TL;DR: Cloudflare quietly shipped isitagentready.com — a public scanner that grades any URL for AI-agent readiness on a 0–5 scale across 19 checks (robots.txt, MCP server cards, A2A agent cards, x402, OAuth resource metadata, etc.). We ran it against every active host on the x402 catalog: 549 unique hosts covering 25,950 endpoints, 4-hour polite sweep, zero failures. 53.3% of endpoints are at level 0 — no agent-readiness signals beyond what a 1995 web server gives you. Only 6 hosts (1.5%) have x402 itself detected by the scanner. But the most interesting finding was the long tail: five small experimental hosts hit level 5 — the highest grade — beating Cloudflare's own site (which is at level 4). Most of the catalog is bare metal; the people building real agent-native services are not the providers carrying the volume.
Why this matters
x402 is the agent-payment standard. The whole point is agents — not humans — discovering and paying API endpoints autonomously. So whatever signals AI agents and their tooling actually use to decide "is this site ready for me to talk to" matters more than dashboard polish or documentation prose.
Cloudflare's isitagentready.com is the first public, independent, multi-vendor benchmark for that. It checks 19 things across five categories:
Category Checks
Discoverability robots.txt, sitemap, Link headers
Content Accessibility Markdown content negotiation
Bot Access Control AI-bot rules in robots.txt, Content Signals, Web Bot Auth
Protocol Discovery MCP Server Card, A2A Agent Card, Agent Skills, WebMCP, API Catalog, OAuth discovery, OAuth Protected Resource
Commerce x402, MPP, UCP, ACP, AP2
The 5-level grade collapses into:
Level 0 — Basic web presence missing
Level 1 — Has robots.txt + sitemap (basic web)
Level 2 — Bot-Aware (Content Signals declared)
Level 3 — Agent-Readable (Markdown content negotiation works)
Level 4 — Agent-Integrated (MCP / Link headers / A2A)
Level 5 — Agent-Native (full OAuth Protected Resource + Agent Skills + API Catalog)
Cloudflare's own site is at level 4. x402station.io started this scan at level 4 too — and finished at level 5 after we shipped the four remaining well-known files (more on the climb at the end). Five other hosts in the catalog were already at level 5 when we surveyed.
Methodology
We pulled every is_active = true endpoint from our database (25,950 rows across 573 services), deduped by hostname (the scanner looks at host-level artifacts: /robots.txt, /.well-known/*, MCP/A2A cards), and POSTed each unique host's first endpoint URL to https://isitagentready.com/api/scan.
Cloudflare rate-limits the scan API at concurrency ≥ 4 — a faster sweep against 549 hosts trips the 50-scan window and returns HTTP 429 for everyone after that. So we ran a polite sweep: --concurrency=1 --delay-ms=20000, ~3.85 hours wall-clock for 549 hosts, 0 failures, 0 retries needed. This dataset covers 100% of the active catalog, no extrapolation.
The scan script is part of the x402station backend (private repo); the data is fully reproducible against public sources. Pull the active endpoint list from the agentic.market catalog API, dedup by hostname, POST each unique host's first endpoint URL to https://isitagentready.com/api/scan, persist the response. Raw results.jsonl written incrementally so a SIGINT never loses what was already scanned. Drop us a note via the dev.to comments or GitHub Issues if you want a copy of our run's JSONL.
Results
Level distribution
Level Hosts Hosts % Endpoints reached Endpoints %
0 — Basic web missing 323 58.8% 13,830 53.3%
1 — Basic web 52 9.5% 11,245 43.3%
2 — Bot-Aware 8 1.5% 19 0.1%
3 — Agent-Readable 1 0.2% 5 0.0%
4 — Agent-Integrated 3 0.5% 5 0.0%
5 — Agent-Native 5 0.9% 7 0.0%
unknown (CF couldn't classify) 157 28.6% 839 3.2%
The bulk story is the same as the partial sweep: 96.6% of the catalog by endpoint reach (level 0 + level 1) emits no agent-readiness signals beyond robots.txt + a sitemap. The big providers are bare metal.
But the long-tail surprise is the 9 hosts that scored level 3 or higher — and especially the 5 hosts at level 5, the highest grade Cloudflare's scanner can issue. Those five exceed Cloudflare's own grade.
isCommerce: false for 70.7% of hosts
Cloudflare gates the commerce-category checks (x402, MPP, UCP, ACP, AP2) behind a heuristic called isCommerce. With full coverage we now see:
70.7% false (388 hosts) — scanner thinks they're not commerce
28.6% unknown (157 hosts) — scanner couldn't classify (mostly DNS/auth/edge errors)
0.7% true (4 hosts) — scanner confirms commerce
The four hosts Cloudflare's heuristic recognises as commerce: x402.valoria.net, brapi.dev, fleawinder.com, x402.clashofcoins.com (the last is also at level 5). Note that the heuristic is independent of the dedicated x402 check — most x402-detected hosts still fail isCommerce.
Per-check pass rates
What signals do x402 hosts actually emit? (Sorted by % of hosts passing each check. Denominator is 392 — the hosts where the scanner returned a check breakdown; the 157 unknown hosts have no checks to grade.)
Check % passing Notes
robotsTxt 34.2% (134/392) The most-passed check, but still only a third
robotsTxtAiRules 34.2% Wildcard User-agent: * rules count — very low bar
contentSignals 17.3% One line in robots.txt (Content-Signal: ai-train=no, …)
sitemap 17.1%
mcpServerCard 7.4% A static JSON file at /.well-known/mcp/server-card.json
markdownNegotiation 5.9% One Next.js middleware
linkHeaders 3.8% Two lines of nginx config
agentSkills 3.1%
apiCatalog 2.3% RFC 9727 draft, almost nobody implements yet
oauthDiscovery 2.0%
oauthProtectedResource 1.5%
webMcp 1.5%
x402 1.5% (6 of 392) The check this catalog most needs to pass
a2aAgentCard 1.0%
ucp 1.0%
acp 0.8%
webBotAuth 0.5%
mpp 0.0% Zero adoption in this catalog
ap2 0.0% Zero adoption
The full-coverage rate for x402 (1.5%) is dramatically lower than the partial-sweep estimate (5%) because the long-tail hosts — small projects, bridge endpoints, single-route services — almost never declare anything. Only 6 of 549 hosts in the entire active catalog have x402 detected by the scanner today.
Five small projects beating Cloudflare's own grade
The headline finding of the full sweep is the level-5 cluster. These are the five hosts Cloudflare's scanner ranks as fully agent-native — the highest grade — exceeding Cloudflare's own site:
Host Endpoints x402 detected isCommerce
trader.rigoblock.com 2 yes false
x402.clashofcoins.com 2 yes true
fastsend.dev 1 yes false
kenoodl.com 1 no false
picoads.xyz 1 no false
None of them carries large endpoint volume — these are 1-2-route services, hand-built. But every one passes the full Cloudflare check matrix: OAuth Protected Resource Metadata, Agent Skills, API Catalog, the works. x402.clashofcoins.com is the most complete signal: level 5 + x402 detected + isCommerce: true simultaneously — the prototype "what good looks like" host.
Three more hosts hit level 4 (Agent-Integrated): x402station.io (us, 3 endpoints), dlf-gateway.agentlabel.workers.dev, socialintel.dev. One host at level 3: x402.naiko.io.
Compare those nine hosts at level ≥ 3 against the nine biggest providers by endpoint reach:
Top provider Endpoints % of catalog Level
lowpaymentfee.com 10,659 41.1% 0
orbisapi.com 9,882 38.1% 1
freepik.x402.paysponge.com 466 1.8% 0
x402.aurelianflo.com 339 1.3% 0
bridge.eruditepay.com 284 1.1% 0
x402.quicknode.com 136 0.5% 0
Eighty percent of the catalog by endpoint reach lives at hosts that pass two or fewer of the 19 checks. The hands-on builders running 1-2 endpoints implement everything; the big providers running thousands implement almost nothing. Single-provider concentration is also single-readiness concentration, and the concentration is at the bottom.
The big finding: Bazaar registration is high-probability, not strictly required
Of the 6 hosts where Cloudflare detected x402, 5 are registered in Coinbase's Bazaar discovery API:
x402.quicknode.com — Bazaar-registered
trader.rigoblock.com — Bazaar-registered (also level 5)
x402.clashofcoins.com — Bazaar-registered (also level 5, also isCommerce: true)
fastsend.dev — Bazaar-registered (also level 5)
x402.quiknode-cf.pro — Bazaar-registered
The exception is bridge.eruditepay.com (284 endpoints, level 0) — Cloudflare's scanner says x402 payment protocol detected on /api/v1, but the host is not in Bazaar discovery. So Cloudflare also probes URLs directly to detect x402, not just lookup against Bazaar. That said, the ratio is striking: 5 of 6 detections come through the registered path, and registration takes one self-pay to bootstrap.
The high-probability path:
Add the bazaar extension to your 402 response payload (one helper call: declareDiscoveryExtension from @x402/extensions/bazaar)
Self-pay $0.001 once through CDP facilitator (or wait for organic traffic — anyone paying you with the extension echoed in payload triggers indexing)
Within ~30 seconds, your endpoint shows up in CDP's discovery API
Cloudflare's scanner then sees you when it queries https://api.cdp.coinbase.com/platform/v2/x402/discovery/resources
Cost to fix: zero engineering effort if your facilitator is already CDP, plus $0.001 per route to bootstrap.
How x402station.io climbed from level 1 to level 5
The agent-discovery layer that lifted us:
Level 1 → 4 (took an afternoon earlier this month):
robots.txt with Content-Signal: ai-train=no, search=yes, ai-input=yes → unlocks level 2
/.well-known/mcp/server-card.json describing the npm-installable MCP adapter → unlocks mcpServerCard
/llms.txt served as text/markdown with Accept: text/markdown content negotiation on / → unlocks level 3 + markdownNegotiation
Link headers on / pointing at the manifest, OpenAPI spec, agent-card, MCP card → unlocks linkHeaders
bazaar extension on every paid route + one $0.001 self-pay each → unlocks x402 (until we crossed the isCommerce boundary, anyway — see note)
Level 4 → 5 (shipped right after the survey closed, in the same session as this article):
/.well-known/api-catalog (RFC 9727 linkset+json) — one document linking every machine-readable artefact (OpenAPI, agent-card, MCP card, manifest, llms.txt, blog) → unlocks apiCatalog
/.well-known/oauth-protected-resource (RFC 9728) — minimal stub with empty arrays. We don't speak OAuth (payment is x402), and an honest empty-array body declares that fact in machine-readable form. Same pattern every level-5 host in the catalog uses → unlocks oauthProtectedResource
/.well-known/oauth-authorization-server (RFC 8414) — same empty-array stub → unlocks oauthDiscovery
supportedInterfaces[] field added to A2A agent card so scanners can pivot to the new well-known files inline → strengthens a2aAgentCard
Total spend across both phases: ~$0.014 in self-pay USDC across four paid routes (preflight + forensics + decoys + watch). Engineering: a focused afternoon for level 4, another two hours for the level-5 climb.
A subtle gotcha: when x402station.io flipped to level 5, the dedicated x402 check turned neutral instead of pass — Cloudflare's isCommerce heuristic returns false for our domain (we look like documentation/dashboard, not a checkout), so the scanner doesn't bother running commerce-category checks against us. Only 4 hosts in the entire catalog trip isCommerce=true (x402.valoria.net, brapi.dev, fleawinder.com, x402.clashofcoins.com). That's the next dial to turn, but it doesn't move you past level 5 — it just lights up extra commerce-category checks.
Four things this scan made obvious
Agents using Cloudflare's readiness scan as a filter would skip 96.6%+ of the x402 catalog by endpoint reach. They'd never even see most x402 endpoints. There's a real distribution gap closing there for any project willing to ship the missing signals.
Decoys cluster at level 0. Every $1000+ endpoint we previously flagged as a Questflow-style honeypot sits at level 0 with zero signals. They aren't trying to be findable — they want random scrapers to stumble in and lose money. A pre-flight call catches them.
Single-provider concentration is single-readiness concentration. lowpaymentfee.com (10,659 endpoints, 41.1% of the catalog) is at level 0. orbisapi.com (9,882 endpoints, 38.1%) is at level 1. Together those two hosts are 79% of the catalog and pass none of the agent-protocol checks.
Hands-on small builders out-build the big providers. The five level-5 hosts run 1–2 endpoints each. The top two providers run 20,000+ between them, at level 0/1. Volume and agent-readiness are anti-correlated in this catalog.
Reproduce this
The data is reproducible from public sources — no x402station internals needed. Rough recipe (any language):
// 1. Pull the active endpoint list from agentic.market's public catalog API
const catalog = await fetch("https://api.agentic.market/services").then((r) => r.json());
// 2. Dedup endpoints by hostname (Cloudflare's scanner is per-host)
const hosts = new Map(); // host → first endpoint URL
for (const svc of catalog.services) {
for (const ep of svc.endpoints ?? []) {
const u = new URL(ep.url);
if (!hosts.has(u.host)) hosts.set(u.host, ep.url);
}
}
// 3. POST each host's URL to Cloudflare's scanner. Polite mode: concurrency=1,
// delay=20s — full catalog in ~4 hours, zero 429s. Concurrency=4 trips
// Cloudflare's ~50-scan rate limit and leaves the long tail unscanned.
for (const [host, url] of hosts) {
const res = await fetch("https://isitagentready.com/api/scan", {
method: "POST",
headers: { "content-type": "application/json" },
body: JSON.stringify({ url }),
});
// … persist await res.json() keyed by host
await new Promise((r) => setTimeout(r, 20_000));
}
Drop us a note via the dev.to comments or GitHub Issues if you want a copy of our 549-host JSONL — we're happy to share for verification.
If you're an agent operator paying x402 endpoints
Our oracle will tell you whether a URL is safe before you spend USDC on it, and alert you when state changes:
npx -y x402station-mcp
Six tools wired through MCP, all priced in USDC on Base mainnet via x402:
preflight ($0.001) — {ok, warnings[], metadata} for any URL
forensics ($0.001) — 7-day uptime, latency p50/p90/p99, decoy probability
catalog_decoys ($0.005) — full known-bad list as one JSON, cache locally
watch_subscribe ($0.01 = 30-day subscription + 100 prepaid alerts) — HMAC-signed webhooks when an endpoint goes zombie / decoy / dead
watch_status (free, secret-gated) — current state + recent alert deliveries
watch_unsubscribe (free, secret-gated)
npm · client SDK source · live oracle
Earlier piece: We probed 20,338 x402 endpoints. 161 are agent honeypots.
Top comments (0)