| Internet-Draft | well-known MCP Commerce Profile | June 2026 |
| Soden & Walker | Expires 5 December 2026 | [Page] |
This document defines an informational profile for the Server Card
document retrieved from the /.well-known/mcp.json Well-Known
URI defined by the Model Context Protocol (MCP) project. The profile
adds an optional commerce extension to the Server Card, carried in the
Server Card's _meta object under the reverse-DNS key
com.beaconspec/commerce, for commercial businesses operating
MCP servers. The extension carries
business identity, geographic location, industry classification,
offering type, and advertised capability categories. The
purpose of the profile is to give AI agents enough machine-readable
information about a commercial MCP server to filter, select, and
bootstrap an interaction without first opening an MCP session against
every candidate server.¶
Discussion of this draft takes place on the IETF DISPATCH mailing list (https://mailarchive.ietf.org/arch/browse/dispatch/). Source for this draft and an issue tracker can be found at https://github.com/beaconspec/mcp-commerce-profile.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 5 December 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The Model Context Protocol (MCP, see [MCP-SPEC]) provides a standardized mechanism by which Large Language Model (LLM) applications can invoke tools and retrieve context from external services. As of the 2025-11-25 specification release, MCP is hosted under the Linux Foundation (LF Projects, LLC) and governed by a Core Maintainer group.¶
A Specification Enhancement Proposal (SEP-1649) currently under
review within the MCP project proposes a standardized discovery
mechanism, the /.well-known/mcp.json endpoint, that
allows an MCP client to retrieve a Server Card describing an MCP
server's capabilities prior to establishing a session. This document
does not duplicate or conflict with that work. It defines an
optional commerce extension layered on top of the Server Card,
addressed at the specific use case of discovering and transacting
with commercial businesses through an AI agent.¶
The profile exists to enable interactions of the following form. An end user asks a digital assistant: "find me a pair of size 10 running shoes under $20 near me, and order a pair if you find something in stock." A well-implemented assistant decomposes this into three steps:¶
tools/list) to obtain the precise inventory and
order-placement tools.¶
Without a shared vocabulary for business-level metadata, step 1 either fragments across vendor-specific directories or forces the assistant to open MCP sessions against every candidate to inspect tool descriptions, both of which are expensive and slow. This profile defines the shared vocabulary.¶
This profile depends on the Server Card schema defined by SEP-1649 [MCP-SERVER-CARDS] as a baseline. Where SEP-1649 specifies how an MCP client connects to a server (transport, identity of the server, MCP-level authorization), this profile does not re-specify those mechanisms. It only adds business-level information about the entity operating the server.¶
This profile is not a competitor to Schema.org's
LocalBusiness vocabulary
([SCHEMA-ORG-LB]). Schema.org describes
businesses for human-facing web pages. This profile describes
businesses for agent-facing MCP discovery. Publishers may
publish both; an optional field of this profile carries a
Schema.org type for cross-referencing.¶
This profile is not a replacement for, nor a competitor to, the llms.txt convention (https://llmstxt.org). llms.txt is for passive LLM context; this profile is for active agent discovery and invocation. The two are complementary.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
/.well-known/mcp.json, as defined by the core MCP
specification (referenced here as [MCP-SERVER-CARDS]). The same
document may also be served at
/.well-known/mcp/server-card.json, the location proposed
by [MCP-SERVER-CARDS-2127].¶
_meta object under the key
com.beaconspec/commerce.¶
_meta
object.¶
The Commerce Profile is carried within the Server Card's
_meta object, the metadata extension mechanism defined by
the MCP base specification [MCP-META]. The profile
occupies a single member whose key is
com.beaconspec/commerce.¶
This profile is independent of the path at which the Server Card is
published. A Profile Publisher SHOULD serve the same
Server Card document at both /.well-known/mcp.json (the
canonical location) and /.well-known/mcp/server-card.json
(the location proposed by [MCP-SERVER-CARDS-2127]), so
that clients following either convention can discover it. Because the
Commerce Profile travels inside the Server Card's _meta
object, it is carried unchanged regardless of which path a client
retrieves.¶
The key uses the reverse-DNS prefix form that MCP defines for
_meta members. Per [MCP-META], only prefixes
whose second label is modelcontextprotocol or mcp
are reserved for the MCP project; com.beaconspec is
controlled by Beacon Spec, so com.beaconspec/commerce is a
conformant third-party key.¶
Implementations that do not understand the
com.beaconspec/commerce member MUST ignore
it, which is the default handling for unrecognized _meta
members.¶
The value of the com.beaconspec/commerce member
MUST be a JSON object. The object
MUST conform to the schema defined in
Section 3.¶
The version field within the commerce object
carries the version of this Commerce Profile that the document
conforms to. Versions follow Semantic Versioning 2.0.0
[SEMVER], formatted as the string
"MAJOR.MINOR.PATCH". This document defines version
"1.0.0".¶
Major-version increments indicate backward-incompatible schema changes. Minor-version increments indicate backward-compatible additions. Patch-version increments indicate editorial clarifications without schema change.¶
Unless otherwise stated, all fields in the commerce object
are OPTIONAL. Fields explicitly marked
"REQUIRED" below MUST be present in
every commerce block.¶
A string in Semantic Versioning 2.0.0 format. MUST
equal "1.0.0" for documents conforming to this profile.¶
An ISO 8601 timestamp ([RFC3339]) indicating when
the commerce block was last modified. Marketplace
implementations SHOULD use this field to skip
re-indexing unchanged entries.¶
The business name as it should be displayed to end users. This may differ from the legal entity name. UTF-8 string, recommended maximum length 200 characters.¶
A short paragraph describing the business in plain language, for presentation to end users by AI agents. UTF-8 string, recommended maximum length 1000 characters.¶
An object identifying the single hosted endpoint an AI client connects to, and the protocol spoken there. It has two members:¶
type (REQUIRED)"mcp" (a Model Context Protocol server) or
"api" (a plain HTTPS REST API described by an OpenAPI
document). A commerce listing exposes exactly one hosted
endpoint. The server self-describes its catalog on connection:
for mcp, via the MCP initialize and
tools/list exchange; for api, via its OpenAPI
document.¶
url (REQUIRED)url
MUST begin with https://.¶
A commerce listing addresses a live, hosted endpoint, not a package to be installed. Where the SEP-1649 Server Card already specifies an MCP endpoint for the same server, the values SHOULD be consistent.¶
A non-empty array of strings. Each string is a NAICS 2022 industry classification code (the North American Industry Classification System, jointly maintained by the United States Census Bureau, Statistics Canada, and INEGI Mexico; see [NAICS]).¶
Real businesses commonly span multiple codes; the array shape is intentional. Codes MUST be six-digit strings. Numeric encoding is not permitted, because leading zeros are significant.¶
NAICS is North American by origin but widely used as a key in customer-relationship-management, sales, and business-to-business systems globally. International classification systems (ISIC, NACE) are out of scope for this version of the profile.¶
A string equal to a Schema.org LocalBusiness subtype
identifier (e.g., "Plumber", "HVACBusiness",
"Restaurant"). Provided as a complement to NAICS for AI
agents that consume Schema.org JSON-LD natively. See
[SCHEMA-ORG-LB].¶
A controlled-vocabulary string identifying what the business fundamentally offers. MUST be one of:¶
"product""service""content""mixed"A controlled-vocabulary string identifying whether the business serves a defined geographic region or operates online without location dependence. MUST be one of:¶
"local"geo field
MUST be present.¶
"online-only"geo field MAY be
omitted.¶
"hybrid"geo
field MUST be present.¶
An object with at minimum the following fields:¶
country (REQUIRED, string)"US",
"DE", "JP").¶
city (REQUIRED, string)region (OPTIONAL, string)postalCode (OPTIONAL, string)contactemail and phone string
members. For human-escalation paths when an AI agent cannot
resolve a transaction.¶
currency"USD"). Indicates the
primary currency in which prices are quoted. Independent of
geo.country (a US-based site may quote in
"USD" while serving customers worldwide).¶
languagesprivacyPolicyUrl, termsOfServiceUrl
displayNamebusinessName.¶
logoUrlThis profile defines a publication format. It does not define a federation protocol between marketplaces and AI clients. Integration of marketplaces with end-user AI clients (such as chat-based assistants, IDE-integrated coding agents, or operating system-level digital assistants) is currently client-specific and is outside the scope of this document.¶
Marketplaces MAY populate their indexes by any means consistent with the policies of the sites they index. Two common patterns are recognized:¶
/.well-known/mcp.json to the marketplace
via a marketplace-specific submission form or API.¶
/.well-known/mcp.json from a known set of origins on a
schedule.¶
Marketplaces that accept submissions SHOULD verify that the submitter controls the origin from which the Server Card is served before listing the entry. This document defines two compatible challenge methods. The marketplace issues a one-time token and the submitter satisfies the challenge by either method (the submitter chooses based on their available control surfaces):¶
/.well-known/mcp/marketplaceValidation.txt on the
origin. The marketplace fetches this URL and matches the body
against the issued token. Mirrors the HTTP-01 challenge type of
[RFC8555].¶
_mcp-marketplace-validation.example.com). The
marketplace resolves the record and matches it against the
issued token. Mirrors the DNS-01 challenge type of
[RFC8555].¶
Marketplaces SHOULD re-fetch the Server Card on a
schedule consistent with the lastUpdated field, and
SHOULD reject or de-list entries whose ownership
challenge can no longer be satisfied.¶
Documents conforming to this profile are public by definition;
they describe a business's intent to be discovered by AI agents.
Profile Publishers MUST NOT place secrets,
end-user data, or session credentials in the commerce
block.¶
AI agents that consume Commerce Profile data MUST treat it as self-asserted by the publisher and not, in itself, a statement of identity verification. Trust establishment is out-of-band and not specified by this document. The ownership-of-origin challenges defined in Section 4 establish that the submitter controlled the origin at submission time; they do not establish anything about the legal identity, regulatory status, or solvency of the business behind the origin.¶
AI agents SHOULD surface
privacyPolicyUrl and termsOfServiceUrl (when
present) to end users before initiating an irreversible
transaction (for example, a payment) on the user's behalf.¶
This document requests no new IANA registrations on its own
authority. The path /.well-known/mcp.json is registered
under the procedure described by SEP-1649; this profile defines
a _meta member inside the document served at that path.¶
Editor's note for IANA reviewer: should circumstances require a
sub-suffix registration for the artifact at
/.well-known/mcp/marketplaceValidation.txt defined in
Section 4, the authors are
prepared to file a separate registration request consistent with
[RFC8615].¶
A reference example Server Card with a populated
commerce block is published in the source repository
for this draft at
https://github.com/beaconspec/mcp-commerce-profile/blob/main/examples/.well-known/mcp.json.
A normative JSON Schema is published at
https://github.com/beaconspec/mcp-commerce-profile/blob/main/schema/commerce-profile-v1.0.0.json.¶
The authors thank the authors of SEP-1649 for the core Server Card specification on which this profile depends.¶