UCP Embedded Checkout Protocol (EP)
Before writing code
Fetch live spec: Web-search site:ucp.dev specification checkout-embedded or fetch https://developers.google.com/merchant/ucp/guides/checkout/embedded for the exact JSON-RPC method definitions, handshake flow, and security requirements.
Conceptual Architecture
When Embedded Checkout Is Used
When a checkout reaches requires_escalation status, the agent cannot resolve the issue via API alone. The checkout response includes a continue_url — the Platform opens this URL in an iframe or webview so the buyer can interact with the merchant's checkout UI directly.
Communication Protocol
The iframe communicates with the host (Platform) using JSON-RPC 2.0 over postMessage. Both sides send and receive structured messages.
Key JSON-RPC Methods
| Method | Direction | Purpose |
|---|---|---|
ec.ready | Merchant → Host | Handshake; merchant declares which capabilities it delegates to the host |
ec.start | Merchant → Host | Checkout UI is visible and ready |
ec.payment.credential_request | Merchant → Host | Merchant asks host to acquire a payment credential |
ec.line_items.change | Merchant → Host | Cart was modified in the UI |
ec.buyer.change | Merchant → Host | Buyer details were updated |
ec.complete | Merchant → Host | Order was placed successfully |
ec.messages.change | Merchant → Host | Errors or warnings updated |
ec.payment.instruments_change_request | Merchant → Host | Merchant requests updated payment instruments |
ec.payment.change | Merchant → Host | Payment state was updated |
ec.fulfillment.address_change_request | Merchant → Host | Merchant requests updated fulfillment address |
Handshake Flow
- Host loads
continue_urlin a sandboxed iframe - Merchant sends
ec.readywith adelegatearray listing capabilities it wants the host to handle (e.g.,["payment.credential", "fulfillment.address_change"]) - Host acknowledges and provides delegated capabilities
- Merchant sends
ec.startwhen UI is fully rendered
URL Parameters
The continue_url may include:
ec_version: Protocol versionec_auth: Session validation tokenec_delegate: Comma-separated delegated actions
Security Requirements
- CSP with
frame-ancestors <host_origin>— merchant page must allow being framed only by the Platform - Strict
postMessageorigin validation on both sides - iframe
sandboxattribute:allow-scripts allow-forms allow-same-originwithcredentialless - HTTPS required for all URLs
- Silent tokenization is strictly PROHIBITED when the trigger originates from the Embedded Checkout
W3C DOMException Error Codes
Embedded Checkout methods may reject with W3C DOMException error codes:
abort_error— The operation was abortedsecurity_error— The operation violates security constraintsnot_supported_error— The requested capability is not supportedinvalid_state_error— The object is in an invalid state for this operationnot_allowed_error— The operation is not allowed in the current context
Implementation Guidance
Business (iframe content):
- Render checkout UI at the
continue_url - Implement the JSON-RPC sender/receiver over postMessage
- Send
ec.readyon load,ec.startwhen visible - Delegate payment credential acquisition to the host when possible
- Send
ec.completewith order details when checkout finishes
Platform (host):
- Open
continue_urlin a sandboxed iframe - Listen for postMessage events, parse JSON-RPC
- Handle
ec.payment.credential_requestby invoking the payment provider - Handle
ec.completeto update the agent's checkout state - Validate message origins strictly
Fetch the exact current method signatures from the live spec before implementing.