Agent-Commerce Readiness: can AI agents buy from your site?
Updated 2026-07-11 · by Eoin Siegel
Agent-commerce readiness is whether an autonomous AI agent can discover what you sell, read your prices, and complete a payment on your site with no human in the loop. It is the transactional core of agent readiness: instead of checkout forms and card fields, the site answers HTTP requests with machine-readable payment challenges that an agent’s wallet can inspect, approve, and settle.
What is agent-commerce readiness?
Agent-commerce readiness is the subset of agent readiness that covers transactions. A site can be perfectly readable by agents — clean llms.txt, MCP tools, content negotiation — and still be impossible to buy from, because its checkout assumes a human: forms, card fields, CAPTCHAs, 3-D Secure prompts. Agent-commerce readiness asks a narrower question: if an agent decides your product or API is worth paying for, is there a machine-readable path from that decision to a settled payment?
How an agent pays a website
The core mechanism is HTTP status code 402 (“Payment Required”) — reserved since HTTP/1.1 and now in active use. The flow:
- The agent requests a paid resource —
POST /api/report. - The server responds
402with a payment challenge — the price, the accepted networks, and the address to pay. In x402 v1 (the widely deployed version) the challenge is the JSON body of the response; in v2 it moves into a base64-encodedPAYMENT-REQUIREDheader. - The agent (or its wallet) inspects the terms, decides whether to pay, and attaches a signed payment proof to a retry.
- The server verifies the proof — usually via a facilitator — and serves the resource with a
200.
Decoded, a v1 challenge body looks like this (simplified):
{
"x402Version": 1,
"accepts": [{
"scheme": "exact",
"network": "base",
"amount": "0.10",
"asset": "USDC",
"payTo": "0xYourWalletAddress",
"maxTimeoutSeconds": 60,
"resource": "/api/report"
}]
}
No API keys, no accounts, no checkout page — per-call payment negotiated entirely in HTTP headers.
The agent-commerce readiness checklist
- Return a real 402 with a decodable challenge. At least one paid endpoint should answer an unauthenticated request with HTTP 402 and a parseable challenge (x402
Payment-Requiredheader, or an MPP/L402WWW-Authenticateheader). If your “paid API” just returns 401 and a link to a signup page, agents are locked out. x402 guide. - Publish
/.well-known/x402.json. A widely used discovery convention (the official spec’s discovery mechanism is the facilitator Bazaar API) that tells agents which endpoints are paid, what they cost, and how to call them — before triggering any 402. The fields AgentGrade validates:x402Version,name,network,facilitator,payTo, and aservices[]array with method, path, description, and amount per endpoint. Bazaar & discovery guide. - Make paid services Bazaar-discoverable. Adding
"extensions": { "bazaar": { "discoverable": true } }with input/output schemas lists your endpoints in catalog indexes agents already search, instead of waiting for them to find you. - Declare prices in your OpenAPI spec. An
x-payment-infoblock on paid operations — protocols and price — lets an agent budget a task before making a single call. OpenAPI guide. - Expose purchase-adjacent actions as MCP tools. Checking availability, quoting a price, fetching an invoice — the steps around a purchase — should be callable tools, not pages. MCP guide.
- Don’t block the buyer. Bot walls, JavaScript-only pricing pages, and HTML error pages all break the flow before payment is reached. Serve structured JSON errors, keep pricing reachable without JavaScript, and allow agent User-Agents in robots.txt. Infrastructure guide.
The payment protocols
x402
The HTTP 402 standard coined by Coinbase and now stewarded by the x402 Foundation: a machine-readable challenge quoting price, network, asset, and recipient (a JSON body in v1; a base64-encoded PAYMENT-REQUIRED header in v2); settlement via stablecoins (typically USDC) through a facilitator. It is the protocol with a public discovery story: the Bazaar catalog, plus the community /.well-known/x402.json convention. Read the x402 guide.
MPP (Machine Payment Protocol)
A 402-based protocol using the WWW-Authenticate: Payment header, documented by Stripe with payment methods including stripe and tempo. Server-side integration is a middleware (npm install mppx) configured with a secret key and recipient address. Covered in the payments guide.
Stripe SPT (Shared Payment Tokens)
Stripe’s agentic-payments credential: scoped tokens granted for agent-initiated purchases. On the wire, an MPP 402 challenge quoting method="stripe" is what an SPT satisfies — the no-blockchain route for sites already on Stripe.
L402
The Lightning-network variant: 402 plus a macaroon and invoice in WWW-Authenticate: L402. Niche adoption, mostly Bitcoin-native services.
Why this matters now
The demand side is arriving faster than most sites’ supply side. Adobe Analytics measured a 4,700% year-over-year jump in generative-AI traffic to US shopping sites by July 2025, with a further 393% increase in Q1 2026 (a separate Adobe Analytics report). eMarketer forecasts AI platforms will process roughly $20.9 billion of US retail ecommerce in 2026, and Morgan Stanley projects up to $385 billion in agentic-commerce impact by 2030. The sites capturing that spend are the ones an agent can pay without asking its user to open a browser.
Agent-commerce readiness tools
AgentGrade’s scanner runs the checklist above as part of its 70+ checks — the Machine Payments and Bazaar Discovery groups probe your live 402 responses, decode the challenges, validate /.well-known/x402.json field by field, and check price declarations in your OpenAPI spec. Each failing check comes with a fix hint and a code example.
- Run a scan — full report in under a minute, no signup.
GET /api/scan?url=…— the same scan as JSON, for scripts and agents.npx agentgrade-cli yoursite.com— terminal report.- AgentGrade Scan GitHub Action — fail a pull request if a deploy drops your score below a threshold.
- The Agentic Web Index — see which payment rails the top 100 sites expose.
Frequently asked questions
What is agent-commerce readiness?
Agent-commerce readiness is whether an autonomous AI agent can discover what a site sells, read its prices, and complete a payment programmatically — with no forms, card fields, or human checkout steps. It is the transactional subset of agent readiness, built on HTTP 402 payment challenges that an agent’s wallet can inspect and settle.
Do I need cryptocurrency to be agent-commerce ready?
No. x402 settles in stablecoins like USDC, but a 402 challenge can also quote card payment: an MPP challenge can list a stripe method that an agent satisfies with a Stripe Shared Payment Token, settling on ordinary card rails with no blockchain involved. The readiness signals — a decodable 402 challenge, published prices, discovery files — are protocol-neutral. What matters is that an agent can find your terms and pay by machine, whichever rail you choose.
What is x402?
x402 is an HTTP-based payment protocol coined by Coinbase. A server answers a paid request with status 402 and a machine-readable challenge quoting the price, network, asset, and recipient address — a JSON body in x402 v1, a base64-encoded PAYMENT-REQUIRED header in v2. The agent attaches a signed payment proof and retries. It enables per-call micropayments without API keys or accounts.
How do agents discover paid endpoints?
Through the Bazaar — the official catalog, indexed via facilitators — and through /.well-known/x402.json, a widely used community convention listing each paid endpoint with its method, path, description, and price. Prices can also be declared per-operation in an OpenAPI spec via x-payment-info, so agents can budget before calling.
What is the difference between x402 and Stripe SPT?
Both paths answer paid requests with HTTP 402. x402 quotes stablecoin terms (v1 body / v2 PAYMENT-REQUIRED header) and settles on-chain via a facilitator. An SPT is a scoped Stripe credential: it satisfies the stripe method of a Machine Payments Protocol challenge (WWW-Authenticate: Payment) and settles on ordinary card rails — no wallet or chain on that route. MPP itself is multi-rail: the same challenge can also quote stablecoin methods like tempo. Sites can offer several rails in one challenge and let the agent pick.
Can an agent just use my normal checkout page?
Usually not reliably. Human checkouts assume a browser session: rendered JavaScript, form state, CAPTCHA, and 3-D Secure challenges designed to verify a person. Agents can sometimes drive them with browser automation, but it is slow and brittle. A 402-based rail gives agents a first-class path and keeps your human checkout unchanged.
How do I test my site’s agent-commerce readiness?
Run a scan at agentgrade.com. The Machine Payments and Bazaar Discovery check groups probe your endpoints for live 402 responses, decode the payment challenges, validate /.well-known/x402.json field by field, and verify OpenAPI price declarations — with a fix hint and code example for every failing check.