Agentic Commerce for WooCommerce

Your next customer is asking ChatGPT, not Google. They’re shopping by typing “find me a cordless drill under $80 that ships in 2 days” into a chat box — and quietly walking away from any store the AI can’t see. Right now, that’s most WooCommerce stores.

Agentic Commerce for WooCommerce (by xpay) makes your store visible to ChatGPT, Claude, Gemini and Perplexity in five minutes flat — no theme changes, no replatforming, no new payment processor. Your existing checkout stays exactly as it is; xpay just makes sure you’re the answer the AI gives.

📘 Full setup guide with screenshots: docs.xpay.sh/merchants/woocommerce
🌐 Plugin home: www.xpay.sh/merchants/woocommerce/
🔓 Source on GitHub: github.com/xpaysh/agentic-commerce-for-woocommerce

What it does

• Publishes a public, agent-readable product feed — your full catalog with live prices and stock, hosted on xpay’s CDN (no extra load on your origin).
• Adds AI-shopping JSON-LD — Product, Offer, AggregateOffer, BuyAction and ItemList schemas on product pages, shop archive and home page. Detects existing schema from Yoast / Rank Math / WooCommerce core and only fills the gaps.
• Serves the real AI shopping standards on your own domain — /llms.txt (llmstxt.org), schema.org Product/Offer/BuyAction JSON-LD on every product page, and an explicit robots.txt allowlist for AI user-agents. Optional watchlist emitters for /.well-known/oauth-protected-resource (RFC 9728, when UCP OAuth identity linking is on) and /.well-known/agent-card.json (A2A 1.0, off by default). The discovery layer is registry-based so new standards plug in cleanly.
• Allows the right bots — GPTBot, ChatGPT-User, OAI-SearchBot, ClaudeBot, Claude-User, Claude-SearchBot, PerplexityBot, Perplexity-User, Google-Extended, Applebot-Extended and CCBot. Never overrides your existing robots.txt rules.
• Cart deep-link — AI agents create a one-click “Buy” link that pre-fills your existing WooCommerce cart and lands the buyer on your existing checkout. Orders are tagged with _xpay_agent_attribution so you can attribute AI-driven revenue in your existing reporting.
• Live inventory — webhook-driven catalog refresh on every product / stock change (debounced 30s), plus an hourly safety-net poll.

What it doesn’t do

• It doesn’t touch your checkout. Stripe / WooPayments / PayPal / Square / whatever you already use — payment runs through them, unchanged. Your payout schedule is unchanged.
• It doesn’t see your customers. No buyer names, emails, addresses, IPs, payment cards, order line items, refunds, or PII of any kind passes through xpay. Ever. The plugin is non-custodial.
• It doesn’t require a new account or contract to start. Free until your first AI-attributable sale; pricing kicks in after that. See pricing.
• It doesn’t slow down your site. The JSON-LD block is tiny and cached; the catalog feed is served from xpay’s CDN, not your origin.

Five-minute install flow

1. Install the plugin from this directory or upload the zip. (detailed walk-through)
2. Activate. You’ll be taken to Settings → xpay.
3. Click Connect store. You’re redirected to app.xpay.sh, where you grant a read-only WooCommerce REST API key. (how to generate one)
4. Your catalog goes live on AI surfaces within about 10 minutes. The plugin’s built-in audit-readiness checklist (what each row means) turns green as each piece confirms.

Stuck on any step? Troubleshooting guide.

Compatibility

• WooCommerce 7.0+ on WordPress 6.2+ and PHP 7.4+.
• Declares compatibility with WooCommerce High-Performance Order Storage (HPOS) and Cart/Checkout Blocks.
• Works alongside Yoast SEO, Rank Math, WooCommerce Blocks, WooPayments, Stripe for WooCommerce, and the standard Storefront / Astra / Divi / Elementor themes.

Privacy and consent

• Anonymous lifecycle telemetry is off by default. On first activation a single admin notice asks once. Pick “No thanks” and the plugin never contacts our backend for analytics. Pick “Enable” and you can change your mind any time under Settings → xpay → Privacy. System-wide opt-out via define( 'XPAY_WC_TELEMETRY', false ); in wp-config.php.
• Full data disclosure at install.xpay.sh/woocommerce/privacy.html — every byte the plugin sends, when it sends it, how to opt out, how to request deletion. Plain-English version: docs.xpay.sh/merchants/woocommerce/privacy-telemetry.

Source code and contributing

The plugin source is published under GPLv2-or-later. Public repo and issue tracker: github.com/xpaysh/agentic-commerce-for-woocommerce. You can fork, modify, redistribute, and self-host without paying anything.

External services

This plugin connects to the following xpay-operated services to deliver its core function. Every endpoint and its purpose is documented; full payload disclosure is in the Privacy section.

1. agent-feed.xpay.sh — Public CDN that hosts your AI-readable catalog feed at https://agent-feed.xpay.sh/catalog/{your-slug}.json. The plugin does not contact this URL directly; the xpay backend writes it from your WooCommerce REST API after you click Connect store.

2. agent-commerce.xpay.sh — The agent-side API that AI shopping agents call to surface and buy from your products. The plugin contacts this host at the following paths: (a) POST /v1/onboard/woocommerce/wc-auth-callback is the WooCommerce OAuth callback target (WordPress itself calls this on your behalf, server-to-server, after you approve the one-click connect prompt); (b) GET /v1/onboard/woocommerce/status?nonce=… is polled by the xpay onboarding page while the handshake finishes; (c) POST /v1/merchants/{slug}/resync triggers a fresh catalog ingest after a product or stock change; (d) GET /v1/merchants/{slug} is called when Settings → xpay verifies the current connection state; (e) PATCH /v1/merchants/{slug}/products/{sku} pushes a single-product delta when a WooCommerce product/stock webhook fires; (f) DELETE /v1/merchants/{slug} is sent (non-blocking) when you click Disconnect so xpay marks your account as disconnected and archives the cached catalog. The hostname is also the publicly advertised target for POST /mcp/{slug} (the JSON-RPC commerce MCP endpoint AI agents talk to) — the plugin itself does not call this URL but lists it in the /.well-known/ucp manifest.

3. app.xpay.sh/onboard/woocommerce — The merchant-side onboarding page. When you click Connect store, the plugin redirects your browser here with three query-string parameters: your site URL, your administrator email address, and a one-time random nonce generated locally. No data is sent to xpay before you click the button. You sign in or sign up on xpay and grant the WooCommerce REST API permission there.

4. agent-commerce.xpay.sh/v1/events — Optional anonymous lifecycle telemetry. Disabled by default; only contacted if you explicitly opt in via the first-activation admin notice or Settings → xpay → Privacy. Full payload disclosure in the Privacy section.

5. audit.xpay.sh — Merchant-facing audit dashboard. The plugin emits a link to audit.xpay.sh/{your-slug} on the Settings page so you can review the live agent-readiness score xpay computed from your catalog; the plugin itself does not fetch from this host. Opening the link from your browser sends standard browser headers to xpay.

6. auth.xpay.sh — Public OAuth-protected-resource discovery target. The plugin publishes auth.xpay.sh as the authorization_servers[0] entry in /.well-known/oauth-protected-resource (an RFC 9728 metadata document AI agents fetch to learn where to obtain a token). The plugin does not contact this host server-to-server; it is referenced for agent-side discovery only.
7. install.xpay.sh/woocommerce/{terms,privacy}.html — Static legal documents linked from this readme and from the Settings privacy panel. The plugin itself does not fetch these URLs; clicking the links opens them in your browser.

Terms of use: install.xpay.sh/woocommerce/terms.html
Privacy policy: install.xpay.sh/woocommerce/privacy.html

Privacy

xpay is built non-custodially: we never see your customers, your orders, or any payment data. Concretely:

• Nothing leaves your site before you click Connect store. The Settings → xpay page is pure markup — no outbound HTTP, no analytics ping, no nonce pre-registration.

• Sent only after you click Connect store (required for the plugin to work): your site URL, your administrator email address, a one-time random nonce, your WooCommerce REST API consumer key/secret (so xpay can read the product catalog), and your public product fields (name, description, price, stock, image URLs, categories). No customer data. No order data. No payment data.

• Optionally sent if you opt in to anonymous telemetry (default OFF): lifecycle event names tagged with your site URL, plugin version, WP version, WC version, PHP version, locale. No customer data, no order data, no customer PII.

• Opt out of anonymous telemetry: Settings → xpay → Privacy → Turn off. Or define XPAY_WC_TELEMETRY to false in wp-config.php for a system-wide hard disable that overrides any UI choice.

• Request data deletion: email privacy@xpay.sh from your admin email with your merchant slug. We process within 7 business days.

Full data-handling disclosure: install.xpay.sh/woocommerce/privacy.html.