Why ACP Matters — and Why You Should Integrate Now

On September 29, 2025, OpenAI and Stripe launched something that quietly changed e-commerce: the Agentic Commerce Protocol (ACP). It lets AI agents browse products, build carts, and complete purchases — all inside a chat window. Etsy was the first live partner. Its stock jumped 16% that day.

Six months later, over 1 million Shopify merchants are ACP-eligible, Instacart has full grocery checkout inside ChatGPT, and the protocol has shipped four specification updates. ACP isn't an experiment anymore — it's an active sales channel. But integrating with it properly requires more than flipping a switch. Miss a step and your products won't surface, your checkout will break, or your payments will silently fail.

This post is the integration checklist. Every phase, every endpoint, every gotcha — from pre-planning to production monitoring.

Phase 1: Understand What You're Building

ACP is an open-source protocol (Apache 2.0) co-maintained by OpenAI and Stripe. It defines how AI agents interact with merchant systems to discover products, manage checkout sessions, process payments, and track orders. The consumer-facing product is Instant Checkout in ChatGPT — users ask for products, see options, and buy without leaving the conversation.

Architecturally, ACP sits between the agent (ChatGPT) and your commerce backend. You expose five RESTful endpoints. The agent calls them. Stripe handles payments via Shared Payment Tokens (SPTs) — time-limited, amount-bounded credentials that never expose raw card numbers. Your system remains the merchant of record.

ℹ️
Current scope (Feb 2026): Single-item purchases, US merchants and customers only. Multi-item carts and international expansion are on the roadmap. Spec versions: 2025-09-29 (initial), 2025-12-12 (fulfillment), 2026-01-16 (capability negotiation), 2026-01-30 (extensions and discounts).

Phase 2: Pre-Integration Planning

Before writing code, audit your readiness across three dimensions:

Platform compatibility. ACP requires an API-first architecture. If your commerce backend exposes product data, inventory, pricing, and order management via APIs, you're in good shape. If it's monolithic with manual data processes, you'll need to build an API layer first.

Payment processor. Stripe is the only fully supported payment service provider for ACP's Shared Payment Token spec. If you already process through Stripe, integration may require as little as one line of code. If not, you'll need to add Stripe as a processor — or wait for other PSPs to implement the Delegated Payment Spec.

Product data quality. This is where most integrations fail. Agents terminate execution if your commerce data schema is incomplete. Before anything else, audit your catalog for completeness — product IDs, titles, descriptions, pricing, images, variant mappings, shipping data, and availability status. Every field matters.

Phase 3: Product Feed Setup

Your product feed is how ChatGPT discovers your catalog. Get this wrong and your products simply won't appear.

Data CategoryRequired FieldsPriority
Core Identityproduct_id, title, description, price, availability, imagesRequired
Variant Mappingitem_group_id, variant_id, color, size, materialRequired
Logisticsweight, dimensions, shipping regions, delivery times, costsRequired
Product IdentifiersGTIN, UPC, MPNStrongly recommended
Trust Signalsreview_count, rating, return_policy, bestseller_statusRecommended
Rich Mediavideo_link, model_3d_link, additional_image_linkOptional

Feeds are delivered via encrypted HTTPS push to OpenAI's endpoint in CSV, JSON, TSV, or XML format. The recommended update frequency is every 15 minutes — stale inventory data causes checkout failures when agents try to purchase out-of-stock items. Full spec details are at developers.openai.com/commerce/specs/feed.

🚨
Critical: Variant ID mapping is the #1 source of checkout failures. Your variant_id must exactly match your inventory system's canonical keys. Label similarity (e.g., "Blue / Large") is NOT a substitute for structured variant identity. Enforce variant_id mapping at the inventory service layer.

Phase 4: Build the Five Required Endpoints

ACP's checkout interface is built on five RESTful endpoints. Every merchant must implement all five.

EndpointMethodPurpose
/checkout_sessionsPOSTCreate session with cart items, buyer context, pricing, shipping, tax
/checkout_sessions/{id}POSTUpdate session — quantity changes, shipping modifications, discount codes
/checkout_sessions/{id}GETRetrieve current cart state — items, totals, status
/checkout_sessions/{id}/completePOSTFinalize checkout, create order, charge payment token
/checkout_sessions/{id}/cancelPOSTCancel checkout, release held inventory

Every response must return a rich, authoritative cart state — line items with verified pricing, calculated taxes, available shipping options, applicable discounts, and a grand total. The agent relies entirely on your response to render the checkout UI. If you return incomplete data, the checkout will fail or display incorrect information.

All requests include an Idempotency-Key header with a 24-hour TTL. Your implementation must return identical results for duplicate requests — critical for handling network retries without creating duplicate orders.

Phase 5: Security and Authentication

ACP uses OAuth 2.1 with PKCE (S256 code challenge) for merchant authentication. ChatGPT manages tokens and sends them as Authorization: Bearer <token> on every request. Your server must validate every token — check issuer, audience, expiration, and scopes. Reject expired or malformed tokens with a 401 and a WWW-Authenticate challenge.

For webhooks (order_create, order_update), ACP uses HMAC-SHA256 signatures. Verify the Merchant-Signature header against your signing key and reject any webhook with a timestamp older than 5 minutes to prevent replay attacks.

⚠️
Never hardcode API keys. Use a secrets manager (AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault). Store signing certificates in your /.well-known/acp/manifest.json and keep them rotated.

You must also publish a service discovery manifest at /.well-known/acp/manifest.json declaring your supported protocol versions, active namespaces, and public signing certificates. This manifest must be accessible to OpenAI's crawlers — without it, your integration won't be discoverable. Full auth documentation is at developers.openai.com/apps-sdk/build/auth.

Phase 6: Payment Integration with Stripe SPTs

Payments flow through Shared Payment Tokens — Stripe's implementation of the Delegated Payment Spec. Here's the flow:

Step 1: The customer confirms they're ready to pay inside ChatGPT. Step 2: The agent requests an SPT from Stripe, scoped to your seller ID, a maximum amount, and an expiry window. Step 3: The agent sends a CompleteCheckoutRequest to your endpoint with the SPT, final cart, and shipping/billing addresses. Step 4: Your server creates a Stripe PaymentIntent using the SPT. Step 5: Stripe charges the token and returns success or failure. Step 6: You confirm the order to the agent, which displays the confirmation to the customer.

SPTs are intentionally restrictive — they're time-limited, amount-bounded, and scoped to a specific seller. They can't be reused, stored, or applied to a different merchant. This is the security model that makes agent-initiated payments safe without exposing raw card credentials.

Phase 7: Test Everything in Sandbox

OpenAI provides a sandbox environment where you must complete and document end-to-end tests before going to production. Here's the minimum test matrix:

Checkout session lifecycle: Create sessions with and without shipping addresses. Verify that shipping options and tax totals populate correctly once a valid address is provided. Test quantity changes, variant switches, and discount code applications through the update endpoint.

Payment flow: Create delegated payment tokens with valid payment method objects. Verify that PaymentIntent creation succeeds with the SPT. Test expired tokens, over-limit amounts, and invalid seller scopes — all should fail gracefully.

Idempotency: Send the same request twice with the same Idempotency-Key. Confirm identical responses and no duplicate orders. Webhooks: Verify signature validation, timestamp rejection, and proper processing of order_create and order_update events.

Document all test results with request/response logs. You'll need them for the production submission review. Full testing guide at developers.openai.com/commerce/guides/production.

Phase 8: Go Live — The Final Checklist

Production launch checklist:
• Enable Agentic Checkout in Stripe Dashboard
• Submit /.well-known/acp/manifest.json for OpenAI verification
• Verify crawler access to your manifest endpoint
• Confirm product feed delivery (15-min refresh cycle active)
• Monitor first 100 transactions for cart state accuracy
• Track webhook delivery success rates (target: 99.9%+)
• Set up alerts for failed payments and checkout abandonment
• Establish rollback procedures in case of integration issues
• Review OpenAI merchant policies for compliance

Once live, your products enter ChatGPT's organic discovery system. Ranking is based purely on relevance to user queries — there's no pay-to-play, and Instant Checkout items receive no ranking boost. Products are surfaced based on query match, quality signals, availability, and trust data from your feed.

Currently, merchants like Etsy, Glossier, SKIMS, Spanx, Coach, Kate Spade, and URBN brands (Anthropologie, Free People, Urban Outfitters) are live. Instacart shipped full grocery checkout in December 2025, covering 1,800+ retailers. The channel is growing fast.

The Bottom Line

ACP integration isn't a weekend project, but it's not a six-month initiative either. For merchants already on Stripe, the payment layer is nearly turnkey. The real work is in product data quality, endpoint reliability, and security implementation. Get those right, and you're adding a sales channel that puts your products in front of every ChatGPT user who asks for what you sell.

The spec is evolving quickly — four updates in five months — so build with flexibility. Subscribe to the GitHub repo and the community hub to stay current. The agents are already shopping. Make sure they can check out.

References

  1. OpenAI — Buy It in ChatGPT (ACP Launch)
  2. ACP Official Specification — GitHub
  3. OpenAI Commerce Developer Hub
  4. Stripe — Agentic Commerce Guide
  5. Stripe — Shared Payment Tokens
  6. OpenAI — Product Feed Spec
  7. OpenAI — Auth and OAuth 2.1
  8. OpenAI — Production Guide
  9. OpenAI — Instacart Partnership
  10. Stripe — Open Standard for Agentic Commerce
  11. Agentic Commerce Community Hub
  12. Stripe — ACP Protocol Reference