UCP capability specification
Vendor capability for the Universal Commerce Protocol. Schema: /schemas/ucp/com-agentscore-identity-v1.json
A vendor capability that declares a UCP merchant runs the AgentScore identity gate before transactional endpoints settle.
UCP itself defines product discovery, capability negotiation, checkout, and post-purchase handoff, but does not define identity verification. The com.agentscore.identitycapability fills that gap. When advertised on a UCP profile, it tells the agent: this merchant runs KYC, sanctions screening, age verification, and jurisdiction checks via the AgentScore API. Agents that don't recognize the capability still see all the standard UCP capabilities (catalog, cart, checkout) and can transact through whichever capabilities the merchant supports without identity gating; agents that do recognize it can pre-flight the identity check and recover gracefully when verification is needed.
The capability is keyed under com.agentscore.identity (reverse-DNS, namespace authority agentscore.com) inside the UCP profile's capabilities map. It uses UCP's multi-parent extends to inherit from both the cart and checkout capability roots, so an agent that reads either parent picks up the AgentScore policy contract automatically.
Example binding inside ucp.capabilities:
"com.agentscore.identity": [
{
"version": "2026-04-08",
"spec": "https://www.agentscore.com/specification/identity",
"schema": "https://www.agentscore.com/schemas/ucp/com-agentscore-identity-v1.json",
"extends": ["dev.ucp.shopping.checkout", "dev.ucp.shopping.cart"],
"config": {
"require_kyc": true,
"require_sanctions_clear": true,
"min_age": 21,
"allowed_jurisdictions": ["US"]
}
}
]The schema for the binding's config object lives at /schemas/ucp/com-agentscore-identity-v1.json. All fields are optional; the merchant declares which AgentScore checks the gate enforces.
Fields:
require_kyc (boolean): gate denies if the operator/account behind the agent is not Stripe-Identity-verified.require_sanctions_clear (boolean): gate denies if the operator/account is flagged by OpenSanctions screening (OFAC, UN, EU, UK, etc.).min_age (integer): gate denies if the verified age (from KYC) is below this threshold. Common values: 18, 21.allowed_jurisdictions (array of ISO-3166-1 alpha-2): country codes the gate accepts. Empty/absent allows any. Mutually exclusive with blocked_jurisdictions.blocked_jurisdictions (array of ISO-3166-1 alpha-2): country codes the gate denies. Empty/absent denies none. Mutually exclusive with allowed_jurisdictions.End-to-end flow when an agent encounters a merchant that advertises the capability:
/.well-known/ucp, sees com.agentscore.identity in capabilities, and notes the config requirements (KYC, age, jurisdiction).POST /v1/assess ahead of time to confirm the identity will pass the merchant's policy. Returns allow or a denial reason.X-Operator-Token or X-Wallet-Address) on the request to the merchant's transactional endpoint.agentscoreGate in Node, AgentScoreGate in Python) calls AgentScore /v1/assess with the merchant's policy. On allow, the request flows through; on deny, the gate returns a 4xx with structured recovery instructions.When the gate denies, the response body carries a structured agent_instructions block describing the recovery action. Agents act from the response; no inference required.
Denial codes and their recovery actions:
missing_identity → probe_identity_then_session (try wallet on signing rails → stored opc_... → session flow)identity_verification_required → deliver_verify_url_and_poll (auto-minted session in body, agent opens verify_url + polls poll_url)wallet_signer_mismatch → resign_or_switch_to_operator_token (body carries claimed_operator, actual_signer_operator, expected_signer, linked_wallets)token_expired → deliver_verify_url_and_poll (auto-minted session, identical UX to bootstrap)wallet_not_trusted → contact_support (UNFIXABLE: sanctions_flagged / age_insufficient / jurisdiction_restricted; KYC re-verification won't change the outcome)