Receive a PunchOutSetupRequest HTTP POST from the procurement system (Ariba, Coupa, etc.) — parse the XML body to extract BuyerCookie, the Extrinsic identity fields, and the BrowserFormPost URL.
Authenticate the buyer using the shared secret in the <Credential> element; look up the buyer's account and contract pricing tier from your internal database.
Return a PunchOutSetupResponse containing a single <StartPage><URL> that encodes a one-time session token — the procurement system will redirect the buyer's browser to this URL.
When the buyer clicks Check Out in your storefront, build a cXML OrderRequest (or PunchOutOrderMessage if your store does not process the order natively) and HTTP POST it to the BrowserFormPost URL captured in step 1.
Validate the response HTTP 200 and a <Response><Status code="200"> element; log the PunchOut session ID for reconciliation when the buyer later submits the purchase order.
Handle the subsequent EDI/cXML 850 Purchase Order that the procurement system sends after internal approval, and acknowledge it with an 855 or cXML OrderConfirmation.
Known gotchas
The cXML spec requires the PayloadID to be globally unique for every document — use a UUID plus your domain (e.g., UUID@yourstore.com); duplicate PayloadIDs will be rejected by strict procurement systems.
The PunchOutSetupRequest operation attribute can be 'create', 'inspect', or 'edit' — you must handle 'edit' by restoring the buyer's existing cart rather than starting a new session.
OCI (Open Catalog Interface) is SAP's proprietary alternative to cXML PunchOut and uses a simpler form-field POST (HOOK_URL) instead of XML; if your buyer uses SAP SRM or early versions of Ariba they may require OCI rather than cXML.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp