AxioRankDocs
Integrations

WooCommerce

Verify the AI agents that add to cart, check out, and call your WooCommerce store's API with the AxioRank for WooCommerce extension. A thin client of the inbound verify endpoint that blocks unverified agents in real time, before the order is created.

Most AxioRank integrations govern the calls your agents make outbound. The WooCommerce extension is on the inbound side: it verifies the AI agents reaching a website surface you operate, your cart, checkout, and store API. It is a thin client of the verify endpoint, so each checked request is forwarded as one authenticated POST to /api/gateway/verify-request and the verdict drives what happens. There is no theme code to write and no local model.

A real inline block, because it runs on your server

Unlike a hosted marketplace app, a WooCommerce extension runs as PHP in your store's own request path. So it enforces synchronously: an unverified agent is stopped at the checkout, add to cart, or the REST API, before the order is created, using WooCommerce's recommended rest_authentication_errors hook. You can still choose the softer hold or cancel response if you would rather the order exist first.

Install

  1. Register a website surface in AxioRank under Inbound, Surfaces (or with POST /api/surfaces) for your store's domain and copy its site key (axr_site_...), distinct from your agent key.
  2. Install AxioRank for WooCommerce from the WooCommerce Marketplace.
  3. In WooCommerce, open the AxioRank screen, paste the site key, and save. To keep the key out of the database, define it in wp-config.php instead: define( 'AXIORANK_SITE_KEY', 'axr_site_...' );
  4. Press Test connection, then leave the mode on Monitor.

What gets verified

The extension only checks the traffic worth checking, so ordinary human shopping never calls out:

  • Any request carrying Web Bot Auth signature material (always verified).
  • Every checkout, block or classic, so each order carries an agent verdict.
  • Add to cart, the WooCommerce REST API (wc/v3), and customer login, when the request is signed or its user-agent looks like a bot. Each is a toggle.

Each check is scored and logged in your AxioRank dashboard, and written onto the order, with the agent identity, verification method, and risk.

Order attribution

Every verified checkout is attributed. The extension writes the verdict to the order (_axr_wc_status, _axr_wc_agent, _axr_wc_decision, _axr_wc_risk), adds an order note, and shows an AI agent column on the orders screen so you can see at a glance which orders came from a verified agent, an unverified one, or an impostor. Order access is through the WC_Order API, so it is HPOS-safe.

Monitor first, then enforce

A surface starts in monitor posture: AxioRank computes and logs the verdict and writes it to the order, but nothing is blocked. Watch the audit log and the AI agent column, then set both the AxioRank surface and the extension to enforce. Enforcement acts only when the response's own enforced flag is true, so the surface posture stays authoritative. When you enforce, you pick the response to an unverified agent:

  • Block at checkout (default): reject the checkout inline before the order is created. Also blocks a flagged add to cart, REST call, or login.
  • Hold the order: let the order through, then set flagged orders to on-hold.
  • Cancel the order: let the order through, then cancel flagged orders.
  • Tag only: never block, just record the verdict on the order.

Fail-open by design

Verification sits in your checkout path, so it fails open. Only a rejected site key raises a notice; any timeout or transport failure resolves to an allow, so a verification outage never blocks a sale.

What is sent to AxioRank

For each checked request, the extension sends the basics needed to verify identity: the requested path, the method, the stated user-agent, the IP address, and the headers that carry the agent's signature. It never sends cookies, passwords, card details, or the contents of the cart or order.

Next steps

  • Inbound surfaces: the model behind the website surface.
  • Policies: scope inbound decisions by operation and agent.
  • Gateway API: the raw verify-request contract the extension speaks.

On this page