How AI agents actually find and trust your site

A practical 2026 guide to becoming discoverable, payable, and verifiable for ChatGPT, Claude, and Gemini.

Six months ago, "AI traffic to your site" meant search engine bots crawling for SEO. By mid-2026 it means something fundamentally different: autonomous agents reasoning about your business on behalf of a user, or, increasingly, on behalf of another agent. Adobe Analytics measured a 4,700% year-over-year jump in generative-AI traffic to US retail sites between July 2024 and July 2025. ChatGPT alone now has roughly 700 million weekly users, many of them asking what to buy, where to book, what to read. The shift is real, and most sites are invisible to it.

Being "agent-discoverable" is now a distinct discipline from being SEO-discoverable. The mechanics are different. The trust model is different. And the monetisation path is different, none of the established stack (Google Ads, online travel agencies, social) routes here yet. Here's the practical guide, written for a builder who wants to know what to actually ship.

How do AI agents actually discover your site?

Most agentic-commerce guides will tell you to ship llms.txt first. That advice is half right and worth questioning. Based on public server logs and SE Ranking's study across 300,000 domains, the major LLM crawlers (OpenAI, Anthropic, Google) barely fetch llms.txt today. Adoption sits around 10% and there is no measurable citation lift from it yet. The signals agents actually read in production are Schema.org structured data and Model Context Protocol (MCP) servers.

Here's the honest priority order, what crawlers actually consume, not what the hype repeats:

1. Schema.org structured data: particularly Product, Place, Service, and Hotel types. Agents read schema markup far more reliably than visual page layout. If your hotel page has prices buried in a JavaScript carousel, an agent won't find them; if the same prices live in a Schema.org/Hotel block with priceRange and availability, every major LLM picks them up. This is the single highest-leverage signal in 2026 for organic agent discovery.

2. MCP servers and Agent Cards: the protocol layer that lets agents query your site as a tool rather than scrape it. Anthropic's MCP exposes your inventory and pricing as structured endpoints. Google's A2A protocol defines Agent Cards - JSON descriptors of your business's offerings, parameterised for machine consumption. DirectBooker's MCP server, which feeds direct hotel rates to ChatGPT and Claude, is the live proof: five of the top ten global hotel chain, including BWH Hotels and Radisson Hotel Group, with 250 million+ loyalty members between them, have signed onto it precisely to bypass the online travel agencies they previously had no choice but to route through.

3. llms.txt a Markdown file at your site root proposed by Jeremy Howard (Answer.AI) in September 2024, since adopted by Anthropic, Cloudflare, and Vercel for their own docs. The major LLM crawlers don't fetch it heavily yet, but the IDE agents (Cursor, Cline) and MCP integrations do consume it. Ship it anyway. It's a 30-minute job, costs nothing, and gives you a place to put canonical structured information about your site for the agents that DO read it.

If you ship these three signals this month, you've moved from "invisible" to "agent-discoverable", measured against what crawlers actually consume in 2026, not what the hype says.

How do agents decide whether to trust your site?

Discovery is the easy half. The hard half is identity: how does an agent know your site is who it claims to be, and how do you know which agent is permitted to transact?

Three emerging standards now sit at this layer:

• ERC-8004: an Ethereum attestation standard for agent identity. Went live on Ethereum mainnet on January 29, 2026, backed by the Ethereum Foundation's dAI team; Base deployments are next. The on-chain agent ecosystem has effectively standardised on it.
• Cloudflare Web Bot Auth: adopted in October 2025 as the authentication foundation for both Visa Trusted Agent Protocol and Mastercard Agent Pay, with Adyen, Checkout.com, Circle, Shopify, and Worldpay in the feedback group. The card networks have effectively standardised on it for the off-chain side.
• GoDaddy Agent Name Service (ANS): a DNS-equivalent for agents, in early rollout. GoDaddy is positioning to play the same authority role for agent-domain mapping that they played for human-domain names.

The umbrella term for this layer is KYA: Know Your Agent, borrowed from the KYC/KYB vocabulary of regulated finance. KYA closes the liability chain: if an agent is compromised, the merchant needs to know whose authorisation it was operating under, what the spending limits were, and which counterparty issued the mandate. The shipped primitives: Visa Trusted Agent Protocol (public spec on GitHub, co-developed with Cloudflare), Mastercard Agent Pay (tokenized agent identities), and Skyfire's KYAPay on-chain, are no longer hypothetical. The card networks have effectively standardised on Web Bot Auth + mandate verification.

For site owners: until standards consolidate fully across on-chain and card networks, build with verifiable identity hooks (signed JWTs, mandate validation, mandate-chain audit logging) and the architectural skeleton will plug into whichever wins.

How do agents actually pay you? Four protocol stacks converging

Once an agent has found you and trusts you, it needs to pay you. Four protocol stacks are converging on this layer, and each solves a different shape of transaction:

UCP (Universal Commerce Protocol): full-lifecycle merchant-to-agent API led by Google, Shopify, and the Universal Commerce Protocol Council (founded April 2026; Amazon, Meta, Microsoft, Salesforce, and Stripe as members). UCP covers product discovery, capability negotiation, cart building, and order tracking, the surrounding lifecycle inside which checkout (ACP) and settlement (x402) sit.

ACP (Agentic Commerce Protocol): co-developed by OpenAI and Stripe. ACP powers the "Buy it in ChatGPT" / Instant Checkout flow live with Etsy since February 2026, with 1M+ Shopify merchants (Glossier and SKIMS named publicly) rolling out through 2026. ACP runs on card rails and assumes a human-in-loop confirmation inside the chat interface.

AP2 (Agent Payments Protocol): originally developed by Google and donated to the FIDO Alliance in Q2 2026 for community governance, with a Mastercard-co-developed "Verifiable Intent" standard layered into the mandate spec. AP2 wraps the authorisation layer: who is permitted to transact, with what limits, on whose behalf. Backed by 60+ founding organisations including Mastercard, Adyen, PayPal, and Revolut. Complementary to ACP and x402, not competing.

x402: Coinbase's revival of HTTP 402 ("Payment Required") for machine-native stablecoin micropayments. The only protocol of the four built for true agent-to-agent and pay-per-request flows. The x402 ecosystem reached 69,000 active agents and 165 million transactions on-chain by late April 2026, with cumulative settlement value in the low tens of millions of dollars per Chainalysis, averaging around 30 cents per call, which is the headline economics for machine-to-machine commerce. AWS Bedrock AgentCore Payments preview launched May 7, 2026, built with Coinbase and Stripe. Coinbase's x402 Bazaar lists 10,000+ agent-discoverable services.

The honest mental model: UCP for the full agent-to-merchant lifecycle (discovery, cart, order tracking); ACP for "human confirms in chat" purchases on card rails; AP2 for the authorisation wrapper across all four stacks; x402 for the machine-native, per-call, stablecoin-settled flows that agent-to-agent commerce needs.

For the merchant-side view of how these four protocols compose into checkout architecture, see 'Who owns the checkout? Merchant-controlled agentic commerce"

For European merchants, the settlement leg matters as much as the protocol. USDC and EURC via Circle are MiCA-compliant. EURAU, issued by AllUnity (the BaFin-licensed JV of DWS, Flow Traders, and Galaxy), is Germany's first fully reserved, MiCAR-compliant Euro stablecoin. Bluerails provides the European x402 facilitator stack with AllUnity as the regulated EU settlement layer, so merchants get the production-grade error handling, retries, receipts, and KYA logging that the bare x402 protocol leaves to the implementer, plus settlement that doesn't require the merchant to become a CASP themselves.

What an agent actually sees on your site

The clearest way to understand "agent-discoverable" is to look at what Claude or ChatGPT sees when it queries a hotel page. Here's a typical hotel listing today:

<div class="rate-grid">
  <span class="price-tag-display" data-r="abc">€180/night</span>
  <button data-action="reserve" data-rate="abc">Reserve</button>
  <!-- carousel JS · 12 nested divs · no structured data -->
</div>

‍


The agent gets no machine-readable price, no availability state, no booking endpoint. It can guess, but it can't transact. Now the same hotel after shipping the stack:

HTTP/1.1 402 Payment Required
Accept-Payment: x402/usdc
Price: 180.00 EUR

Schema.org/Hotel: {
  "name": "Casa do Vento, Lisbon",
  "availability": "InStock",
  "priceCurrency": "EUR",
  "price": "180.00"
}
Agent-Card: /agents/casa-do-vento.json

‍


The first version is invisible to ChatGPT and Claude. The second is bookable. That's the gap most European hotels, and publishers, and tour operators; are sitting in today.

What does the 7-step implementation look like?

To make your site agent-payable today, in priority order:

1. Add Schema.org markup to every product, room, article, or service page (the single highest-leverage discovery signal).
2. Stand up an MCP server exposing your inventory and pricing.
3. Publish an A2A Agent Card describing your service capabilities and pricing.
4. Publish llms.txt at the site root, IDE agents and MCP integrations do read it.
5. Configure robots.txt to allow named AI crawlers: OAI-SearchBot, ChatGPT-User, ClaudeBot, Claude-User, Claude-SearchBot, PerplexityBot, Perplexity-User. Note: Google-Extended is a training opt-out signal, not an agent crawler, include only if you also want Gemini training inclusion.
6. Wire an x402 endpoint to a production facilitator (handling retries, receipts, refunds).
7. Plan for KYA - log mandate signatures and counterparty identifiers from day one.

Steps 1–5 are 1-day work. Steps 6–7 are 1–2 weeks if you start from scratch, or under an hour if you route through a facilitator that ships these as a managed integration.

Frequently asked questions

How does an AI agent find my website?

Through three signals in order of weight: Schema.org structured data on your product or service pages (the highest-leverage signal in 2026), an MCP server exposing your inventory as structured endpoints, and an A2A Agent Card describing your service. llms.txt is the fourth signal, IDE agents and MCP integrations read it, but major LLM crawlers don't fetch it heavily yet.

What is KYA (Know Your Agent)?

KYA is the verification layer that lets a merchant know which agent is permitted to transact, who authorised it, and what the spending limits are. The shipped primitives in 2026 are ERC-8004 (on-chain agent identity on Ethereum mainnet since January 29, 2026), Cloudflare Web Bot Auth (adopted by Visa Trusted Agent Protocol and Mastercard Agent Pay), and the broader card-network mandate-verification standards layered on top.

Do I need to implement all four protocols (UCP, ACP, AP2, x402)?

Most European merchants in 2026 should at minimum expose UCP-compatible Schema.org markup and an x402 endpoint via a production facilitator. ACP support matters if you sell to ChatGPT users; AP2 mandate verification matters once agent-to-agent transactions move significant volume. A facilitator like Bluerails handles all four protocol surfaces from a single integration.

Should I block AI crawlers in robots.txt?

No, unless your business model is content licensing rather than agent commerce. Allow OAI-SearchBot, ChatGPT-User, ClaudeBot, Claude-User, Claude-SearchBot, PerplexityBot, and Perplexity-User. Google-Extended is a training opt-out signal, not an agent crawler, include only if you also want Gemini training inclusion.

What does a European merchant do differently?

Two things: settle in a MiCA-compliant stablecoin (USDC and EURC via Circle, or EURAU via AllUnity for EU-native, BaFin-EMI-issued settlement), and pick a facilitator that handles the regulatory routing so non-EU stablecoin caps don't get hit. Everything else (Schema.org, MCP, A2A, llms.txt, robots.txt) is the same as a US merchant.

What's next

McKinsey projects agentic commerce will orchestrate $3–5 trillion in global retail spend by 2030. The companies that ship Schema.org, MCP, an A2A Agent Card, and a production-grade x402 facilitator in 2026 will be the ones agents reach in 2027. Everyone else will be invisible, at scale.

The European agent-commerce stack is forming this year. MiCA is the regulatory anchor; AllUnity's EURAU is the EU settlement instrument; UCP, ACP, AP2, and x402 are the four converging protocol stacks; vertical merchant directories - Bluerails' hotel and publisher registry, with more coming soon, are the discovery surface.

If you want to see where your site stands today, Bluerails' Agent Score scanner runs the checklist above: URL in, score out, plus the UCP, ACP, and x402 endpoint code (with Schema.org markup, llms.txt, and Agent Card scaffolding) generated for you, with AllUnity settlement plumbed underneath.

‍