New URL-pattern targeting for the site-wide widget: narrow to specific paths or disable entirely from Settings.<\/p>","0.4.1":"
Connect-return now accepts both new and legacy query parameters from the onboard page. Plugin-check warnings cleared.<\/p>","0.4.0":"
Renamed plugin (new slug). Native settings screen replaces the embedded iframe. Auto-inject removed \u2014 use shortcode or block to place the widget.<\/p>","0.3.6":"
Pre-WP.org-submit polish. No behavioural change.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3572002,"resolution":"128x128","location":"assets","locale":"","width":256,"height":256},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3572002,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3572002,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3572002,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":{"xpay\/recommendations":{"$schema":"https:\/\/schemas.wp.org\/trunk\/block.json","apiVersion":3,"name":"xpay\/recommendations","title":"Recommendations","description":"Contextual product recommendations for this post.","category":"widgets","icon":"products","keywords":["recommendations","products","affiliate","xpay"],"textdomain":"xpay-agentic-commerce-for-publishers","supports":{"html":false,"align":["wide","full"]},"attributes":{"title":{"type":"string","default":""},"limit":{"type":"number","default":3},"layout":{"type":"string","default":"cards"}},"editorScript":"file:.\/index.js"}},"tagged_versions":["0.4.3"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Native WordPress settings screen with brand-safety, Amazon Associates and emitter toggles.","2":"Recommendations block in the editor.","3":"Front-end recommendation widget rendered by the shortcode."}},"plugin_section":[],"plugin_tags":[369,267091,2353,239487,3669],"plugin_category":[35,53],"plugin_contributors":[265642],"plugin_business_model":[],"class_list":["post-324227","plugin","type-plugin","status-publish","hentry","plugin_tags-affiliate","plugin_tags-agentic","plugin_tags-ai","plugin_tags-llms","plugin_tags-recommendations","plugin_category-advertising","plugin_category-ratings-and-reviews","plugin_contributors-xpaysh","plugin_committers-xpaysh"],"banners":{"banner":"https:\/\/ps.w.org\/xpay-agentic-commerce-for-publishers\/assets\/banner-772x250.png?rev=3572002","banner_2x":"https:\/\/ps.w.org\/xpay-agentic-commerce-for-publishers\/assets\/banner-1544x500.png?rev=3572002","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/xpay-agentic-commerce-for-publishers\/assets\/icon-128x128.png?rev=3572002","icon_2x":"https:\/\/ps.w.org\/xpay-agentic-commerce-for-publishers\/assets\/icon-256x256.png?rev=3572002","generated":false},"screenshots":[],"raw_content":"\n
Plugin landing page:<\/strong> https:\/\/www.xpay.sh\/publishers\/wordpress-plugin\/ \u00b7 Documentation:<\/strong> https:\/\/docs.xpay.sh\/en\/publishers\/wordpress-plugin \u00b7 Source code:<\/strong> https:\/\/github.com\/xpaysh\/xpay-agentic-commerce-for-publishers<\/p>\n\n Your readers are increasingly arriving from ChatGPT, Claude, Gemini and Perplexity.<\/strong> They are also still arriving the usual way. xpay\u2726 Agentic Commerce helps you serve both at once.<\/p>\n\n For human readers, the plugin loads a lightweight recommendation widget (a floating button + a footer drawer) on your connected site \u2014 install once, works on every page, no shortcode required. You can narrow the widget to a subset of paths or disable site-wide loading entirely in the settings. For inline placement inside a specific post, use the For AI assistants and agents, the plugin publishes a single endpoint at This plugin contacts services operated by xpay (xpay.sh).<\/p>\n\n 1. 2. 3. The xpay terms of use and privacy policy: https:\/\/www.xpay.sh\/legal\/terms-of-use\/ and https:\/\/www.xpay.sh\/legal\/privacy-policy\/.<\/p>\n\n The recommendation engine uses a curated catalog of merchants from xpay's own merchant network, with affiliate-network fallbacks. The agent storefront endpoint only lists products from agent-ready merchants, since those are the only ones an AI assistant can transact with.<\/p>\n\n\n Detailed step-by-step with screenshots:<\/p>\n\n The plugin itself enqueues no front-end scripts unless a post actually contains the shortcode or block. The widget iframe loads lazily \u2014 one network round-trip, async after the page is interactive. The agent endpoint is served server-side without touching the front-end.<\/p><\/dd>\n The widget renders as editorial product cards with affiliate-link buy buttons, not as advertising, and only appears where you explicitly place it. Most ad networks permit such widgets in parallel. Always verify against your specific ad-network agreement before going live.<\/p><\/dd>\n Two reasons. (1) The widget UI iterates quickly at Yes \u2014 this plugin has no dependency on WooCommerce. It is designed for content publishers without their own store.<\/p><\/dd>\n After you enable it in settings, your site serves Yes. Deleting the plugin removes all settings, transients and the agent storefront endpoint. No data is left in your database.<\/p><\/dd>\n\n<\/dl>\n\n\n[xpay_recs]<\/code> shortcode or the Recommendations Gutenberg block. The plugin never modifies your post content directly \u2014 recommendations live in a sandboxed iframe hosted at widget.xpay.sh<\/code>, sets no third-party cookies, and uses no behavioural targeting.<\/p>\n\n\/.well-known\/agent-storefront.json<\/code> that lists products contextually relevant to your site. Agents that fetch it can discover and (where the underlying merchants support it) transact, with the resulting referral attributed back to your site.<\/p>\n\nWhat it does<\/h4>\n\n
\n
*<\/code> wildcards (PostHog-style).<\/li>\n[xpay_recs]<\/code> and a Gutenberg block for placing a product-card grid inside a specific post. Independent of the site-wide widget. The plugin never modifies post content via the_content<\/code> \u2014 placement is always explicit.<\/li>\n\/.well-known\/agent-storefront.json<\/code> so AI assistants can list products contextually relevant to the page they are reading. Detects existing .well-known<\/code> files and refuses to overwrite them.<\/li>\nllms.txt<\/code> augmentation<\/strong> \u2014 append a clearly-delimited block to your llms.txt<\/code>, only if you have opted in. Never replaces an existing llms.txt<\/code>.<\/li>\n?tag=<yours><\/code> appended. Amazon pays you directly.<\/li>\nWhat it does not do<\/h4>\n\n
\n
the_content<\/code> or rewrites your post bodies. The site-wide widget lives in page chrome (floating button + drawer); inline placement requires an explicit shortcode or block.<\/li>\nExternal services<\/h4>\n\n
publisher-api.xpay.sh<\/code><\/strong> \u2014 backend API.<\/p>\n\n\n
POST \/storefront\/decide<\/code> \u2014 recommendation decision API. The widget iframe (front-end) calls this when it renders. Data sent: page URL, title, categories, tags, site_id<\/code>. No visitor identifier.<\/li>\nPOST \/storefront\/beacon<\/code> \u2014 load\/click event endpoint. The widget iframe fires this anonymously when it mounts (load) and when a reader clicks a product card (click). Data sent: site_id<\/code>, hostname, post URL, merchant domain (on click), user-agent string. No visitor identifier.<\/li>\nPOST \/storefront\/register<\/code> \u2014 registration endpoint. Called once from the app.xpay.sh<\/code> onboard page during one-click connect to mint a site_id<\/code>.<\/li>\nGET \/storefront\/agent-card\/{site_id}<\/code> \u2014 server-to-server call from your WordPress install to build the \/.well-known\/agent-storefront.json<\/code> response.<\/li>\nGET \/storefront\/sites<\/code> \u2014 used by the publisher dashboard at app.xpay.sh<\/code>, not by this plugin.<\/li>\n<\/ul>\n\nwidget.xpay.sh<\/code><\/strong> \u2014 sandboxed iframe host for the front-end widget. Loaded only on posts where you place the [xpay_recs]<\/code> shortcode or the Recommendations block, and only when consent allows. Data passed via URL parameters: site_id<\/code>, post URL, title, public categories, public tags. No visitor identifier.<\/p>\n\napp.xpay.sh<\/code><\/strong> \u2014 publisher dashboard. Opened in a new tab from the settings page (a button labelled \"Open xpay dashboard\"). Never embedded.<\/p>\n\nPrivacy<\/h4>\n\n
\n
widget.xpay.sh<\/code>. The host page and the iframe are separate browsing contexts that cannot read each other.<\/li>\nwp_options<\/code>. They are not copied to xpay's backend.<\/li>\nwp_options<\/code> row it created and disables the agent storefront endpoint.<\/li>\n<\/ul>\n\nWhere the recommended products come from<\/h4>\n\n
\n
site_id<\/code> written into your settings.<\/li>\n[xpay_recs]<\/code> shortcode or insert the Recommendations<\/strong> block in the editor. The widget renders only where you place it.<\/li>\n\n
\n
Does this plugin slow down my site?<\/h3><\/dt>\n
Does it conflict with my ad network (Mediavine, Raptive, Ezoic)?<\/h3><\/dt>\n
Why is the front-end widget rendered in an iframe?<\/h3><\/dt>\n
widget.xpay.sh<\/code> \u2014 iframing means we don't ship a WordPress plugin update every time the UI improves. (2) The iframe is a separate browsing context: the host page can't read into it, and it can't read into the host page. That's strong privacy isolation for a third-party recommendation widget.<\/p><\/dd>\nDoes it work without WooCommerce?<\/h3><\/dt>\n
How does the agent storefront endpoint work?<\/h3><\/dt>\n
https:\/\/your-site.example\/.well-known\/agent-storefront.json<\/code> with a list of products an AI assistant can recommend. The list is generated server-side. The plugin will not overwrite an existing file at that path \u2014 if one is detected the emitter stays silent until you remove the conflict.<\/p><\/dd>\nCan I remove the plugin cleanly?<\/h3><\/dt>\n
0.4.3<\/h4>\n\n
\n
*<\/code> and ?<\/code> are supported via fnmatch, matched against the request path.<\/li>\nxpayacp_*<\/code> and legacy asp_*<\/code> query parameters from the xpay onboard page.<\/li>\n$_GET<\/code> index checks refactored to explicit branches so static analysers can verify each access.<\/li>\n$xpayacp_options<\/code> and $xpayacp_opt<\/code> variables in uninstall.php<\/code> properly prefixed.<\/li>\n<\/ul>\n\n0.4.0<\/h4>\n\n
\n
xpay-agentic-commerce-for-publishers<\/code>. The previous working name overlapped with Automattic's Storefront theme.<\/li>\nwidget.xpay.sh\/embed\/admin\/settings<\/code> iframe has been removed; no remote UI is loaded into wp-admin.<\/li>\n[xpay_recs]<\/code> shortcode or the Recommendations block. Existing sites with the auto-inject toggle previously on must add the shortcode or block where they want the widget.<\/li>\n\/page-context<\/code> REST endpoint.<\/strong> The widget iframe now signs its page-context<\/code> requests with an HMAC derived from the per-site secret minted at activation. The endpoint no longer accepts unauthenticated reads.<\/li>\nadmin-post.php<\/code> handler with an explicit manage_options<\/code> capability check.<\/li>\nxpayacp_<\/code> \/ XPAYACP_<\/code>.<\/li>\n<\/ul>\n\n0.3.6<\/h4>\n\n
\n
\/llms.txt<\/code> body is now composed from pre-escaped values.<\/li>\nindex.php<\/code> silence files to every plugin subdirectory.<\/li>\n<\/ul>\n\n0.3.5<\/h4>\n\n
\n
wp_register_script<\/code> \/ wp_enqueue_script<\/code> \/ script_loader_tag<\/code>.<\/li>\n0.3.4<\/h4>\n\n
\n
docs.xpay.sh\/en\/publishers\/wordpress-plugin\/*<\/code>.<\/li>\n<\/ul>\n\n0.3.0<\/h4>\n\n
\n
0.2.0<\/h4>\n\n
\n
0.1.0<\/h4>\n\n
\n
\/.well-known\/agent-storefront.json<\/code> emitter with detect-existing safety check.<\/li>\nllms.txt<\/code> append (off by default).<\/li>\n