# We graded every x402 endpoint with Cloudflare's agent-readiness scanner

> **TL;DR:** Cloudflare quietly shipped [isitagentready.com](https://isitagentready.com) — a public scanner that grades any URL for AI-agent readiness on a 0–5 scale across 19 checks (robots.txt, MCP server cards, A2A agent cards, x402, OAuth resource metadata, etc.). We ran it against **every active host on the x402 catalog: 549 unique hosts covering 25,950 endpoints, 4-hour polite sweep, zero failures.** 53.3% of endpoints are at level 0 — no agent-readiness signals beyond what a 1995 web server gives you. Only **6 hosts (1.5%)** have x402 itself detected by the scanner. But the most interesting finding was the long tail: **five small experimental hosts hit level 5 — the highest grade — beating Cloudflare's own site** (which is at level 4). Most of the catalog is bare metal; the people building real agent-native services are not the providers carrying the volume.

---

## Why this matters

x402 is the agent-payment standard. The whole point is **agents** — not humans — discovering and paying API endpoints autonomously. So whatever signals AI agents and their tooling actually use to decide "is this site ready for me to talk to" matters more than dashboard polish or documentation prose.

Cloudflare's `isitagentready.com` is the first public, independent, multi-vendor benchmark for that. It checks 19 things across five categories:

| Category | Checks |
|---|---|
| Discoverability | `robots.txt`, sitemap, Link headers |
| Content Accessibility | Markdown content negotiation |
| Bot Access Control | AI-bot rules in robots.txt, Content Signals, Web Bot Auth |
| Protocol Discovery | MCP Server Card, A2A Agent Card, Agent Skills, WebMCP, API Catalog, OAuth discovery, OAuth Protected Resource |
| **Commerce** | **x402**, MPP, UCP, ACP, AP2 |

The 5-level grade collapses into:

- **Level 0** — Basic web presence missing
- **Level 1** — Has robots.txt + sitemap (basic web)
- **Level 2** — Bot-Aware (Content Signals declared)
- **Level 3** — Agent-Readable (Markdown content negotiation works)
- **Level 4** — Agent-Integrated (MCP / Link headers / A2A)
- **Level 5** — Agent-Native (full OAuth Protected Resource + Agent Skills + API Catalog)

Cloudflare's own site is at **level 4**. So is `x402station.io` after a focused afternoon's work. As we'll see below, five other hosts in the x402 catalog go further — to level 5.

## Methodology

We pulled every `is_active = true` endpoint from our database (25,950 rows across 573 services), deduped by hostname (the scanner looks at host-level artifacts: `/robots.txt`, `/.well-known/*`, MCP/A2A cards), and POSTed each unique host's first endpoint URL to `https://isitagentready.com/api/scan`.

Cloudflare rate-limits the scan API at concurrency ≥ 4 — a faster sweep against 549 hosts trips the 50-scan window and returns HTTP 429 for everyone after that. So we ran a polite sweep: **`--concurrency=1 --delay-ms=20000`, ~3.85 hours wall-clock for 549 hosts, 0 failures, 0 retries needed.** This dataset covers **100% of the active catalog**, no extrapolation.

[Code: `scripts/cloudflare-scan-catalog.ts`](https://github.com/sF1nX/x402station/blob/main/scripts/cloudflare-scan-catalog.ts) · raw `data/cloudflare-scans/<run-id>/results.jsonl` written incrementally so a SIGINT never loses what was already scanned.

## Results

### Level distribution

| Level | Hosts | Hosts % | Endpoints reached | Endpoints % |
|---|---:|---:|---:|---:|
| **0** — Basic web missing | 323 | **58.8%** | 13,830 | **53.3%** |
| **1** — Basic web | 52 | 9.5% | 11,245 | **43.3%** |
| **2** — Bot-Aware | 8 | 1.5% | 19 | 0.1% |
| 3 — Agent-Readable | 1 | 0.2% | 5 | 0.0% |
| 4 — Agent-Integrated | 3 | 0.5% | 5 | 0.0% |
| **5 — Agent-Native** | **5** | 0.9% | 7 | 0.0% |
| _unknown_ (CF couldn't classify) | 157 | 28.6% | 839 | 3.2% |

The bulk story is the same as the partial sweep: **96.6% of the catalog by endpoint reach** (level 0 + level 1) emits no agent-readiness signals beyond robots.txt + a sitemap. The big providers are bare metal.

But the long-tail surprise is the 9 hosts that scored level 3 or higher — and especially the **5 hosts at level 5**, the highest grade Cloudflare's scanner can issue. Those five exceed Cloudflare's own grade.
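The host dedupe from the methodology and the two denominators in the table above (hosts vs. endpoint reach), as an added example that is not the project's `cloudflare-scan-catalog.ts`. The `host` and `level` field names on scan rows are assumptions; the real `results.jsonl` schema is not shown in this post.

```javascript
// Added example: hostname dedupe plus an endpoint-weighted level tally.
// Scan-row field names (`host`, `level`) are assumed, not taken from results.jsonl.
function dedupeByHost(endpointUrls) {
  const hosts = new Map(); // hostname -> { firstUrl, endpoints }
  for (const raw of endpointUrls) {
    let host;
    try { host = new URL(raw).hostname; } catch { continue; } // skip unparseable rows
    const entry = hosts.get(host) ?? { firstUrl: raw, endpoints: 0 };
    entry.endpoints += 1; // firstUrl stays the first one seen: that is what gets scanned
    hosts.set(host, entry);
  }
  return hosts;
}

function levelDistribution(hosts, scanRows) {
  const levelByHost = new Map(scanRows.map((r) => [r.host, r.level ?? "unknown"]));
  const tally = new Map(); // level -> { hosts, endpoints }
  let totalHosts = 0;
  let totalEndpoints = 0;
  for (const [host, { endpoints }] of hosts) {
    const level = levelByHost.get(host) ?? "unknown"; // never scanned counts as unknown
    const row = tally.get(level) ?? { hosts: 0, endpoints: 0 };
    row.hosts += 1;
    row.endpoints += endpoints;
    tally.set(level, row);
    totalHosts += 1;
    totalEndpoints += endpoints;
  }
  const pct = (n, d) => Math.round((1000 * n) / d) / 10; // one decimal place
  return [...tally].map(([level, r]) => ({
    level,
    ...r,
    hostsPct: pct(r.hosts, totalHosts),
    endpointsPct: pct(r.endpoints, totalEndpoints),
  }));
}
```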

### isCommerce: false for 70.7% of hosts

Cloudflare gates the commerce-category checks (x402, MPP, UCP, ACP, AP2) behind a heuristic called `isCommerce`. With full coverage we now see:

- **70.7%** `false` (388 hosts) — scanner thinks they're not commerce
- **28.6%** `unknown` (157 hosts) — scanner couldn't classify (mostly DNS/auth/edge errors)
- **0.7%** `true` (4 hosts) — scanner confirms commerce

The four hosts Cloudflare's heuristic recognises as commerce: `x402.valoria.net`, `brapi.dev`, `fleawinder.com`, `x402.clashofcoins.com` (the last is also at level 5). Note that the heuristic is independent of the dedicated `x402` check — most x402-detected hosts still fail `isCommerce`.

### Per-check pass rates

What signals do x402 hosts actually emit? (Sorted by % of hosts passing each check. Denominator is 392 — the hosts where the scanner returned a check breakdown; the 157 `unknown` hosts have no checks to grade.)

| Check | % passing | Notes |
|---|---:|---|
| `robotsTxt` | **34.2%** (134/392) | The most-passed check, but still only a third |
| `robotsTxtAiRules` | 34.2% | Wildcard `User-agent: *` rules count — very low bar |
| `contentSignals` | 17.3% | One line in robots.txt (`Content-Signal: ai-train=no, …`) |
| `sitemap` | 17.1% | |
| `mcpServerCard` | 7.4% | A static JSON file at `/.well-known/mcp/server-card.json` |
| `markdownNegotiation` | 5.9% | One Next.js middleware |
| `linkHeaders` | 3.8% | Two lines of nginx config |
| `agentSkills` | 3.1% | |
| `apiCatalog` | 2.3% | RFC 9727 draft, almost nobody implements yet |
| `oauthDiscovery` | 2.0% | |
| `oauthProtectedResource` | 1.5% | |
| `webMcp` | 1.5% | |
| **`x402`** | **1.5%** (6 of 392) | The check this catalog most needs to pass |
| `a2aAgentCard` | 1.0% | |
| `ucp` | 1.0% | |
| `acp` | 0.8% | |
| `webBotAuth` | 0.5% | |
| `mpp` | 0.0% | Zero adoption in this catalog |
| `ap2` | 0.0% | Zero adoption |

The full-coverage rate for `x402` (1.5%) is dramatically lower than the partial-sweep estimate (5%) because the long-tail hosts — small projects, bridge endpoints, single-route services — almost never declare anything. Only **6 of 549 hosts in the entire active catalog** have x402 detected by the scanner today.

## Five small projects beating Cloudflare's own grade

The headline finding of the full sweep is the level-5 cluster. These are the five hosts Cloudflare's scanner ranks as **fully agent-native** — the highest grade — exceeding Cloudflare's own site:

| Host | Endpoints | x402 detected | isCommerce |
|---|---:|---|---|
| `trader.rigoblock.com` | 2 | yes | false |
| `x402.clashofcoins.com` | 2 | yes | **true** |
| `fastsend.dev` | 1 | yes | false |
| `kenoodl.com` | 1 | no | false |
| `picoads.xyz` | 1 | no | false |

None of them carries large endpoint volume — these are 1-2-route services, hand-built. But every one passes the full Cloudflare check matrix: OAuth Protected Resource Metadata, Agent Skills, API Catalog, the works. `x402.clashofcoins.com` is the most complete signal: level 5 + x402 detected + `isCommerce: true` simultaneously — the prototype "what good looks like" host.

Three more hosts hit **level 4** (Agent-Integrated): `x402station.io` (us, 3 endpoints), `dlf-gateway.agentlabel.workers.dev`, `socialintel.dev`. One host at **level 3**: `x402.naiko.io`.

Compare those nine hosts at level ≥ 3 against the nine biggest providers by endpoint reach:

| Top provider | Endpoints | % of catalog | Level |
|---|---:|---:|---:|
| `lowpaymentfee.com` | 10,659 | 41.1% | 0 |
| `orbisapi.com` | 9,882 | 38.1% | 1 |
| `freepik.x402.paysponge.com` | 466 | 1.8% | 0 |
| `x402.aurelianflo.com` | 339 | 1.3% | 0 |
| `bridge.eruditepay.com` | 284 | 1.1% | 0 |
| `x402.quicknode.com` | 136 | 0.5% | 0 |

Eighty percent of the catalog by endpoint reach lives at hosts that pass two or fewer of the 19 checks. The hands-on builders running 1-2 endpoints implement everything; the big providers running thousands implement almost nothing. **Single-provider concentration is also single-readiness concentration**, and the concentration is at the bottom.

## The big finding: Bazaar registration is high-probability, not strictly required

Of the 6 hosts where Cloudflare detected `x402`, **5 are registered** in Coinbase's [Bazaar discovery API](https://api.cdp.coinbase.com/platform/v2/x402/discovery/resources):

- `x402.quicknode.com` — Bazaar-registered
- `trader.rigoblock.com` — Bazaar-registered (also level 5)
- `x402.clashofcoins.com` — Bazaar-registered (also level 5, also `isCommerce: true`)
- `fastsend.dev` — Bazaar-registered (also level 5)
- `x402.quiknode-cf.pro` — Bazaar-registered

The exception is **`bridge.eruditepay.com`** (284 endpoints, level 0) — Cloudflare's scanner says `x402 payment protocol detected on /api/v1`, but the host is **not** in Bazaar discovery. So Cloudflare also probes URLs directly to detect x402, rather than only looking hosts up in Bazaar. That said, the ratio is striking: 5 of 6 detections come through the registered path, and registration takes one self-pay to bootstrap.

The high-probability path:

1. Add the `bazaar` extension to your 402 response payload (one helper call: [`declareDiscoveryExtension` from `@x402/extensions/bazaar`](https://github.com/x402-foundation/x402/blob/main/specs/extensions/bazaar.md))
2. Self-pay $0.001 once through the CDP facilitator (or wait for organic traffic — anyone paying you with the extension echoed in the payload triggers indexing)
3. Within ~30 seconds, your endpoint shows up in CDP's discovery API
4. Cloudflare's scanner then sees you when it queries `https://api.cdp.coinbase.com/platform/v2/x402/discovery/resources`

Cost to fix: zero engineering effort if your facilitator is already CDP, plus $0.001 per route to bootstrap.

## How `x402station.io` landed at level 4

The agent-discovery layer that lifted us from level 1 to level 4:

- **`robots.txt`** with `Content-Signal: ai-train=no, search=yes, ai-input=yes` → unlocks level 2
- **`/.well-known/mcp/server-card.json`** describing the npm-installable MCP adapter → unlocks `mcpServerCard`
- **`/llms.txt` served as `text/markdown`** with `Accept: text/markdown` content negotiation on `/` → unlocks level 3 + `markdownNegotiation`
- **`Link` headers on `/`** pointing at the manifest, OpenAPI spec, agent-card, MCP card → unlocks `linkHeaders`
- **`bazaar` extension on every paid route** + one $0.001 self-pay each → unlocks `x402`

Total engineering: an afternoon if you know what you're doing. Total spend: ~$0.014 in self-pay USDC across four routes (preflight + forensics + decoys + watch).
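A sketch of the `robots.txt`, markdown-negotiation and `Link` header pieces from the list above, written as pure response functions; this is an added example, not x402station's own code. The `/openapi.json` path and every `rel` value are assumptions, and this post does not document which relations the scanner credits.

```javascript
// Added example. The Content-Signal line, /llms.txt and the MCP card path come
// from the article; /openapi.json and all rel values are assumptions.
const ROBOTS_TXT =
  "User-agent: *\nAllow: /\nContent-Signal: ai-train=no, search=yes, ai-input=yes\n";

const LINK_HEADER = [
  '</.well-known/mcp/server-card.json>; rel="describedby"; type="application/json"',
  '</openapi.json>; rel="service-desc"; type="application/json"', // assumed path
  '</llms.txt>; rel="alternate"; type="text/markdown"',
].join(", ");

// Parse an Accept header into { "type/subtype": q }, with q defaulting to 1.
function parseAccept(header) {
  const prefs = {};
  for (const part of (header || "").split(",")) {
    const [type, ...params] = part.toLowerCase().split(";").map((s) => s.trim());
    if (!type) continue;
    const qParam = params.find((p) => p.startsWith("q="));
    const q = qParam ? Number(qParam.slice(2)) : 1;
    prefs[type] = Number.isFinite(q) ? q : 0; // malformed q is treated as "not acceptable"
  }
  return prefs;
}

// Markdown only when explicitly requested and ranked at least as high as HTML;
// a bare */* keeps getting HTML.
function wantsMarkdown(acceptHeader) {
  const prefs = parseAccept(acceptHeader);
  const md = prefs["text/markdown"] ?? 0;
  const html = prefs["text/html"] ?? 0;
  return md > 0 && md >= html;
}

function respond(path, acceptHeader) {
  if (path === "/robots.txt") {
    return { status: 200, headers: { "Content-Type": "text/plain; charset=utf-8" }, body: ROBOTS_TXT };
  }
  if (path !== "/") return { status: 404, headers: {}, body: "" };
  const md = wantsMarkdown(acceptHeader);
  return {
    status: 200,
    headers: {
      "Content-Type": md ? "text/markdown; charset=utf-8" : "text/html; charset=utf-8",
      Vary: "Accept", // without this a shared cache can serve the markdown variant to browsers
      Link: LINK_HEADER,
    },
    body: md ? "# x402station\n" : "<!doctype html><title>x402station</title>", // constructed bodies
  };
}
```

The `Vary: Accept` header is the part most often missed: any CDN or reverse proxy in front of `/` keys its cache on the URL alone unless told otherwise.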

The level-5 gap (full RFC 9727 API Catalog + OAuth Protected Resource Metadata + Agent Skills index) is real engineering — the five hosts above shipped it, we haven't yet. Cloudflare's own site doesn't pass those three either. With five x402 services already at level 5, "Cloudflare itself doesn't get there" is no longer a credibility shield.

## Four things this scan made obvious

1. **Agents using Cloudflare's readiness scan as a filter would skip 96.6%+ of the x402 catalog by endpoint reach.** They'd never even see most x402 endpoints. That is a real distribution gap, and any project willing to ship the missing signals can close it.
2. **Decoys cluster at level 0.** Every $1000+ endpoint we previously flagged as a [Questflow-style honeypot](https://dev.to/afx/we-probed-20338-x402-endpoints-161-are-agent-honeypots-4c3n) sits at level 0 with zero signals. They aren't trying to be findable — they want random scrapers to stumble in and lose money. A pre-flight call catches them.
3. **Single-provider concentration is single-readiness concentration.** `lowpaymentfee.com` (10,659 endpoints, 41.1% of the catalog) is at level 0. `orbisapi.com` (9,882 endpoints, 38.1%) is at level 1. Together those two hosts are 79% of the catalog and pass none of the agent-protocol checks.
4. **Hands-on small builders out-build the big providers.** The five level-5 hosts run 1–2 endpoints each. The top two providers run 20,000+ between them, at level 0/1. Volume and agent-readiness are anti-correlated in this catalog.
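For point 2, a client-side budget guard an agent can run on the 402 quote before signing anything; this is an added example, separate from the `preflight` tool described below and not code from this project. Field names assume the x402 v1 payment-requirements shape (`accepts[]`, `maxAmountRequired` in atomic units), and every address and amount is a constructed placeholder.

```javascript
// Added example: local budget guard over a 402 quote before any payment is signed.
// Field names assume the x402 v1 payment-requirements shape; all values are constructed.
const USDC_DECIMALS = 6;

// Convert a decimal USD string such as "0.01" to atomic units without floats.
function toAtomic(usd) {
  const [whole, frac = ""] = usd.split(".");
  const padded = (frac + "0".repeat(USDC_DECIMALS)).slice(0, USDC_DECIMALS);
  return BigInt(whole || "0") * 10n ** BigInt(USDC_DECIMALS) + BigInt(padded);
}

// Return the options that fit the policy; an empty array means "do not pay".
function affordableOptions(paymentRequired, policy) {
  const cap = toAtomic(policy.maxUsd);
  const options = Array.isArray(paymentRequired?.accepts) ? paymentRequired.accepts : [];
  return options.filter((opt) => {
    if (opt.network !== policy.network) return false;
    if (String(opt.asset).toLowerCase() !== policy.asset.toLowerCase()) return false;
    // Only plain non-negative integer strings are accepted as amounts.
    if (typeof opt.maxAmountRequired !== "string" || !/^\d+$/.test(opt.maxAmountRequired)) return false;
    return BigInt(opt.maxAmountRequired) <= cap;
  });
}

// Constructed policy and quotes; the 0x... strings are placeholders, not real addresses.
const POLICY = { maxUsd: "0.01", network: "base", asset: "0xUSDC_PLACEHOLDER" };
const quote = (amount) => ({
  x402Version: 1,
  accepts: [{
    scheme: "exact",
    network: "base",
    asset: "0xUSDC_PLACEHOLDER",
    payTo: "0xPAYEE_PLACEHOLDER",
    maxAmountRequired: amount,
  }],
});
const NORMAL_QUOTE = quote("1000"); // $0.001 at 6 decimals
const DECOY_QUOTE = quote("1000000000"); // $1000 at 6 decimals
```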

## Reproduce this

The script is open-source. Polite mode (recommended; full coverage in ~4 hours):

```bash
git clone https://github.com/sF1nX/x402station.git
cd x402station
bun install
bun run scripts/cloudflare-scan-catalog.ts --concurrency=1 --delay-ms=20000
```

Faster (~40 min) but trips Cloudflare's rate limiter around the 50-scan mark, leaving the long tail unscanned:

```bash
bun run scripts/cloudflare-scan-catalog.ts --concurrency=4
```

Raw results land in `data/cloudflare-scans/<timestamp>/results.jsonl` (one JSON object per host) with the full Cloudflare scan envelope so you can drill into individual checks.

## If you're an agent operator paying x402 endpoints

Our oracle will tell you whether a URL is safe **before** you spend USDC on it, and alert you when state changes:

```bash
npx -y x402station-mcp
```

Six tools wired through MCP, all priced in USDC on Base mainnet via x402:

- `preflight` ($0.001) — `{ok, warnings[], metadata}` for any URL
- `forensics` ($0.001) — 7-day uptime, latency p50/p90/p99, decoy probability
- `catalog_decoys` ($0.005) — full known-bad list as one JSON, cache locally
- `watch_subscribe` ($0.01 = 30-day subscription + 100 prepaid alerts) — HMAC-signed webhooks when an endpoint goes zombie / decoy / dead
- `watch_status` (free, secret-gated) — current state + recent alert deliveries
- `watch_unsubscribe` (free, secret-gated)

[npm](https://www.npmjs.com/package/x402station-mcp) · [source](https://github.com/sF1nX/x402station) · [live](https://x402station.io)

---

_Earlier piece: [We probed 20,338 x402 endpoints. 161 are agent honeypots.](https://dev.to/afx/we-probed-20338-x402-endpoints-161-are-agent-honeypots-4c3n)_
