February 5, 2026 · UCP

UCP Request Signing: Cryptographic Trust for Agentic Commerce

As AI agents prepare to handle real money, Google proposes cryptographic signing for UCP requests and responses — laying the foundation for verifiable, tamper-proof transactions.

Ilya Grigorik

Staff Developer Advocate, Google · Creator of UCP
@igrigorik · igvita.com

Why This Matters

When an AI agent claims to represent a user and requests a $500 purchase, how does the merchant verify that request is legitimate? When a merchant responds with pricing and inventory, how does the agent know the response hasn't been tampered with in transit?

These aren't theoretical concerns — they're the fundamental trust questions that must be solved before agentic commerce can scale. PR #156 proposes cryptographic signing as the answer.

The core problem: Without signing, a man-in-the-middle could intercept UCP traffic and modify prices, inventory levels, or even redirect payments. As agent commerce grows from demos to production, these attack vectors become increasingly valuable targets.

What's Being Proposed

Request Signing

Agents will be able to sign their requests using a private key, allowing merchants to verify:

Authenticity — The request genuinely originated from the claimed agent
Integrity — The request hasn't been modified in transit
Non-repudiation — The agent cannot later deny making the request

Response Signing

Merchants sign their responses, enabling agents to verify:

Source verification — The response came from the legitimate merchant endpoint
Data integrity — Pricing, availability, and terms haven't been altered
Audit trail — A cryptographic record of what was offered

Technical Approach

The proposal leverages existing HTTP signature standards (Signature-Input and Signature headers) rather than inventing new mechanisms. This is a pragmatic choice — HTTP Message Signatures (RFC 9421) are well-understood, have existing implementations, and integrate cleanly with CDNs and proxies.

Signature-Input: sig1=("@method" "@target-uri" "content-type" "content-digest");
  created=1707148200;keyid="agent-key-123";alg="ecdsa-p256-sha256"
Signature: sig1=:MEUCIQDXPzxCZ...base64...:

Implications for the Ecosystem

For Agent Developers

You'll need key management infrastructure. This likely means:

Key generation and rotation workflows
Secure key storage (HSMs for high-value agents)
Public key discovery mechanisms (likely via .well-known endpoints)

For Merchants

Signature verification adds processing overhead, but provides crucial protections:

Reject requests from unknown or untrusted agents
Rate-limit by cryptographic identity (not just IP)
Build reputation systems based on signed transaction history

For the Protocol

This is a breaking change (hence the feat! prefix), but it's optional — merchants can choose whether to require signatures. The gradual adoption path: start with signatures optional, then required for high-value transactions, eventually required for all commerce.

What Comes Next

Request signing is just the beginning. Once cryptographic identity is established, UCP can build:

Agent reputation — Trust scores based on signed transaction history
Delegated authority — Agents signing on behalf of users with limited scopes
Dispute resolution — Cryptographic proof of what was agreed upon
Regulatory compliance — Verifiable audit trails for financial regulators

Timeline: This PR is currently in review. Given its significance, expect extended discussion before merge. The feature will likely land in UCP 1.1 or 2.0, with a deprecation period for unsigned requests.

Key Takeaway

Cryptographic signing transforms UCP from a communication protocol into a trust protocol. Just as HTTPS enabled e-commerce by solving the "is this really Amazon?" problem, UCP signing solves the "is this really a legitimate agent with authority to transact?" problem.

The companies investing in signing infrastructure now will be positioned to participate in agentic commerce when it matters. Those who wait may find themselves locked out of high-value transactions that require cryptographic verification.