Six months ago, “an AI agent placed an order on your store” was a demo. In May 2026, it’s traffic. OpenAI’s Operator, Anthropic’s Computer Use, Perplexity’s shopping agent, and the first wave of MCP-driven checkout clients are all routing real shoppers — and real money — through WooCommerce stores that were never designed for non-human buyers.
The short version: agentic checkout doesn’t break WooCommerce — it breaks the assumptions wrapped around it. Cart-abandonment popups, hCaptcha walls, “are you human” friction, and JS-only product data are the four places most stores are leaking agent revenue right now.
What “agentic commerce” actually means
An agent is software acting on a shopper’s behalf with delegated payment authority. The shopper says “order me another 5kg bag of the dog food I bought in March, but only if it’s under $90 delivered by Friday”. The agent reads product pages, compares stores, fills the cart, and completes checkout — usually with a tokenised card or a wallet credential the shopper pre-authorised.
There are three flavours showing up in WooCommerce logs today:
- Browser-driven agents — Operator-style. They render your site in a real Chromium instance and click buttons.
- API-driven agents — they call your REST or GraphQL endpoints directly, skipping the front-end entirely.
- MCP-driven agents — they consume a Model Context Protocol server you publish, where products, stock, and checkout are exposed as tools.
The four leaks
1. Hidden product data
If your price, stock, and variant matrix are injected by JavaScript after the page loads, a non-headless agent reads an empty shell. Render the essentials server-side, or expose them in JSON-LD Product markup. Schema.org structured data is now the agent-readable contract — treat it as a first-class output, not an SEO afterthought.
2. Bot challenges that can’t tell the difference
hCaptcha, Cloudflare’s Turnstile, and most WAF rules were trained to block scrapers. They also block paying customers’ agents. The fix isn’t to disable them — it’s to whitelist signed agent traffic. The IETF’s Web Bot Auth draft and Cloudflare’s signed-agent program both give you a cryptographic way to say “this is Operator, not a scraper”. Wire it into your WAF rules now.
3. Checkout friction designed for humans
The exit-intent popup that recovers 4% of human carts costs you 100% of agent carts — the agent sees a modal it doesn’t know how to dismiss and gives up. Audit every fc_, woocommerce_cart_, and third-party popup script on checkout. Anything that requires a mouse gesture is now a revenue tax.
4. Payment methods agents can’t use
Apple Pay sheets, Klarna pop-ups, and 3DS challenges that demand a live phone are agent-hostile. The early winners are stores that accept agent-friendly rails: Stripe’s delegated authorization, Visa’s Trusted Agent Protocol, and PayPal’s agentic API. None of these are exotic — they’re plain REST plus a token. WooCommerce gateways for the first two shipped in Q1 2026.
What we’d do this quarter
- Measure agent traffic. Add a log column for user agents matching
OAI-SearchBot,ChatGPT-User,PerplexityBot,ClaudeBot,Operator,Browserbase. You probably can’t optimise for what you can’t see. - Publish JSON-LD product data on every PDP. WooCommerce does this partially; verify variants, stock, and price are all in the rendered HTML.
- Stand up an MCP product server. Expose
search_products,get_inventory, andcreate_quoteas tools. This is a weekend project for a competent backend dev and it puts you on the shortlist for agents that prefer structured tools over scraping. - Add one agent-compatible payment method. Stripe’s delegated auth is the lowest-lift starting point in WooCommerce.
- Whitelist signed agents in Cloudflare. Don’t broadly disable bot protection — sign-gate it.
The honest take: agentic traffic is still under 3% of revenue for most mid-market stores. The reason to do this work now is that the cost of catching up next year — once agents are routing 15–20% of repeat orders — is much higher than the cost of being early. Stores that ship in the next two quarters will accumulate the structured-data and signed-traffic reputation that’s hard to bolt on later.
What we’re seeing in production
Across the WooCommerce + NetSuite stores we operate, agent-originated checkout sessions tripled between January and April 2026. Conversion on those sessions is lower than human sessions (roughly 1.8% vs 2.6%) — and the gap is almost entirely explained by the four leaks above. The stores that fixed the JSON-LD and the popup interference closed about two-thirds of the gap within a month.
None of this requires a re-platform. It requires treating agents as a distinct traffic class with their own UX contract — the same way you eventually did for mobile.