← Articles

UCP Authorization & Abuse Signals: Platform Attestations for Commerce Security

Breaking Change UCP Security Commerce

March 14, 2026 · PR #203 · Ilya Grigorik

The Problem: Platforms See What Businesses Can't

When an AI agent submits a checkout request on behalf of a user, the business receiving that request faces an information asymmetry problem. The platform — whether it's Microsoft Copilot, Google's Shopping Agent, or another commerce AI — observes rich transaction context: IP address, user agent, device fingerprints, behavioral patterns, authentication signals. The business sees none of this directly.

This matters for fraud prevention, rate limiting, and abuse detection. Without access to environmental signals, businesses can't make informed authorization decisions. They're forced to either:

Accept elevated fraud risk by approving transactions blindly
Impose friction by requiring explicit verification on every transaction
Rely on post-hoc detection, catching abuse only after damage is done

None of these options work at scale for agentic commerce.

The Solution: Platform-Attested Signals

PR #203 introduces a signals contract that enables businesses to request environmental data from platforms, and for platforms to provide cryptographically attested observations. The key design principles:

Signals are platform attestations. Values MUST reflect direct observations by the platform, not relayed buyer claims. This is what makes them trustworthy for authorization decisions.

How It Works

The flow operates in two directions:

Businesses request signals via info messages on responses, using risk and abuse codes to indicate what data they need
Platforms provide signals on subsequent requests, with values that reflect their direct observations of the transaction environment

This creates a dynamic, capability-based system. Businesses declare what they need; platforms provide what they can observe. Extensions can define proprietary signals for specialized use cases.

Example Signal Categories

The specification defines signal categories that platforms may support:

Network signals: IP address, geolocation, proxy detection
Device signals: User agent, device fingerprint, screen characteristics
Behavioral signals: Session duration, interaction patterns, velocity checks
Authentication signals: Auth method strength, account age, verification status

Why This Is a Breaking Change

The feat! prefix indicates breaking changes. Specifically:

The info message schema for cart and checkout responses changes to accommodate signal requests
New reserved code ranges for risk and abuse messages
Implementations that process info messages must handle the new structure

For platform developers, this requires implementing signal observation and attestation capabilities. For businesses, it requires parsing signal requests and incorporating provided signals into authorization logic.

Technical Details

The PR adds 181 lines and removes 63, indicating substantial new functionality with some consolidation of existing code. Key additions:

// Business requests signals via info message
{
  "code": "risk",
  "signals": ["ip_address", "device_fingerprint", "auth_method"]
}

// Platform provides signals on next request
{
  "signals": {
    "ip_address": {"value": "...", "confidence": 0.95},
    "device_fingerprint": {"value": "...", "confidence": 0.87}
  }
}

What This Enables

With signals in place, businesses can implement sophisticated authorization strategies:

Velocity limiting: Rate limit by IP or device fingerprint, not just account
Risk scoring: Combine multiple signals for dynamic risk assessment
Fraud detection: Identify suspicious patterns across sessions
Compliance: Enforce geographic restrictions with platform-attested location

Critically, this works without requiring user-facing authentication. The platform observes; the business decides.

Context: Building the Trust Layer

This PR complements other recent UCP security work:

Eligibility claims (PR #250) — cryptographic proof of customer eligibility
Request signing — RFC 9421 signatures for message integrity
Attribution signals — conversion tracking for agentic commerce

Together, these form the trust infrastructure that enables businesses to accept AI-driven transactions with confidence. Without them, agentic commerce remains a demo. With them, it becomes enterprise-ready.

The Bottom Line

Ilya Grigorik continues to drive the critical security infrastructure that UCP needs for production adoption. Authorization and abuse signals solve a real problem — the information asymmetry between platforms and businesses — in a way that respects privacy while enabling trust.

The breaking change is worth it. You can't have secure agentic commerce without platform attestations.

Follow the implementation: PR #203 on GitHub