There is a paradox at the center of e-commerce in 2026: your best-converting checkout traffic and your most expensive fraud now look identical. AI shopping agents — ChatGPT Instant Checkout, Perplexity, Copilot Checkout — have gone from a curiosity to a revenue channel, while automated traffic is now the majority of the web. If you react with a blunt "block datacenter and automated IPs" rule, you don't just stop bots; you silently reject your highest-value customers. This guide shows how to use IP, ASN, connection-type and residential-proxy signals — plus an explainable 0–100 risk score and cryptographic agent verification — to stop carding, account takeover and scalping at the payment step without killing legitimate agent-mediated sales.
The checkout paradox of 2026
The numbers flipped fast. AI-referred traffic to US retailers rose 393% year over year in Q1 2026, and by March it converted 42% better with 37% higher revenue per visit than non-AI traffic — a reversal from a year earlier when AI traffic converted worse (Adobe Analytics, via TechCrunch). Agent traffic is now the cohort you least want to block.
At the same time, automated traffic reached 53% of all web traffic in 2025 (Imperva 2026 Bad Bot Report), and HUMAN Security found that 2.3% of agentic activity now happens on checkout pages — with only half a percentage point separating benign from malicious automation (HUMAN 2026). You cannot separate the two by behavior alone. The answer is graduated, explainable IP risk scoring layered with agent verification — not a binary gate.
Why "just block datacenter and proxy IPs" fails both ways
It's leaky and dangerous.
- Leaky: the costly fraud — card testing, account takeover, scalping — increasingly rides residential proxies that carry clean ASN reputation and defeat datacenter blocklists. Carding volume is up 250% since 2022 and post-login account compromise more than quadrupled year over year (HUMAN 2026).
- Dangerous: blanket datacenter blocking rejects legitimate buyers behind Apple iCloud Private Relay (relay/cloud egress that preserves region), carrier-grade NAT (RFC 6598 reserves 100.64.0.0/10 — and Cloudflare found CGNAT IPs are rate-limited 3× more despite a lower bot rate), and mobile-carrier NAT pools. Legitimate AI-agent infrastructure also egresses from datacenters.
The lesson: connection type is a weighted input, never a hard decline. The genuinely dangerous signal isn't "datacenter" — it's residential-proxy attribution plus a geo mismatch.
What a legitimate agent order actually looks like
Before scoring the IP, verify identity. Two open, primary-sourced mechanisms make agent orders verifiable:
- Agentic Commerce Protocol (ACP). Launched by Stripe and OpenAI on September 29, 2025 (Apache 2.0), ACP routes Instant Checkout orders to your endpoint with an Authorization bearer token, an API-Version header, a required Idempotency-Key, and a recommended Signature + Timestamp over the canonical body. Payment uses a Shared Payment Token scoped to a specific merchant and cart total — which structurally limits card testing on that lane.
- Web Bot Auth. An IETF draft built on RFC 9421 HTTP Message Signatures (Standards Track, Feb 2024): agents sign each request with an Ed25519 key you verify against a /.well-known key directory. Cloudflare verifies signed agents via the Signature, Signature-Input, and Signature-Agent headers.
Verify the signature first. A valid ACP token or Web Bot Auth signature is a strong negative-risk signal that should override the datacenter penalty.
Why IP allowlists alone are brittle — even for real agents
Cloudflare states plainly that IP allowlisting for agents is brittle: agent IPs are shared via privacy proxies and VPNs, cloud ranges shift, and user-agents are trivially spoofed. HUMAN found the ChatGPT-User agent had the worst spoof ratio (~1:5), with 7.9 million spoofed requests in the first two months of 2026 (HUMAN). OpenAI does publish machine-readable IP ranges and exact user-agents (e.g. chatgpt-user.json), so IP-range matching is a useful corroborating confidence input — not the gate.
The real threats to score at the payment step
- Card testing / enumeration — bursts of low-dollar or auth-only attempts with high decline and AVS-failure rates. Visa attributes roughly $1.1B in annual losses to enumeration, and 33% of enumerated accounts saw fraud within five days (Visa). Sophisticated rings now distribute probing across many merchants to evade per-IP velocity.
- Account takeover — post-login compromise quadrupled YoY; financial services saw 46% of ATO incidents (Imperva 2026).
- Scalping — inventory-hoarding bots on high-demand drops.
Their signatures differ from a legit agent order (one cart, one buyer, a verifiable signature). The high-confidence fraud flag is residential-proxy attribution + geo mismatch + velocity.
The decision framework: map IP signals to a 0–100 score
GeoIPHub's explainable risk score folds these inputs into one number:
| Signal | Direction |
|---|---|
| Verified ACP token / Web Bot Auth signature | strong ↓ risk (trusted lane) |
| Datacenter / hosting connection type (no verification) | ↑ risk |
| Residential-proxy attribution | strong ↑ risk |
| ASN reputation (abuse history) | ↑ risk |
| VPN / Tor flag | ↑ risk |
| IP-vs-billing/shipping geo mismatch | ↑ risk |
| Velocity: declines, distinct cards/BINs per IP and per ASN | strong ↑ risk |
| Consistent residential or mobile consumer IP, matching geo | ↓ risk |
Crucially, layer ASN-concentration and BIN-spread for distributed carding — not single-IP counters. The output maps to an action: low = allow, mid = step-up (3DS), high = manual review or block.
The rules playbook (copy-paste logic)
- Verified Web Bot Auth signature or valid ACP token → trusted lane: override the datacenter penalty, low friction.
- Datacenter ASN + no signature + no token + card velocity → high score → block or step-up (card testing).
- Residential-proxy attribution + IP/billing geo mismatch → high score → 3DS or manual review.
- Mobile/residential consumer IP + consistent geo + no proxy → low score → allow.
- Treat Private Relay / CGNAT / mobile-carrier ASNs as explicit exceptions — fall back to country-level geo, never city.
Map the score onto ACP's risk_signals.action enum so the decision happens at payment, not at the front door.
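An added example, not GeoIPHub's scoring model or API, that applies the signal table and the playbook above (and the FAQ answer on score bands) as an explainable additive 0–100 score in Node.js. Every weight, threshold and velocity cut-off is an illustrative assumption to tune on your own data, the sample signal sets are constructed, and the action names are placeholders to map onto ACP's risk_signals.action values.

```javascript
// Each rule: name, predicate over the signal set, weight added to the score (negative lowers risk).
// Weights are illustrative assumptions, not GeoIPHub's model.
const RULES = [
  ['verified_agent', (s) => s.verifiedAgent, -20],
  // Datacenter counts only when no ACP token / Web Bot Auth signature was verified (trusted lane override).
  ['datacenter_unverified', (s) => s.connType === 'datacenter' && !s.verifiedAgent, 30],
  ['residential_proxy', (s) => s.residentialProxy, 40],
  ['asn_abuse_history', (s) => s.asnAbuse, 15],
  ['vpn_or_tor', (s) => (s.vpn || s.tor) && !s.verifiedAgent, 15],
  // Country-level only: city geolocation is unreliable, and Private Relay / CGNAT preserve region, not city.
  ['geo_mismatch', (s) => s.ipCountry !== s.billingCountry, 30],
  // Distributed carding: per-IP declines OR BIN spread across the whole ASN, not a single-IP counter.
  ['velocity', (s) => s.declinesPerIp24h >= 5 || s.distinctBinsPerAsn1h >= 20, 40],
  ['consumer_ip_consistent', (s) => ['residential', 'mobile', 'relay_or_cgnat'].includes(s.connType)
    && !s.residentialProxy && s.ipCountry === s.billingCountry, -10],
];

// Placeholder action names; map them onto ACP's risk_signals.action values in your integration.
function actionFor(score) {
  if (score >= 70) return 'manual_review_or_block';
  if (score >= 30) return 'step_up_3ds';
  return 'allow';
}

// Returns the clamped score, the action, and every rule that fired, so the decision is explainable.
function scoreCheckout(signals) {
  const reasons = RULES.filter(([, hit]) => hit(signals)).map(([name, , weight]) => ({ name, weight }));
  const raw = reasons.reduce((sum, r) => sum + r.weight, 0);
  const score = Math.max(0, Math.min(100, raw));
  return { score, action: actionFor(score), reasons };
}

// Constructed sample signal sets, one per playbook row.
const SAMPLES = {
  verifiedAgentOnCloud: { verifiedAgent: true, connType: 'datacenter', residentialProxy: false, asnAbuse: false,
    vpn: false, tor: false, ipCountry: 'US', billingCountry: 'US', declinesPerIp24h: 0, distinctBinsPerAsn1h: 1 },
  cardTesting: { verifiedAgent: false, connType: 'datacenter', residentialProxy: false, asnAbuse: true,
    vpn: false, tor: false, ipCountry: 'US', billingCountry: 'US', declinesPerIp24h: 12, distinctBinsPerAsn1h: 40 },
  resiProxyGeoMismatch: { verifiedAgent: false, connType: 'residential', residentialProxy: true, asnAbuse: false,
    vpn: false, tor: false, ipCountry: 'GB', billingCountry: 'US', declinesPerIp24h: 0, distinctBinsPerAsn1h: 2 },
  mobileShopper: { verifiedAgent: false, connType: 'mobile', residentialProxy: false, asnAbuse: false,
    vpn: false, tor: false, ipCountry: 'DE', billingCountry: 'DE', declinesPerIp24h: 0, distinctBinsPerAsn1h: 1 },
};
```

The reasons array is what you log and show to a reviewer; the guardrail metrics in the implementation notes below become a breakdown of that array by segment.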
Escalate, don't block: 3DS as the liability-shifting middle path
Under EMV 3-D Secure 2, successful cardholder authentication shifts chargeback liability to the issuer and lifts approval rates (Trust Payments). Card-not-present decline rates run far higher than card-present, so a hard block on a medium-risk IP often rejects a real buyer. Step the mid-risk band up to 3DS instead of rejecting — you preserve the sale and move liability. (The merchant remains merchant of record and owns the risk decision even on agent orders — see account-takeover defense and detecting anonymized traffic without blocking real customers.)
Governance: the authorized-agent question
Distinguish an agent your customer authorized to buy (allow) from an agent scraping or buying against your terms (you may refuse). The federal BOTS Act covers only event tickets, so retail scalping isn't federally illegal in the US (the proposed Stop Grinch Bots Act would extend it), and a March 2026 federal court reportedly enjoined an agent browser from purchasing on a major retailer. The defensible posture is verified-agent gating + clear ToS — identity and authorization are the real control, not IP enforcement alone.
Implementation notes and guardrail metrics
Operationalize it server-side: call the GeoIPHub IP intelligence / risk API at the checkout endpoint, verify the agent signature, fold connection-type and the 0–100 score into your existing fraud rules, and require an Idempotency-Key on the agent API to blunt replay/duplicate charges. Then watch your guardrails: track false-positive rate by segment (iOS Safari conversion, mobile-carrier ASNs, Private Relay) so you catch over-blocking early. Background reading: residential-proxy fraud detection, how accurate IP geolocation really is, and verifying AI crawlers by IP.
Honest caveats: HUMAN and Imperva figures are vendor network measurements; agent-share growth numbers are directional; and city-level geolocation is unreliable for individual IPs — use country-level for decisions, never a city-radius decline.
FAQ
Should I block all datacenter or proxy IPs at checkout to stop bots?
No. Blanket datacenter blocking is both leaky and dangerous in 2026. It misses the expensive fraud (card testing, account takeover, scalping) that increasingly rides residential-proxy IPs with clean ASN reputation, and it wrongly rejects real buyers behind Apple iCloud Private Relay, carrier-grade NAT (RFC 6598), and mobile-carrier NAT — plus legitimate AI shopping agents that egress from cloud datacenters. Treat datacenter and connection-type as weighted inputs to a 0–100 risk score, not a hard decline.
How do I tell a legitimate AI shopping agent from a fraud bot at the payment step?
Verify identity before you score the IP. A legitimate Agentic Commerce Protocol (ACP) order arrives with an Authorization bearer token, an API-Version header, a required Idempotency-Key, and a recommended Signature over the request body, paid with a Stripe Shared Payment Token scoped to one merchant and one cart total. Separately, Web Bot Auth (built on RFC 9421 HTTP Message Signatures) lets agents sign requests with Ed25519 keys you verify against the provider's published key directory. A valid signature is a strong negative-risk signal that should override the datacenter penalty; a self-declared agent user-agent on a datacenter IP with no signature is a likely spoof.
Why is IP allowlisting alone brittle for AI agents?
Because agent IPs are shared across users via privacy proxies and VPNs, cloud ranges change over time, and user-agent strings are trivially spoofed. Cloudflare's engineering guidance calls IP allowlisting brittle for exactly this reason, and HUMAN Security found the ChatGPT-User agent had roughly a one-in-five spoof ratio in early 2026. Published IP ranges remain a useful corroborating signal, but should never be the sole gate — cryptographic signature verification is the durable one.
How should a 0–100 IP risk score map to a checkout decision?
Use graduated actions, not allow/block. Low scores (consistent residential or mobile consumer IP, no proxy, matching geo, or a verified agent signature) pass with low friction. Mid-band scores (datacenter or proxy without verification, minor geo mismatch) step up to 3-D Secure rather than reject. High scores (residential-proxy attribution with billing/shipping geo mismatch, or datacenter plus card-testing velocity and no signature) go to manual review or block. In ACP, map the score onto the risk_signals action enum so the decision happens at the payment step.
Will stepping up to 3-D Secure hurt conversion more than blocking?
Usually no. Under EMV 3-D Secure 2, a successfully authenticated transaction shifts fraud-chargeback liability to the issuer, and issuers approve authenticated transactions at higher rates. Card-not-present false-decline rates run far higher than card-present, so a hard block on a medium-risk IP often rejects a real customer. Escalation preserves the sale while moving liability, which is why it beats blocking for ambiguous traffic.
Do AI-agent orders remove my IP-based fraud controls?
No — they make them more important. Under ACP the merchant remains the merchant of record and analyzes payment and risk signals on its own stack; the agent only relays buyer and payment data. Because the agent obscures the original device and network, your server-side IP, ASN, connection-type and risk-score checks at the checkout endpoint still run as for any web checkout, and they become a primary line of defense rather than a backstop.
Is it legal to block AI agents from buying on my store?
It depends on authorization. Distinguish an agent your customer authorized to buy, which you generally want to allow, from an agent scraping or purchasing against your terms of service, which you can refuse. The federal BOTS Act covers only event tickets, so retail scalping is not federally illegal in the US, though the proposed Stop Grinch Bots Act would extend enforcement. A March 2026 federal court reportedly enjoined an agent browser from purchasing on a major retailer — an early signal that retailers can lawfully gate unauthorized agent purchasing. Verified-agent gating plus clear terms of service is the defensible posture.
