Developer Documentation

Ship an Agent-Ready storefront.

AgentsBloom is drop-in middleware that makes your storefront instantly machine-readable and autonomous-agent-ready with native support for WebMCP, ARD (Agentic Resource Discovery), and OKF (Open Knowledge Framework). Autonomous agents (ChatGPT, Claude, Perplexity) discover your APIs, register tools in the browser, and bypass CAPTCHAs — securely.

1. Introduction

AgentsBloom sits alongside your existing routes as middleware. When a human visits your site, they see your standard HTML. When an AI visits (or uses a browser extension), the SDK serves structured JSON and automatically registers WebMCP tools into the agent's context.

Core Capabilities

  • WebMCP Injection

    Injects <meta name="webmcp" content="active"> and registers tools via navigator.ai.registerTool.

  • ARD Discovery

    Auto-generates and serves /.well-known/agent-spec and /ai-catalog.json.

  • LLM Context

    Serves a structured /llms.txt to train navigating bots.

  • DDoS & CAPTCHA Defense

    Rate limits, Idempotency caching, and X-Agent-Signature validation for verified bots.

2. Installation & Quickstart (Custom Stacks)

For headless storefronts and custom web apps, use our NPM packages to wrap your API.

Next.js — @agentsbloom/next-sdk

The easiest way to integrate with Next.js applications using Edge Middleware.

1. Install the package

terminalbash
1npm install @agentsbloom/next-sdk

2. Add to middleware.ts

middleware.tsts
1import { withAgentsBloom } from "@agentsbloom/next-sdk";
2
3export const config = {
4 matcher: [
5 '/.well-known/:path*',
6 '/ai-catalog.json',
7 '/llms.txt',
8 '/api/agentsbloom/:path*'
9 ]
10};
11
12export default withAgentsBloom({
13 name: "My Agent-Ready Store",
14 description: "An e-commerce store optimized for human and machine AI agents.",
15 agentSecret: process.env.AGENTSBLOOM_SECRET, // Used for CAPTCHA bypassing
16 actions: {
17 search: {
18 method: "POST",
19 description: "Search the product catalog.",
20 params: { query: "string", limit: "number" }
21 },
22 checkout: {
23 method: "POST",
24 description: "Complete an order.",
25 params: { items: "array", payment_intent: "string" }
26 }
27 }
28});

Node.js / Express — @agentsbloom/sdk

For standard Express / Node.js environments, use our vanilla middleware.

server.tsts
1import express from 'express';
2import { agentsbloom } from '@agentsbloom/sdk';
3
4const app = express();
5
6app.use(agentsbloom({
7 apiKey: "sk_live_your_api_key",
8 agentSecret: process.env.AGENTSBLOOM_SECRET,
9 actions: { /* ... same as above ... */ }
10}));

3. Platform Integrations (No-Code & Express)

Skip the SDK when you run a standard CMS or e-commerce platform.

S

Express Shopify Integration

Our Shopify App uses Theme App Extensions (App Blocks) to inject WebMCP metadata into your storefront without editing liquid files.

  1. Install the AgentsBloom app from the Shopify App Store.
  2. Open Online Store → Themes → Customize.
  3. In the App Embeds tab, enable AgentsBloom AI Agent.
  4. Paste your Workspace API Key and click Save.
W

WordPress / WooCommerce Plugin

Hooks into wp_head and wp_footer to inject the WebMCP registry and/llms.txt endpoints automatically.

  1. Install agentsbloom.zip from your dashboard.
  2. Activate it via the WordPress Admin.
  3. In the new AgentsBloom menu, paste your Workspace API Key.

4. AI Discoverability (ARD & OKF)

Once installed, AgentsBloom automatically routes AI traffic by exposing standard discovery endpoints. You don't need to build these manually.

GET/.well-known/agent-spec
Master specification sheet for navigating agents — supported auth methods, rate limits, and available action routes.
GET/ai-catalog.json
Implements the ARD schema (agentic-resource-discovery.org), mapping your SDK actions into JSON schemas LLMs parse into tool calls.
GET/llms.txt
Raw markdown context optimized for OKF crawlers, summarizing your store and pointing bots to the catalog.

5. Security & Trust

CAPTCHA Bypassing (X-Agent-Signature)

Autonomous agents often get blocked by Cloudflare or standard CAPTCHAs. AgentsBloom lets verified agents bypass these checks securely using cryptographic signatures.

On write requests (POST, PUT, DELETE), agents must send:

  • X-Agent-Identifier — unique string identifying the agent session.
  • X-Agent-Signature — HMAC SHA-256 hash of the identifier, signed with your AGENTSBLOOM_SECRET.

Invalid or missing signatures return 403 Verification Failed or 401 Verification Required.

Rate Limiting (DDoS Protection)

In-memory IP rate limiting by default (30 requests per minute). Responses include:

  • X-RateLimit-Limit
  • X-RateLimit-Remaining
  • X-RateLimit-Reset

Over-limit requests return 429 Too Many Requests with a Retry-After header.

Idempotency

All write actions accept an Idempotency-Key header. Retries within 5 minutes replay the cached response (with X-Cache: Idempotent-Hit) instead of re-executing the action — so agents never trigger duplicate purchases.

6. Developer CLI

Use the AgentsBloom CLI to manage compliance locally or simulate agent behavior.

Installation

terminalbash
1npm install -g agentsbloom

Commands

agentsbloom loginAuthenticate your terminal.
agentsbloom sync ./catalog.jsonManually push a JSON product catalog.
agentsbloom test "do you have red shoes?"Simulate a conversation with your storefront agent locally.
Need a Workspace API key?

Head to Integrations to generate a sandbox key. Rotating is instant.