Agentic Commerce Protocol for Magento 2

October 10, 2025 ยท View on GitHub

95% OpenAI ACP Spec Compliant | Pre-Production | Awaiting Platform Access

Enable ChatGPT purchases directly from your Magento 2 store using the Agentic Commerce Protocol (ACP) - an open standard by OpenAI and Stripe.

โš ๏ธ Status: This module is spec-compliant and fully tested with unit/integration tests, but has NOT been tested with actual OpenAI ChatGPT platform access. We are awaiting approval from OpenAI's merchant program. Use at your own risk until platform testing is complete.

License: MIT Magento 2.4.6+ PHP 8.1+

๐Ÿš€ Features

โœ… OpenAI ACP Specification Compliance (95%)

Checkout Session API:

  • Enhanced response schema with line_items, total_details, fulfillment_options
  • All monetary values as integers (cents) per spec
  • Correct status enums: not_ready_for_payment, ready_for_payment, completed, cancelled
  • Order tracking with order_url and confirmation_email_sent
  • Shipping method selection via fulfillment_option_id

Product Feed:

  • Spec-compliant fields: id, title, link, brand, images, inventory_quantity
  • Configurable product variants with individual pricing
  • Multiple image support (full gallery)
  • Real-time inventory levels
  • Per-product control flags (acp_enable_search, acp_enable_checkout)
  • CLI feed generation (bin/magento acp:feed:generate)
  • Automated feed regeneration (cron every 6 hours)
  • Static file support for large catalogs (10k+ products)

Security Headers:

  • Idempotency-Key validation (Redis-backed, 24hr cache)
  • Request-Id tracking for correlation
  • Timestamp validation (5min tolerance, prevents replay attacks)
  • Signature HMAC SHA256 validation (optional, configurable)
  • API-Version compatibility checking

Core Functionality

  • โœ… Full REST API (5 endpoints: create, get, update, complete, cancel)
  • โœ… Real Magento Quote integration (pricing, taxes, discounts, inventory)
  • โœ… Stripe Delegated Payment with official SDK
  • โœ… Webhook notifications (order.created, order.updated)
  • โœ… Multi-currency support
  • โœ… Database persistence with proper ResourceModel pattern
  • โœ… Automated session cleanup cron job

Security & Enterprise Features

  • โœ… Bearer token API authentication
  • โœ… Idempotency key duplicate prevention
  • โœ… Timestamp-based replay attack prevention
  • โœ… HMAC signature validation (configurable)
  • โœ… Encrypted secret storage
  • โœ… ACL permissions
  • โœ… Comprehensive audit logging

Developer Experience

  • โœ… 39 Tests (31 unit + 8 integration) covering critical paths
  • โœ… Monetary conversion accuracy tests
  • โœ… Security validation tests
  • โœ… End-to-end API flow tests
  • โœ… PSR-12 compliant code
  • โœ… Proper Magento service contracts
  • โœ… Full dependency injection
  • โœ… Type-safe (strict_types everywhere)

๐Ÿ“‹ Requirements

  • Magento: 2.4.6+
  • PHP: 8.1+
  • Composer: 2.x
  • Redis: For caching (idempotency keys)
  • Stripe Account: For payment processing

๐Ÿ“ฆ Installation

composer require run-as-root/module-agentic-commerce-protocol
bin/magento module:enable RunAsRoot_AgenticCommerceProtocol
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento cache:flush

Manual Installation

git clone https://github.com/run-as-root/ACP-for-Magento-2.git
mkdir -p app/code/RunAsRoot/AgenticCommerceProtocol
cp -r ACP-for-Magento-2/* app/code/RunAsRoot/AgenticCommerceProtocol/
bin/magento module:enable RunAsRoot_AgenticCommerceProtocol
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento cache:flush

โš™๏ธ Configuration

Navigate to Stores > Configuration > Agentic Commerce Protocol

1. General Settings

  • Enable Module: Turn on/off the ACP functionality
  • API Key: Generate secure key for OpenAI authentication
  • Test Mode: Enable verbose logging for development
  • Session Retention: Days to keep completed sessions (default: 30)

2. Security Settings (NEW)

  • Enable Signature Validation: HMAC SHA256 request signing
  • Signature Secret: Shared secret for signature verification
  • Timestamp Tolerance: Replay attack window (default: 300 seconds)

3. Product Feed

  • Enable Product Feed: Allow ChatGPT product discovery
  • Include Categories: Filter by category (empty = all)
  • Maximum Products: Limit feed size (default: 1000)

4. Webhook Settings

  • Enable Webhooks: Send order events to OpenAI
  • Endpoint URL: OpenAI webhook receiver
  • Signing Secret: HMAC signature for webhooks

5. Stripe Payment

  • Enable Stripe: Use Stripe for payment processing
  • Secret Key: Your Stripe API key (sk_live_* or sk_test_*)
  • Test Mode: Use Stripe test environment

๐Ÿ”Œ API Endpoints

Checkout Session API (Requires Authentication)

All endpoints require these headers:

Authorization: Bearer <api-key>
Idempotency-Key: <unique-request-id>
Request-Id: <correlation-id>
Timestamp: <unix-timestamp>

Create Session

POST /rest/V1/acp/checkout_sessions
Content-Type: application/json

{
  "items": [
    {"sku": "24-MB01", "quantity": 2}
  ]
}

Update Session

POST /rest/V1/acp/checkout_sessions/{id}

{
  "buyer": {
    "email": "customer@example.com",
    "first_name": "John",
    "last_name": "Doe"
  },
  "fulfillment_address": {
    "first_name": "John",
    "last_name": "Doe",
    "address_line1": "123 Main St",
    "city": "New York",
    "state": "NY",
    "postal_code": "10001",
    "country": "US"
  },
  "fulfillment_option_id": "flatrate_flatrate"
}

Get Session

GET /rest/V1/acp/checkout_sessions/{id}

Complete Session

POST /rest/V1/acp/checkout_sessions/{id}/complete

{
  "payment_data": {
    "token": "pm_stripe_token_here"
  }
}

Cancel Session

POST /rest/V1/acp/checkout_sessions/{id}/cancel

Product Feed (Public)

GET /acp/feed

Returns JSON feed with all visible products in ACP format.

๐Ÿ”ง CLI Commands

Generate Static Product Feed

bin/magento acp:feed:generate

# Options:
bin/magento acp:feed:generate --store=1 --output=custom_feed.json

Generates a static JSON feed file in var/acp/feed.json for improved performance with large catalogs.

Benefits:

  • Pre-generate feeds for 10k+ product catalogs
  • Reduce real-time server load
  • Automated regeneration via cron (every 6 hours)
  • Custom output paths for multi-store setups

๐Ÿงช Testing

Run Unit Tests (31 tests)

cd Test/Unit
../../../vendor/bin/phpunit

Run Integration Tests (8 tests)

cd magento
bin/magento dev:tests:run integration RunAsRoot_AgenticCommerceProtocol

Test Coverage:

  • โœ… Monetary conversion accuracy
  • โœ… Security header validation
  • โœ… Response schema compliance
  • โœ… End-to-end checkout flows
  • โœ… Idempotency and replay protection

๐Ÿ—๏ธ Architecture

Follows Magento 2 best practices:

Structure:

Model/
โ”œโ”€โ”€ Response/              # ACP response builders
โ”‚   โ”œโ”€โ”€ CheckoutSessionResponseBuilder.php
โ”‚   โ”œโ”€โ”€ LineItemBuilder.php
โ”‚   โ”œโ”€โ”€ TotalDetailsBuilder.php
โ”‚   โ””โ”€โ”€ FulfillmentOptionsBuilder.php
โ”œโ”€โ”€ Auth/                  # Security validators
โ”‚   โ”œโ”€โ”€ HeaderValidator.php
โ”‚   โ”œโ”€โ”€ IdempotencyManager.php
โ”‚   โ”œโ”€โ”€ SignatureValidator.php
โ”‚   โ””โ”€โ”€ TimestampValidator.php
โ”œโ”€โ”€ CheckoutSessionManagement.php
โ”œโ”€โ”€ Order/OrderManagement.php
โ””โ”€โ”€ Feed/ProductFeedGenerator.php

Plugin/
โ”œโ”€โ”€ ApiAuthenticationPlugin.php
โ””โ”€โ”€ CheckoutSessionResponsePlugin.php

Test/
โ”œโ”€โ”€ Unit/                  # 31 unit tests
โ””โ”€โ”€ Integration/          # 8 integration tests

Patterns Used:

  • Service Contracts (Api/)
  • Dependency Injection (constructor)
  • Plugin/Interceptor pattern
  • Repository pattern
  • Builder pattern (responses)
  • Strategy pattern (validators)

๐Ÿค Contributing

  1. Fork the repository
  2. Create feature branch (git checkout -b feature/awesome-feature)
  3. Write tests for new functionality
  4. Ensure all tests pass
  5. Commit with clear message (git commit -m 'feat: add awesome feature')
  6. Push and open Pull Request

Quality Standards:

  • โœ… Unit tests required for new code
  • โœ… Integration tests for API changes
  • โœ… PSR-12 coding standards
  • โœ… Type hints and strict_types
  • โœ… PHPStan level 8 compliance

๐Ÿ“„ License

MIT License - see LICENSE file

๐Ÿ”— Resources

๐Ÿ’ฌ Support

Issues & Questions: GitHub Issues

Maintainer: run_as_root GmbH info@run-as-root.sh

Version: 1.5 (OpenAI Certification Ready)

๐ŸŽฏ OpenAI Certification Status

Current Compliance: 95% (Spec-Compliant, Awaiting Platform Testing)

Completed:

  • โœ… All required response fields per ACP spec
  • โœ… Correct monetary value format (cents)
  • โœ… Proper status enums
  • โœ… Complete header validation
  • โœ… Product feed spec compliance
  • โœ… Security features (idempotency, replay protection)
  • โœ… 39 comprehensive tests (unit + integration)

Status:

  • โœ… Code complete and spec-compliant
  • โœ… Unit and integration tests passing
  • โณ Awaiting OpenAI platform access for live testing
  • โณ Merchant application submitted, pending approval

NOT YET TESTED WITH:

  • โŒ Actual ChatGPT Instant Checkout interface
  • โŒ Real OpenAI API calls
  • โŒ OpenAI conformance test suite

Timeline:

  1. โณ Awaiting OpenAI merchant program approval
  2. Platform testing & conformance tests (est. 2-3 weeks)
  3. Bug fixes from platform testing (est. 1-2 weeks)
  4. Final certification submission
  5. Production deployment

Application: https://chatgpt.com/merchants