We graded every x402 endpoint with Cloudflare's agent-readiness scanner

TL;DR: Cloudflare quietly shipped isitagentready.com — a public scanner that grades any URL for AI-agent readiness on a 0–5 scale across 19 checks (robots.txt, MCP server cards, A2A agent cards, x402, OAuth resource metadata, etc.). We ran it against every active host on the x402 catalog: 549 unique hosts covering 25,950 endpoints, 4-hour polite sweep, zero failures. 53.3% of endpoints are at level 0 — no agent-readiness signals beyond what a 1995 web server gives you. Only 6 hosts (1.5%) have x402 itself detected by the scanner. But the most interesting finding was the long tail: five small experimental hosts hit level 5 — the highest grade — beating Cloudflare's own site (which is at level 4). Most of the catalog is bare metal; the people building real agent-native services are not the providers carrying the volume.

Why this matters

x402 is the agent-payment standard. The whole point is agents — not humans — discovering and paying API endpoints autonomously. So whatever signals AI agents and their tooling actually use to decide "is this site ready for me to talk to" matters more than dashboard polish or documentation prose.

Cloudflare's isitagentready.com is the first public, independent, multi-vendor benchmark for that. It checks 19 things across five categories:

The 5-level grade collapses into:

• Level 0 — Basic web presence missing
• Level 1 — Has robots.txt + sitemap (basic web)
• Level 2 — Bot-Aware (Content Signals declared)
• Level 3 — Agent-Readable (Markdown content negotiation works)
• Level 4 — Agent-Integrated (MCP / Link headers / A2A)
• Level 5 — Agent-Native (full OAuth Protected Resource + Agent Skills + API Catalog)

Cloudflare's own site is at level 4. x402station.io started this scan at level 4 too — and finished at level 5 after we shipped the four remaining well-known files (more on the climb at the end). Five other hosts in the catalog were already at level 5 when we surveyed.

Methodology

We pulled every is_active = true endpoint from our database (25,950 rows across 573 services), deduped by hostname (the scanner looks at host-level artifacts: /robots.txt, /.well-known/*, MCP/A2A cards), and POSTed each unique host's first endpoint URL to https://isitagentready.com/api/scan.

Cloudflare rate-limits the scan API at concurrency ≥ 4 — a faster sweep against 549 hosts trips the 50-scan window and returns HTTP 429 for everyone after that. So we ran a polite sweep: --concurrency=1 --delay-ms=20000, ~3.85 hours wall-clock for 549 hosts, 0 failures, 0 retries needed. This dataset covers 100% of the active catalog, no extrapolation.

The scan script is part of the x402station backend (private repo); the data is fully reproducible against public sources. Pull the active endpoint list from the agentic.market catalog API, dedup by hostname, POST each unique host's first endpoint URL to https://isitagentready.com/api/scan, persist the response. Raw results.jsonl written incrementally so a SIGINT never loses what was already scanned. Drop us a note via the dev.to comments or GitHub Issues if you want a copy of our run's JSONL.

Results

Level distribution

The bulk story is the same as the partial sweep: 96.6% of the catalog by endpoint reach (level 0 + level 1) emits no agent-readiness signals beyond robots.txt + a sitemap. The big providers are bare metal.

But the long-tail surprise is the 9 hosts that scored level 3 or higher — and especially the 5 hosts at level 5, the highest grade Cloudflare's scanner can issue. Those five exceed Cloudflare's own grade.

isCommerce: false for 70.7% of hosts

Cloudflare gates the commerce-category checks (x402, MPP, UCP, ACP, AP2) behind a heuristic called isCommerce. With full coverage we now see:

• 70.7% false (388 hosts) — scanner thinks they're not commerce
• 28.6% unknown (157 hosts) — scanner couldn't classify (mostly DNS/auth/edge errors)
• 0.7% true (4 hosts) — scanner confirms commerce

The four hosts Cloudflare's heuristic recognises as commerce: x402.valoria.net, brapi.dev, fleawinder.com, x402.clashofcoins.com (the last is also at level 5). Note that the heuristic is independent of the dedicated x402 check — most x402-detected hosts still fail isCommerce.

Per-check pass rates

What signals do x402 hosts actually emit? (Sorted by % of hosts passing each check. Denominator is 392 — the hosts where the scanner returned a check breakdown; the 157 unknown hosts have no checks to grade.)

The full-coverage rate for x402 (1.5%) is dramatically lower than the partial-sweep estimate (5%) because the long-tail hosts — small projects, bridge endpoints, single-route services — almost never declare anything. Only 6 of 549 hosts in the entire active catalog have x402 detected by the scanner today.

Five small projects beating Cloudflare's own grade

The headline finding of the full sweep is the level-5 cluster. These are the five hosts Cloudflare's scanner ranks as fully agent-native — the highest grade — exceeding Cloudflare's own site:

None of them carries large endpoint volume — these are 1-2-route services, hand-built. But every one passes the full Cloudflare check matrix: OAuth Protected Resource Metadata, Agent Skills, API Catalog, the works. x402.clashofcoins.com is the most complete signal: level 5 + x402 detected + isCommerce: true simultaneously — the prototype "what good looks like" host.

Two more hosts hit level 4 (Agent-Integrated): dlf-gateway.agentlabel.workers.dev, socialintel.dev. One host at level 3: x402.naiko.io. x402station.io started this session at level 4 and reached level 5 after the well-known files shipped; see the climbing section below.

Compare those nine hosts at level ≥ 3 against the nine biggest providers by endpoint reach:

Eighty percent of the catalog by endpoint reach lives at hosts that pass two or fewer of the 19 checks. The hands-on builders running 1-2 endpoints implement everything; the big providers running thousands implement almost nothing. Single-provider concentration is also single-readiness concentration, and the concentration is at the bottom.

The big finding: Bazaar registration is high-probability, not strictly required

Of the 6 hosts where Cloudflare detected x402, 5 are registered in Coinbase's Bazaar discovery API:

• x402.quicknode.com — Bazaar-registered
• trader.rigoblock.com — Bazaar-registered (also level 5)
• x402.clashofcoins.com — Bazaar-registered (also level 5, also isCommerce: true)
• fastsend.dev — Bazaar-registered (also level 5)
• x402.quiknode-cf.pro — Bazaar-registered

The exception is bridge.eruditepay.com (284 endpoints, level 0) — Cloudflare's scanner says x402 payment protocol detected on /api/v1, but the host is not in Bazaar discovery. So Cloudflare also probes URLs directly to detect x402, not just lookup against Bazaar. That said, the ratio is striking: 5 of 6 detections come through the registered path, and registration takes one self-pay to bootstrap.

The high-probability path:

1. Add the bazaar extension to your 402 response payload (one helper call: declareDiscoveryExtension from @x402/extensions/bazaar)
2. Self-pay $0.001 once through CDP facilitator (or wait for organic traffic — anyone paying you with the extension echoed in payload triggers indexing)
3. Within ~30 seconds, your endpoint shows up in CDP's discovery API
4. Cloudflare's scanner then sees you when it queries https://api.cdp.coinbase.com/platform/v2/x402/discovery/resources

Cost to fix: zero engineering effort if your facilitator is already CDP, plus $0.001 per route to bootstrap.

How x402station.io climbed from level 1 to level 5

The agent-discovery layer that lifted us:

Level 1 → 4 (took an afternoon earlier this month):

• robots.txt with Content-Signal: ai-train=no, search=yes, ai-input=yes → unlocks level 2
• /.well-known/mcp/server-card.json describing the npm-installable MCP adapter → unlocks mcpServerCard
• /llms.txt served as text/markdown with Accept: text/markdown content negotiation on / → unlocks level 3 + markdownNegotiation
• Link headers on / pointing at the manifest, OpenAPI spec, agent-card, MCP card → unlocks linkHeaders
• bazaar extension on every paid route + one $0.001 self-pay each → unlocks x402 (until we crossed the isCommerce boundary, anyway — see note)

Level 4 → 5 (shipped right after the survey closed, in the same session as this article):

• /.well-known/api-catalog (RFC 9727 linkset+json) — one document linking every machine-readable artefact (OpenAPI, agent-card, MCP card, manifest, llms.txt, blog) → unlocks apiCatalog
• /.well-known/oauth-protected-resource (RFC 9728) — minimal stub with empty arrays. We don't speak OAuth (payment is x402), and an honest empty-array body declares that fact in machine-readable form. Same pattern every level-5 host in the catalog uses → unlocks oauthProtectedResource
• /.well-known/oauth-authorization-server (RFC 8414) — same empty-array stub → unlocks oauthDiscovery
• supportedInterfaces[] field added to A2A agent card so scanners can pivot to the new well-known files inline → strengthens a2aAgentCard

Total spend across both phases: ~$0.014 in self-pay USDC across four paid routes (preflight + forensics + decoys + watch). Engineering: a focused afternoon for level 4, another two hours for the level-5 climb.

A subtle gotcha: when x402station.io flipped to level 5, the dedicated x402 check turned neutral instead of pass — Cloudflare's isCommerce heuristic returns false for our domain (we look like documentation/dashboard, not a checkout), so the scanner doesn't bother running commerce-category checks against us. Only 4 hosts in the entire catalog trip isCommerce=true (x402.valoria.net, brapi.dev, fleawinder.com, x402.clashofcoins.com). That's the next dial to turn, but it doesn't move you past level 5 — it just lights up extra commerce-category checks.

Four things this scan made obvious

1. Agents using Cloudflare's readiness scan as a filter would skip 96.6%+ of the x402 catalog by endpoint reach. They'd never even see most x402 endpoints. There's a real distribution gap closing there for any project willing to ship the missing signals.
2. Decoys cluster at level 0. Every $1000+ endpoint we previously flagged as a Questflow-style honeypot sits at level 0 with zero signals. They aren't trying to be findable — they want random scrapers to stumble in and lose money. A pre-flight call catches them.
3. Single-provider concentration is single-readiness concentration. lowpaymentfee.com (10,659 endpoints, 41.1% of the catalog) is at level 0. orbisapi.com (9,882 endpoints, 38.1%) is at level 1. Together those two hosts are 79% of the catalog and pass none of the agent-protocol checks.
4. Hands-on small builders out-build the big providers. The five level-5 hosts run 1–2 endpoints each. The top two providers run 20,000+ between them, at level 0/1. Volume and agent-readiness are anti-correlated in this catalog.

Reproduce this

The data is reproducible from public sources — no x402station internals needed. Rough recipe (any language):

// 1. Pull the active endpoint list from agentic.market's public catalog API
const catalog = await fetch("https://api.agentic.market/services").then((r) => r.json());

// 2. Dedup endpoints by hostname (Cloudflare's scanner is per-host)
const hosts = new Map<string, string>(); // host → first endpoint URL
for (const svc of catalog.services) {
  for (const ep of svc.endpoints ?? []) {
    const u = new URL(ep.url);
    if (!hosts.has(u.host)) hosts.set(u.host, ep.url);
  }
}

// 3. POST each host's URL to Cloudflare's scanner. Polite mode: concurrency=1,
//    delay=20s — full catalog in ~4 hours, zero 429s. Concurrency=4 trips
//    Cloudflare's ~50-scan rate limit and leaves the long tail unscanned.
for (const [host, url] of hosts) {
  const res = await fetch("https://isitagentready.com/api/scan", {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ url }),
  });
  // … persist `await res.json()` keyed by host
  await new Promise((r) => setTimeout(r, 20_000));
}

Drop us a note via the dev.to comments or GitHub Issues if you want a copy of our 549-host JSONL — we're happy to share for verification.

If you're an agent operator paying x402 endpoints

Our oracle will tell you whether a URL is safe before you spend USDC on it, and alert you when state changes:

npx -y x402station-mcp

Current MCP package status: x402station-mcp v1.0.10 exposes ten tools, all priced in USDC on Base mainnet via x402 where payment is required:

• preflight ($0.001) — {ok, warnings[], metadata} for any URL
• forensics ($0.001) — 7-day uptime, latency p50/p90/p99, decoy probability
• catalog_decoys ($0.005) — full known-bad list as one JSON, cache locally
• alternatives ($0.005) — healthy sibling endpoints for a blocked URL
• whats_new ($0.001) — catalog diff polling since a timestamp
• watch_subscribe ($0.01 = 30-day subscription + 100 prepaid alerts) — HMAC-signed webhooks when an endpoint goes zombie / decoy / dead
• buy_credits ($0.50) — 1000 prepaid preflights at the discounted rate
• watch_status (free, secret-gated) — current state + recent alert deliveries
• watch_unsubscribe (free, secret-gated)
• credits_status (free, id-gated) — prepaid credit balance + expiry

npm · client SDK source · live oracle

Earlier piece: We probed 20,338 x402 endpoints. 161 are agent honeypots.