Probe is a compliance auditing tool for AI agent APIs. It runs 44 automated checks (including 10 Voice AI checks) and scores your API 0–100. 100% free.
No account needed. Paste any https:// URL on the homepage and click Run free audit.
Every audit runs these checks against your API:
| Check | What it tests | Max score |
|---|---|---|
| SSL / TLS | Valid HTTPS certificate, TLS version, HTTP/2-3 detection, certificate expiry warning | 10 |
| x402 discovery | /.well-known/x402.json with accepts/facilitator, v1/v2 detection, multi-chain support | 10 |
| Agent identity | /agent.json per A2A protocol | 10 |
| llms.txt | Machine-readable LLM instructions file | 5 |
| security.txt | /.well-known/security.txt contact info | 5 |
| CORS | Access-Control-Allow-Origin headers for agent access | 5 |
| Security headers | Critical: X-Content-Type-Options, HSTS, CSP. Bonus: X-Frame-Options, Referrer-Policy | 10 |
| Response time | Average latency across 3 requests (<500ms = pass) | 10 |
| MCP server | Model Context Protocol endpoint discovery | 5 |
| API endpoints | Scans common paths (/v1/, /api/, /health, etc.) | 10 |
| Error handling | Proper 404 responses for unknown paths | 5 |
| x402 compliance | 402 Payment Required responses on protected endpoints | 5 |
| Rate limiting | X-RateLimit headers present | 5 |
| Documentation | /docs or /api-docs endpoint exists | 5 |
| robots.txt AI crawlers | AI crawler directives (GPTBot, ClaudeBot, Google-Extended, etc.) | 10 |
| AI plugin manifest | /.well-known/ai-plugin.json for ChatGPT/LLM integration | 5 |
| OpenAPI spec | Machine-readable OpenAPI/Swagger specification with paths, auth, servers | 10 |
| Privacy / GDPR | Privacy policy page or GDPR data deletion endpoint | 10 |
| Status / Health | Health check or status page for uptime monitoring | 5 |
| EU AI Act disclosure | Model card, AI disclosure, or risk classification endpoint | 10 |
| Travel Rule (FATF) | VASP disclosure, TRISA/TRP/OpenVASP endpoint, threshold declaration | 10 |
| A2A Protocol (Google) | A2A-compliant Agent Card with skills, capabilities, auth, streaming | 10 |
| Wallet trust | Multi-chain wallet verification (EVM, Solana, Bitcoin) via x402 v1/v2 payTo | 5 |
| DNSSEC | DNS Security Extensions — validates DNSSEC is enabled on the domain | 5 |
| CAA Records | Certificate Authority Authorization — restricts which CAs can issue certificates | 5 |
| DMARC / SPF | Email authentication — DMARC policy, SPF record, and enforcement level | 5 |
| ERC-8004 on-chain | Verifies wallet is registered in ERC-8004 Identity Registry on-chain | 10 |
| Auth maturity | Authentication method detection — OAuth 2.0, OIDC validation, Bearer, API key, x402 payment gate | 10 |
| API versioning | Checks for versioned paths (/v1/), Sunset & Deprecation lifecycle headers (RFC 8594) | 5 |
| Human oversight | EU AI Act Art. 14 — human oversight / kill switch endpoint detection | 10 |
| Terms of Service | Checks for /terms, /.well-known/terms-of-service, or equivalent ToS endpoint | 5 |
| Content-Type | Validates correct application/json Content-Type with charset on API responses | 5 |
| OASF compliance | Open Agent Service Framework compliance | 5 |
| MCP transport security | MCP transport-level security validation | 5 |
Based on EU AI Act Article 50, FCC/TCPA rules, and GDPR requirements:
| Check | What it tests | Max score |
|---|---|---|
| Voice AI disclosure | Dedicated voice agent disclosure endpoint (EU AI Act Art. 50 — AI-generated calls must be declared) | 10 |
| Synthetic voice labeling | Declaration of synthetic voice usage and labeling (EU AI Act Art. 50) | 10 |
| Synthetic content labeling | Machine-readable label marking audio as AI-generated (Art. 50 requirement) | 5 |
| Emotion recognition | Declaration of emotion recognition opt-in/out (EU AI Act bans unconsented emotion detection) | 5 |
| Call recording consent | Recording disclosure and consent mechanism (GDPR, two-party consent states) | 10 |
| FCC/TCPA compliance | Compliance declaration for US AI voice calls (FCC AI robocall ban, TCPA) | 10 |
| Operator identity | Operator name, email, and verification status (Art. 50 requires identifiable deployer) | 10 |
| Opt-out & human escalation | Opt-out mechanism and transfer to human agent (FCC + EU AI Act requirement) | 10 |
| Voice call policy | Calling hours, frequency limits, recording disclosure, call purpose | 10 |
| Caller identity declaration | Who is calling, AI status declaration, callback number for recipients | 10 |
| Grade | Score range | Meaning |
|---|---|---|
| A+ | 95–100 | Fully compliant, production-ready |
| A | 85–94 | Minor issues only |
| B | 70–84 | Some improvements needed |
| C | 50–69 | Significant gaps |
| D / F | 0–49 | Major compliance failures |
Add a live badge to your README showing your latest Probe score:
[](https://getprobe.xyz/report/YOUR-REPORT-ID)
The badge updates automatically after each audit.
Run a full audit on a URL.
```bash
curl -X POST https://getprobe.xyz/api/audit \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-api.xyz"}'
```
Example response:
```json
{
  "id": "probe_abc123",
  "url": "https://your-api.xyz",
  "score": 85,
  "grade": "A",
  "label": "Listing-ready · 2 non-critical fixes remaining",
  "timestamp": "2026-03-27T14:30:00Z",
  "engine": { "version": "probe@4.0.0", "checkSet": "default-44@2026-04-02" },
  "summary": { "pass": 11, "warn": 1, "fail": 2 },
  "checks": [
    { "id": "ssl", "name": "SSL / TLS", "status": "pass", "value": "Valid HTTPS", "score": 10, "maxScore": 10 },
    { "id": "x402", "name": "x402 discovery", "status": "pass", "value": "/.well-known/x402.json found", "score": 10, "maxScore": 10 },
    { "id": "sec_headers", "name": "Security headers", "status": "pass", "value": "4/5 — critical headers OK", "score": 8, "maxScore": 10 },
    { "id": "cors", "name": "CORS headers", "status": "pass", "value": "origin: * (open)", "score": 5, "maxScore": 5 },
    { "id": "mcp", "name": "MCP server", "status": "fail", "value": "Not found", "score": 0, "maxScore": 5 },
    { "id": "rate_limit", "name": "Rate limiting", "status": "warn", "value": "No rate-limit headers", "score": 3, "maxScore": 5 }
  ],
  "findings": [
    {
      "severity": "critical", "title": "MCP server failed", "description": "Not found",
      "check_id": "mcp",
      "fix": { "title": "Expose MCP endpoint", "steps": ["Implement MCP server at /mcp..."], "code": "// ...", "docs": "https://modelcontextprotocol.io" }
    },
    {
      "severity": "warning", "title": "Rate limiting needs attention", "description": "No rate-limit headers",
      "check_id": "rate_limit",
      "fix": { "title": "Add rate limiting", "steps": ["Set rate limits per IP..."], "code": "// ...", "docs": "https://www.npmjs.com/package/express-rate-limit" }
    }
  ]
}
```
Retrieve a saved audit report by its ID. Returns the same format as the audit response above.
Returns an SVG badge with the latest score for a domain. Add &style=seal for a larger trust seal. Use in your README or site footer:
```html
<img src="https://getprobe.xyz/api/badge?domain=your-api.xyz" alt="Probe" />
<!-- Footer trust seal -->
<a href="https://getprobe.xyz/report/YOUR-ID">
  <img src="https://getprobe.xyz/api/badge?domain=your-api.xyz&style=seal" alt="Verified by Probe" width="120">
</a>
```
Returns the top 20 audited APIs sorted by score.
```json
[
  { "domain": "api.example.com", "score": 92, "grade": "A", "reportId": "probe_abc123", "auditedAt": "2026-03-27T14:30:00Z" },
  ...
]
```
Every audit response includes engine metadata for traceability:
```json
"engine": {
  "version": "probe@4.0.0",
  "checkSet": "default-44@2026-04-02"
}
```
Each check also includes maxScore so you can see exactly how points are distributed (e.g. "score": 8, "maxScore": 10).
Fail your build if your API drops below a compliance threshold. Here's a GitHub Actions example:
```yaml
# .github/workflows/probe-check.yml
name: Probe Compliance Check
on: [push, pull_request]
jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - name: Run Probe audit
        env:
          # Pass the variable through the environment instead of expanding it inside the script
          API_URL: ${{ vars.API_URL }}
        run: |
          # Fail closed: stop if curl or jq fails instead of comparing empty values
          set -euo pipefail
          REPORT=$(curl -sS --fail -X POST https://getprobe.xyz/api/audit \
            -H "Content-Type: application/json" \
            -d "$(jq -n --arg url "$API_URL" '{url: $url}')")
          # jq -e exits non-zero when a field is missing or null
          SCORE=$(echo "$REPORT" | jq -er '.score')
          GRADE=$(echo "$REPORT" | jq -er '.grade')
          FAILURES=$(echo "$REPORT" | jq -er '.summary.fail')
          echo "Probe score: $SCORE ($GRADE)"
          echo "Critical failures: $FAILURES"
          if [ "$FAILURES" -gt 0 ]; then
            echo "::error::Probe found $FAILURES critical failures"
            echo "$REPORT" | jq '.findings[] | select(.severity=="critical")'
            exit 1
          fi
          if [ "$SCORE" -lt 70 ]; then
            echo "::error::Probe score $SCORE is below threshold (70)"
            exit 1
          fi
          echo "✅ Probe compliance check passed ($GRADE)"
```
Set API_URL in your repository variables (Settings → Variables). Adjust the score threshold to match your compliance requirements.
The same pattern works for GitLab CI, CircleCI, or any CI system that can run curl + jq.
For simpler integration, use the dedicated /api/ci endpoint, which returns 200 if above threshold, 422 if below:

```bash
curl -s -X POST https://getprobe.xyz/api/ci \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-api.com", "threshold": 70}'
# Response includes: passed (bool), score, grade, checks, badge_url
```
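A stricter gate than a single score threshold, as an added example (not Probe's own code): it fails closed on a malformed report, requires named checks to pass regardless of the total, and can pin `engine.checkSet`. The `gate` and `lost_points` helpers are hypothetical, and `SAMPLE_REPORT` is constructed from the audit response format documented on this page.

```python
import json

# Constructed sample: the documented example response, trimmed to the fields used here.
SAMPLE_REPORT = json.loads("""
{
  "score": 85, "grade": "A",
  "engine": {"version": "probe@4.0.0", "checkSet": "default-44@2026-04-02"},
  "checks": [
    {"id": "ssl", "status": "pass", "score": 10, "maxScore": 10},
    {"id": "x402", "status": "pass", "score": 10, "maxScore": 10},
    {"id": "sec_headers", "status": "pass", "score": 8, "maxScore": 10},
    {"id": "cors", "status": "pass", "score": 5, "maxScore": 5},
    {"id": "mcp", "status": "fail", "score": 0, "maxScore": 5},
    {"id": "rate_limit", "status": "warn", "score": 3, "maxScore": 5}
  ]
}
""")

def gate(report, min_score=70, required=("ssl", "sec_headers"), pinned_check_set=None):
    """Return policy violations; an empty list means the build may pass."""
    score = report.get("score")
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
        # An error body or truncated response must fail the build, not skip the check.
        return ["report has no usable score"]
    problems = []
    if score < min_score:
        problems.append(f"score {score} is below threshold {min_score}")
    check_set = report.get("engine", {}).get("checkSet")
    if pinned_check_set is not None and check_set != pinned_check_set:
        # A changed check set means scores are no longer comparable run to run.
        problems.append(f"checkSet is {check_set}, expected {pinned_check_set}")
    by_id = {c["id"]: c for c in report.get("checks", [])}
    for check_id in required:
        status = by_id.get(check_id, {}).get("status", "missing")
        if status != "pass":
            problems.append(f"required check {check_id} is {status}")
    return problems

def lost_points(report):
    """(check id, points lost) pairs, largest loss first, ties ordered by id."""
    rows = [(c["id"], c["maxScore"] - c["score"]) for c in report.get("checks", [])]
    return sorted((r for r in rows if r[1] > 0), key=lambda r: (-r[1], r[0]))
```

With the sample report, the default gate passes at score 85, while adding `mcp` to `required` fails the build even though the total is above the threshold.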
Add a live compliance badge to your README:

The badge updates hourly and shows your latest audit grade and score. Colors: green (A/A-), amber (B/C), red (D/F).
Probe is free and unlimited for normal use. We reserve the right to rate-limit abusive automated traffic to protect the service. The API returns 429 Too Many Requests in those cases.
Private, internal, and metadata URLs (127.0.0.0/8, 10.0.0.0/8, 169.254.x.x, etc.) are blocked for security.
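One way a service that fetches user-supplied URLs can enforce this kind of block, as an added example and not Probe's implementation: resolve the name, then reject the target if any resolved address is loopback, private, link-local, or otherwise non-global. The names `check_target`, `is_public`, `system_resolver`, and `sample_resolver` are hypothetical, and `SAMPLE_DNS` is constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed name-to-address table so the example runs offline.
SAMPLE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "meta.example.test": ["169.254.169.254"],
    "mixed.example.test": ["93.184.216.34", "10.0.0.5"],
}

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [host])  # unknown hosts are treated as IP literals

def system_resolver(host, port):
    """Every address the name maps to, A and AAAA."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def is_public(addr):
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return ip.is_global and not ip.is_multicast

def check_target(url, resolver=system_resolver):
    """Return (allowed, reason, addresses to connect to)."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port or 443
    except ValueError:
        return False, "unparseable URL", []
    if parts.scheme != "https":
        return False, "scheme must be https", []
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials", []
    try:
        addrs = resolver(host, port)
    except OSError:
        return False, "resolution failed", []
    blocked = [a for a in addrs if not is_public(a)]
    if blocked or not addrs:
        # One bad record rejects the name, so a mixed answer cannot slip through.
        return False, "non-public address: " + ", ".join(blocked), []
    return True, "ok", addrs
```

Connect to one of the returned addresses rather than resolving the name a second time, and apply the same check to every redirect hop.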
Probe is 100% free — unlimited audits, all 44 checks, autofix, shareable reports. No account, no credit card. We're building the largest AI agent compliance dataset and want maximum adoption.
Need enterprise features (SSO, SLA, DPA, dedicated support)? Contact us.
Probe only makes standard HTTP requests to publicly accessible endpoints. We never:
Audit metadata (scores, check results) is stored for report sharing and the leaderboard. Infrastructure runs on Cloudflare (edge functions) and Supabase (PostgreSQL). All data is encrypted in transit (TLS) and at rest.
Need a DPA or security addendum? Contact us at contact@getprobe.xyz.
AI agent API monitoring is the practice of continuously checking your agent's API endpoints for compliance with emerging standards (x402, ERC-8004), security best practices (CORS, HSTS, CSP), and operational health (response times, error handling). As AI agents increasingly connect to payments, identity, and onchain services, monitoring ensures your endpoints stay compliant and secure.
Traditional uptime monitors check if your server responds with HTTP 200. Probe goes deeper: it validates x402 payment disclosures, ERC-8004 agent identity, security headers, llms.txt, MCP endpoints, rate limiting, and 8 more compliance-specific checks. It's purpose-built for the AI agent ecosystem.
Probe runs 44 automated checks: 34 core checks (SSL, x402, agent identity, security headers, MCP, EU AI Act, and more) plus 10 Voice AI compliance checks (synthetic voice disclosure, operator identity, call recording consent, FCC/TCPA, opt-out mechanisms). See the full list above.
Yes — Probe is 100% free. Unlimited audits, all 44 checks including 10 Voice AI compliance checks, autofix, and shareable reports. No account, no credit card, no limits.
No. Probe only makes read-only GET/HEAD requests to your public endpoints. We never store request bodies, response payloads, or API keys. Only audit metadata (score, check results, timestamps) is persisted.
x402 is an emerging standard for AI agent trust and payment disclosure. Probe auto-discovers your /.well-known/x402.json file and validates that it contains correct accepts, facilitator, and pricing metadata.
Yes. Probe works with any publicly accessible HTTPS endpoint. It's optimized for AI agent APIs but can audit any REST API for security headers, CORS, response times, and documentation.
Probe is a technical compliance monitoring tool, not a law firm. Our checks support your compliance work but do not constitute legal advice. For regulatory questions about EU AI Act, MiCA, or other frameworks, consult qualified legal counsel.