---
title: Auth and rate limiting
description: >-
  Learn how UCP traffic is classified into token, signed, and anonymous
  requests, and what each tier can do across Catalog MCP, Cart MCP, Checkout
  MCP, and Order MCP.
source_url:
  html: 'https://shopify.dev/docs/agents/profiles/auth-and-rate-limiting'
  md: 'https://shopify.dev/docs/agents/profiles/auth-and-rate-limiting.md'
---

# Auth and rate limiting

UCP traffic to Shopify's MCP servers is classified into three tiers based on how your agent identifies itself. Each tier has different capabilities and rate-limiting allowances.

***

## Traffic tiers

Each tier reflects how much Shopify knows about the agent making the request. Stronger identification means higher rate limits and access to more sensitive tools.

The following table summarizes what each tier can do. Subsequent sections describe how to qualify for each tier.

| Auth type | [Catalog tools](https://shopify.dev/docs/agents/catalog) | [Cart tools](https://shopify.dev/docs/agents/carts-and-checkout/cart-mcp) | [Checkout tools](https://shopify.dev/docs/agents/carts-and-checkout/checkout-mcp) | [`complete_checkout`](https://shopify.dev/docs/agents/carts-and-checkout/checkout-mcp#complete_checkout) | [Order tools](https://shopify.dev/docs/agents/orders/order-mcp) |
| - | - | - | - | - | - |
| [Token](#token) | Yes | Yes | Yes | When the token is granted permission to complete purchases | Yes, with the `read_global_api_orders` scope |
| [Signed](#signed) | Yes | Yes | Yes | No | No |
| [Anonymous](#anonymous) | Yes | Yes | Yes | No | No |

Rate-limit guidance:

* **Rate limits scale with identification.** The Token tier gets the highest limits, Signed gets lower limits, and Anonymous gets the lowest.
* **Checkout MCP is rate-limited more strictly than Cart MCP at every tier.** Use [Cart MCP](https://shopify.dev/docs/agents/carts-and-checkout/cart-mcp) to iterate on line items, refine context, and estimate totals, and reserve [Checkout MCP](https://shopify.dev/docs/agents/carts-and-checkout/checkout-mcp) for buyers who are ready to purchase.
* **Order MCP is for on-demand reads.** Reserve [`get_order`](https://shopify.dev/docs/agents/orders/order-mcp#get_order) for buyer-initiated views and reconciling missed webhooks. For proactive lifecycle updates, subscribe to [Order webhooks](https://shopify.dev/docs/agents/orders/order-webhooks).

***

## Token

Agents authenticating with a credential issued through [Dev Dashboard](https://shopify.dev/docs/apps/build/dev-dashboard), such as a global API token, customer accounts token, or shop access token.

* **How to authenticate:** JWT passed with Bearer token authentication. See [Authenticate your agent](https://shopify.dev/docs/agents/get-started/authentication) for a working example.
* **What you can do:** Access cart, checkout, and order tools at the highest rate limits. Call [`complete_checkout`](https://shopify.dev/docs/agents/carts-and-checkout/checkout-mcp#complete_checkout) when your token has been granted the required permission to complete purchases on the shop's behalf. Call [`get_order`](https://shopify.dev/docs/agents/orders/order-mcp#get_order) when your token includes the `read_global_api_orders` scope. Order access is restricted to orders placed through your agent.

***

## Signed

Agents that haven't created an API key but have implemented HTTP signatures per the UCP specification.

* **How to authenticate:** HTTP Message Signatures per [RFC 9421](https://www.rfc-editor.org/rfc/rfc9421) using ECDSA P-256. Shopify verifies the signature against the public key published in your agent's [well-known UCP profile](https://ucp.dev/2026-04-08/specification/overview/). See the [UCP signatures specification](https://ucp.dev/2026-04-08/specification/signatures) for how to construct signed requests.
* **What you can do:** Access cart and checkout tools at lower rate limits than the Token tier. `complete_checkout` and order tools aren't available at this tier.

***

## Anonymous

Agents that haven't identified themselves to Shopify.

* **How to authenticate:** No credentials or signatures provided. Send the request without an `Authorization` header or signature headers.
* **What you can do:** Access catalog, cart, and checkout build/edit tools at the lowest rate limits. `complete_checkout` and order tools aren't available at this tier.

***

## Next steps

* [Authenticate your agent](https://shopify.dev/docs/agents/get-started/authentication): Generate API credentials and fetch bearer tokens at runtime.
* [Define a profile](https://shopify.dev/docs/agents/get-started/profile): Host a UCP profile at a well-known URL for capability negotiation and signed-request verification.

***
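The Signed tier relies on RFC 9421 signatures with ECDSA P-256. The following is an added example, not Shopify or UCP code, showing both sides of that exchange in Node.js: building the signature base, signing it, and verifying it while rejecting unsigned, tampered, and under-covered requests. The host `shop.example`, the path `/api/ucp/mcp`, the key ID `agent-key-1`, the label `sig1`, and the set of covered components are assumptions; the UCP signatures specification defines the real requirements, and the locally generated key pair stands in for the key published in the agent's profile.

```javascript
const crypto = require("node:crypto");
// Assumed verifier policy: components that must be covered by the signature.
const REQUIRED = ["@method", "@authority", "@path", "content-digest"];

function componentValue(req, name) {
  if (name === "@method") return req.method;
  if (name === "@authority") return req.authority.toLowerCase();
  if (name === "@path") return req.path;
  if (!(name in req.headers)) throw new Error(`missing component ${name}`);
  return req.headers[name].trim();
}
// RFC 9421 signature base: one line per covered component, then @signature-params.
function signatureBase(req, covered, params) {
  const lines = covered.map((c) => `"${c}": ${componentValue(req, c)}`);
  return Buffer.from([...lines, `"@signature-params": ${params}`].join("\n"));
}

function sign(req, keyid, created, privateKey) {
  const params = `(${REQUIRED.map((c) => `"${c}"`).join(" ")})` +
    `;created=${created};keyid="${keyid}";alg="ecdsa-p256-sha256"`;
  // ecdsa-p256-sha256 signatures are raw r||s (64 bytes), not DER.
  const sig = crypto.sign("sha256", signatureBase(req, REQUIRED, params),
    { key: privateKey, dsaEncoding: "ieee-p1363" });
  return { ...req, headers: { ...req.headers, "signature-input": `sig1=${params}`,
    signature: `sig1=:${sig.toString("base64")}:` } };
}

function verify(req, publicKey) {
  const input = /^sig1=((\([^)]*\)).*)$/.exec(req.headers["signature-input"] || "");
  const sig = /^sig1=:([A-Za-z0-9+/=]+):$/.exec(req.headers["signature"] || "");
  if (!input || !sig) return false; // unsigned or malformed
  const covered = [...input[2].matchAll(/"([^"]+)"/g)].map((m) => m[1]);
  if (!REQUIRED.every((c) => covered.includes(c))) return false; // under-covered
  try {
    return crypto.verify("sha256", signatureBase(req, covered, input[1]),
      { key: publicKey, dsaEncoding: "ieee-p1363" }, Buffer.from(sig[1], "base64"));
  } catch { return false; } // a covered component is absent from the request
}

function demo() {
  // prime256v1 is OpenSSL's name for P-256; body, host, path and key ID are constructed.
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const body = '{"jsonrpc":"2.0","method":"tools/call"}';
  const digest = crypto.createHash("sha256").update(body).digest("base64");
  const req = sign({ method: "POST", authority: "shop.example", path: "/api/ucp/mcp",
    headers: { "content-digest": `sha-256=:${digest}:` } }, "agent-key-1", 1767225600, privateKey);
  return { valid: verify(req, publicKey), tamperedPath: verify({ ...req, path: "/x" }, publicKey),
    unsigned: verify({ ...req, headers: {} }, publicKey) };
}
console.log(demo());
```

A full verifier would also bound the `created` timestamp to limit replay and resolve `keyid` to the public key in the agent's profile; neither is shown here.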