out the [SVN repository](https://plugins.svn.wordpress.org/sdx-ai-readiness-toolkit/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/sdx-ai-readiness-toolkit/)
by [RSS](https://plugins.trac.wordpress.org/log/sdx-ai-readiness-toolkit/?limit=100&mode=stop_on_copy&format=rss).
## Changelog
#### 0.3.0
* Security: plugin-owned key derivation (MasterKey) replacing reuse of WordPress
auth salts
* Security: AES-256-GCM at-rest encryption for sensitive stored data
* Security: MCP tool scope enforcement; order tools scoped to the agent’s own orders
* New: Google Merchant Center product feed at `/merchant-feed/google.xml` + dashboard
feed-readiness audit
* New: WordPress 7.0 native MCP integration — tools registered as Abilities for
the core MCP Adapter
* New: selectable MCP exposure (both/core/plugin) and ACP exposure (auto/plugin/
off) with dashboard controls and filters
* Changed: minimum WordPress raised to 7.0
#### 0.2.0
* New: ACP checkout module with Stripe payment_intent + WC native coexistence
* New: Outbound webhook dispatcher with Ed25519 signing
* New: Severity-grouped dashboard with remediation cards and one-click auto-fix
buttons
* New: `/admin/fix` REST endpoint with nonce + capability check
* Fix: PHP 8.5 deprecation warnings (`setAccessible`, `curl_close`)
* Fix: JwtVerifier enforces `iat` claim and 2h max token lifetime
#### 0.1.0
* Initial release: Core, MCP, UCP, Discovery hints
## Meta
* Version **0.3.0**
* Last updated **12 hours ago**
* Active installations **Fewer than 10**
* WordPress version ** 7.0 or higher **
* Tested up to **7.0**
* PHP version ** 7.4 or higher **
* Tags
* [AI](https://wordpress.org/plugins/tags/ai/)[mcp](https://wordpress.org/plugins/tags/mcp/)
[ucp](https://wordpress.org/plugins/tags/ucp/)[woocommerce](https://wordpress.org/plugins/tags/woocommerce/)
* [Advanced View](https://wordpress.org/plugins/sdx-ai-readiness-toolkit/advanced/)
## Ratings
No reviews have been submitted yet.
[Your review](https://wordpress.org/support/plugin/sdx-ai-readiness-toolkit/reviews/#new-post)
[See all reviews](https://wordpress.org/support/plugin/sdx-ai-readiness-toolkit/reviews/)
## Contributors
* [ shan ](https://profiles.wordpress.org/suhanduman/)
## Support
Got something to say? Need help?
[View support forum](https://wordpress.org/support/plugin/sdx-ai-readiness-toolkit/)