Agentic checkout stopped being a 2027 roadmap item some time in November 2025. Atlas, Perplexity Pro, and Claude-with-browser are all completing Shopify purchases right now — modest volume, growing 40-60% month over month, and uneven across merchants based on how checkout-friendly the store is. This post is the end-to-end flow, plus the six failure modes that quietly lose the order before confirmation.
The seven-step agent flow
Every agent implementation we've reverse-engineered from server logs follows the same pattern: parse shopper intent, resolve merchant and product, verify availability and eligibility, add to cart, create checkout, authorize payment, return confirmation.
Step 1 — Intent parsing
The shopper says “buy me the Alora 72 standing desk in black, ship to my saved address.” The agent extracts the product reference (“Alora 72 standing desk”), the variant attribute (“black”), the shipping target (“saved address”), and an implicit quantity of one.
Step 2 — Merchant and product resolution
The agent uses its citation graph — the same graph that produces recommendations in regular ChatGPT/Perplexity/Claude answers — to identify the canonical URL. It will typically fetch /products/alora-72-desk.json (Shopify's public JSON endpoint) to confirm the product exists and read the variants array.
Step 3 — Availability and eligibility verification
The agent reads Offer.availability, Offer.price, and Offer.shippingDetails from your JSON-LD graph. If any signal the order can't complete (out of stock, ineligible ship-to region, price mismatch with a previously quoted value), the agent aborts before touching the cart.
Step 4 — Cart creation
A POST to /cart/add.js with the variant ID and quantity. On success the agent gets a cart token and proceeds. On failure (422 Unprocessable Entity or 403 Forbidden), this is where most lost-order failure modes happen — variant mismatch, WAF blocks, stale inventory.
Step 5 — Checkout token
POST to /checkouts.json with the shipping address, email, and phone from the shopper's saved profile. Shopify returns a checkout token and a payment-selection URL. The agent uses the token, not the URL.
Step 6 — Payment authorization and completion
The agent POSTs to /checkouts/{token}/complete with a tokenized payment — Shop Pay, PayPal, or a pre-authorized card wallet token. Shopify processes the charge and returns the order confirmation. 3DS challenges are handled by the wallet issuer, transparently to the agent.
Step 7 — Return to shopper
The agent posts the order number, total charged, and estimated delivery back into the chat thread. This is where attribution anchors — if your analytics is tracking agent user agents, this is the order that gets tagged as agent-initiated.
The six failure modes
Each of these costs 3-8% of agent-initiated revenue. Most Shopify merchants we audit have three or more active in production right now.
1. Variant ID mismatch
The agent picks a color variant (“black”) from your Product schema, but when it POSTs to /cart/add.js with that variant ID, Shopify returns 422 because the variant doesn't exist or uses a different option name. Root cause: your JSON-LD hasVariant array is incomplete or uses option labels that don't match the Shopify admin labels.
Fix: emit every variant in the hasVariant array with additionalProperty nodes for each option (Color, Size, Material) and make sure the option values match your admin labels exactly. Don't use friendly names in schema if your admin uses SKU codes or vice versa.
2. WAF blocks agent user agent
Shopify Plus stores with custom WAFs (Cloudflare, AWS WAF, CyberPanel firewalls, or third-party bot filters like DataDome) frequently block user agents containing “bot” or “crawler” — which means GPTBot, Atlas, and ClaudeBot all get 403'd. The agent can't even reach your product page.
Fix: whitelist known agent user agents (OAI-SearchBot, ChatGPT-User, PerplexityBot, ClaudeBot, GPTBot, Atlas) on all public endpoints. Apply rate limits generously — these are first-party-intent agents, not scrapers.
3. Age gate / region gate interstitial
Merchants in categories like supplements, alcohol, or CBD run a modal overlay on every page that requires a click-through to confirm age or region. The modal is JS-injected and requires a JS click to dismiss. Agents don't run JS on the fetch; they see a blank page.
Fix: move the gate to the PDP UI only, never to the cart or checkout endpoints. If legal requires a gated display, emit a Product.isAccessibleForFree: false hint and let the agent signal to the shopper that the purchase requires an age-verified session.
4. Stale inventory in schema
The most common silent-failure mode. Your schema cache says Offer.availability: InStock but the SKU actually went out of stock an hour ago. The agent passes Step 3 (verification), then hits 422 at Step 4 (cart add) and aborts. Net result: agent thinks your store is broken, picks a competitor.
Fix: wire a real-time inventory webhook (Shopify's inventory_levels/update webhook) into your schema regen pipeline. Schema should lag inventory by no more than 60 seconds.
5. Required custom field on checkout
You added a “VAT ID” or “gift message” field withrequired: true on checkout. Shopper went through normal browser checkout fine. Agent doesn't know about the field and doesn't have the data, so 422 at Step 6 with a missing-field error.
Fix: two options. Make the field optional (and chase it via email post-purchase if really needed), or emit a PropertyValueSpecification in your Offer schema telling agents the field is required and what format to provide. Agents handle the second pattern well when the schema is present.
6. Turnstile challenge on checkout
Cloudflare Turnstile (or equivalent) on the checkout endpoint forces a JS-solved anti-bot challenge. Agents stall indefinitely.
Fix: create an authenticated-agent bypass — a shared secret header that trusted agent UAs include, which tells Turnstile to skip the challenge. Pair with server-side rate limiting on that header so you don't open a scraper backdoor.
A two-week merchant audit
- Week 1 Day 1-2: pull server logs for the last 14 days, filter for agent user agents, tag each request with its endpoint and response code.
- Week 1 Day 3-4: for every non-200 response, identify which of the six failure modes applies.
- Week 1 Day 5: prioritize by failure-mode volume — fix the one dropping the most orders first.
- Week 2 Day 1-2: fix variant schema completeness (usually the #1 failure).
- Week 2 Day 3: fix WAF whitelist for known agent user agents.
- Week 2 Day 4: wire real-time inventory → schema regen.
- Week 2 Day 5: re-test with a scripted agent — a curl-based script that walks all seven steps against three representative PDPs.
What's next for agentic commerce
Shopify is shipping native agentic-checkout support in the Storefront API — batched cart-create-and-complete in a single call, agent-identity headers, and agent-specific return policies. OpenAI's Atlas roadmap includes multi-merchant basket fulfillment (one shopper command → five merchants' orders completed in parallel). Anthropic is rolling out Claude-native purchase flows in Claude Desktop.
The merchants who fix the six failure modes in Q2 2026 will be the ones those platforms route volume to by default. Everybody else will ship fine for a quarter, then discover that agent traffic has moved on to the stores that answered correctly the first time.