---
title: Auth and rate limiting
description: >-
  Learn how UCP traffic is classified into token, signed, and anonymous requests, and what each tier can do across Catalog MCP and Checkout MCP.
source_url:
  html: 'https://shopify.dev/docs/agents/profiles/auth-and-rate-limiting'
  md: 'https://shopify.dev/docs/agents/profiles/auth-and-rate-limiting.md'
---

# Auth and rate limiting

UCP traffic to Shopify's MCP servers is classified into three tiers based on how your agent identifies itself. Each tier has different capabilities and rate-limiting allowances.

***

## Traffic tiers

Each tier reflects how much Shopify knows about the agent making the request. Stronger identification means higher rate limits and access to more sensitive tools.

The following table summarizes what each tier can do. Subsequent sections describe how to qualify for each tier.

| Auth type | [Catalog tools](https://shopify.dev/docs/agents/catalog) | [Cart tools](https://shopify.dev/docs/agents/carts-and-checkout/cart-mcp) | [Checkout tools](https://shopify.dev/docs/agents/carts-and-checkout/checkout-mcp) | [`complete_checkout`](https://shopify.dev/docs/agents/carts-and-checkout/checkout-mcp#complete_checkout) |
| - | - | - | - | - |
| [Token](#token) | Yes | Yes | Yes | When the token is granted permission to complete purchases |
| [Signed](#signed) | Yes | Yes | Yes | No |
| [Anonymous](#anonymous) | Yes | Yes | No | No |

Rate-limit guidance:

* **Rate limits scale with identification.** The Token tier gets the highest limits, Signed gets lower limits, and Anonymous gets the lowest.
* **Checkout MCP is rate-limited more strictly than Cart MCP at every tier.** Use [Cart MCP](https://shopify.dev/docs/agents/carts-and-checkout/cart-mcp) to iterate on line items, refine context, and estimate totals, and reserve [Checkout MCP](https://shopify.dev/docs/agents/carts-and-checkout/checkout-mcp) for buyers who are ready to purchase.

***

## Token

Agents authenticating with a credential issued through [Dev Dashboard](https://shopify.dev/docs/apps/build/dev-dashboard), such as a global API token, customer accounts token, or shop access token.

* **How to authenticate:** JWT passed with Bearer token authentication. See [Authenticate your agent](https://shopify.dev/docs/agents/get-started/authentication) for a working example.
* **What you can do:** Access cart and checkout tools at the highest rate limits. Call [`complete_checkout`](https://shopify.dev/docs/agents/carts-and-checkout/checkout-mcp#complete_checkout) when your token has been granted the required permission to complete purchases on the shop's behalf.

***

## Signed

Agents that haven't created an API key but have implemented HTTP signatures per the UCP specification.

* **How to authenticate:** HTTP Message Signatures per [RFC 9421](https://www.rfc-editor.org/rfc/rfc9421) using ECDSA P-256. Shopify verifies the signature against the public key published in your agent's [well-known UCP profile](https://ucp.dev/2026-04-08/specification/overview/). See the [UCP signatures specification](https://ucp.dev/2026-04-08/specification/signatures) for how to construct signed requests.
* **What you can do:** Access cart and checkout tools at lower rate limits than the Token tier. `complete_checkout` isn't available at this tier.

***

## Anonymous

Agents that haven't identified themselves to Shopify.

* **How to authenticate:** No credentials or signatures provided. Send the request without an `Authorization` header or signature headers.
* **What you can do:** Access catalog and cart tools at the lowest rate limits. Checkout tools aren't available at this tier.
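
The Signed tier's sign-and-verify flow, as an added example that is not Shopify's or the UCP project's code: it builds an RFC 9421 signature base, signs it with ECDSA P-256, and verifies it with the matching public key. The covered components, the `sig1` label, the key id, and the sample request are assumptions; the UCP signatures specification defines the required values.

```javascript
// Added example (not Shopify or UCP project code): RFC 9421 with ECDSA P-256, Node.js built-ins only.
const crypto = require('node:crypto');

// Constructed key pair (prime256v1 is P-256); a real agent publishes the public half in its UCP profile.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
// Constructed sample request with a placeholder host; header names are assumed lower-case.
const SAMPLE_REQUEST = { method: 'POST', url: 'https://shop.example/mcp', headers: {}, body: '{"jsonrpc":"2.0","id":1}' };

// RFC 9530 Content-Digest value for a request body.
function contentDigest(body) {
  return `sha-256=:${crypto.createHash('sha256').update(body).digest('base64')}:`;
}

// RFC 9421 section 2.5: one line per covered component, then @signature-params, no trailing newline.
function signatureBase(req, covered, params) {
  const url = new URL(req.url);
  const derived = { '@method': req.method.toUpperCase(), '@authority': url.host, '@path': url.pathname };
  const lines = covered.map((name) => {
    const value = name.startsWith('@') ? derived[name] : req.headers[name];
    if (value === undefined) throw new Error(`covered component missing: ${name}`);
    return `"${name}": ${value}`;
  });
  lines.push(`"@signature-params": ${params}`);
  return lines.join('\n');
}

// Agent side: returns the full header set to send, including the signature headers.
function signRequest(req, key, keyid, created) {
  const headers = { ...req.headers, 'content-digest': contentDigest(req.body) };
  const covered = ['@method', '@authority', '@path', 'content-digest']; // assumed component set
  const params = `(${covered.map((c) => `"${c}"`).join(' ')});created=${created};keyid="${keyid}";alg="ecdsa-p256-sha256"`;
  const base = signatureBase({ ...req, headers }, covered, params);
  // ecdsa-p256-sha256 signatures are the raw 64-byte r||s form, not DER.
  const sig = crypto.sign('sha256', Buffer.from(base), { key, dsaEncoding: 'ieee-p1363' });
  return { ...headers, 'signature-input': `sig1=${params}`, signature: `sig1=:${sig.toString('base64')}:` };
}

// Verifier side: rebuild the base from the received request, then check digest and signature.
function verifyRequest(req, key) {
  if (!req.headers['signature-input'] || !req.headers.signature) return false; // unsigned request
  const params = req.headers['signature-input'].replace(/^sig1=/, '');
  const covered = [...params.slice(1, params.indexOf(')')).matchAll(/"([^"]+)"/g)].map((m) => m[1]);
  if (!covered.includes('content-digest')) return false; // the body must be bound to the signature
  if (req.headers['content-digest'] !== contentDigest(req.body)) return false;
  const sig = Buffer.from(req.headers.signature.replace(/^sig1=:|:$/g, ''), 'base64');
  return crypto.verify('sha256', Buffer.from(signatureBase(req, covered, params)), { key, dsaEncoding: 'ieee-p1363' }, sig);
}
```

A verifier would also bound the age of `created` and resolve `keyid` to a key in the agent's published profile before trusting the result.
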

***

## Next steps

* [Authenticate your agent](https://shopify.dev/docs/agents/get-started/authentication): Generate API credentials and fetch bearer tokens at runtime.
* [Define a profile](https://shopify.dev/docs/agents/get-started/profile): Host a UCP profile at a well-known URL for capability negotiation and signed-request verification.

***