🛍 ShopMCP

A WebMCP Retail Demo

This demo shows that session + client_id is sufficient for agent identity — no separate agent OAuth required.

Sign in with PingOne to open the storefront. An AI agent interacts with the store through WebMCP tools using your existing session. The client_id in the token is all the identity signal needed.

Auth via PingOne OIDC —

Confirm Purchase

WebMCP Elicitation: The agent has requested checkout. Your confirmation is required before any purchase is completed.

🔒 Step-Up Authentication Required

WebMCP Elicitation: PingOne Authorize requires MFA to complete this checkout. Enter the one-time code to proceed.

🔐 Verify Transaction

WebMCP Elicitation: Scan this QR code with the PingOne Verify app to approve the transaction. The page will continue automatically once approved.
Verification code — confirm this matches what PingOne Verify shows you

✓ Order Placed!

✗ Order Denied

⚙ WebMCP Tool Console

Simulate agent tool calls. In production, an AI agent would invoke these via navigator.modelContext.

🔑 Token Inspector

Decoded JWT claims from the active PingOne session. The access_token is what tools forward as a Bearer credential. The id_token carries identity claims for the UI session.

Access Token — Agent Identity Signal
aud —
client_id —

The resource server (RS) validates aud (is this token intended for me?) and client_id (which application obtained it?). The client_id is the agent identity signal; no separate agent credential is required.

1. User authenticates via PingOne OIDC. Both an id_token (identity) and access_token (credential) are issued.
2. Agent calls WebMCP tools using the same session — no separate OAuth flow.
3. The RS receives the access_token as Bearer. It validates aud, client_id, and scope. The client_id is the agent signal. No extra credential needed.
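
The RS-side check from step 3, as an added example (not code from the ShopMCP demo or from PingOne). Assumptions: RS256-signed JWT access tokens with a space-delimited scope claim; the audience URL, client id, tool names and scope names are hypothetical placeholders; a throwaway RSA key stands in for the issuer's signing key. Signature and expiry are verified before the aud, client_id and scope claims are trusted.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the issuer's signing key; a real RS loads the public key from the issuer's JWKS.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64u = (v) => Buffer.from(v).toString('base64url');

// Helper that mints constructed sample tokens (RS256) so the check can be exercised offline.
function signToken(claims, key = privateKey) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')}`;
}

// Hypothetical RS policy: audience, client ids, tool names and scopes are placeholders.
const POLICY = {
  audience: 'https://api.shopmcp.example',
  allowedClients: new Set(['shopmcp-web-client']),
  toolScopes: { add_to_cart: 'cart:write', checkout: 'orders:create' },
};
const deny = (reason) => ({ ok: false, reason });

function authorizeToolCall(token, tool, key = publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return deny('malformed');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch {
    return deny('malformed');
  }
  // Pin the algorithm on the RS side; never let the token header choose it.
  if (header?.alg !== 'RS256') return deny('bad_alg');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('RSA-SHA256', signed, key, Buffer.from(parts[2], 'base64url'))) return deny('bad_signature');
  if (typeof claims?.exp !== 'number' || claims.exp <= now) return deny('expired');
  // aud: is this token intended for me? (a string or an array per RFC 7519)
  if (![].concat(claims.aud ?? []).includes(POLICY.audience)) return deny('wrong_audience');
  // client_id: which application obtained it? This is the agent identity signal.
  if (!POLICY.allowedClients.has(claims.client_id)) return deny('unknown_client');
  // scope: space-delimited string; each tool maps to one required scope.
  const required = POLICY.toolScopes[tool];
  if (!required || !String(claims.scope ?? '').split(' ').includes(required)) return deny('insufficient_scope');
  return { ok: true, client_id: claims.client_id, sub: claims.sub };
}
```

A token that is validly signed but was issued to a different client_id or for a different audience is rejected, which is what makes client_id usable as the identity signal.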