HubACP Documentation

Welcome to the complete guide for HubACP - ChatGPT Commerce for WooCommerce. Transform your WooCommerce store into an AI-ready commerce platform that enables ChatGPT to browse products and complete purchases through conversational commerce.

What is HubACP?

HubACP provides a secure REST API compatible with OpenAI's Agentic Commerce Protocol (ACP). It enables ChatGPT and other AI agents to:

  • Browse your product catalog - Search, filter, and discover products in real-time
  • Create shopping carts - Add items and manage checkout sessions
  • Calculate shipping & taxes - Get accurate costs based on customer location
  • Complete purchases - Process payments and create WooCommerce orders
  • Receive order updates - Real-time webhooks for order events (Pro only)

Getting Started

HubACP enables ChatGPT to interact with your WooCommerce store through a secure REST API. This guide will help you get up and running in 5 minutes.

Requirements

  • PHP 8.1+ - Required for modern security features
  • WordPress 6.5+ - Latest version recommended
  • WooCommerce 8.0+ - Must be active and configured
  • SSL Certificate - HTTPS required for production (security)
  • OpenAI Merchant Account - Free registration required

Quick Start (5 Minutes)

  1. Install HubACP - Download and activate the plugin
  2. Run Setup Wizard - Beautiful animated wizard guides you through setup
  3. Register with OpenAI - Get approved as a merchant (free)
  4. Generate API Credentials - Create your signing secret
  5. Test Integration - Use built-in diagnostic tools to verify everything works

Installation

Option 1: Install from WordPress.org (Free Version)

  1. Log in to your WordPress admin panel
  2. Navigate to Plugins → Add New
  3. Search for "HubACP"
  4. Click Install Now and then Activate

Option 2: Manual Installation

  1. Download the plugin ZIP file from WordPress.org
  2. Navigate to Plugins → Add New → Upload Plugin
  3. Choose the downloaded ZIP file and click Install Now
  4. Click Activate Plugin

Option 3: Pro Version ($99/year)

The Pro version unlocks unlimited products in the feed and priority support. All checkout, payment, and webhook features are available in the Free version too!

  1. Purchase Pro license via Freemius secure checkout
  2. Download the Pro version ZIP file
  3. Navigate to Plugins → Add New → Upload Plugin
  4. Upload and activate (Pro overrides Free version)
  5. License activates automatically - no manual key entry needed

First-Time Setup Wizard

On first activation, HubACP launches a beautiful setup wizard that guides you through:

  • Step 1: Welcome - Introduction to HubACP capabilities
  • Step 2: OpenAI Registration - Link to merchant approval form
  • Step 3: API Configuration - Generate and copy your signing secret
  • Step 4: Next Steps - Quick links to test and configure

The wizard features smooth animations, real-time validation, and AJAX-powered setup (8-10 seconds).

Configuration

Admin Pages

HubACP adds a top-level menu with modern navigation:

  • Dashboard - Overview, onboarding checklist, quick start guide, stats (Pro)
  • Settings - Technical configuration with 8 tabs (submenu)

Settings Tabs

Access via HubACP → Settings:

  1. Webhooks - Configure OpenAI webhook URL (Free & Pro)
  2. Shipping - Set delivery time estimates (Free & Pro)
  3. Feed - Product feed settings (Free & Pro)
  4. Diagnostics - 9 built-in testing tools (Free & Pro)
  5. Payments - Choose payment mode (Pro only)
  6. 👤 Account - Manage license and billing via Freemius (Free & Pro)
  7. 🚀 Upgrade to Pro - Modal checkout experience (Free only)
  8. 💬 Support - Priority email support (Pro only)

Onboarding Checklist (Dashboard)

Interactive checklist tracks your setup progress:

  • Step 1: Plugin Activated (auto-complete)
  • Step 2: OpenAI Merchant Approval (manual checkbox)
  • Step 3: Webhook Secret Configured (validated)
  • Step 4: OpenAI Webhook URL Set (optional)
  • Step 5: Integration Tested (diagnostics required)

Progress shows "X of 5 complete" with visual bar. Celebration animation when 100% complete!

Generate Signing Secret

In HubACP → Settings → API Configuration, generate your webhook signing secret.

Example Signing Secret 
whsec_abc123def456ghi789jkl012mno345pqr678

🔐 Security Critical

Your signing secret is used for HMAC-SHA256 authentication (same as Stripe). Store it securely using environment variables. Never commit to version control or expose in client-side code.

Configure OpenAI Webhook URL

Provide your store's webhook endpoint to OpenAI:

Your Store's Webhook URL 
https://yourstore.com/wp-json/acp/v1/webhooks

Diagnostic Tools

Test your integration without writing code (Settings → Diagnostics):

  1. Test REST API - Verify API connectivity
  2. Test Signature Verification - Verify HMAC algorithm
  3. Test Create Checkout - Create test session
  4. Test Update Checkout - Update with address
  5. Test Complete Checkout - Complete and create order
  6. Test Webhook - Send test webhook
  7. Clear Caches - Clear shipping/product caches
  8. View API Logs - Debug API requests
  9. System Info - PHP version, extensions, permissions

API Overview

HubACP provides 8 REST API endpoints compatible with OpenAI's Agentic Commerce Protocol. The API follows REST principles with predictable URLs, standard HTTP methods, and JSON responses.

Base URL

https://yourstore.com/wp-json/acp/v1/

All Endpoints

Method Endpoint Description Plan
GET /acp/v1 API information Free/Pro
GET /acp/v1/feed Product catalog feed Free/Pro
GET /acp/v1/products List products (paginated) Free/Pro
GET /acp/v1/products/{id} Get product details Free/Pro
POST /acp/v1/checkout-sessions Create checkout session Free/Pro
POST /acp/v1/checkout-sessions/{id} Update session Free/Pro
POST /acp/v1/checkout-sessions/{id}/complete Complete checkout Free/Pro
GET /acp/v1/checkout-sessions/{id} Get session state Free/Pro
POST /acp/v1/checkout-sessions/{id}/cancel Cancel session Free/Pro

Free vs Pro Features

🆓 Free Version

  • Display up to 2 products in ChatGPT
  • Full checkout integration
  • Complete payment processing
  • Real-time webhooks
  • All security features (HMAC-SHA256)
  • Setup wizard & diagnostic tools
  • Community support (72h response)

🚀 Pro Version ($99/year)

  • Unlimited products in ChatGPT feed
  • All Free features included
  • Priority email support (24h response)
  • Automatic plugin updates
  • Analytics dashboard (coming soon)

Authentication

HubACP uses HMAC-SHA256 signature authentication - the same enterprise-grade security standard used by Stripe, GitHub, and other payment platforms.

Required Headers

HTTP Request Headers 
X-ACP-Signature: 
X-ACP-Timestamp: 
Content-Type: application/json

Security Features

  • HMAC-SHA256 Signatures - Cryptographically verify every request
  • Timestamp Validation - 5-minute tolerance window prevents replay attacks
  • Rate Limiting - Protection against abuse
  • Idempotency Keys - Prevent duplicate orders from retries
  • Signature Verification - All webhooks signed with HMAC

Generating Request Signature

All API requests must include a signature of: timestamp.request_body

Bash Example (using OpenSSL) 
#!/bin/bash

SECRET="your_webhook_signing_secret"
TIMESTAMP=$(date +%s)
BODY='{"items":[{"id":"123","quantity":1}]}'

# Generate signature
SIGNATURE=$(echo -n "${TIMESTAMP}.${BODY}" | \
  openssl dgst -sha256 -hmac "$SECRET" | \
  cut -d' ' -f2)

# Make request
curl -X POST "https://yourstore.com/wp-json/acp/v1/checkout-sessions" \
  -H "X-ACP-Signature: $SIGNATURE" \
  -H "X-ACP-Timestamp: $TIMESTAMP" \
  -H "Content-Type: application/json" \
  -d "$BODY"
JavaScript/Node.js Example 
const crypto = require('crypto');

const SECRET = process.env.HUBACP_SECRET;
const timestamp = Math.floor(Date.now() / 1000);
const body = JSON.stringify({ items: [{ id: "123", quantity: 1 }] });

// Generate HMAC signature
const payload = `${timestamp}.${body}`;
const signature = crypto
  .createHmac('sha256', SECRET)
  .update(payload)
  .digest('hex');

// Make API request
const response = await fetch('https://yourstore.com/wp-json/acp/v1/checkout-sessions', {
  method: 'POST',
  headers: {
    'X-ACP-Signature': signature,
    'X-ACP-Timestamp': timestamp.toString(),
    'Content-Type': 'application/json'
  },
  body: body
});
Python Example 
import hmac
import hashlib
import json
import time
import os

SECRET = os.getenv('HUBACP_SECRET')
timestamp = str(int(time.time()))
body = json.dumps({"items": [{"id": "123", "quantity": 1}]})

# Generate HMAC signature
payload = f"{timestamp}.{body}"
signature = hmac.new(
    SECRET.encode(),
    payload.encode(),
    hashlib.sha256
).hexdigest()

# Make API request
headers = {
    'X-ACP-Signature': signature,
    'X-ACP-Timestamp': timestamp,
    'Content-Type': 'application/json'
}

response = requests.post(
    'https://yourstore.com/wp-json/acp/v1/checkout-sessions',
    headers=headers,
    data=body
)

⚠️ Timestamp Validation

Requests with timestamps older than 5 minutes are rejected to prevent replay attacks. Ensure your system clock is synchronized with NTP.

API Endpoints

Products API

GET /wp-json/acp/v1/products

Retrieve a paginated list of products from your catalog.

Query Parameters

Parameter Type Description
search string Search query for product name or description
category string Filter by category slug
page integer Page number (default: 1)
per_page integer Items per page (default: 20, max: 100)
orderby string Sort by: date, title, price (default: date)
order string Sort order: asc, desc (default: desc)

Example Request

GET /wp-json/acp/v1/products?search=shirt&per_page=10
X-WCP-API-Key: wcp_abc123def456ghi789

Example Response

{
  "products": [
    {
      "id": 123,
      "name": "Classic Cotton T-Shirt",
      "slug": "classic-cotton-tshirt",
      "price": "29.99",
      "regular_price": "39.99",
      "sale_price": "29.99",
      "on_sale": true,
      "stock_status": "instock",
      "stock_quantity": 50,
      "description": "Comfortable 100% cotton t-shirt",
      "short_description": "Classic everyday tee",
      "images": [
        {
          "src": "https://your-store.com/wp-content/uploads/tshirt.jpg",
          "alt": "Classic T-Shirt"
        }
      ],
      "categories": ["Clothing", "T-Shirts"],
      "variations": []
    }
  ],
  "pagination": {
    "total": 150,
    "pages": 15,
    "current_page": 1,
    "per_page": 10
  }
}

Checkout Sessions API

POST /wp-json/acp/v1/checkout-sessions

Create a new checkout session with cart items. Available in both Free and Pro versions.

Request Body

{
  "items": [
    {
      "product_id": 123,
      "quantity": 2,
      "variation_id": null
    }
  ],
  "customer": {
    "email": "customer@example.com",
    "first_name": "John",
    "last_name": "Doe"
  },
  "idempotency_key": "unique-request-id-123"
}

Example Response

{
  "session_id": "cs_abc123",
  "status": "pending",
  "items": [...],
  "subtotal": "59.98",
  "tax": "5.40",
  "shipping": "0.00",
  "total": "65.38",
  "expires_at": "2025-01-15T18:30:00Z"
}
POST /wp-json/acp/v1/checkout-sessions/{id}/shipping

Calculate shipping options for a checkout session.

Request Body

{
  "shipping_address": {
    "first_name": "John",
    "last_name": "Doe",
    "address_1": "123 Main St",
    "city": "New York",
    "state": "NY",
    "postcode": "10001",
    "country": "US"
  }
}

Example Response

{
  "shipping_methods": [
    {
      "id": "flat_rate",
      "label": "Flat Rate",
      "cost": "10.00",
      "delivery_time": "3-5 business days"
    },
    {
      "id": "express",
      "label": "Express Shipping",
      "cost": "25.00",
      "delivery_time": "1-2 business days"
    }
  ]
}
POST /wp-json/acp/v1/checkout-sessions/{id}/complete

Finalize the checkout and create a WooCommerce order.

Request Body

{
  "payment_method": "stripe",
  "payment_intent_id": "pi_xyz123",
  "billing_address": {
    "first_name": "John",
    "last_name": "Doe",
    "address_1": "123 Main St",
    "city": "New York",
    "state": "NY",
    "postcode": "10001",
    "country": "US",
    "email": "customer@example.com",
    "phone": "+1234567890"
  },
  "shipping_method_id": "flat_rate"
}

Example Response

{
  "order_id": 456,
  "order_number": "456",
  "status": "processing",
  "total": "75.38",
  "customer": {...},
  "items": [...],
  "created_at": "2025-01-15T15:30:00Z"
}

Webhooks

Webhooks provide real-time notifications when events occur in your WooCommerce store. Perfect for keeping ChatGPT synchronized with order status changes. Available in both Free and Pro versions.

Supported Events (6 Types)

Event Description When Triggered
order.created A new order has been created Immediately after checkout completion
order.updated An order status has changed Any status transition
order.processing Order is being processed Status changed to "processing"
order.completed Order has been fulfilled Status changed to "completed"
order.cancelled Order has been cancelled Status changed to "cancelled"
order.refunded Refund has been issued Full or partial refund processed

Webhook Features

  • Automatic Retry - Exponential backoff with 5 retry attempts
  • Signed Payloads - HMAC-SHA256 signature on every webhook
  • Event Logging - Complete delivery history in WP admin
  • OpenAI ACP Compliant - Follows official specification
  • Background Processing - Uses WC Action Scheduler (non-blocking)

Webhook Payload

{
  "event": "order.created",
  "timestamp": "2025-01-15T15:30:00Z",
  "data": {
    "order_id": 456,
    "order_number": "456",
    "status": "processing",
    "total": "75.38",
    "customer": {
      "email": "customer@example.com",
      "first_name": "John",
      "last_name": "Doe"
    },
    "items": [...]
  }
}

Verifying Webhook Signatures

All webhooks include both X-Signature and X-ACP-Signature headers. Always verify to ensure authenticity.

Node.js Example 
const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  return signature === expectedSignature;
}

// Express.js webhook endpoint
app.post('/webhooks/hubacp', express.raw({ type: 'application/json' }), (req, res) => {
  const signature = req.headers['x-acp-signature'] || req.headers['x-signature'];
  const payload = req.body.toString('utf8');

  if (!verifyWebhook(payload, signature, process.env.HUBACP_SECRET)) {
    return res.status(401).json({ error: 'Invalid signature' });
  }

  const event = JSON.parse(payload);
  console.log('Received event:', event.type, 'for order', event.data.order_id);

  // Process webhook asynchronously
  processWebhookAsync(event);

  // Respond immediately
  res.status(200).json({ received: true });
});

Automatic Retry Policy

If your endpoint returns non-2xx status, HubACP retries with exponential backoff:

Attempt Delay Total Time Elapsed
1 (initial) Immediate 0 seconds
2 1 minute 1 minute
3 5 minutes 6 minutes
4 15 minutes 21 minutes
5 1 hour ~1.4 hours
6 (final) 6 hours ~7.4 hours

💡 Best Practice

Always respond with 200 OK immediately, then process webhooks asynchronously. This prevents timeouts and ensures reliable delivery.

Security Best Practices

🔐 Security Checklist

  • ✅ Always use HTTPS in production
  • ✅ Store API keys and signing secrets securely (use environment variables)
  • ✅ Verify HMAC signatures on all webhooks
  • ✅ Use idempotency keys to prevent duplicate orders
  • ✅ Implement rate limiting on your webhook endpoints
  • ✅ Regularly rotate your API credentials
  • ✅ Monitor API usage for suspicious activity

Idempotency Keys

To prevent duplicate orders from network retries, include an idempotency key with checkout requests:

{
  "items": [...],
  "customer": {...},
  "idempotency_key": "unique-request-id-" + Date.now()
}

If the same idempotency key is used within 24 hours, HubACP will return the original response instead of creating a duplicate.

Code Examples

Complete Purchase Flow

JavaScript/TypeScript 
const HubACPClient = require('hubacp-client');

const client = new HubACPClient({
  baseUrl: 'https://your-store.com',
  apiKey: process.env.HUBACP_API_KEY,
  signingSecret: process.env.HUBACP_SIGNING_SECRET
});

async function completePurchase() {
  // 1. Search for products
  const products = await client.products.list({
    search: 'laptop',
    per_page: 5
  });

  console.log(`Found ${products.pagination.total} laptops`);

  // 2. Create checkout session
  const session = await client.checkout.createSession({
    items: [
      { product_id: products.products[0].id, quantity: 1 }
    ],
    customer: {
      email: 'customer@example.com',
      first_name: 'John',
      last_name: 'Doe'
    },
    idempotency_key: `order-${Date.now()}`
  });

  console.log(`Session created: ${session.session_id}`);

  // 3. Calculate shipping
  const shipping = await client.checkout.calculateShipping(session.session_id, {
    shipping_address: {
      first_name: 'John',
      last_name: 'Doe',
      address_1: '123 Main St',
      city: 'New York',
      state: 'NY',
      postcode: '10001',
      country: 'US'
    }
  });

  console.log('Shipping options:', shipping.shipping_methods);

  // 4. Complete the order
  const order = await client.checkout.complete(session.session_id, {
    payment_method: 'stripe',
    payment_intent_id: 'pi_123abc',
    billing_address: { /* ... */ },
    shipping_method_id: shipping.shipping_methods[0].id
  });

  console.log(`Order created: #${order.order_number}`);
  return order;
}

Python Example

Python 
from hubacp import HubACPClient
import os

client = HubACPClient(
    base_url='https://your-store.com',
    api_key=os.getenv('HUBACP_API_KEY'),
    signing_secret=os.getenv('HUBACP_SIGNING_SECRET')
)

# Search products
products = client.products.list(search='laptop', per_page=5)
print(f"Found {products['pagination']['total']} laptops")

# Create checkout session
session = client.checkout.create_session(
    items=[
        {'product_id': products['products'][0]['id'], 'quantity': 1}
    ],
    customer={
        'email': 'customer@example.com',
        'first_name': 'John',
        'last_name': 'Doe'
    },
    idempotency_key=f"order-{int(time.time())}"
)

# Complete order
order = client.checkout.complete(
    session['session_id'],
    payment_method='stripe',
    payment_intent_id='pi_123abc',
    billing_address={...},
    shipping_method_id='flat_rate'
)

print(f"Order created: #{order['order_number']}")

Troubleshooting

Common Issues

401 Unauthorized Error

Cause: Invalid API key or missing authentication header.

Solution: Verify your API key is correct and included in the X-WCP-API-Key header.

403 Forbidden - Invalid Signature

Cause: HMAC signature doesn't match the request body.

Solution: Ensure you're using the correct signing secret and computing the HMAC correctly. The signature must be generated from the exact request body string.

404 Product Not Found

Cause: Product ID doesn't exist or is not published.

Solution: Check the product exists in WooCommerce and is published. Only published products are available via the API.

422 Session Expired

Cause: Checkout session has expired (sessions expire after 1 hour).

Solution: Create a new checkout session. Don't store session IDs for long periods.

429 Rate Limit Exceeded

Cause: Too many requests in a short time period.

Solution: Implement exponential backoff and respect rate limit headers. Free plan: 60 requests/minute. Pro plan: 300 requests/minute.

Debug Mode

Enable debug mode in the HubACP settings to log all API requests and responses:

  1. Go to WooCommerce → Settings → HubACP
  2. Enable Debug Mode
  3. Check logs at WooCommerce → Status → Logs

⚠️ Warning: Debug mode can expose sensitive data. Only enable it temporarily for troubleshooting and disable it in production.

Frequently Asked Questions

What exactly does HubACP do?

HubACP transforms your WooCommerce store into an AI-ready commerce platform. It provides a secure REST API that enables ChatGPT to browse your products, create shopping carts, calculate shipping and taxes, and complete purchases - all through natural conversation. It implements OpenAI's Agentic Commerce Protocol (ACP).

What's the difference between Free and Pro?

Free version: Display up to 2 products in ChatGPT, full checkout integration, complete payment processing, real-time webhooks, all security features, and community support (72h response).

Pro version ($99/year): Everything in Free PLUS unlimited products in ChatGPT feed, priority email support (24h response), automatic updates, and analytics dashboard (coming soon).

Important: All core commerce features (checkout, payments, webhooks, security) are included in the Free version! The main Pro benefits are unlimited products and priority support.

How does checkout work through ChatGPT?

When a customer tells ChatGPT they want to buy something, ChatGPT uses our API to: (1) Create a checkout session with their items, (2) Calculate shipping costs to their address, (3) Calculate applicable taxes, (4) Process payment securely, (5) Create the order in your WooCommerce store. You get notified via webhook and the order appears in WooCommerce just like a normal order.

What are the system requirements?

PHP 8.1+, WordPress 6.5+, and WooCommerce 8.0+. You'll also need to register as an OpenAI merchant (free) and configure the API credentials. HTTPS/SSL certificate required for production.

How secure is the API?

Very secure. We use HMAC-SHA256 signature authentication (same as Stripe), timestamp validation with 5-minute tolerance window, rate limiting, and idempotency keys. All API requests must be cryptographically signed with your secret key.

Can I use HubACP with other AI agents besides ChatGPT?

Yes! HubACP is AI-agnostic and OpenAI ACP compliant. Any system that can make authenticated HTTP requests can integrate - Claude, custom AI agents, headless commerce platforms, etc.

How do payments work?

ChatGPT processes payment through its own payment infrastructure, then passes the payment confirmation ID to our API. HubACP creates the order in WooCommerce with "Processing" status. Your existing WooCommerce payment gateways are not used for ChatGPT orders.

Can I test without ChatGPT integration?

Yes! HubACP includes 9 built-in diagnostic tools in Settings → Diagnostics. You can test the entire checkout flow, webhooks, and API endpoints without writing any code or connecting ChatGPT.

How do I upgrade from Free to Pro?

Click 🚀 Upgrade to Pro in the admin menu, complete the Freemius checkout (secure payment via Stripe/PayPal), download the Pro ZIP, and install it (it overrides the Free version). License activates automatically - no manual key entry needed.

Do you offer refunds?

Yes, we offer a 14-day money-back guarantee on all Pro purchases. No questions asked.

Are webhooks guaranteed to be delivered?

We make best effort with 6 automatic retry attempts over 7+ hours. However, always implement idempotency on your end. For critical integrations, consider polling the order status API as a backup.

Is HubACP compatible with my WooCommerce plugins?

HubACP works with standard WooCommerce functionality. Tax calculators, shipping methods, and most plugins work normally. Variable products, product bundles, and subscriptions have varying support - test in your staging environment first.

Need Help?

📧 Email Support

Pro customers get priority email support with 24-hour response time.

Contact Support

💬 Community Forum

Join our community forum to ask questions and share experiences.

Visit Forum

🐛 Report a Bug

Found a bug? Report it on GitHub and help us improve HubACP.

Report Issue