Well-Known URIs for CMP
The Commerce Mesh Protocol uses the .well-known URI path for standardized discovery of feeds and protocol information. This follows RFC 8615 for well-known URIs.
Standard Feed Location
All CMP participants should host their product feed index at:
https://yourdomain.com/.well-known/cmp/feed.json
Benefits of Standardized Location
- Automatic Discovery: AI agents and discovery nodes can find feeds without configuration
- Simplified Integration: No need to register feed URLs separately
- Consistent Experience: All CMP participants use the same pattern
- Protocol Compliance: Follows web standards for metadata discovery
Directory Structure
/.well-known/
└── cmp/
    ├── feed.json       # Main feed index
    ├── feed-001.json   # Shard file 1
    ├── feed-002.json   # Shard file 2
    └── ...             # Additional shards
Implementation Examples
Apache Configuration
# Ensure .well-known is accessible
<Directory /var/www/html/.well-known>
    Require all granted
    Options -Indexes
</Directory>
# Set correct content type
<FilesMatch "\.json$">
    Header set Content-Type "application/json"
</FilesMatch>
Nginx Configuration
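location /.well-known/cmp/ {
    alias /var/www/cmp/;
    # Set the type with default_type: add_header would append a second
    # Content-Type header instead of replacing the one nginx already sends
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
}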
Express.js Route
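const express = require('express');
const app = express();

// Serve the local feeds directory at the well-known path
app.use('/.well-known/cmp', express.static('feeds', {
  setHeaders: (res, path) => {
    res.setHeader('Content-Type', 'application/json');
    res.setHeader('Cache-Control', 'public, max-age=3600');
  }
}));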
CORS Configuration
Enable CORS for your .well-known/cmp/ directory to allow cross-origin access:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD
Access-Control-Max-Age: 86400
Discovery Process
Here's how discovery nodes find your feed:
- Domain Resolution: Start with your registered domain (e.g., example.com)
- Well-Known Path: Append /.well-known/cmp/feed.json
- HTTPS Request: Make secure request to https://example.com/.well-known/cmp/feed.json
- Parse Index: Read feed index to find shard locations
- Fetch Shards: Download individual shard files as needed
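The discovery steps above, seen from the discovery node's side, as an added example (not part of the CMP documentation or any CMP implementation). It builds the index URL from a bare domain and only follows shard locations that stay on the same HTTPS origin inside /.well-known/cmp/. The index field names "shards" and "url" are assumptions, since this page does not define the index schema, and the sample index is constructed.

```javascript
// Added example, not CMP project code. Assumption: the index lists shards as
// { "shards": [{ "url": "..." }] }; these field names are hypothetical.
const CMP_PREFIX = '/.well-known/cmp/';
const DOMAIN_RE = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$/i;

// Steps 1-3: build the HTTPS index URL from a bare registered domain.
function feedIndexUrl(domain) {
  // Accept a hostname only: no scheme, port, path, userinfo or IP literal.
  if (typeof domain !== 'string' || !DOMAIN_RE.test(domain)) {
    throw new Error('not a bare domain name: ' + JSON.stringify(domain));
  }
  return new URL(CMP_PREFIX + 'feed.json', 'https://' + domain.toLowerCase()).href;
}

// Steps 4-5: resolve shard locations from the parsed index, keeping only
// those on the same HTTPS origin and inside /.well-known/cmp/.
function resolveShardUrls(indexUrl, index) {
  const base = new URL(indexUrl);
  const accepted = [];
  const rejected = [];
  const shards = Array.isArray(index && index.shards) ? index.shards : [];
  for (const shard of shards) {
    const raw = String(shard && shard.url);
    let u = null;
    try { u = new URL(raw, base); } catch (e) { /* unparsable: rejected below */ }
    const ok = u !== null && u.protocol === 'https:' && u.origin === base.origin &&
      u.pathname.startsWith(CMP_PREFIX) && u.pathname.endsWith('.json');
    if (ok) accepted.push(u.href); else rejected.push(raw);
  }
  return { accepted, rejected };
}

// Constructed sample index (illustrative values only).
const sampleIndex = { shards: [
  { url: 'feed-001.json' },                                    // relative, in directory
  { url: '/.well-known/cmp/feed-002.json' },                   // absolute path, in directory
  { url: 'http://example.com/.well-known/cmp/feed-003.json' }, // scheme downgrade
  { url: 'https://other.example.net/feed-004.json' },          // different origin
  { url: '../../admin/feed-005.json' },                        // leaves the CMP directory
] };

console.log(resolveShardUrls(feedIndexUrl('example.com'), sampleIndex));
```

Rejected entries are worth logging on the discovery node, since an index that points outside its own directory or origin is either misconfigured or not trustworthy.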
Testing Your Setup
Verify your feed is accessible:
# Test feed accessibility
curl -I https://yourdomain.com/.well-known/cmp/feed.json
# Check CORS headers
curl -H "Origin: https://example.com" \
     -I https://yourdomain.com/.well-known/cmp/feed.json
# Validate JSON
curl https://yourdomain.com/.well-known/cmp/feed.json | jq .
Security Considerations
- HTTPS Only: Always serve feeds over HTTPS
- No Authentication: Well-known feeds should be publicly accessible
- Rate Limiting: Implement reasonable rate limits to prevent abuse
- Cache Headers: Use appropriate cache headers to reduce load
Future Extensions
The .well-known/cmp/ directory may be extended with:
- manifest.json: Protocol capabilities and versions
- trust.json: Trust signals and certifications
- webhooks.json: Real-time update endpoints