Our Methodology
Rankly evaluates merchant domains against both the Universal Commerce Protocol (UCP) by Google, Shopify, and partners, and the Agentic Commerce Protocol (ACP) by Stripe and OpenAI. We run 229+ automated checks across three validation layers and nine scoring dimensions.
Contents
Part I
Understanding UCP and ACP - the two standards powering agentic commerce.
The Universal Commerce Protocol (UCP) is an open standard co-developed by Google, Shopify, Etsy, Wayfair, Target, and Walmart, with endorsement from 30+ companies including Visa, Mastercard, PayPal, Stripe, and Klarna. Version 2026-01-23, Apache 2.0 licensed.
UCP is the discovery and protocol layer - it tells AI agents what a store can do and how to interact with it. Think of it as robots.txt for commerce capabilities.
/.well-known/ucp
Declares: version, services (REST/MCP/A2A/Embedded), capabilities
(checkout, fulfillment, discount, order), payment handlers, signing keys
Four actors: Platform (AI agent), Business (store), Credential Provider (wallet), Payment Service Provider (PSP).
Four transports:
REST
HTTP/OpenAPI endpoints
MCP
JSON-RPC 2.0 tool calls for LLMs
A2A
Agent-to-Agent via Agent Cards
Embedded
Iframe checkout (ECP) with postMessage
Six capabilities: dev.ucp.shopping.checkout, fulfillment, discount, order, ap2_mandate (cryptographic payment proofs), buyer_consent (GDPR/CCPA).
The Agentic Commerce Protocol (ACP) is an open standard by Stripe and OpenAI. Version 2026-01-30, Apache 2.0 licensed. OpenAI is the first platform to implement it as "Instant Checkout in ChatGPT".
ACP is the transaction layer - it handles checkout sessions, payment credential relay, and order webhooks. Where UCP says "here is what my store can do," ACP says "here is how to buy from my store."
Two specifications:
Agentic Checkout
5 REST endpoints: create, retrieve, update, complete, cancel checkout sessions
Delegate Payment
Tokenized payment credentials with allowance constraints, risk signals, and vault tokens
Checkout lifecycle: not_ready_for_payment → ready_for_payment → in_progress → completed
Capability negotiation: Agents declare supported interventions (3DS, biometric), display context (native, webview), and extensions (discount). Sellers return the intersection.
A store can have UCP without ACP (discovery only). ACP can work independently or be discovered through a UCP manifest. Both share the concept of checkout sessions, payment instruments, fulfillment options, and discount codes.
Part II
229+ checks across three validation layers.
Layer 1
Static Analysis
Manifest structure, version format (YYYY-MM-DD), required fields, TLS 1.3, reverse-domain naming, JWK signing keys, robots.txt for 5+ AI agents, Schema.org JSON-LD.
Layer 2
Semantic Validation
Service-capability matching, transport endpoint reachability, payment handler config completeness (gateway IDs, card brands), fulfillment config validity, discount extension schema.
Layer 3
Runtime Simulation
MCP tool invocation (search, cart, checkout), REST endpoint latency, ACP readiness assessment (checkout, payment, infrastructure), multi-agent bot access (GPTBot, ClaudeBot, Google-Extended, Applebot, Perplexity).
The UCP manifest at /.well-known/ucp is the entry point for all AI shopping agents. We validate:
For each declared transport, we verify the endpoint is reachable and responds correctly:
We validate each declared capability against the UCP spec:
Payment handlers define how instruments are collected and processed. We check:
ACP endpoints are server-to-server between agent platforms (OpenAI, Google) and sellers (onboarded via Stripe). They are not publicly accessible, so we cannot probe them directly. Instead, we assess readiness by checking for the signals and infrastructure that ACP requires:
The ACP checkout lifecycle (not_ready_for_payment → ready_for_payment → completed) is documented in the spec but cannot be tested without seller onboarding through Stripe. Our checks evaluate whether the store has the prerequisites in place.
ACP uses a delegate payment model where the agent platform (e.g., Stripe on behalf of OpenAI) processes payment. The seller never sees raw card numbers. We check for payment readiness signals:
ACP delegate payment creates tokenized credentials with allowance constraints (max_amount, currency, merchant_id, expires_at). Webhooks deliver order lifecycle events (order_create, order_update) with HMAC signatures. These flows require Stripe seller onboarding and cannot be tested externally.
We test robots.txt rules for major AI shopping agents:
GPTBot
ClaudeBot
Google-Extended
Applebot-Extended
PerplexityBot
We also check: Schema.org Product markup (JSON-LD), sitemap.xml accessibility, whether /.well-known/ucp is blocked in robots.txt, and structured data cross-referencing against product feeds.
We compare UCP and ACP implementations side-by-side:
Part III
How we calculate your Agentic Commerce Readiness Score.
Each check maps to one of nine weighted dimensions. The composite score ranges from 0 to 100.
Top 1% of merchants. Fully optimized for agentic commerce.
Fully agentic-ready. Minor optimizations possible.
Most agent interactions work. Some rough edges.
Significant gaps. Agents can partially interact.
Major remediation needed.
Not agentic-ready.
Part IV
Each scan runs six sequential phases:
1. Static Analysis - Manifest fetch, TLS check, robots.txt parsing, Schema.org extraction
2. Semantic Validation - Service-capability cross-referencing, payment handler config validation
3. ACP Readiness - Checkout capability, transport availability, HTTPS, payment handlers, cart API
4. Runtime Checks - Bot access simulation, endpoint latency, crawlability testing
5. AI Platform Checks - ChatGPT, Perplexity, Bing Copilot, Claude, Apple Intelligence compatibility
6. Scoring - Category aggregation, weighted scoring, grade assignment
Results are cached for 24 hours. The leaderboard updates via automated daily cron scans. Rate limiting: 1 rescan per domain per hour.
All scans are read-only. We never:
× Create checkout sessions or place orders
× Submit payment credentials or process transactions
× Modify cart state or inventory
× Write data to any store endpoint
× Bypass authentication or access gated endpoints
Our scanner uses User-Agent: RanklyBot/1.0 and respects robots.txt directives. All requests use HTTPS only.
How often are stores re-scanned?
The leaderboard updates daily via automated cron scans at 3 AM UTC. Manual rescans have a 1-hour cooldown per domain.
Do you test checkout by placing real orders?
No. We validate checkout readiness through manifest analysis, endpoint probing, and protocol compliance checks. No orders are placed, no payments processed.
What if a store has UCP but not ACP?
That is fine and common. ACP is not publicly available outside select partners and is not yet widely adopted. Many Shopify stores have UCP manifests with no ACP integration. Our ACP checks assess readiness signals (capabilities, payment handlers, infrastructure) rather than live endpoint testing. A store with excellent UCP can still score well.
How do you handle stores behind OAuth?
We test the publicly accessible endpoints only. Some stores (especially Shopify) gate checkout MCP tools behind OAuth, exposing only shopping tools publicly. We document this in the results.
What is the difference between your scanner and the playground?
The scanner runs 229+ automated checks and produces a scored report. The playground lets you manually interact with a store's MCP tools - search products, add to cart, and test checkout flows in real-time.