Agentic Commerce on Cloudflare
Agentic Commerce / Agent builders

For teams building AI agents

Build an agent that shops
on Cloudflare's runtime.

Agents that browse real merchant sites and transact on behalf of users need stateful memory, a capable LLM, tools, and a way to identify themselves cryptographically to the sites they visit. Cloudflare gives you all of it — SDK, models, runtime, browser, and signing primitives — as a coherent stack you can deploy with a single command.

Open the Agents SDK docs ↗ How to sign your requests ↓

The Cloudflare agent stack.

Each piece stands alone and they compose naturally. If you're starting from scratch, the Agents SDK is your front door; the others slot in as your agent grows.

  • Cloudflare Agents SDK ↗

    Stateful TypeScript agents on Durable Objects. Each agent gets a built-in SQL database, WebSocket connections, scheduled tasks, and hibernation. Deploy once, run globally.

    Start here

  • Workers AI ↗

    Run open-weight LLMs on Cloudflare's serverless GPU network. The Agents SDK defaults to Workers AI but supports OpenAI, Anthropic, Gemini, or any provider via a unified interface.

    Inference

  • AI Gateway ↗

    Observability, caching, rate-limiting, model fallback, and prompt/response logging for any AI provider. Put your agent's model calls behind it and gain production control without changing SDK code.

    Ops

  • Browser Rendering ↗

    Give your agent real Chrome — navigate, scrape, screenshot, fill forms, click through checkout. Essential for agents that drive real merchant sites rather than calling APIs.

    Actions

  • Workflows ↗

    Durable execution for multi-step agent tasks — automatic retries, persistent state that runs for minutes, hours, or days. Pair with the Agents SDK for long-running orchestration.

    Orchestration

  • Vectorize ↗

    Cloudflare's vector database. Give your agent retrieval over product catalogs, past conversations, or domain-specific context.

    Memory

Signing requests so merchants trust you.

Once your agent is ready to hit a merchant's site, it needs to sign every request per Visa's Trusted Agent Protocol (TAP) — RFC 9421 HTTP Message Signatures with an intent tag saying whether the agent is browsing or buying. Merchants running TAPKit (or equivalent) verify the signature at the edge before your request ever reaches their origin.

Start here

Use TAPKit's signer as your reference.

TAPKit ships tapkit sign — a working signer that emits byte-identical output to Visa's tap-agent and verifies against a live reference merchant. It's the fastest way to get your agent's signatures correct, then port the logic into your own codebase.

Open TAPKit → Reference merchant ↗

Plus the concepts you need to understand regardless of which signer you use:

Register your public key

Enrol with Visa's Agent Registry (and in future, other scheme registries). This is how merchants discover your public key to verify against.

Visa TAP repo ↗

Sign with the right tag

agent-browser-auth on browsing requests, agent-payer-auth at checkout. The tag explicitly signals intent — merchants verify the tag matches what their endpoint expects.

Test against a live merchant

TAPKit runs a deployed reference merchant that accepts signed requests. Aim your signer at it, see your signature verified, iterate until green. Same merchant the live demo on tapkit.dev runs against.

What else you'll need.

Cloudflare gives you the runtime and the signing primitives. A production agent that handles real money also needs:

  • Payment scheme onboarding

    Visa Intelligent Commerce (VIC) tokenisation, Token Requestor identity, step-up verification flows. Coordinated directly with Visa. Mastercard Agent Pay and others will follow similar patterns.

  • User identity and consent

    Passkeys (WebAuthn) for the consumer, per-transaction approval UX, card-on-file management. Typically handled in your agent's frontend; the Agents SDK's React hooks make this straightforward.

  • Cloudflare Signed Agents directory

    In addition to scheme-specific registries, Cloudflare's Web Bot Auth directory is the edge-level trust anchor for merchants. Submit your agent here so CF merchants can configure bot-management to welcome you.

  • Content Signals and llms.txt

    For content that's agent-consumable, publish an llms.txt at your domain. For agents on the receiving end, parse others' llms.txt to respect their preferences.

Ready to build?

Three commands to a running agent on Cloudflare's platform. No API keys required — the starter uses Workers AI by default.

Open the Agents SDK ↗ Back to the front door