Adobe Commerce
Verify the AI agents that reach your Adobe Commerce and Magento Open Source REST API, GraphQL, login, and checkout with the AxioRank Agent Verification extension. A thin client of the inbound verify endpoint, with monitor and enforce modes.
Most AxioRank integrations govern the calls your agents make outbound. The
Adobe Commerce extension is on the inbound side: it verifies the AI agents
reaching into a website surface you operate. It is a
thin client of the verify endpoint, so each protected request is forwarded as one
authenticated POST to /api/gateway/verify-request and the verdict is applied in
Magento. There is no PHP SDK to install and no local model. It works on both
Adobe Commerce and Magento Open Source 2.4.
An API verifier, not a full-page-cache crawler blocker
Full-page-cached pages, whether served by Varnish or the built-in cache, are
returned before Magento loads, so the extension never sees them. That is by
design: it governs the surfaces that actually reach PHP, the REST API
(/rest), GraphQL (/graphql), customer login, catalog search, checkout, and
any signed or bot-like request. To challenge crawlers on cached pages, verify
at the edge (in front of the cache) instead.
Install
-
Register a
websitesurface in AxioRank under Settings, Surfaces (or withPOST /api/surfaces) and copy its site key (axr_site_...), distinct from your agent key. -
Install and enable the extension:
composer require axiorank/module-agent-verification bin/magento module:enable AxioRank_AgentVerification bin/magento setup:upgrade bin/magento setup:di:compile -
Open Stores, Configuration, AxioRank, Agent Verification and paste the site key, or define it in
app/etc/env.phpfor better hygiene:'axiorank' => [ 'site_key' => 'axr_site_...', ],The environment variable
AXIORANK_SITE_KEYworks too, and an environment value always overrides the stored configuration. -
Leave the mode on Monitor, save, and use Test connection to confirm AxioRank is reachable.
What gets verified
The extension only forwards requests worth checking, so ordinary shopper page views never call out:
- Any request carrying Web Bot Auth signature headers (always verified).
- An enabled sensitive surface: REST (
/rest), GraphQL (/graphql), customer login and account, catalog search, or checkout. Each is a toggle on the configuration page. The admin panel is available too, off by default. - Any request with a bot-like user agent, which catches crawlers that reach PHP on a cache miss.
Each verified request is scored and logged in your AxioRank dashboard with the agent identity, verification method, and risk, exactly like any other inbound surface request.
Monitor first, then enforce
A surface starts in monitor posture: AxioRank computes and logs the verdict,
but nothing is blocked. Watch the audit log to see what
would have been challenged or blocked, then set both the AxioRank surface and the
extension to enforce. The extension acts only when the response's own
enforced flag is true, so the surface posture stays authoritative:
blockreturns403(a JSON error on REST and GraphQL).challengereturns401.
Fail-open by design
Verification sits in the hot path of your own store, so it fails open. Only a rejected site key raises an admin notice; any timeout or transport failure resolves to an allow, so a verification outage never takes Adobe Commerce down.
Next steps
- Inbound surfaces: the model behind the
websitesurface. - Policies: scope inbound decisions by operation and agent.
- Gateway API: the raw
verify-requestcontract the extension speaks.
Shopify
Verify the AI agents that browse and buy on your Shopify store with the AxioRank Agent Verification app. A thin client of the inbound verify endpoint, with monitor and enforce modes and order-level enforcement.
Datadog
Stream the AxioRank governed audit log into Datadog and install the AxioRank tile for a prebuilt log pipeline, two dashboards, and four monitors. Watch agent governance next to the rest of your stack.