AxioRankDocs
Integrations

Adobe Commerce

Verify the AI agents that reach your Adobe Commerce and Magento Open Source REST API, GraphQL, login, and checkout with the AxioRank Agent Verification extension. A thin client of the inbound verify endpoint, with monitor and enforce modes.

Most AxioRank integrations govern the calls your agents make outbound. The Adobe Commerce extension is on the inbound side: it verifies the AI agents reaching into a website surface you operate. It is a thin client of the verify endpoint, so each protected request is forwarded as one authenticated POST to /api/gateway/verify-request and the verdict is applied in Magento. There is no PHP SDK to install and no local model. It works on both Adobe Commerce and Magento Open Source 2.4.

An API verifier, not a full-page-cache crawler blocker

Full-page-cached pages, whether served by Varnish or the built-in cache, are returned before Magento loads, so the extension never sees them. That is by design: it governs the surfaces that actually reach PHP, the REST API (/rest), GraphQL (/graphql), customer login, catalog search, checkout, and any signed or bot-like request. To challenge crawlers on cached pages, verify at the edge (in front of the cache) instead.

Install

  1. Register a website surface in AxioRank under Settings, Surfaces (or with POST /api/surfaces) and copy its site key (axr_site_...), distinct from your agent key.

  2. Install and enable the extension:

    composer require axiorank/module-agent-verification
    bin/magento module:enable AxioRank_AgentVerification
    bin/magento setup:upgrade
    bin/magento setup:di:compile
  3. Open Stores, Configuration, AxioRank, Agent Verification and paste the site key, or define it in app/etc/env.php for better hygiene:

    'axiorank' => [
        'site_key' => 'axr_site_...',
    ],

    The environment variable AXIORANK_SITE_KEY works too, and an environment value always overrides the stored configuration.

  4. Leave the mode on Monitor, save, and use Test connection to confirm AxioRank is reachable.

What gets verified

The extension only forwards requests worth checking, so ordinary shopper page views never call out:

  • Any request carrying Web Bot Auth signature headers (always verified).
  • An enabled sensitive surface: REST (/rest), GraphQL (/graphql), customer login and account, catalog search, or checkout. Each is a toggle on the configuration page. The admin panel is available too, off by default.
  • Any request with a bot-like user agent, which catches crawlers that reach PHP on a cache miss.

Each verified request is scored and logged in your AxioRank dashboard with the agent identity, verification method, and risk, exactly like any other inbound surface request.

Monitor first, then enforce

A surface starts in monitor posture: AxioRank computes and logs the verdict, but nothing is blocked. Watch the audit log to see what would have been challenged or blocked, then set both the AxioRank surface and the extension to enforce. The extension acts only when the response's own enforced flag is true, so the surface posture stays authoritative:

  • block returns 403 (a JSON error on REST and GraphQL).
  • challenge returns 401.

Fail-open by design

Verification sits in the hot path of your own store, so it fails open. Only a rejected site key raises an admin notice; any timeout or transport failure resolves to an allow, so a verification outage never takes Adobe Commerce down.

Next steps

  • Inbound surfaces: the model behind the website surface.
  • Policies: scope inbound decisions by operation and agent.
  • Gateway API: the raw verify-request contract the extension speaks.

On this page