Specification Overview
Version Information
- Protocol Version:
2026-01-11 - This document based on: Official specification/overview.md
Keywords Notice
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, OPTIONAL in this specification are to be interpreted as described in RFC 2119 and RFC 8174.
Namespace Governance
UCP uses reverse domain encoding for governance authority:
Naming Format
{reverse-domain}.{service}.{capability}| Component | Description | Example |
|---|---|---|
{reverse-domain} | Authority identifier | dev.ucp, com.example |
{service} | Service/vertical category | shopping, common |
{capability} | Specific capability name | checkout, identity_linking |
Authority Mapping
| Namespace | Authority | Spec URL Requirement |
|---|---|---|
dev.ucp.* | ucp.dev | https://ucp.dev/... |
com.example.* | example.com | https://example.com/... |
Validation Requirement: Platforms MUST verify that the capability spec URL origin matches the namespace authority.
Naming Examples
| Name | Authority | Service | Capability |
|---|---|---|---|
dev.ucp.shopping.checkout | ucp.dev | shopping | checkout |
dev.ucp.common.identity_linking | ucp.dev | common | identity_linking |
com.example.payments.installments | example.com | payments | installments |
Service (Service) Definition
Service defines the API surface and transport bindings:
| Field | Required | Description |
|---|---|---|
version | Yes | Service version (YYYY-MM-DD format) |
spec | Yes | Service documentation URL |
rest.schema | Required for REST binding | OpenAPI 3.x spec URL |
rest.endpoint | Required for REST binding | REST endpoint URL |
mcp.schema | Required for MCP binding | OpenRPC spec URL |
mcp.endpoint | Required for MCP binding | MCP endpoint URL |
a2a.endpoint | Required for A2A binding | Agent Card URL |
embedded.schema | Required for Embedded binding | OpenRPC spec URL |
Endpoint Resolution Rules
OpenAPI paths are appended directly to the endpoint:
endpoint: https://business.example.com/ucp/v1
path: /checkout-sessions
result: POST https://business.example.com/ucp/v1/checkout-sessionsCapability Definition
Capability is a functional feature within a Service:
| Field | Required | Description |
|---|---|---|
name | Yes | Capability name (reverse domain format) |
version | Yes | Capability version (YYYY-MM-DD format) |
spec | Yes | Specification document URL |
schema | Yes | JSON Schema URL |
extends | No | Parent capability name (for extensions) |
Extension Definition
Extension is an optional capability enhancement module:
{
"name": "dev.ucp.shopping.fulfillment",
"version": "2026-01-11",
"spec": "https://ucp.dev/specification/fulfillment",
"schema": "https://ucp.dev/schemas/shopping/fulfillment.json",
"extends": "dev.ucp.shopping.checkout"
}Profile Structure
Business Profile
Published at https://business.example.com/.well-known/ucp:
{
"ucp": {
"version": "2026-01-11",
"services": {
"dev.ucp.shopping": {
"version": "2026-01-11",
"spec": "https://ucp.dev/specification/overview",
"rest": {
"schema": "https://ucp.dev/services/shopping/rest.openapi.json",
"endpoint": "https://business.example.com/ucp/v1"
}
}
},
"capabilities": [
{
"name": "dev.ucp.shopping.checkout",
"version": "2026-01-11",
"spec": "https://ucp.dev/specification/checkout",
"schema": "https://ucp.dev/schemas/shopping/checkout.json"
},
{
"name": "dev.ucp.shopping.fulfillment",
"version": "2026-01-11",
"spec": "https://ucp.dev/specification/fulfillment",
"schema": "https://ucp.dev/schemas/shopping/fulfillment.json",
"extends": "dev.ucp.shopping.checkout"
}
]
},
"payment": {
"handlers": [...]
},
"signing_keys": [...]
}Platform Profile
{
"ucp": {
"version": "2026-01-11",
"capabilities": [...]
},
"payment": {
"handlers": [...]
},
"signing_keys": [...]
}Platform Declaration Mechanism
HTTP Transport
Use UCP-Agent header (Dictionary Structured Field syntax):
UCP-Agent: profile="https://agent.example/profiles/shopping-agent.json"MCP Transport
Use _meta.ucp field:
{
"jsonrpc": "2.0",
"method": "create_checkout",
"params": {
"_meta": {
"ucp": {
"profile": "https://agent.example/profiles/shopping-agent.json"
}
},
"line_items": [...]
},
"id": 1
}Capability Negotiation Protocol
Platform Requirements
- Profile Declaration: Include Profile URI in each request
- Discovery: Pre-fetch and cache Business Profile
- Namespace Validation: Verify
specURL origin matches namespace authority - Schema Resolution: Fetch and compose schemas for negotiated capabilities
Business Requirements
- Profile Resolution: Fetch and validate platform Profile URI when receiving requests with one
- Capability Intersection: Calculate intersection of platform and business capabilities
- Extension Validation: Remove extensions whose parent capability is not in the intersection
- Response Requirements: Include
ucpfield in each response (versionandcapabilities)
Capability Intersection Algorithm
Input: Platform capability list, Business capability list
Output: Active capability list
Steps:
1. Calculate intersection: Keep capabilities with matching names
2. Prune orphaned extensions: Remove extensions whose parent capability is not in the intersection
3. Repeat step 2 until no capabilities are removedCapability Declaration in Response
{
"ucp": {
"version": "2026-01-11",
"capabilities": [
{"name": "dev.ucp.shopping.checkout", "version": "2026-01-11"},
{"name": "dev.ucp.shopping.fulfillment", "version": "2026-01-11"}
]
},
"id": "checkout_123",
"line_items": [...]
}Error Handling
When negotiation fails, the business MUST return an error response:
{
"status": "requires_escalation",
"messages": [{
"type": "error",
"code": "version_unsupported",
"message": "Version 2026-01-11 is not supported.",
"severity": "requires_buyer_input"
}]
}Payment Architecture Overview
Trust Model
| Relationship | Description |
|---|---|
| Business ↔ Credential Provider | Pre-existing legal and technical relationship |
| Platform ↔ Credential Provider | Platform interfaces with credential provider |
| Platform ↔ Business | Platform passes tokens or instructions to business |
Payment Lifecycle
1. Negotiate → Business advertises handlers
2. Acquire → Platform executes handler logic
3. Complete → Platform submits opaque credentialTransport Protocols
UCP supports the following transport protocols:
| Transport | Spec Format | Description |
|---|---|---|
| REST | OpenAPI 3.x | Primary transport, HTTP/1.1 or higher |
| MCP | OpenRPC | Direct LLM agent invocation |
| A2A | Agent Card | Agent-to-agent collaboration |
| Embedded | OpenRPC | Embedded business UI |
REST Requirements
- Content-Type:
application/json - Methods: Standard HTTP verbs (POST, GET, etc.)
- Status Codes: Standard HTTP status codes
Standard Capabilities
| Capability Name | ID | Description |
|---|---|---|
| Checkout | dev.ucp.shopping.checkout | Checkout session management |
| Identity Linking | dev.ucp.common.identity_linking | OAuth 2.0 identity linking |
| Order | dev.ucp.shopping.order | Order lifecycle notifications |
Security and Authentication
Transport Security
All UCP communication MUST use HTTPS.
Request Authentication
- Platform → Business: SHOULD use standard headers (e.g.,
Authorization: Bearer <token>) - Business → Platform (Webhook): MUST use signature verification
Data Privacy
Sensitive data MUST comply with PCI-DSS and GDPR requirements.
Transaction Integrity
For scenarios requiring cryptographic proof, UCP supports the AP2 Mandates Extension, providing:
- Business cryptographic signatures of checkout terms
- Platform cryptographic proof of user authorization
Version Control
Version Format
Use date-based versioning: YYYY-MM-DD
Version Negotiation
IF platform version ≤ business version:
Business MUST handle the request
ELSE:
Business MUST return version_unsupported errorBackward Compatibility
Compatible Changes (no new version needed):
- Adding optional fields
- Adding optional parameters
- Adding new endpoints
Breaking Changes (require new version):
- Removing or renaming fields
- Changing field types
- Making optional fields required
Independent Component Versions
- UCP protocol is independent of capability versions
- Each capability has independent version control
- Transport protocols may define their own version handling