Cart Capability - REST Binding
Cart Capability - REST Binding
Section titled “Cart Capability - REST Binding”This document specifies the REST binding for the Cart Capability.
Protocol Fundamentals
Section titled “Protocol Fundamentals”Discovery
Section titled “Discovery”Businesses advertise REST transport availability through their UCP profile at
/.well-known/ucp.
{ "ucp": { "version": "2026-01-11", "services": { "dev.ucp.shopping": { "version": "2026-01-11", "spec": "https://ucp.dev/2026-01-11/specification/overview", "rest": { "schema": "https://ucp.dev/2026-01-11/services/shopping/rest.openapi.json", "endpoint": "https://business.example.com/ucp/v1" } } }, "capabilities": [ { "name": "dev.ucp.shopping.checkout", "version": "2026-01-11" }, { "name": "dev.ucp.shopping.cart", "version": "2026-01-11" } ] }}Base URL
Section titled “Base URL”All UCP REST endpoints are relative to the business’s base URL, which is
discovered through the UCP profile at /.well-known/ucp. The endpoint for the
cart capability is defined in the rest.endpoint field of the business profile.
Content Types
Section titled “Content Types”- Request:
application/json - Response:
application/json
All request and response bodies MUST be valid JSON as specified in RFC 8259.
Transport Security
Section titled “Transport Security”All REST endpoints MUST be served over HTTPS with minimum TLS version 1.3.
Operations
Section titled “Operations”| Operation | Method | Endpoint | Description |
|---|---|---|---|
| Create Cart | POST | /carts | Create a cart session. |
| Get Cart | GET | /carts/{id} | Get a cart session. |
| Update Cart | PUT | /carts/{id} | Update a cart session. |
| Cancel Cart | POST | /carts/{id}/cancel | Cancel a cart session. |
Create Cart
Section titled “Create Cart”Example
Section titled “Example”=== “Request”
```jsonPOST /carts HTTP/1.1UCP-Agent: profile="https://platform.example/profile"Content-Type: application/json
{ "line_items": [ { "item": { "id": "item_123" }, "quantity": 2 } ], "context": { "address_country": "US", "address_region": "CA", "postal_code": "94105" }}```=== “Response”
```jsonHTTP/1.1 201 CreatedContent-Type: application/json
{ "ucp": { "version": "2026-01-11", "capabilities": [ {"name": "dev.ucp.shopping.checkout", "version": "2026-01-11"}, {"name": "dev.ucp.shopping.cart", "version": "2026-01-11"} ] }, "id": "cart_abc123", "line_items": [ { "id": "li_1", "item": { "id": "item_123", "title": "Red T-Shirt", "price": 2500 }, "quantity": 2, "totals": [ {"type": "subtotal", "amount": 5000}, {"type": "total", "amount": 5000} ] } ], "currency": "USD", "totals": [ {"type": "subtotal", "amount": 5000}, {"type": "total", "amount": 5000, "display_text": "Estimated total (taxes calculated at checkout)"} ], "continue_url": "https://business.example.com/checkout?cart=cart_abc123", "expires_at": "2026-01-16T12:00:00Z"}```=== “Error Response”
All items out of stock — no cart resource is created:
```jsonHTTP/1.1 200 OKContent-Type: application/json
{ "ucp": { "version": "2026-01-11", "status": "error" }, "messages": [ { "type": "error", "code": "out_of_stock", "content": "All requested items are currently out of stock", "severity": "unrecoverable" } ], "continue_url": "https://merchant.com/"}```Get Cart
Section titled “Get Cart”Example
Section titled “Example”=== “Request”
```jsonGET /carts/{id} HTTP/1.1UCP-Agent: profile="https://platform.example/profile"```=== “Not Found”
```jsonHTTP/1.1 200 OKContent-Type: application/json
{ "ucp": { "version": "2026-01-11", "status": "error", "capabilities": [ {"name": "dev.ucp.shopping.cart", "version": "2026-01-11"} ] }, "messages": [ { "type": "error", "code": "not_found", "content": "Cart not found or has expired", "severity": "unrecoverable" } ], "continue_url": "https://merchant.com/"}```Update Cart
Section titled “Update Cart”Example
Section titled “Example”=== “Request”
```jsonPUT /carts/{id} HTTP/1.1UCP-Agent: profile="https://platform.example/profile"Content-Type: application/json
{ "id": "cart_abc123", "line_items": [ { "item": {"id": "item_123"}, "id": "li_1", "quantity": 3 }, { "item": {"id": "item_456"}, "id": "li_2", "quantity": 1 } ], "context": { "address_country": "US", "address_region": "CA", "postal_code": "94105" }}```Cancel Cart
Section titled “Cancel Cart”Example
Section titled “Example”=== “Request”
```jsonPOST /carts/{id}/cancel HTTP/1.1UCP-Agent: profile="https://platform.example/profile"Content-Type: application/json
{}```HTTP Headers
Section titled “HTTP Headers”Specific Header Requirements
Section titled “Specific Header Requirements”- UCP-Agent: All requests MUST include the
UCP-Agentheader containing the platform profile URI using Dictionary Structured Field syntax (RFC 8941). Format:profile="https://platform.example/profile". - Idempotency-Key: Operations that modify state SHOULD support
idempotency. When provided, the server MUST:
- Store the key with the operation result for at least 24 hours.
- Return the cached result for duplicate keys.
- Return
409 Conflictif the key is reused with different parameters.
Protocol Mechanics
Section titled “Protocol Mechanics”Status Codes
Section titled “Status Codes”| Status Code | Description |
|---|---|
200 OK | The request was successful. |
201 Created | The cart was successfully created. |
400 Bad Request | The request was invalid or cannot be served. |
401 Unauthorized | Authentication is required and has failed or has not been provided. |
403 Forbidden | The request is authenticated but the user does not have the necessary permissions. |
409 Conflict | The request could not be completed due to a conflict (e.g., idempotent key reuse). |
422 Unprocessable Entity | The profile content is malformed (discovery failure). |
424 Failed Dependency | The profile URL is valid but fetch failed (discovery failure). |
429 Too Many Requests | Rate limit exceeded. |
500 Internal Server Error | An unexpected condition was encountered on the server. |
503 Service Unavailable | Temporary unavailability. |
Error Responses
Section titled “Error Responses”- Protocol errors: Return appropriate HTTP status code (401, 403, 409, 429,
503) with JSON body containing
codeandcontent. - Business outcomes: Return HTTP 200 with UCP envelope and
messagesarray.
Security Considerations
Section titled “Security Considerations”Authentication
Section titled “Authentication”Authentication is optional and depends on business requirements. When authentication is required, the REST transport MAY use:
- Open API: No authentication required for public operations.
- API Keys: Via
X-API-Keyheader. - OAuth 2.0: Via
Authorization: Bearer {token}header, following RFC 6749. - Mutual TLS: For high-security environments.