API-first vs protocol-first for agentic commerce.

A decision matrix and migration path for digital leaders choosing between API-first (REST/GraphQL) and protocol-first (MCP/UCP/ACP/A2A) approaches to agentic commerce, with no-replatforming guidance.

eLLMo Team

January 6, 2026•15 min read

Agentic Commerce API Design Protocol Standards MCP UCP ACP A2A Revenue Strategy

Executive Summary

Agentic commerce moves transactions from web pages to AI agents. The question for digital leaders is not if agents will buy. It's how your stack exposes product truth and checkout in a way agents can reliably discover, validate, and execute. This post lays out when to stay API-first (REST/GraphQL) and when to add protocol-first adapters (MCP, UCP, ACP, A2A), with a decision matrix and a pragmatic, no-replatforming migration path.

Key takeaways:

API-first remains essential for your apps and partners.
Protocol-first adds interoperable semantics that agents expect: discoverability, capability negotiation, consent, audit, and end-to-end transaction flows.
A layered approach lets you keep existing systems while making product knowledge and checkout executable by AI agents.

Quick Definitions

API-first

Designing services primarily as REST/GraphQL endpoints for human-facing apps and partner integrations.

Protocol-first

Implementing open, agent-native protocols that encode common semantics (discovery, capabilities, consent, commerce flows) so many agents can interoperate without one-off integrations.

MCP (Model Context Protocol)

Standardizes how AI applications integrate external data/tools with clear capability negotiation and lifecycle. MCP's architecture is inspired by Language Server Protocol to foster ecosystem-wide interoperability.

Reference: MCP Specification

MCP Lifecycle

MCP GitHub

UCP (Universal Commerce Protocol)

Defines commerce objects and flows (catalog, checkout sessions, handlers) with support for transports like REST/JSON-RPC and interoperability with MCP/A2A/AP2.

Reference: UCP.dev

Google Developers: Under the Hood: UCP

ACP (Agentic Commerce Protocol)

An open standard specifying how agents and businesses coordinate checkout/transactions programmatically; initially advanced by Stripe and OpenAI.

Reference: AgenticCommerce.dev

ACP GitHub

A2A (Agent2Agent)

Protocol for typed, secure, cross-vendor agent messaging and collaboration; Linux Foundation project with broad ecosystem support.

Reference: A2A Specification

Google: A2A Announcement

A2A GitHub

AP2 (Agent Payments Protocol)

A payment authorization protocol to securely transact on behalf of users in agent flows.

Reference: AP2 Specification

Decision Matrix: API-first vs Protocol-first

Use this matrix to evaluate when API-first (REST/GraphQL) is sufficient versus when protocol-first adapters (MCP/UCP/ACP/A2A) add strategic value:

Criteria	API-first (REST/GraphQL)	Protocol-first (MCP/UCP/ACP/A2A)
Time-to-market	Fast for known clients; reuses existing contracts	Ramp includes protocol semantics and capability negotiation
Interoperability	One-off integrations; custom mappings	Multi-agent by design; shared semantics and discovery
Consent & audit	App-managed auth/logging	Protocol-level consent prompts, capability scoping, session lifecycle, auditable actions
Transaction complexity	Works, but orchestration lives in client	Encodes flows: discovery → validation → checkout → payment (UCP/AP2), multi-agent handoffs (A2A)
Catalog semantics	Custom schemas; uneven quality	Standardized schemas and handlers; intent-aligned responses
Ecosystem reach	Your apps and direct partners	Agents, answer engines, and ecosystems that speak MCP/UCP/A2A
Integrator overhead	Each agent requires bespoke work	Implement once per protocol; agents discover capabilities

Practical guidance:

If you need speed and you control the client: lead with REST/GraphQL.
If you need many agents to "just work" across discovery and checkout: add protocol-first adapters.

How the Protocols Fit Together (Layered Architecture)

Think of these protocols as complementary layers, not competitors:

MCP (tooling/data access): Lets AI applications discover and invoke your capabilities under a negotiated lifecycle (initialize, capabilities, operations) with explicit user consent gates. MCP standardizes how AI models access external tools and data sources, enabling rich, real-time context sharing beyond simple data exchange.
UCP (commerce semantics): Defines portable commerce objects and flows (e.g., checkout-sessions, line_items, handlers), supporting agent discovery and consistent checkout mechanics. UCP enables AI agents like ChatGPT, Gemini, and Alexa to seamlessly discover, negotiate, and transact with merchants through standardized discovery, product profiles, checkout sessions, and payment handlers.
ACP (agentic checkout flows): Specifies how agents and businesses coordinate to complete purchases programmatically; compatible with platform payments and agent ecosystems. ACP facilitates programmatic purchases where AI agents act as intermediaries on behalf of users, handling request evaluation, payment signals, and custom logic for transaction approval.
A2A (agent collaboration): Establishes typed messages and roles so agents can delegate tasks across systems and vendors securely. A2A enables secure, interoperable communication and collaboration between independent AI agents across platforms, supporting capability discovery, negotiation, context maintenance, and failure handling in multi-agent workflows.
AP2 (payments): Authorizes payment on behalf of a user in agent contexts, complementing checkout flows. AP2 works in concert with ACP to enable secure, verifiable agent-led transactions.

Think in layers:

Keep your API layer (REST/GraphQL) as your canonical interface for internal apps and legacy partners.
Add a protocol gateway layer that exposes protocol semantics for agents.
Enforce consent, policy, and audit at the protocol layer so all agent interactions are governed.

Migration Path: REST/GraphQL → MCP/UCP/A2A

This is a step-by-step guide to migrating from API-first to protocol-first without replatforming your existing systems.

Stand up a protocol gateway (adapter layer)

Deploy a thin service that translates protocol calls into your existing REST/GraphQL. Start read-only: product discovery, availability, policy lookups. Goals: zero downtime, no schema rewrites in core systems.

Map schemas and capabilities

Map UCP commerce objects to your models (catalog, variants, prices, inventory, fulfillment constraints). Define MCP-exposed "resources" and "tools" backed by your APIs. Keep tools minimal and safe by default. Document capability boundaries (e.g., read PDP data; create checkout session; no cancellations initially).

Implement consent and least-privilege

Require explicit consent prompts for data access and any "write" operations at the MCP layer. Scope capabilities per agent profile; deny-by-default for risky operations until proven. Log all agent actions with correlation IDs for audit.

Pilot with discovery and validation

Enable agents to answer "What should I buy?" through MCP resources and UCP-compatible discovery. Return structured attributes agents can reason over (ingredients, materials, sizes, compliance tags). Hold off on payment while you observe accuracy and latency.

Add checkout sessions via UCP/ACP

Implement UCP checkout-sessions as a translation to your order/cart APIs. Support line_items, shipping estimates, discounts, and taxes deterministically. Integrate ACP-compatible flows where supported to coordinate checkout with agent platforms.

Enable payments with AP2

Add AP2-compatible payment handlers to authorize on-behalf-of-user payments. Keep a human-in-the-loop policy for higher-risk categories (age-restricted, high AOV) during ramp.

Harden and expand

Introduce A2A for inter-agent delegation where your flows cross vendors (e.g., financing, fulfillment partners). Add rate limits, anomaly detection, refund/return hooks, post-purchase status updates. Monitor conversion, exception rates, and policy violations; iterate capability exposure.

What "No Replatforming" Looks Like

Your CMS/PIM/OMS/Payments remain in place. The adapter translates protocol semantics to your existing APIs. Over time, you can native-ize portions (e.g., emit UCP-native events) as business value proves out.

Governance, Consent, and Policy Hooks

Effective protocol implementation requires governance controls at multiple layers:

Consent surfaces: Use protocol prompts for high-impact actions (creating checkouts, applying stored payment instruments). MCP's elicitation mechanism enables explicit user consent gates before sensitive operations.
Capability scoping: Expose only the minimum tools/resources agents need; version your capability set. Start with read-only operations and expand based on telemetry and trust signals.
Policy enforcement: Blocklists for SKUs, constraints for regions/age, dynamic risk scoring for high-value orders. Enforce merchant policies, regulatory compliance, and approval workflows during agent interactions.
Audit & observability: Session lifecycle logs, idempotency keys, replay detection, full request/response capture for forensics. Log all agent actions with correlation IDs and maintain immutable audit trails.
Data isolation: Maintain tenant isolation across all protocol surfaces; ensure model- or host-side caches do not leak cross-tenant context. Enforce Row Level Security (RLS) policies at the protocol gateway layer.

Risks and Anti-patterns to Avoid

1:1 endpoint wrapping without semantics

Anti-pattern: Mirroring every REST endpoint under MCP/UCP. Agents need intent-aligned objects and flows, not CRUD-by-proxy. Instead, design protocol interfaces that match agent mental models (discovery, validation, checkout) rather than exposing raw database operations.

Overexposure of tools

Anti-pattern: Offering unrestricted tool execution. Start least-privilege and expand based on telemetry. Begin with read-only capabilities and gradually enable write operations only after establishing trust signals and observing usage patterns.

Unbounded autonomy

Anti-pattern: Allowing autonomous purchase flows without consent gates, guardrails, or spend caps. Implement explicit consent prompts for high-value transactions, enforce spending limits, and require human approval for risky categories (age-restricted products, high AOV orders).

Inconsistent catalog truth

Anti-pattern: Allowing agents to retrieve stale or conflicting product data. Establish a single, verified source of product truth. Ensure real-time synchronization between protocol surfaces and source systems (CMS/PIM), and implement cache invalidation strategies to prevent stale data exposure.

No post-purchase surface

Anti-pattern: Completing checkout but not exposing returns, cancellations, status updates. Agents need full lifecycle coverage. Implement post-purchase endpoints for order status, returns, exchanges, and support workflows so agents can provide complete customer service.

Capability Checklist for Agentic Readiness

Your roadmap to AI-first commerce

Catalog

Normalized attributes, availability, pricing, compliance tags, media. Rich, structured product information enabling AI understanding beyond keywords: attributes, variants, policies, compatibility, certifications, and usage guidance.

Policies

Shipping, returns, warranty, region restrictions, age gating. Interfaces for enforcing merchant policies, regulatory compliance, and approval workflows during agent interactions.

Checkout

Line items, discounts, shipping methods, taxes, idempotent sessions. Middleware to manage checkout sessions, payment handler negotiation, discount application, and fulfillment triggers compatible with UCP, ACP, and agent-specific requirements.

Payments

AP2-compatible handler(s); fallback options; dispute/chargeback handling. Secure payment authorization on behalf of users in agent contexts, with proper fraud detection and risk management.

Consent & Security

Per-agent capability policies, explicit prompts, RBAC, rate limits, audit logs. Require explicit consent for high-impact actions, scope capabilities per agent profile, and maintain comprehensive audit trails.

Observability

Latency SLOs, error budgets, exception tracing, policy violation alerts. Monitor conversion, exception rates, and policy violations; track agent interactions with correlation IDs and maintain real-time dashboards.

To stay up to date, follow us on LinkedIn and sign up to our mailing list via our mailing list.

Frequently Asked Questions

Q: When should we stay API-first?

If your primary clients are your own apps or a small set of partners and you control the UX, API-first may be sufficient. Add protocol adapters later for incremental agent reach. API-first remains essential for internal applications and direct partner integrations where you have full control over the client implementation.

Q: Which protocol should we start with?

Start where your near-term goals sit:

Discovery/validation: MCP for resources/tools exposure, paired with UCP-compatible catalog semantics.
Checkout: UCP/ACP for sessions and transaction orchestration.
Payments: AP2 when you're ready for on-behalf-of-user transactions.
Cross-vendor delegation: A2A as flows span multiple agents or providers.

Q: Do we need to rewrite our commerce stack?

No. A protocol gateway can translate protocol messages to existing REST/GraphQL. Revisit native protocol support only where it simplifies operations or improves reliability. Your CMS/PIM/OMS/Payments remain in place; the adapter translates protocol semantics to your existing APIs.

Q: How do these protocols interact?

MCP exposes capabilities to AI applications with consent and lifecycle management. UCP and ACP encode commerce flows. A2A enables inter-agent messaging. AP2 secures payments. They are complementary layers, not competitors. Think of them as a stack: MCP for discovery and tool access, UCP/ACP for commerce semantics and checkout, A2A for multi-agent coordination, and AP2 for secure payment authorization.

The agentic commerce era is not theoretical or distant. The protocols are here. The agents are operational. The question is no longer whether to participate, but how quickly you can make your catalog agent-ready.

Your most defensible advantage is authoritative, structured, and distributable product knowledge. The window for organic positioning is open, but narrowing as more brands adopt agentic protocols and AI platforms introduce paid placements. Make your catalog agent-ready now. The assistants and your future customers are already asking.