ACP 2026-04-17 facilitator

bridge-hello

Reference app for @ar-agents/agentic-commerce-bridge. Five demo products, a mock MercadoPago provider, and the full Agentic Commerce Protocol surface — ready to point any agent-discoverable client (ChatGPT, Claude, Gemini) at.

Discovery

ACP clients hit /.well-known/acp.json to negotiate version + capabilities (RFC 8615). Live response:

{
  "protocol": {
    "name": "acp",
    "version": "2026-04-17",
    "supported_versions": [
      "2026-04-17",
      "2026-01-30",
      "2025-12-12",
      "2025-09-29"
    ],
    "documentation_url": "https://github.com/ar-agents/ar-agents/tree/main/packages/agentic-commerce-bridge"
  },
  "api_base_url": "https://example.invalid",
  "transports": [
    "rest"
  ],
  "capabilities": {
    "services": [
      "checkout"
    ]
  }
}

ACP endpoints

All five mounted under /api/acp/*:

POST/api/acp/checkout_sessions
POST/api/acp/checkout_sessions/{id}
GET/api/acp/checkout_sessions/{id}
POST/api/acp/checkout_sessions/{id}/complete
POST/api/acp/checkout_sessions/{id}/cancel

Agent-readable product feed

Buyer agents (ChatGPT, Claude, Gemini) discover this storefront’s catalog via /.well-known/agentic-feed.json and paginate through /api/feed/products. The feed is ACP 2026-04-17-compatible, ETag-cached, and powered by @ar-agents/mercadolibre/feed. When MELI_ACCESS_TOKEN + MELI_SELLER_ID are configured, it streams the seller’s live MELI catalog; otherwise it serves a synthesized demo feed of the products above.

GET/.well-known/agentic-feed.json
GET/api/feed/products?cursor=&limit=

Catalog

Demo mode Five mock products priced in ARS. Set MELI_ACCESS_TOKEN in your env and the catalog auto-switches to live MELI lookups via @ar-agents/mercadolibre — one of the round-out toolbox packages shipped alongside the bridge.

yerba_amanda

Yerba mate Amanda 1kg

$ 4.500,00 · 50 disponibles

termos_stanley

Termo Stanley Classic 1.4L

$ 89.000,00 · 10 disponibles

alfajores_havanna

Alfajores Havanna mixtos x12

$ 18.500,00 · 100 disponibles

vino_malbec

Vino Malbec Reserva 750ml

$ 12.000,00 · 25 disponibles

bombilla_alpaca

Bombilla de alpaca pico de loro

$ 8.500,00 · 40 disponibles

Mercado Libre Agent Toolkit

@ar-agents/mercadolibre — the SDK MELI stopped shipping

The official mercadolibre/nodejs-sdk was archived in February 2022. @ar-agents/mercadolibre is the typed, AI-SDK-native replacement: 14 agent tools, 75 tests, OAuth single-use refresh-token coalescing, /myfeeds two-day replay, claim-defense pattern, reputation thermometer, and a margin-guarded promo opt-in helper.

itemsget / multi-get / create / update / pause / close / relist / search / scroll-iterate
categoriespredict + technical-spec planning in one call
questionslist / answer / blacklist + heuristic spam classifier
orderssearch / get / billing-info / packs (cart vs single)
claimssearch / evidences / messages + the 2-day SLA defendClaim helper
shipmentshistory + label blob (ZPL / PDF) + shipping options
reputationthermometer alerts + async-iterator monitor
promotionscandidates + auto-opt-in with margin floor
webhooksparse + 2-day /myfeeds replay
/ai-sdk14 Vercel AI SDK 6 tools ready for Experimental_Agent
/testingmockFetch() builder + makeMeliClient() factory

Try it: create a session

curl -X POST http://localhost:3017/api/acp/checkout_sessions \
  -H "Content-Type: application/json" \
  -H "API-Version: 2026-04-17" \
  -H "Idempotency-Key: $(uuidgen)" \
  -d '{
    "currency": "ars",
    "line_items": [
      { "id": "yerba_amanda", "quantity": 1 },
      { "id": "alfajores_havanna", "quantity": 2 }
    ],
    "buyer": { "email": "tere@example.com" }
  }'

Read a session

curl http://localhost:3017/api/acp/checkout_sessions/<id> \
  -H "API-Version: 2026-04-17"

Cancel a session

curl -X POST http://localhost:3017/api/acp/checkout_sessions/<id>/cancel \
  -H "Content-Type: application/json" \
  -H "API-Version: 2026-04-17" \
  -H "Idempotency-Key: $(uuidgen)" \
  -d '{ "reason": "buyer changed mind" }'

Complete a session (with mocked MP payment)

For the demo, use the /api/demo/seedroute to seed an "approved" MP payment that the bridge will validate against. (See README.)

curl -X POST http://localhost:3017/api/acp/checkout_sessions/<id>/complete \
  -H "Content-Type: application/json" \
  -H "API-Version: 2026-04-17" \
  -H "Idempotency-Key: $(uuidgen)" \
  -d '{
    "buyer": { "email": "tere@example.com" },
    "payment_data": {
      "handler_id": "mercadopago",
      "instrument": {
        "type": "card",
        "credential": { "type": "mp_payment_id", "token": "9001" }
      }
    }
  }'

AP2 v0.2 mandate verifier

Live AP2 mandate playground

Powered by @ar-agents/ap2 — first faithful TypeScript implementation of the FIDO Alliance Agent Payments Protocol v0.2 (single-hop + multi-hop dSD-JWT chains). Click Issue a demo mandate to mint a fresh ES256-signed Closed Checkout Mandate, then Verify to walk the full canonical verification trail (parse → resolve disclosures → compute sd_hash → verify signatures → confirm checkout_hash).

What does "verify" check?

SD-JWT VC compact serialization parses cleanly (RFC 9901).
Issuer JWS signature (ES256, P-256) matches the agent's public JWK.
Selective disclosures resolve to the issuer payload; _sd digests match.
sd_hash = base64url(sha-256(presentation up to last ~)).
For Closed Checkout Mandates: checkout_hash = base64url(sha-256(checkout_jwt)).
Inner checkout_jwt signature matches the merchant's public JWK and is signed with a non-deterministic algorithm (ECDSA family) — Ed25519 is forbidden per spec to defeat rainbow-table attacks.
For multi-hop chains: each hop's signature verifies under the previous hop's cnf.jwk; aud + nonce bound to terminal hop only.