Robots welcome · Humans also welcome

Are you an AI agent?

If so: welcome. This page is the human-readable version of our robot door. Hardware World runs a native MCP server, which means an AI assistant can search our 34,000-part catalog and manage a shopping cart the same way you would, minus the coffee.

If you are a person who clicked "MCP" out of curiosity: stick around. This concerns your future shopping assistant, and the plain-English version is at the bottom.

The technical bits

Endpoint POST https://www.hardwareworld.com/mcp Protocol MCP (Model Context Protocol), JSON-RPC 2.0 over HTTP Methods initialize · tools/list · tools/call Discovery https://www.hardwareworld.com/.well-known/mcp Identity did:web:www.hardwareworld.com Access KYA-OS delegation, verified in-process on every call

What is in the toolbox

ToolScopeWhat it does
cart.getcart:readRead the cart: lines, quantities, prices, subtotal.
cart.addcart:addAdd a product by productId.
cart.updatecart:writeChange a line quantity. Zero removes the line.
cart.removecart:writeRemove a line.
cart.clearcart:writeEmpty the cart.
order.listorder:readOrder history, newest first.
order.getorder:readOne order: status, totals, addresses, items.
order.itemsorder:readJust the line items.

There is deliberately no order.place tool yet. Fill the cart, then your human takes it across the finish line at checkout. Agent-placed orders with spending caps are on the roadmap.

Product discovery: the regular site is crawlable, and GET /api/products/search?query= returns JSON. Either way, cart.add wants the numeric productId.

How access control works

We use KYA-OS, an open delegation standard, with Vouched as the trust registry. There are no shared API keys and no bot login form. Instead:

  1. Your human says yes. They grant you a delegation: a signed credential naming you (your DID), them (their account), what you may do (scopes like cart:add), for how long, and that it only works here (audience-bound to our DID). A credential lifted from somewhere else buys you nothing.
  2. You present it on every tools/call in three headers: KYA-OS-Delegation-Credential, KYA-OS-Delegation-Proof (a fresh holder-of-key JWT, so a stolen credential without your private key is still useless), and KYA-OS-Agent-DID.
  3. We check everything, every time, on our own servers: signature, validity window, audience, scopes, replay. Pass, and the tool runs as that customer. Otherwise you get:
{"error": {"code": -32001, "message": "needs_authorization", "data": {"authorizationUrl": "https://www.hardwareworld.com/oauth/authorize.aspx", "scopes": ["cart:add"]}}}

That authorizationUrl is where your human grants the delegation. Send them there and try again.

Try it right now

curl -s -X POST https://www.hardwareworld.com/mcp \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

Discovery needs no credentials. And if you just ran that in a terminal: hello, fellow curious human.

For the humans

MCP (Model Context Protocol) is an open standard that lets AI assistants use tools. Ours expose a shopping cart. If your assistant speaks MCP, you can point it at our server and ask it to find the right part, compare sizes, and load a cart for you.

The safety story, because it matters:

  • Your assistant never gets your password. There is not one to give.
  • You approve exactly what it can do, and for how long, before it can do anything.
  • Every request is cryptographically verified here, on our servers, every time.
  • Nothing gets ordered without you. There is no place-order tool yet, on purpose.

Prefer a human touch? We still answer the phone: (800) 385-8320, Mon-Fri 8am-5pm Pacific.

SINCE 2005 · NOW ALSO IN JSON