# We graded every x402 endpoint with Cloudflare's agent-readiness scanner

> **TL;DR:** Cloudflare quietly shipped [isitagentready.com](https://isitagentready.com) — a public scanner that grades any URL for AI-agent readiness on a 0–5 scale across 19 checks (robots.txt, MCP server cards, A2A agent cards, x402, OAuth resource metadata, etc.). We ran it against **every active host on the x402 catalog: 549 unique hosts covering 25,950 endpoints, 4-hour polite sweep, zero failures.** 53.3% of endpoints are at level 0 — no agent-readiness signals beyond what a 1995 web server gives you. Only **6 hosts (1.5%)** have x402 itself detected by the scanner. But the most interesting finding was the long tail: **five small experimental hosts hit level 5 — the highest grade — beating Cloudflare's own site** (which is at level 4). Most of the catalog is bare metal; the people building real agent-native services are not the providers carrying the volume.

---

## Why this matters

x402 is the agent-payment standard. The whole point is **agents** — not humans — discovering and paying API endpoints autonomously. So whatever signals AI agents and their tooling actually use to decide "is this site ready for me to talk to" matters more than dashboard polish or documentation prose.

Cloudflare's `isitagentready.com` is the first public, independent, multi-vendor benchmark for that. It checks 19 things across five categories:

| Category | Checks |
|---|---|
| Discoverability | `robots.txt`, sitemap, Link headers |
| Content Accessibility | Markdown content negotiation |
| Bot Access Control | AI-bot rules in robots.txt, Content Signals, Web Bot Auth |
| Protocol Discovery | MCP Server Card, A2A Agent Card, Agent Skills, WebMCP, API Catalog, OAuth discovery, OAuth Protected Resource |
| **Commerce** | **x402**, MPP, UCP, ACP, AP2 |

The 5-level grade collapses into:

- **Level 0** — Basic web presence missing
- **Level 1** — Has robots.txt + sitemap (basic web)
- **Level 2** — Bot-Aware (Content Signals declared)
- **Level 3** — Agent-Readable (Markdown content negotiation works)
- **Level 4** — Agent-Integrated (MCP / Link headers / A2A)
- **Level 5** — Agent-Native (full OAuth Protected Resource + Agent Skills + API Catalog)

Cloudflare's own site is at **level 4**. `x402station.io` started this scan at level 4 too — and finished at **level 5** after we shipped the four remaining well-known files (more on the climb at the end). Five other hosts in the catalog were already at level 5 when we surveyed.

## Methodology

We pulled every `is_active = true` endpoint from our database (25,950 rows across 573 services), deduped by hostname (the scanner looks at host-level artifacts: `/robots.txt`, `/.well-known/*`, MCP/A2A cards), and POSTed each unique host's first endpoint URL to `https://isitagentready.com/api/scan`.

Cloudflare rate-limits the scan API at concurrency ≥ 4 — a faster sweep against 549 hosts trips the 50-scan window and returns HTTP 429 for everyone after that. So we ran a polite sweep: **`--concurrency=1 --delay-ms=20000`, ~3.85 hours wall-clock for 549 hosts, 0 failures, 0 retries needed.** This dataset covers **100% of the active catalog**, no extrapolation.

The scan script is part of the x402station backend (private repo); the data is fully reproducible against public sources. Pull the active endpoint list from the [agentic.market](https://agentic.market) catalog API, dedup by hostname, POST each unique host's first endpoint URL to `https://isitagentready.com/api/scan`, and persist the response. The raw `results.jsonl` is written incrementally, so a SIGINT never loses what was already scanned. Drop us a note via the dev.to comments or [GitHub Issues](https://github.com/sF1nX/x402station-mcp/issues) if you want a copy of our run's JSONL.

## Results

### Level distribution

| Level | Hosts | Hosts % | Endpoints reached | Endpoints % |
|---|---:|---:|---:|---:|
| **0** — Basic web missing | 323 | **58.8%** | 13,830 | **53.3%** |
| **1** — Basic web | 52 | 9.5% | 11,245 | **43.3%** |
| **2** — Bot-Aware | 8 | 1.5% | 19 | 0.1% |
| 3 — Agent-Readable | 1 | 0.2% | 5 | 0.0% |
| 4 — Agent-Integrated | 3 | 0.5% | 5 | 0.0% |
| **5 — Agent-Native** | **5** | 0.9% | 7 | 0.0% |
| _unknown_ (CF couldn't classify) | 157 | 28.6% | 839 | 3.2% |

The bulk story is the same as the partial sweep: **96.6% of the catalog by endpoint reach** (level 0 + level 1) emits no agent-readiness signals beyond robots.txt + a sitemap. The big providers are bare metal.

But the long-tail surprise is the 9 hosts that scored level 3 or higher — and especially the **5 hosts at level 5**, the highest grade Cloudflare's scanner can issue. Those five exceed Cloudflare's own grade.

### isCommerce: false for 70.7% of hosts

Cloudflare gates the commerce-category checks (x402, MPP, UCP, ACP, AP2) behind a heuristic called `isCommerce`. With full coverage we now see:

- **70.7%** `false` (388 hosts) — scanner thinks they're not commerce
- **28.6%** `unknown` (157 hosts) — scanner couldn't classify (mostly DNS/auth/edge errors)
- **0.7%** `true` (4 hosts) — scanner confirms commerce

The four hosts Cloudflare's heuristic recognises as commerce: `x402.valoria.net`, `brapi.dev`, `fleawinder.com`, `x402.clashofcoins.com` (the last is also at level 5). Note that the heuristic is independent of the dedicated `x402` check — most x402-detected hosts still fail `isCommerce`.

### Per-check pass rates

What signals do x402 hosts actually emit? (Sorted by % of hosts passing each check. Denominator is 392 — the hosts where the scanner returned a check breakdown; the 157 `unknown` hosts have no checks to grade.)

| Check | % passing | Notes |
|---|---:|---|
| `robotsTxt` | **34.2%** (134/392) | The most-passed check, but still only a third |
| `robotsTxtAiRules` | 34.2% | Wildcard `User-agent: *` rules count — very low bar |
| `contentSignals` | 17.3% | One line in robots.txt (`Content-Signal: ai-train=no, …`) |
| `sitemap` | 17.1% | |
| `mcpServerCard` | 7.4% | A static JSON file at `/.well-known/mcp/server-card.json` |
| `markdownNegotiation` | 5.9% | One Next.js middleware |
| `linkHeaders` | 3.8% | Two lines of nginx config |
| `agentSkills` | 3.1% | |
| `apiCatalog` | 2.3% | RFC 9727 draft, almost nobody implements yet |
| `oauthDiscovery` | 2.0% | |
| `oauthProtectedResource` | 1.5% | |
| `webMcp` | 1.5% | |
| **`x402`** | **1.5%** (6 of 392) | The check this catalog most needs to pass |
| `a2aAgentCard` | 1.0% | |
| `ucp` | 1.0% | |
| `acp` | 0.8% | |
| `webBotAuth` | 0.5% | |
| `mpp` | 0.0% | Zero adoption in this catalog |
| `ap2` | 0.0% | Zero adoption |

The full-coverage rate for `x402` (1.5%) is dramatically lower than the partial-sweep estimate (5%) because the long-tail hosts — small projects, bridge endpoints, single-route services — almost never declare anything. Only **6 of 549 hosts in the entire active catalog** have x402 detected by the scanner today.

## Five small projects beating Cloudflare's own grade

The headline finding of the full sweep is the level-5 cluster. These are the five hosts Cloudflare's scanner ranks as **fully agent-native** — the highest grade — exceeding Cloudflare's own site:

| Host | Endpoints | x402 detected | isCommerce |
|---|---:|---|---|
| `trader.rigoblock.com` | 2 | yes | false |
| `x402.clashofcoins.com` | 2 | yes | **true** |
| `fastsend.dev` | 1 | yes | false |
| `kenoodl.com` | 1 | no | false |
| `picoads.xyz` | 1 | no | false |

None of them carries large endpoint volume — these are 1-2-route services, hand-built. But every one passes the full Cloudflare check matrix: OAuth Protected Resource Metadata, Agent Skills, API Catalog, the works. `x402.clashofcoins.com` is the most complete signal: level 5 + x402 detected + `isCommerce: true` simultaneously — the prototype "what good looks like" host.

Two more hosts hit **level 4** (Agent-Integrated): `dlf-gateway.agentlabel.workers.dev`, `socialintel.dev`. One host at **level 3**: `x402.naiko.io`. `x402station.io` started this session at level 4 and reached **level 5** after the well-known files shipped; see the climbing section below.

Compare those nine hosts at level ≥ 3 against the nine biggest providers by endpoint reach:

| Top provider | Endpoints | % of catalog | Level |
|---|---:|---:|---:|
| `lowpaymentfee.com` | 10,659 | 41.1% | 0 |
| `orbisapi.com` | 9,882 | 38.1% | 1 |
| `freepik.x402.paysponge.com` | 466 | 1.8% | 0 |
| `x402.aurelianflo.com` | 339 | 1.3% | 0 |
| `bridge.eruditepay.com` | 284 | 1.1% | 0 |
| `x402.quicknode.com` | 136 | 0.5% | 0 |

Eighty percent of the catalog by endpoint reach lives at hosts that pass two or fewer of the 19 checks. The hands-on builders running 1-2 endpoints implement everything; the big providers running thousands implement almost nothing. **Single-provider concentration is also single-readiness concentration**, and the concentration is at the bottom.

## The big finding: Bazaar registration is high-probability, not strictly required

Of the 6 hosts where Cloudflare detected `x402`, **5 are registered** in Coinbase's [Bazaar discovery API](https://api.cdp.coinbase.com/platform/v2/x402/discovery/resources):

- `x402.quicknode.com` — Bazaar-registered
- `trader.rigoblock.com` — Bazaar-registered (also level 5)
- `x402.clashofcoins.com` — Bazaar-registered (also level 5, also `isCommerce: true`)
- `fastsend.dev` — Bazaar-registered (also level 5)
- `x402.quiknode-cf.pro` — Bazaar-registered

The exception is **`bridge.eruditepay.com`** (284 endpoints, level 0) — Cloudflare's scanner says `x402 payment protocol detected on /api/v1`, but the host is **not** in Bazaar discovery. So Cloudflare also probes URLs directly to detect x402 rather than relying only on a lookup against Bazaar. That said, the ratio is striking: 5 of 6 detections come through the registered path, and registration takes one self-pay to bootstrap.

The high-probability path:

1. Add the `bazaar` extension to your 402 response payload (one helper call: [`declareDiscoveryExtension` from `@x402/extensions/bazaar`](https://github.com/x402-foundation/x402/blob/main/specs/extensions/bazaar.md))
2. Self-pay $0.001 once through the CDP facilitator (or wait for organic traffic — anyone paying you with the extension echoed in the payload triggers indexing)
3. Within ~30 seconds, your endpoint shows up in CDP's discovery API
4. Cloudflare's scanner then sees you when it queries `https://api.cdp.coinbase.com/platform/v2/x402/discovery/resources`

Cost to fix: zero engineering effort if your facilitator is already CDP, plus $0.001 per route to bootstrap.

## How `x402station.io` climbed from level 1 to level 5

The agent-discovery layer that lifted us:

**Level 1 → 4** (took an afternoon earlier this month):

- **`robots.txt`** with `Content-Signal: ai-train=no, search=yes, ai-input=yes` → unlocks level 2
- **`/.well-known/mcp/server-card.json`** describing the npm-installable MCP adapter → unlocks `mcpServerCard`
- **`/llms.txt` served as `text/markdown`** with `Accept: text/markdown` content negotiation on `/` → unlocks level 3 + `markdownNegotiation`
- **`Link` headers on `/`** pointing at the manifest, OpenAPI spec, agent-card, MCP card → unlocks `linkHeaders`
- **`bazaar` extension on every paid route** + one $0.001 self-pay each → unlocks `x402` (until we crossed the `isCommerce` boundary, anyway — see note)

**Level 4 → 5** (shipped right after the survey closed, in the same session as this article):

- **`/.well-known/api-catalog`** (RFC 9727 linkset+json) — one document linking every machine-readable artefact (OpenAPI, agent-card, MCP card, manifest, llms.txt, blog) → unlocks `apiCatalog`
- **`/.well-known/oauth-protected-resource`** (RFC 9728) — minimal stub with empty arrays. We don't speak OAuth (payment is x402), and an honest empty-array body declares that fact in machine-readable form. Same pattern every level-5 host in the catalog uses → unlocks `oauthProtectedResource`
- **`/.well-known/oauth-authorization-server`** (RFC 8414) — same empty-array stub → unlocks `oauthDiscovery`
- **`supportedInterfaces[]` field added to A2A agent card** so scanners can pivot to the new well-known files inline → strengthens `a2aAgentCard`

Total spend across both phases: ~$0.014 in self-pay USDC across four paid routes (preflight + forensics + decoys + watch). Engineering: a focused afternoon for level 4, another two hours for the level-5 climb.
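
A self-check for three of the files listed above, runnable offline against copies of your own documents. This is an added example, not x402station's code; the origin `https://api.example.test` and every sample document are constructed, and the https-only rule for catalog links is the example's own policy.

```ts
// Added example (not x402station code); samples are constructed for a hypothetical origin.
type Finding = { check: string; ok: boolean; detail: string };

// Collect every `Content-Signal:` directive of a robots.txt as { signal: "yes" | "no" }.
function parseContentSignals(robots: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const raw of robots.split(/\r?\n/)) {
    const m = /^\s*content-signal\s*:(.*)$/i.exec(raw.replace(/#.*$/, ""));
    if (!m) continue;
    for (const pair of m[1].split(",")) {
      const kv = pair.split("=");
      const k = (kv[0] || "").trim().toLowerCase();
      const v = (kv[1] || "").trim().toLowerCase();
      if (k && (v === "yes" || v === "no")) out[k] = v;
    }
  }
  return out;
}

// RFC 9728: `resource` is required and must be identical to the identifier the
// well-known URL was built from; an empty `authorization_servers` array is fine.
function checkProtectedResource(origin: string, doc: any): Finding {
  const ok = !!doc && doc.resource === origin &&
    (doc.authorization_servers === undefined || Array.isArray(doc.authorization_servers));
  return { check: "oauthProtectedResource", ok, detail: ok ? "resource matches origin" : "resource != " + origin };
}

// RFC 9727: linkset+json body, { linkset: [{ anchor, <rel>: [{ href }] }] }.
// Requiring https link targets is this example's own policy, not the RFC's.
function checkApiCatalog(contentType: string, doc: any): Finding {
  const hrefs: string[] = [];
  const sets: any[] = doc && Array.isArray(doc.linkset) ? doc.linkset : [];
  for (const ctx of sets) {
    for (const rel of Object.keys(ctx)) {
      if (rel === "anchor" || !Array.isArray(ctx[rel])) continue;
      for (const target of ctx[rel]) hrefs.push(String(target && target.href));
    }
  }
  const typed = /^application\/linkset\+json\b/i.test(contentType);
  const insecure = hrefs.filter((h) => !/^https:\/\//i.test(h));
  const ok = typed && hrefs.length > 0 && insecure.length === 0;
  return { check: "apiCatalog", ok, detail: typed ? hrefs.length + " target(s), " + insecure.length + " non-https" : "wrong content type" };
}

const ORIGIN = "https://api.example.test"; // hypothetical origin
const ROBOTS = "User-agent: *\nAllow: /\nContent-Signal: ai-train=no, search=yes, ai-input=yes\n";
const PRM_STUB = { resource: ORIGIN, authorization_servers: [] };
const PRM_COPIED = { resource: "https://other.example.test", authorization_servers: [] };
const CATALOG = { linkset: [{ anchor: ORIGIN + "/", "service-desc": [{ href: ORIGIN + "/openapi.json" }] }] };
console.log(parseContentSignals(ROBOTS), checkProtectedResource(ORIGIN, PRM_COPIED), checkApiCatalog("application/linkset+json", CATALOG));
```

`PRM_COPIED` fails because its `resource` names another host, which is the mistake to watch for when an empty-array stub is copied from someone else's site.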

A subtle gotcha: when `x402station.io` flipped to level 5, the dedicated `x402` check turned `neutral` instead of `pass` — Cloudflare's `isCommerce` heuristic returns `false` for our domain (we look like documentation/dashboard, not a checkout), so the scanner doesn't bother running commerce-category checks against us. Only **4 hosts in the entire catalog** trip `isCommerce=true` (`x402.valoria.net`, `brapi.dev`, `fleawinder.com`, `x402.clashofcoins.com`). That's the next dial to turn, but it doesn't move you past level 5 — it just lights up extra commerce-category checks.

## Four things this scan made obvious

1. **Agents using Cloudflare's readiness scan as a filter would skip 96.6%+ of the x402 catalog by endpoint reach.** They'd never even see most x402 endpoints. There's a real distribution gap to close there for any project willing to ship the missing signals.
2. **Decoys cluster at level 0.** Every $1000+ endpoint we previously flagged as a [Questflow-style honeypot](https://dev.to/afx/we-probed-20338-x402-endpoints-161-are-agent-honeypots-4c3n) sits at level 0 with zero signals. They aren't trying to be findable — they want random scrapers to stumble in and lose money. A pre-flight call catches them.
3. **Single-provider concentration is single-readiness concentration.** `lowpaymentfee.com` (10,659 endpoints, 41.1% of the catalog) is at level 0. `orbisapi.com` (9,882 endpoints, 38.1%) is at level 1. Together those two hosts are 79% of the catalog and pass none of the agent-protocol checks.
4. **Hands-on small builders out-build the big providers.** The five level-5 hosts run 1–2 endpoints each. The top two providers run 20,000+ between them, at level 0/1. Volume and agent-readiness are anti-correlated in this catalog.
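
Finding 2 relies on a pre-flight call to catch $1000+ decoys; the same ceiling can also be enforced locally, on the 402 response itself, before an agent signs anything. This is an added example, not code from x402station or the x402 project: it assumes the x402 v1 body shape (`accepts[]` entries with `maxAmountRequired` as a decimal string in atomic units), and the asset address, hosts and cap are constructed.

```ts
// Added example (not x402station code). Assumes the x402 v1 body shape
// { accepts: [{ network, asset, maxAmountRequired, resource }] }, amounts as
// decimal strings in atomic units (USDC has 6 decimals, so $0.001 = "1000").
type Quote = { network: string; asset: string; maxAmountRequired: string; resource: string };
type Policy = { capAtomic: string; networks: string[]; assets: string[] };
type Verdict = { pay: boolean; reasons: string[]; quote?: Quote };

// Compare non-negative decimal strings without Number: a quote can exceed 2^53.
function cmpDecimal(a: string, b: string): number {
  const x = a.replace(/^0+(?=\d)/, "");
  const y = b.replace(/^0+(?=\d)/, "");
  if (x.length !== y.length) return x.length < y.length ? -1 : 1;
  return x < y ? -1 : x > y ? 1 : 0;
}

// Every reason this quote violates the policy; an empty list means payable.
function judgeQuote(q: Quote, requestedUrl: string, p: Policy): string[] {
  if (!q || typeof q !== "object") return ["quote is not an object"];
  const reasons: string[] = [];
  const amount = q.maxAmountRequired;
  if (typeof amount !== "string" || !/^\d+$/.test(amount)) reasons.push("amount is not a decimal integer");
  else if (cmpDecimal(amount, p.capAtomic) > 0) reasons.push("amount " + amount + " exceeds cap");
  if (p.networks.indexOf(q.network) < 0) reasons.push("network not allowed");
  if (p.assets.indexOf(String(q.asset).toLowerCase()) < 0) reasons.push("asset not allowed");
  let sameHost = false;
  try { sameHost = new URL(q.resource).host === new URL(requestedUrl).host; } catch { /* malformed URL */ }
  if (!sameHost) reasons.push("resource host differs from requested host");
  return reasons;
}

// Choose the cheapest quote that passes; otherwise refuse and report why.
function spendGuard(body: any, requestedUrl: string, p: Policy): Verdict {
  const accepts: Quote[] = body && Array.isArray(body.accepts) ? body.accepts : [];
  const reasons: string[] = accepts.length ? [] : ["402 body has no accepts[]"];
  let best: Quote | undefined;
  for (const q of accepts) {
    const why = judgeQuote(q, requestedUrl, p);
    if (why.length) reasons.push(why.join("; "));
    else if (!best || cmpDecimal(q.maxAmountRequired, best.maxAmountRequired) < 0) best = q;
  }
  return best ? { pay: true, reasons: [], quote: best } : { pay: false, reasons };
}

// Constructed samples: placeholder asset address, hypothetical hosts.
const ASSET_PLACEHOLDER = "0x1111111111111111111111111111111111111111";
const POLICY: Policy = { capAtomic: "5000", networks: ["base"], assets: [ASSET_PLACEHOLDER] };
const FAIR = { accepts: [{ network: "base", asset: ASSET_PLACEHOLDER, maxAmountRequired: "1000", resource: "https://api.example.test/v1/quote" }] };
const DECOY = { accepts: [{ network: "base", asset: ASSET_PLACEHOLDER, maxAmountRequired: "1000000000", resource: "https://decoy.example.test/v1/quote" }] };
console.log(spendGuard(FAIR, FAIR.accepts[0].resource, POLICY), spendGuard(DECOY, DECOY.accepts[0].resource, POLICY));
```

The cap is compared as a decimal string because a hostile quote can carry a value far beyond what a JavaScript number represents exactly.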

## Reproduce this

The data is reproducible from public sources — no x402station internals needed. Rough recipe (any language):

```ts
import { appendFileSync } from "node:fs";

// 1. Pull the active endpoint list from agentic.market's public catalog API
const catalog = await fetch("https://api.agentic.market/services").then((r) => r.json());

// 2. Dedup endpoints by hostname (Cloudflare's scanner is per-host)
const hosts = new Map<string, string>(); // host → first endpoint URL
for (const svc of catalog.services) {
  for (const ep of svc.endpoints ?? []) {
    const u = new URL(ep.url);
    if (!hosts.has(u.host)) hosts.set(u.host, ep.url);
  }
}

// 3. POST each host's URL to Cloudflare's scanner. Polite mode: concurrency=1,
//    delay=20s — full catalog in ~4 hours, zero 429s. Concurrency=4 trips
//    Cloudflare's ~50-scan rate limit and leaves the long tail unscanned.
for (const [host, url] of hosts) {
  const res = await fetch("https://isitagentready.com/api/scan", {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ url }),
  });
  // Append one JSON line per host so an interrupted run keeps what was already scanned
  const result = await res.json().catch(() => null); // error responses may not be JSON
  appendFileSync("results.jsonl", JSON.stringify({ host, status: res.status, result }) + "\n");
  await new Promise((r) => setTimeout(r, 20_000));
}
```

Drop us a note via the dev.to comments or [GitHub Issues](https://github.com/sF1nX/x402station-mcp/issues) if you want a copy of our 549-host JSONL — we're happy to share for verification.

## If you're an agent operator paying x402 endpoints

Our oracle will tell you whether a URL is safe **before** you spend USDC on it, and alert you when state changes:

```bash
npx -y x402station-mcp
```

Current MCP package status: `x402station-mcp` v1.0.10 exposes ten tools, all priced in USDC on Base mainnet via x402 where payment is required:

- `preflight` ($0.001) — `{ok, warnings[], metadata}` for any URL
- `forensics` ($0.001) — 7-day uptime, latency p50/p90/p99, decoy probability
- `catalog_decoys` ($0.005) — full known-bad list as one JSON, cache locally
- `alternatives` ($0.005) — healthy sibling endpoints for a blocked URL
- `whats_new` ($0.001) — catalog diff polling since a timestamp
- `watch_subscribe` ($0.01 = 30-day subscription + 100 prepaid alerts) — HMAC-signed webhooks when an endpoint goes zombie / decoy / dead
- `buy_credits` ($0.50) — 1000 prepaid preflights at the discounted rate
- `watch_status` (free, secret-gated) — current state + recent alert deliveries
- `watch_unsubscribe` (free, secret-gated)
- `credits_status` (free, id-gated) — prepaid credit balance + expiry

[npm](https://www.npmjs.com/package/x402station-mcp) · [client SDK source](https://github.com/sF1nX/x402station-mcp) · [live oracle](https://x402station.io)

---

_Earlier piece: [We probed 20,338 x402 endpoints. 161 are agent honeypots.](https://dev.to/afx/we-probed-20338-x402-endpoints-161-are-agent-honeypots-4c3n)_
