Auth and rate limiting

UCP traffic to Shopify's MCP servers is classified into three tiers based on how your agent identifies itself. Each tier has different capabilities and rate-limiting allowances.


Each tier reflects how much Shopify knows about the agent making the request. Stronger identification means higher rate limits and access to more sensitive tools.

The following table summarizes what each tier can do. Subsequent sections describe how to qualify for each tier.

| Auth type | Catalog tools | Cart tools | Checkout tools | complete_checkout | Order tools |
|---|---|---|---|---|---|
| Token | Yes | Yes | Yes | When the token is granted permission to complete purchases | Yes, with the read_global_api_orders scope |
| Signed | Yes | Yes | Yes | No | No |
| Anonymous | Yes | Yes | Yes | No | No |

Rate-limit guidance:

  • Rate limits scale with identification. The Token tier gets the highest limits, Signed gets lower limits, and Anonymous gets the lowest.
  • Checkout MCP is rate-limited more strictly than Cart MCP at every tier. Use Cart MCP to iterate on line items, refine context, and estimate totals, and reserve Checkout MCP for buyers who are ready to purchase.
  • Order MCP is for on-demand reads. Reserve get_order for buyer-initiated views and reconciling missed webhooks. For proactive lifecycle updates, subscribe to Order webhooks.

Token tier: agents authenticating with a credential issued through Dev Dashboard, such as a global API token, customer accounts token, or shop access token.

  • How to authenticate: JWT passed with Bearer token authentication. See Authenticate your agent for a working example.
  • What you can do: Access cart, checkout, and order tools at the highest rate limits. Call complete_checkout when your token has been granted the required permission to complete purchases on the shop's behalf. Call get_order when your token includes the read_global_api_orders scope. Order access is restricted to orders placed through your agent.

Signed tier: agents that haven't created an API key but have implemented HTTP signatures per the UCP specification.

  • How to authenticate: HTTP Message Signatures per RFC 9421 using ECDSA P-256. Shopify verifies the signature against the public key published in your agent's well-known UCP profile. See the UCP signatures specification for how to construct signed requests.
  • What you can do: Access cart and checkout tools at lower rate limits than the Token tier. complete_checkout and order tools aren't available at this tier.
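
The sign-and-verify flow behind the Signed tier, as an added example that is not Shopify's code or part of the UCP specification: it signs a request with RFC 9421 `ecdsa-p256-sha256` and checks it the way a receiver holding the agent's published public key would. The covered components, the `sig1` label, the key ID and the URL are assumptions for illustration; the UCP signatures specification defines the values an agent must actually use.

```javascript
const crypto = require('node:crypto');

// Assumed component set; the UCP signatures specification defines the real one.
const COVERED = ['@method', '@authority', '@path', 'content-digest'];

// RFC 9530 Content-Digest of the request body.
const contentDigest = (body) =>
  `sha-256=:${crypto.createHash('sha256').update(body).digest('base64')}:`;

// RFC 9421 signature base: covered components, then "@signature-params".
function signatureBase(req, params) {
  const url = new URL(req.url);
  const value = {
    '@method': req.method.toUpperCase(),
    '@authority': url.host, // WHATWG URL lowercases, drops default ports
    '@path': url.pathname,
    'content-digest': req.headers['content-digest'],
  };
  const lines = COVERED.map((c) => `"${c}": ${value[c]}`);
  return [...lines, `"@signature-params": ${params}`].join('\n');
}

// ecdsa-p256-sha256 uses the raw 64-byte r||s form (IEEE P1363), not DER.
const ecdsa = (key) => ({ key, dsaEncoding: 'ieee-p1363' });
function signRequest(req, privateKey, keyId, created) {
  const headers = { ...req.headers, 'content-digest': contentDigest(req.body) };
  const params = `(${COVERED.map((c) => `"${c}"`).join(' ')});created=${created};keyid="${keyId}"`;
  const base = signatureBase({ ...req, headers }, params);
  const sig = crypto.sign('sha256', Buffer.from(base), ecdsa(privateKey)).toString('base64');
  return { ...headers, 'signature-input': `sig1=${params}`, signature: `sig1=:${sig}:` };
}

// Receiver side: recompute digest and base, verify with the published key.
function verifyRequest(req, publicKey) {
  const { 'signature-input': input, signature } = req.headers;
  if (!input || !signature) return false; // unsigned request
  if (req.headers['content-digest'] !== contentDigest(req.body)) return false;
  const sig = Buffer.from(signature.replace(/^sig1=:|:$/g, ''), 'base64');
  const base = signatureBase(req, input.replace(/^sig1=/, ''));
  return crypto.verify('sha256', Buffer.from(base), ecdsa(publicKey), sig);
}

// Constructed demo (throwaway key, made-up request): returns [true, false].
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const req = { method: 'POST', url: 'https://agent-demo.example/mcp', headers: {}, body: '{"id":1}' };
  const signed = { ...req, headers: signRequest(req, privateKey, 'key-1', 1700000000) };
  return [verifyRequest(signed, publicKey), verifyRequest({ ...signed, method: 'GET' }, publicKey)];
}
```

A production verifier would also parse the component list out of `Signature-Input`, reject signatures that omit a required component, and bound the age of `created`.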

Anonymous tier: agents that haven't identified themselves to Shopify.

  • How to authenticate: No credentials or signatures provided. Send the request without an Authorization header or signature headers.
  • What you can do: Access catalog, cart, and checkout build/edit tools at the lowest rate limits. complete_checkout and order tools aren't available at this tier.

