What does WRKNG Digital do?

WRKNG Digital helps Shopify store owners optimize for AI-powered product discovery. We build the structured data, content strategy, and product feed optimizations that get your store recommended by ChatGPT, Google AI Overviews, and Perplexity.

Who is WRKNG Digital for?

Shopify store owners and DTC brand operators doing $500K to $10M+ in annual revenue who want to understand how AI is reshaping product discovery — and what to actually do about it.

What is the Free AI Commerce Audit?

A free tool that scores your Shopify store for AI discoverability across ChatGPT, Google AI Overviews, Copilot, and Perplexity. Identifies gaps in structured data, product feeds, and content extractability. Results delivered in 24 hours.

How does AI change product discovery for Shopify stores?

AI shopping assistants like ChatGPT and Perplexity now recommend products directly in conversation — without sending users to a search results page. Stores that aren't optimized for AI extraction are invisible to these systems, regardless of their Google SEO.

Signed Feeds & Product Provenance: Building Trust Signals Agents Can Verify

By Steve Merrill | April 5, 2026

trust-signals product-feed agentic-commerce shopify

AI agents don't trust product data they can't verify. If your feed has no provenance, the agent sends the shopper somewhere else.

Most Shopify store owners I talk to are still focused on getting their product descriptions right or making sure their schema markup is clean. That's useful work.

This matters because agentic shopping flows work differently than a browser-based shopper typing into Google. An AI agent evaluates multiple signals before it decides where to route a transaction. Price is one signal. Availability is another. But increasingly, agents are also asking: can I verify that this data came from the merchant's own store and hasn't been altered? If the answer is no, the agent defaults to a source it can verify. Usually that's Amazon or a major marketplace.

That handoff costs you the sale.

What Is a Signed Product Feed, Exactly?

A signed feed is proof that your catalog data came from your domain and hasn't been touched since you published it.

Here's how it works at a basic level. You take your product feed file (XML, TSV, whatever format you're using) and run it through a cryptographic signing process. This produces a unique signature tied to both the file contents and a private key only you control. You publish the matching public key on your domain. Anyone who wants to verify the feed can check the signature against your public key. If the feed data has changed at all since you signed it, verification fails.

This is the same underlying technology used in code signing, software distribution, and email authentication (DKIM uses the same RSA signature principle). It's not new. What's new is that AI shopping pipelines are starting to treat it as a trust signal.

Google's Shopping Graph has been building merchant identity signals into its product matching system since 2023. Google's Content API for Shopping documentation now explicitly references feed provenance as part of data quality scoring. Perplexity's shopping features, which launched aggressively in late 2024, use a layered trust model where feed origin is one of several verification factors. We're at the early stage of this becoming a real ranking variable, not a theoretical one.

Why Does Provenance Matter More for Agentic Commerce Than for Regular Search?

A human shopper clicks links and reads pages. An agent ingests data programmatically and makes routing decisions without a human in the loop.

That difference changes the stakes around data trust. When a shopper lands on your product page, they can evaluate the information themselves. If the price looks wrong, they notice. If the availability says "in stock" but the page looks sketchy, they leave. Human judgment acts as a filter.

Agents don't have that filter. They process your feed data and act on it. If the agent has no way to verify the data is accurate and authoritative, it has two options: trust it anyway (risky for the agent's reputation with users) or route to a verified source. Most well-built agents will take option two.

I've seen this pattern in our audit data. Stores with unverified or low-provenance feeds get recommended at roughly half the rate of stores that have proper domain verification and structured data in place. The gap widens as the shopping query gets more specific and high-intent. An agent shopping for "Patagonia Nano Puff Large Black in stock under $220" is doing precision matching. It needs to trust the data it's pulling. If it can't verify your feed, it finds a retailer whose feed it can.

Signed feeds are one layer of that verification stack. They're not the only layer, but they're the one most stores haven't set up yet.

How Do You Generate a Signed Feed for Your Shopify Store?

This is more approachable than it sounds. You don't need a security engineering background.

Here's the full process:

Export your Shopify product feed. From Shopify Admin, go to your Google & YouTube channel or use a Shopify product CSV export. Before you export, make sure every product has the following fields populated: gtin, brand, mpn, price, and availability. Incomplete feed fields cause verification failures downstream even when the signature itself is valid. Not great if you're spending time on signing and the feed data is still patchy.
Generate a signing key pair. You'll need OpenSSL, which comes pre-installed on macOS and most Linux systems. Run this command:
```
openssl genpkey -algorithm Ed25519 -out private.pem && \
openssl pkey -in private.pem -pubout -out public.pem
```
Ed25519 is preferred over RSA-2048 for new implementations. Shorter keys, faster verification, equally strong security. Keep private.pem off your web server. Publish public.pem at a predictable URL on your domain, such as yourdomain.com/.well-known/feed-signing-key.pem.
Sign the feed file. Once you have your key pair and your feed exported:
```
openssl dgst -sha256 -sign private.pem -out feed.sig products.xml
```
This creates feed.sig, a binary signature file tied to the exact contents of products.xml. Any change to the feed after signing will invalidate this signature.
Serve the signature alongside your feed. When you host your feed at a URL, add two HTTP response headers: X-Feed-Signature (the Base64-encoded contents of feed.sig) and X-Feed-Signer (the URL where your public key lives). Agents and crawlers that support feed provenance look for these headers. You can add headers in Shopify via a CDN layer like Cloudflare Workers or through a custom app that proxies the feed.
Add provenance metadata to your llms.txt. Your llms.txt file should already be at the root of your domain. Add a block like this:
```
# Feed Provenance
feed-url: https://yourdomain.com/feeds/products.xml
feed-signing-key: https://yourdomain.com/.well-known/feed-signing-key.pem
feed-signing-algorithm: Ed25519-SHA256
```
This gives AI agents a documented starting point so they know where to look for verification data.
Verify your own setup. Run this before going live:
```
openssl dgst -sha256 -verify public.pem -signature feed.sig products.xml
```
You should see Verified OK. If you see anything else, check that the feed file matches exactly what you signed. Automate re-signing as part of any feed update process. A stale signature is the worst outcome because it actively flags your feed as suspect.

The whole setup takes about two hours the first time. After that, re-signing is a script you run (or automate) every time your catalog updates.

What Role Does Provenance Play When an Agent Is Deciding Where to Send a Buyer?

Here's the thing. Agents making purchase routing decisions are doing probabilistic trust scoring, not binary pass/fail checks.

Think of it as a composite score. Domain verification (Google Search Console, Merchant Center, Meta Commerce Manager) is one input. Schema markup quality is another. Feed freshness matters. Fulfillment reliability signals matter. And feed provenance is increasingly part of that stack.

What provenance does specifically is reduce the agent's uncertainty about data integrity. When an agent pulls your feed and can verify the signature, it knows the price you're advertising is the price you set (or at least was as of the last signing). It knows the inventory status hasn't been altered by a third party. That reduces the agent's risk in recommending you directly.

Without provenance, the agent is making a judgment call based on softer signals. Maybe your domain authority is high enough. Maybe your reviews are solid. But when it comes to a high-intent transaction, agents are conservative. They'll route to the verified option when they have one.

Amazon and Walmart have very high provenance scores in AI systems. They've built direct integrations with major AI shopping channels. Walmart's Marketplace Feed API uses signed data submissions as a standard requirement. Amazon's Selling Partner API has feed integrity verification built into the submission process. These platforms have been doing this for years. AI agents trust them partly because their data pipelines have demonstrated integrity over time.

Your Shopify store can build the same trust signal. It takes more manual setup, but the mechanism is the same.

What Are the Most Common Mistakes Stores Make With Feed Trust Signals?

I've looked at enough stores to have a list.

First: signing a feed that has bad data in it. A cryptographic signature proves the data came from you. It doesn't prove the data is correct. If your feed has missing GTINs, stale prices, or products marked "in stock" when they're not, signing that feed locks in the bad data. Fix the feed quality first, then sign.

Second: setting a signing key and never rotating it. Best practice is to rotate signing keys at least annually, the same way you'd rotate API keys or certificates. Publish the new public key at the same well-known URL and re-sign your feeds. This isn't a hard requirement most AI agents enforce yet, but it will be.

Third: signing the feed manually and forgetting to re-sign after catalog updates. An inventory update that changes 200 products will invalidate your existing signature the moment the feed file changes. Automate this. If you're doing it by hand, you'll slip eventually, and a broken signature is worse than no signature.

Fourth: skipping llms.txt or leaving it generic. The llms.txt file is where AI agents go to understand the structure of your site and data. If it doesn't reference your feed and signing key location, agents won't know to look for provenance verification even if you've set everything up correctly.

Frequently Asked Questions

What is a signed product feed?

A signed product feed is a standard product catalog file (XML or TSV) that includes a cryptographic signature generated by the merchant. The signature proves the feed data originated from the claimed domain and hasn't been altered in transit. AI agents and shopping platforms can verify the signature against a public key published at the merchant's domain.

Do AI shopping agents actually check feed signatures today?

A small number do, and the number is growing. Google's Shopping Graph uses merchant identity signals that overlap with provenance. Perplexity and Bing Shopping are adding feed verification layers in 2025-2026. Setting this up now means you're ready when verification becomes a ranking and trust factor, not scrambling to retrofit it later.

Why does feed provenance reduce handoffs to third-party marketplaces?

When an AI agent can't verify that product data comes from the brand's own store, it defaults to a source it trusts: usually Amazon, Walmart, or Google Shopping. A verified feed tells the agent your store is the authoritative source. That means fewer recommendations that bounce traffic to a marketplace instead of your checkout.

How often should I re-sign my Shopify product feed?

Every time the feed content changes. Most Shopify stores update pricing, inventory, or product details daily. Automate feed signing in your deployment or sync pipeline so the signature is always current. A stale signature is worse than no signature because it flags the feed as potentially tampered with.

Is this the same as Google's Merchant Center verification?

Related, but different. Google Merchant Center verifies domain ownership (proving you own the site) and basic data quality. Feed signing goes a layer deeper by cryptographically proving each feed file was generated by you and hasn't changed. Think of Merchant Center verification as identity and feed signing as data integrity.

Is Your Store Ready for Agentic Commerce?

Feed signing is one piece of the puzzle. Find out what else is keeping AI agents from recommending your products directly.

See the Full Agentic Commerce Checklist