A

Protocol

HIGH

/.well-known/ucp is publicly fetchable with no auth

This check passes when an unauthenticated GET of `/.well-known/ucp` returns a 2xx status. Agents fetch the profile without credentials, so a 401 or 403 means they never see it.

What this check looks for

Google's UCP guide and the UCP overview both treat the profile as a public artefact: agents fetch it without credentials. A 401/403 response almost always means the merchant has accidentally gated the file behind WAF rules, basic auth, or a frontend authenticator. Any other non-2xx response fails as well: a 3xx to a login page, because the 2xx has to come from the canonical URL itself rather than wherever a redirect leads; a 404, because the file is missing rather than gated; a 5xx, because the agent gets nothing usable. We require a 2xx status on the canonical URL.

Which AI surfaces it affects

  • Google AI Mode (UCP): 100
  • Microsoft Copilot: 70
  • ChatGPT (ACP): 30
  • Meta AI: 30
  • Perplexity: 20

Weighted against the live specs — ACP 2026-04-17, UCP 2026-04-08.

How to fix it

Allow unauthenticated access to /.well-known/ucp

Shopify

A few minutes
  1. If you're auditing a password-protected Shopify storefront (Settings → Online Store → Preferences → Password), the profile inherits the password. Either remove the storefront password or proxy `/.well-known/ucp` from an unauthenticated edge route.

BigCommerce

A few minutes
  1. BigCommerce's storefront-preview-mode authentication wraps the entire site. For production profiles, ensure storefront-preview-mode is off, or serve UCP from an edge route that bypasses the auth wrapper.

WooCommerce

Developer
  1. If you're using a maintenance-mode / coming-soon plugin (Elementor maintenance mode, WP Maintenance), whitelist `/.well-known/ucp` in the plugin's bypass list.
  2. Check your `.htaccess` and Nginx config for basic-auth directives (`AuthType Basic` in Apache, `auth_basic` in Nginx) or IP-allow rules (`Require ip`, `allow`/`deny`) whose scope includes the `/.well-known/` directory. Add an exemption for `/.well-known/ucp` rather than removing the protection site-wide.

Custom / headless

Developer
  1. Allow `/.well-known/ucp` through any authentication middleware. Match on the path component only (ignore the query string) and check the exemption before any credential or session logic runs.
  2. Confirm that an unauthenticated GET (no cookies, no `Authorization` header, redirects not followed) returns `HTTP/1.1 200 OK` from the canonical URL:
GET /.well-known/ucp HTTP/1.1
Host: example.com

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: public, max-age=3600

{ "version": "2026-04-08", ... }
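The allowlisted auth gate and the verdict logic the check applies, as an added example that is not code from this page or from any UCP implementation. It assumes Node 18+ for the global `fetch`; the route shape, the credential value, the header values and the sample profile are constructed for illustration. The weak gate mirrors what site-wide basic auth or a "coming soon" plugin does; the fixed gate consults the allowlist before it looks at credentials, exempts only GET/HEAD, and matches on the normalised pathname so `?query` suffixes still match and `..` traversal does not.

```javascript
// Added example, not code from the page or from any UCP implementation.
// Assumes Node 18+ (global fetch). Route shape, header values, credential and
// the sample profile are constructed for illustration.

const UCP_PATH = "/.well-known/ucp";

// Paths that must stay reachable without credentials even while the rest
// of the storefront is behind a password or preview gate.
const PUBLIC_PATHS = new Set([UCP_PATH]);

// Constructed stand-in for a merchant profile (real profiles follow the UCP spec).
const SAMPLE_PROFILE = { version: "2026-04-08" };

// Resolve the path component only: "/.well-known/ucp?x=1" still matches,
// and "/.well-known/ucp/../admin" normalises to "/admin" and does not.
function pathOf(req) {
  return new URL(req.url, "http://localhost").pathname;
}

// Minimal origin app. It returns a plain response object instead of writing
// to a socket so the gating logic can be exercised without a listening server.
function app(req) {
  if (req.method === "GET" && pathOf(req) === UCP_PATH) {
    return {
      status: 200,
      headers: { "content-type": "application/json", "cache-control": "public, max-age=3600" },
      body: JSON.stringify(SAMPLE_PROFILE),
    };
  }
  return { status: 200, headers: { "content-type": "text/html" }, body: "<h1>storefront</h1>" };
}

// Weak form: every request, the profile included, needs credentials.
// This is what site-wide basic auth or a "coming soon" gate looks like.
function gateAll(handler, expectedAuth) {
  return (req) => {
    if ((req.headers || {}).authorization === expectedAuth) return handler(req);
    return { status: 401, headers: { "www-authenticate": 'Basic realm="storefront"' }, body: "" };
  };
}

// Fixed form: the allowlist is consulted before any credential check, and only
// GET/HEAD are exempted so the gate still covers anything else on that path.
function gateWithAllowlist(handler, expectedAuth, publicPaths = PUBLIC_PATHS) {
  const gated = gateAll(handler, expectedAuth);
  return (req) => {
    const readOnly = req.method === "GET" || req.method === "HEAD";
    if (readOnly && publicPaths.has(pathOf(req))) return handler(req);
    return gated(req);
  };
}

// Verdict the audit applies to the status of the canonical URL.
// Redirects are not followed, so a 302 to a login page fails rather than passing.
function classifyStatus(status) {
  if (status >= 200 && status < 300) return "pass";
  if (status === 401 || status === 403) return "gated";
  if (status === 404) return "missing";
  return "fail";
}

// Live check against a real origin: no cookies, no Authorization header,
// redirect: "manual" so the 2xx must come from /.well-known/ucp itself.
async function checkProfile(origin) {
  const res = await fetch(new URL(UCP_PATH, origin), {
    redirect: "manual",
    headers: { accept: "application/json" },
  });
  return { status: res.status, verdict: classifyStatus(res.status) };
}

// Usage: node ucp-check.js https://example.com
const target = process.argv.slice(2).find((a) => /^https?:\/\//.test(a));
if (target) {
  checkProfile(target).then((r) => console.log(JSON.stringify(r)));
}
```

Run `node ucp-check.js https://example.com` to get `{"status":…,"verdict":…}` for the live origin. The ordering inside `gateWithAllowlist` is the whole fix: if the credential check ran first, the exemption would never be reached, which is exactly how WAF rules and frontend authenticators end up gating the profile.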

The spec it's pinned to

  • Google UCP merchant profile — public fetchability

    Google's UCP merchant profile guide requires `/.well-known/ucp` to be publicly fetchable. A profile gated behind authentication (401/403) is unreachable for AI Mode and other agent surfaces.

  • UCP overview — discoverable profiles

    The UCP overview frames the profile as the merchant's public declaration. Gating it behind auth defeats the discovery contract.

Google UCP merchant profile guide

Does your store pass this check?

Run the full audit — 82 checks across five AI shopping surfaces. Most tools only check whether you get mentioned; we check whether an agent can buy from you.
