xpay✦ Agentic Commerce for Publishers

Description

Plugin landing page: https://www.xpay.sh/publishers/wordpress-plugin/ · Documentation: https://docs.xpay.sh/en/publishers/wordpress-plugin · Source code: https://github.com/xpaysh/xpay-agentic-commerce-for-publishers

Your readers are increasingly arriving from ChatGPT, Claude, Gemini and Perplexity. They are also still arriving the usual way. xpay✦ Agentic Commerce helps you serve both at once.

For human readers, the plugin loads a lightweight recommendation widget (a floating button + a footer drawer) on your connected site — install once, works on every page, no shortcode required. You can narrow the widget to a subset of paths or disable site-wide loading entirely in the settings. For inline placement inside a specific post, use the [xpay_recs] shortcode or the Recommendations Gutenberg block. The plugin never modifies your post content directly: recommendations live in a sandboxed iframe hosted at widget.xpay.sh. It sets no third-party cookies and uses no behavioural targeting.

For AI assistants and agents, the plugin publishes a single endpoint at /.well-known/agent-storefront.json that lists products contextually relevant to your site. Agents that fetch it can discover and (where the underlying merchants support it) transact, with the resulting referral attributed back to your site.

What it does

  • Site-wide widget (floating button + footer drawer) — loads on every page of your connected site by default. Disable site-wide loading entirely, or narrow it to matching paths only, from Settings → xpay Agentic Commerce → “Where the widget loads”. URL patterns support * wildcards (PostHog-style).
  • Inline placement — shortcode [xpay_recs] and a Gutenberg block for placing a product-card grid inside a specific post. Independent of the site-wide widget. The plugin never modifies post content via the_content — placement is always explicit.
  • Privacy-first — the plugin sets no third-party cookies and emits no tracking pixels. The decision API receives only the public URL, post title, public categories and tags. Personalization is off unless you turn it on and a Consent API plugin reports positive consent.
  • Agent storefront endpoint — publishes /.well-known/agent-storefront.json so AI assistants can list products contextually relevant to the page they are reading. Detects existing .well-known files and refuses to overwrite them.
  • Optional llms.txt augmentation — append a clearly-delimited block to your llms.txt, only if you have opted in. Never replaces an existing llms.txt.
  • Brand-safety controls — exclude product categories and merchant domains directly from the native settings screen.
  • Amazon Associates — set your Amazon Associates tag. Any Amazon link the widget surfaces gets ?tag=<yours> appended. Amazon pays you directly.
  • Native WordPress settings screen — all configuration happens inside a standard wp-admin settings page (Settings → xpay Agentic Commerce). No remote UI, no embedded admin iframe.

What it does not do

  • It does not modify your post content. The plugin never hooks the_content or rewrites your post bodies. The site-wide widget lives in page chrome (floating button + drawer); inline placement requires an explicit shortcode or block.
  • It does not collect visitor identifiers. The plugin sets no cookies on your site and emits no tracking pixels.
  • It does not change your existing themes, posts or templates.
  • It does not require a merchant relationship. Publishers can install and connect with no e-commerce site of their own.

External services

This plugin contacts services operated by xpay (xpay.sh).

1. publisher-api.xpay.sh — backend API.

  • POST /storefront/decide — recommendation decision API. The widget iframe (front-end) calls this when it renders. Data sent: page URL, title, categories, tags, site_id. No visitor identifier.
  • POST /storefront/beacon — load/click event endpoint. The widget iframe fires this anonymously when it mounts (load) and when a reader clicks a product card (click). Data sent: site_id, hostname, post URL, merchant domain (on click), user-agent string. No visitor identifier.
  • POST /storefront/register — registration endpoint. Called once from the app.xpay.sh onboard page during one-click connect to mint a site_id.
  • GET /storefront/agent-card/{site_id} — server-to-server call from your WordPress install to build the /.well-known/agent-storefront.json response.
  • GET /storefront/sites — used by the publisher dashboard at app.xpay.sh, not by this plugin.

2. widget.xpay.sh — sandboxed iframe host for the front-end widget. Loaded only on posts where you place the [xpay_recs] shortcode or the Recommendations block, and only when consent allows. Data passed via URL parameters: site_id, post URL, title, public categories, public tags. No visitor identifier.

3. app.xpay.sh — publisher dashboard. Opened in a new tab from the settings page (a button labelled “Open xpay dashboard”). Never embedded.

The xpay terms of use and privacy policy: https://www.xpay.sh/legal/terms-of-use/ and https://www.xpay.sh/legal/privacy-policy/.

Privacy

  • No third-party cookies, no tracking pixels. The plugin sets no cookies and emits no tracking pixels on your site.
  • Page-context only, no visitor identifiers. The decision API and beacons receive only the public URL of the page, its public title, and its public categories and tags — the same data already in your HTML for search engines.
  • Iframe sandbox isolation. The front-end widget renders inside a sandboxed iframe loaded from widget.xpay.sh. The host page and the iframe are separate browsing contexts that cannot read each other.
  • WP Consent API integration. When the WP Consent API plugin is installed and reports a hard “no” for marketing consent, the widget iframe does not render.
  • All settings stored locally. Your Amazon Associates tag, excluded categories, excluded domains and toggles are stored in WordPress wp_options. They are not copied to xpay’s backend.
  • Cleanup on uninstall. Deleting the plugin removes every wp_options row it created and disables the agent storefront endpoint.

Where the recommended products come from

The recommendation engine uses a curated catalog of merchants from xpay’s own merchant network, with affiliate-network fallbacks. The agent storefront endpoint only lists products from agent-ready merchants, since those are the only ones an AI assistant can transact with.

Blocks

This plugin provides 1 block.

  • Recommendations: Contextual product recommendations for this post.

Installation

  1. Install the plugin from this directory or upload the ZIP via Plugins → Add New → Upload.
  2. Activate. You will be taken to Settings → xpay Agentic Commerce.
  3. Click Connect site. A new browser tab opens on xpay.sh and returns you here with a site_id written into your settings.
  4. To show recommendations on a post, add the [xpay_recs] shortcode or insert the Recommendations block in the editor. The widget renders only where you place it.
  5. (Optional) Enable the agent storefront endpoint to allow AI assistants to discover products from your site.

Detailed step-by-step with screenshots:

  • Installing the plugin — https://docs.xpay.sh/en/publishers/wordpress-plugin/installing
  • Connecting your site — https://docs.xpay.sh/en/publishers/wordpress-plugin/connecting
  • Placing the widget — https://docs.xpay.sh/en/publishers/wordpress-plugin/using
  • Settings reference — https://docs.xpay.sh/en/publishers/wordpress-plugin/settings
  • Troubleshooting — https://docs.xpay.sh/en/publishers/wordpress-plugin/troubleshooting

FAQ

Does this plugin slow down my site?

The plugin itself enqueues no front-end scripts unless a post actually contains the shortcode or block. The widget iframe loads lazily — one network round-trip, async after the page is interactive. The agent endpoint is served server-side without touching the front-end.

Does it conflict with my ad network (Mediavine, Raptive, Ezoic)?

The widget renders as editorial product cards with affiliate-link buy buttons, not as advertising, and only appears where you explicitly place it. Most ad networks permit such widgets in parallel. Always verify against your specific ad-network agreement before going live.

Why is the front-end widget rendered in an iframe?

Two reasons. (1) The widget UI iterates quickly at widget.xpay.sh — iframing means we don’t ship a WordPress plugin update every time the UI improves. (2) The iframe is a separate browsing context: the host page can’t read into it, and it can’t read into the host page. That’s strong privacy isolation for a third-party recommendation widget.

Does it work without WooCommerce?

Yes — this plugin has no dependency on WooCommerce. It is designed for content publishers without their own store.

How does the agent storefront endpoint work?

After you enable it in settings, your site serves https://your-site.example/.well-known/agent-storefront.json with a list of products an AI assistant can recommend. The list is generated server-side. The plugin will not overwrite an existing file at that path — if one is detected the emitter stays silent until you remove the conflict.

Can I remove the plugin cleanly?

Yes. Deleting the plugin removes all settings, transients and the agent storefront endpoint. No data is left in your database.

Contributors & Developers

“xpay✦ Agentic Commerce for Publishers” is open source software.

Changelog

0.4.3

  • New “Where the widget loads” settings section: master on/off toggle (default on), “Show only on these paths” include rules, and “Never show on these paths” exclude rules. Wildcards * and ? are supported via fnmatch, matched against the request path.
  • Connect-return handler accepts both xpayacp_* and legacy asp_* query parameters from the xpay onboard page.
  • $_GET index checks refactored to explicit branches so static analysers can verify each access.
  • $xpayacp_options and $xpayacp_opt variables in uninstall.php properly prefixed.
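
The path rules from the 0.4.3 entry, sketched as an added PHP example (not the plugin's own code). Only the master toggle, the include/exclude lists and fnmatch matching against the request path come from this page; the function name, the argument shapes, the fail-closed handling and the rule that excludes win over includes are assumptions.

```php
<?php
// Added illustration, not code from the plugin. Function name, argument
// shapes and exclude-over-include precedence are assumptions.

/**
 * Decide whether the site-wide widget should load for a request.
 *
 * @param string   $request_uri Raw request URI, e.g. $_SERVER['REQUEST_URI'].
 * @param bool     $enabled     Master on/off toggle.
 * @param string[] $include     "Show only on these paths" patterns.
 * @param string[] $exclude     "Never show on these paths" patterns.
 */
function example_widget_should_load(string $request_uri, bool $enabled, array $include, array $exclude): bool
{
    if (!$enabled) {
        return false;
    }

    // Match against the path only, so a query string cannot satisfy or dodge a rule.
    $path = parse_url($request_uri, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return false; // Unparseable URI: fail closed.
    }

    $matches = static function (array $patterns) use ($path): bool {
        foreach ($patterns as $pattern) {
            // No FNM_PATHNAME flag: "*" also matches "/", so "/shop/*"
            // covers "/shop/a/b". Pass FNM_PATHNAME for per-segment matching.
            if (is_string($pattern) && $pattern !== '' && fnmatch($pattern, $path)) {
                return true;
            }
        }
        return false;
    };

    if ($matches($exclude)) {
        return false; // Exclude rules win (assumed precedence).
    }
    // An empty include list means "every path".
    return $include === [] || $matches($include);
}

// Constructed sample rules and requests.
$include = ['/blog/*', '/reviews/?'];
$exclude = ['/blog/sponsored/*', '/checkout*'];
foreach (['/blog/2024/post?x=/checkout', '/blog/sponsored/ad', '/reviews/7', '/about'] as $uri) {
    printf("%-32s %s\n", $uri, example_widget_should_load($uri, true, $include, $exclude) ? 'load' : 'skip');
}
```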

0.4.0

  • Renamed to xpay✦ Agentic Commerce for Publishers. New slug xpay-agentic-commerce-for-publishers. The previous working name overlapped with Automattic’s Storefront theme.
  • Native WordPress settings screen. The admin settings screen is now a standard wp-admin page built with the Settings API. The embedded widget.xpay.sh/embed/admin/settings iframe has been removed; no remote UI is loaded into wp-admin.
  • Auto-injection of the widget removed. The widget no longer appends itself to post content. It renders only where you place the [xpay_recs] shortcode or the Recommendations block. Existing sites with the auto-inject toggle previously on must add the shortcode or block where they want the widget.
  • Signed /page-context REST endpoint. The widget iframe now signs its page-context requests with an HMAC derived from the per-site secret minted at activation. The endpoint no longer accepts unauthenticated reads.
  • Tightened admin handlers. The disconnect action now runs through a nonced admin-post.php handler with an explicit manage_options capability check.
  • All function, class, constant, option, transient and shortcode-internal prefixes consolidated under xpayacp_ / XPAYACP_.

0.3.6

  • Pre-WordPress.org-submit hardening pass against the published guidelines.
  • /llms.txt body is now composed from pre-escaped values.
  • Readme privacy section reworded to match the code’s actual behaviour.
  • Added empty index.php silence files to every plugin subdirectory.

0.3.5

  • Front-end widget script now flows through wp_register_script / wp_enqueue_script / script_loader_tag.
  • Readme short description rewritten in plain English.

0.3.4

  • Plugin URI updated to the dedicated landing page.
  • Documentation set published at docs.xpay.sh/en/publishers/wordpress-plugin/*.

0.3.0

  • Thin-shell architecture — front-end widget runs inside a sandboxed iframe.

0.2.0

  • One-click “Open xpay dashboard” link from the connected settings screen.

0.1.0

  • Initial release.
  • Shortcode and Gutenberg block for placing recommendation widgets manually.
  • /.well-known/agent-storefront.json emitter with detect-existing safety check.
  • Optional llms.txt append (off by default).
  • WP Consent API integration.
  • Brand-safety exclude lists.
  • Optional Amazon Associates per-site tag.