APIs.io Scores 83 (Level 5 Agent-Native) on the Is Your Site Agent-Ready Scan

APIs.io Scores 83 (Level 5 Agent-Native) on the Is Your Site Agent-Ready Scan

Agent Readiness MCP Agent Skills Discovery Cloudflare

Cloudflare just launched Is Your Site Agent-Ready? — a public scanner that grades a domain against the emerging stack of standards that lets AI agents discover and act on the web. I pointed it at apis.io and the result is 83 out of 100, Level 5 — Agent-Native.

The 83 is interesting on its own. What’s more interesting is which 17 points are missing and why — because the gaps say something about what apis.io is, and what it isn’t trying to be.

The Breakdown

Category Score Status
Discoverability 100 3/3 ✅
Content 100 1/1 ✅
Bot Access Control 100 2/2 ✅
API, Auth, MCP & Skill Discovery 67 4/6 ⚠
Commerce Not applicable

The first three categories are perfect. The fourth — agent-facing discovery — is where the 17 points went.

What’s Passing

Discoverability (3/3)

  • robots.txt with an explicit notice: Indexing, AI inference (RAG/grounding), and training are all explicitly permitted. No ambiguity about how the content is licensed for machine consumption.
  • sitemap.xml present and valid, declared from robots.txt.
  • Link headers advertising api-catalog, agent-skills, mcp-server-card, sitemap, and alternate (Markdown) relations on every page. RFC 8288 done right — an agent can curl -I any URL and find every machine-readable surface without scraping a single HTML page.

Content (1/1)

  • Markdown content negotiation — sending Accept: text/markdown returns clean Markdown instead of styled HTML. Cheaper to feed to a model, no DOM-parsing required, no tag soup. Every page on the network supports this.

Bot Access Control (2/2)

  • AI bot rules present in robots.txt via the wildcard User-agent: * (with the explicit “training permitted” notice above).
  • Cloudflare Content Signals (search=yes, ai-input=yes, ai-train=yes) and the AIPREF Content-Usage draft (search=y, ai-input=y, ai-train=y) — both newer signal formats declared side by side, so whichever standard a crawler implements first, the answer is the same.

API / Auth / MCP / Skill Discovery (4/6)

Four wins here:

  • API Catalog at /.well-known/api-catalog (RFC 9727) — application/linkset+json, 13 federated APIs listed. The agent’s entry point into the whole network.
  • MCP Server Card at /.well-known/mcp/server-card.json — SEP-format card, MCP-clients can discover the server without out-of-band config.
  • Agent Skills index at /.well-known/agent-skills/index.json — currently four skills, including discover-integrations shipped last week. Each skill is downloadable and self-describing.
  • WebMCP — the scanner detected 2 tools registered via navigator.modelContext on the homepage. The same MCP tool surface, made available to in-browser agents without a separate connection.

There’s also a Web Bot Auth directory at /.well-known/http-message-signatures-directory, intentionally empty: apis.io is a public catalog and does not sign outbound traffic, but the directory is published so agents can discover that fact per draft-meunier-web-bot-auth-architecture. The Cloudflare Worker layer (source) observes inbound RFC 9421 web-bot-auth signatures and surfaces them in the x-bot-auth response header.

The Missing 17 Points

Two checks fail:

  • OAuth / OIDC discovery/.well-known/openid-configuration and /.well-known/oauth-authorization-server both return 404.
  • OAuth Protected Resource Metadata/.well-known/oauth-protected-resource returns 404.

These are real gaps in the auth-discovery layer, but they’re partially by design. apis.io itself doesn’t have protected APIs — it’s a public, read-only federated catalog. There’s nothing to authenticate to. Every endpoint is open, indexable, and free.

That said, the catalog describes APIs that do require auth. Right now an agent reading our API catalog has to follow the humanURL for each provider and figure out their auth flow from the docs. We could publish an aggregated discovery directory that lists each indexed provider’s OAuth issuer (where they expose one), so agents can resolve auth metadata in one hop rather than per-provider scraping. That’s the work behind those two missing points — and it’s worth doing.

The Commerce category — x402, MPP, UCP, ACP — was not scored. The catalog has no commerce signals because there’s nothing to sell. The protocols are real and worth tracking, but they don’t apply here.

Why Level 5 Matters

The grading scale on isitagentready.com runs from Level 0 (no signals) through Level 5 (Agent-Native). Level 5 is awarded when a site has:

  1. Discoverable machine-readable surfaces.
  2. Negotiable Markdown content.
  3. Explicit, granular bot-access policy.
  4. At least one of: API Catalog, MCP, Agent Skills.

apis.io clears all four with room to spare. The point of building the catalog this way was always that the network itself should be agent-ready before it asks providers to be. We can’t credibly ask 4,400 API providers to expose RFC 9727 catalogs or AgentSkills indexes if our own front door doesn’t.

What I find genuinely useful about the scanner is that it makes this stack of standards — most of which are months old or still drafts — concrete. RFC 9727, RFC 9728, draft-ietf-aipref-attach, the AgentSkills v0.2.0 schema, Cloudflare Content Signals, web-bot-auth — every one of these landed in 2024–2026. Running a scan that says “you implement four of these and lack two” is a far more legible signal than reading six specs cover-to-cover.

Run It on Your Own Domain

Three minutes, no signup:

https://isitagentready.com/<your-domain>

If you ship an API and you’d like apis.io to reflect your agent-readiness as well as your spec quality, two cheap moves move you up the scale immediately:

  1. Publish /.well-known/api-catalog in application/linkset+json (RFC 9727). One static file lists the APIs you ship.
  2. Add Markdown negotiation — return text/markdown when Accept: text/markdown. Static-site generators do this in ~20 lines of edge config.

We’re tracking which providers in the apis.io network publish each of these surfaces as part of the API Rating system. The signal goes into the composite score, so being agent-ready translates directly into better search ranking on apis.io.

The 17 missing points at apis.io are a backlog, not a verdict. We’ll close most of them in the next quarter — and run the scan again to keep ourselves honest.

← Observability for the Agent Era: 14 Stories From One Week
Incident Response in the Agentic Era: 13 Stories From One Week →