Make Your Store Agent‑Ready in a Weekend: NLWeb + MCP + A2A AgentCard + AP2 (7 steps)


AI shopping agents moved from demos to distribution in 2025. Browser agents like Google’s Project Mariner and Amazon’s Nova Act are expanding access, while platform toolkits such as OpenAI AgentKit make production launches quicker.

For merchants, the practical question is simple: how do I make my existing store discoverable to agents and safe to purchase from—fast? Below is a 7‑step, copy‑paste‑friendly playbook using four open building blocks: NLWeb for natural‑language interfaces, MCP for standardized tool access, A2A AgentCard for agent‑to‑agent discovery, and AP2 for agent payments.

What you’ll ship by Sunday night

  • An NLWeb endpoint that lets agents query your content/catalog in natural language.
  • An MCP server (or connector) exposing product search and order status safely.
  • An AgentCard at /.well-known/agent.json listing your capabilities.
  • A pilot AP2 “human‑present, card” flow for secure agent checkout.

Step 1 — Turn on NLWeb for your domain

NLWeb (Natural Language Web) lets your site behave like an app that agents can query semantically. Every NLWeb instance is also an MCP server, so you get agent compatibility by design. Start with Microsoft’s intro and sample templates; plan to host your endpoint on a subpath like /nlw.

Security note: Microsoft patched an early NLWeb path‑traversal bug in July 2025; keep your implementation updated and avoid copying stale code.

Step 2 — Expose product and order data via MCP

MCP (Model Context Protocol) is the emerging standard that agents use to call tools and read data across vendors. Implement minimal read‑only tools first—e.g., product_search, inventory_lookup, order_status—with OAuth where applicable. The current protocol version is 2025‑06‑18; follow the changelog’s security best practices (OAuth resource indicators, structured tool outputs).

Step 3 — Publish your A2A AgentCard

Agents discover other agents through an AgentCard, a small JSON manifest placed at a well‑known path. Publish it at https://yourdomain.com/.well-known/agent.json and list your skills (capabilities), authentication scheme, and endpoint.

{
  "name": "Acme Store Agent",
  "description": "Product discovery and orders for Acme",
  "endpoints": {"a2a": "https://api.acme.com/a2a"},
  "authentication": {"type": "oauth2", "scopes": ["catalog.read", "orders.read"]},
  "capabilities": {
    "skills": [
      {"id": "cap:product_get", "version": "0.1"},
      {"id": "cap:search", "version": "0.1"}
    ]
  },
  "extensions": [{
      "uri": "https://github.com/google-agentic-commerce/ap2/tree/v0.1",
      "params": {"roles": ["merchant"]}
  }]
}

The example uses a CAP‑style skill prefix and advertises AP2 support via the extension URI, which many client agents use for capability discovery.
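A pre-publish check for the card, as an added example that is not part of the original post or of any A2A tooling: it lints the field layout shown above (assumed here, not taken from the official A2A schema) so that a plain-HTTP endpoint, an off-domain endpoint, or a scope beyond the read-only pilot is caught before agents see it. The function name, the allowlist and the sample card are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the card from this page with two deliberate mistakes
# (plain-HTTP endpoint, a write scope) so the linter has something to report.
SAMPLE_CARD = json.loads("""
{
  "name": "Acme Store Agent",
  "endpoints": {"a2a": "http://api.acme.com/a2a"},
  "authentication": {"type": "oauth2", "scopes": ["catalog.read", "orders.write"]},
  "capabilities": {"skills": [{"id": "cap:search", "version": "0.1"}]},
  "extensions": [{"uri": "https://github.com/google-agentic-commerce/ap2/tree/v0.1",
                  "params": {"roles": ["merchant"]}}]
}
""")

PILOT_SCOPES = {"catalog.read", "orders.read"}  # read-only pilot surface (assumption)
AP2_PREFIX = "https://github.com/google-agentic-commerce/ap2/"

def lint_agent_card(card, site_host):
    """Return a list of findings; an empty list means the card passes."""
    findings = []
    for name, url in card.get("endpoints", {}).items():
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"endpoint {name}: not HTTPS")
        host = parts.hostname or ""
        # The endpoint must sit on the merchant's domain or a subdomain of it.
        if host != site_host and not host.endswith("." + site_host):
            findings.append(f"endpoint {name}: host {host!r} outside {site_host}")
    auth = card.get("authentication", {})
    if auth.get("type") != "oauth2":
        findings.append("authentication: expected oauth2")
    for scope in sorted(set(auth.get("scopes", [])) - PILOT_SCOPES):
        findings.append(f"scope {scope}: not in read-only pilot allowlist")
    skills = card.get("capabilities", {}).get("skills", [])
    if not skills:
        findings.append("capabilities.skills: empty")
    for skill in skills:
        if not skill.get("id") or not skill.get("version"):
            findings.append(f"skill {skill!r}: missing id or version")
    if not any(e.get("uri", "").startswith(AP2_PREFIX) for e in card.get("extensions", [])):
        findings.append("extensions: AP2 extension URI not advertised")
    return findings

if __name__ == "__main__":
    for finding in lint_agent_card(SAMPLE_CARD, "acme.com"):
        print("FAIL", finding)
```

Run it in CI against the file you are about to deploy, and fail the build on any finding.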

Step 4 — Instrument a safe, measurable checkout with AP2

AP2 (Agent Payments Protocol) adds cryptographic mandates that prove user intent and agent involvement, giving issuers and merchants clear evidence for risk and disputes. Start with the v0.1 human‑present card sample to validate end‑to‑end flows locally, then gate production behind feature flags.

AP2 is gaining visibility after Google’s September 16, 2025 announcement; the spec and samples are public.

Step 5 — Register for discovery

Point your AgentCard to internal catalogs or vetted registries so agents can find you. MCP’s official roadmap also references a Registry moving toward GA, useful for enterprise/private listings while public options mature. Combine this with thoughtful linking from your site (e.g., a footer link to /.well-known/agent.json).

Step 6 — Add observability and evals

Use platform tracing/evals to measure task success, escalation rates, and AP2 mandate conversions. OpenAI AgentKit provides tracing and eval hooks you can leverage even if your core agent stack is mixed. Track: product_search to add‑to‑cart, mandate issued, mandate authorized, refund/dispute rate.

Step 7 — Pilot with a constrained surface

Keep scope tight: 100 SKUs, read‑only order status, and one payment method. Ship, watch logs, then expand. If you want a deeper primer on attribution and spoofing defenses, see our recent posts: Agent Attribution Playbook, Stop Agent Spoofing, and AgentOps SLOs.

Why these standards?

  • NLWeb: Simple natural‑language interface for websites; each instance doubles as an MCP server.
  • MCP: Cross‑vendor, open protocol standardizing how agents call tools and fetch data; current spec date is 2025‑06‑18.
  • A2A + AgentCard: Lets agents discover and collaborate directly; the well‑known agent.json location is recommended.
  • AP2: Open protocol for agent‑initiated purchases with verifiable intent and liability clarity.

Risk guards to bake in

  • Keep NLWeb up to date to avoid known vulnerabilities; validate path handling and dependency versions.
  • Enforce OAuth scopes and least‑privilege across MCP tools; follow the June 2025 security guidance.
  • Separate read vs. write tools and require explicit user confirmation for write actions.
  • Log AP2 mandate IDs in your analytics pipeline to attribute agent‑led revenue.
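The scope and read/write guards above, as an added example that is not from the original post and does not use any MCP SDK: a plain-Python authorization layer placed in front of tool handlers, denying by default and recording every decision. The three read tools and their scopes are the ones named on this page; order_cancel, orders.write, call_tool and the stub handlers are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Tool:
    scope: str                        # OAuth scope the caller's token must carry
    writes: bool                      # True if the tool changes state
    handler: Callable[[dict], dict]   # stub handlers stand in for real back ends

# Read tools and scopes are named on this page; order_cancel / orders.write
# are hypothetical and exist only to exercise the write path.
REGISTRY = {
    "product_search":   Tool("catalog.read", False, lambda a: {"hits": [a["q"]]}),
    "inventory_lookup": Tool("catalog.read", False, lambda a: {"sku": a["sku"], "qty": 3}),
    "order_status":     Tool("orders.read", False, lambda a: {"order": a["id"], "state": "shipped"}),
    "order_cancel":     Tool("orders.write", True, lambda a: {"order": a["id"], "state": "cancelled"}),
}

class Denied(Exception):
    """Raised when a tool call is refused."""

def call_tool(name, args, token_scopes, confirmed_by_user=False, audit=None):
    """Dispatch one tool call; deny by default and log every decision.

    confirmed_by_user must be set by the merchant's own session or UI,
    never copied from arguments the calling agent supplies.
    """
    audit = audit if audit is not None else []
    tool = REGISTRY.get(name)
    if tool is None:
        reason = "unknown tool"
    elif tool.scope not in token_scopes:
        reason = f"token lacks scope {tool.scope}"
    elif tool.writes and not confirmed_by_user:
        reason = "write action needs explicit user confirmation"
    else:
        reason = None
    audit.append({"tool": name, "allowed": reason is None, "reason": reason})
    if reason:
        raise Denied(reason)
    return tool.handler(args)
```

Each scope is checked per tool rather than per session, so a token issued for catalog.read cannot reach order_status even though both are read-only.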

Execution cheat‑sheet (copy/paste)

  1. Provision /nlw with NLWeb starter; wire to your catalog search and docs.
  2. Create an MCP server with product_search, inventory_lookup, order_status (OAuth).
  3. Publish /.well-known/agent.json with skills and AP2 extension.
  4. Run AP2 human‑present card sample locally; issue/verify mandates.
  5. Enable AgentKit tracing/evals for KPI dashboards.
  6. List your AgentCard URL in your site footer and internal registries; monitor logs.

Where this is heading

Vendors are converging on open protocols for the “agentic web.” Microsoft publicly backed MCP (and introduced NLWeb) at Build on May 19, 2025, and AP2 was announced with industry partners on September 16, 2025. Expect rapid tooling improvements and more agent directories through Q1–Q2 2026.

Next up from HireNinja

Want the code scaffolding for Shopify/Woo? See: AP2 vs. ACP (30‑day checklist) and our Agent SEO playbook for distribution tips.


Call to action: Need help shipping this in a weekend? Book a free 30‑minute Agent Readiness consult with HireNinja—implementation, KPIs, and guardrails included.
