Probe is a continuous compliance monitoring tool for AI agent APIs. It runs 14 automated checks and scores your API 0–100.
No account needed. Paste any https:// URL on the homepage and click Audit now.
Every audit runs these checks against your API:

| Check | What it tests | Max score |
|---|---|---|
| SSL / TLS | Valid HTTPS certificate | 10 |
| x402 discovery | /.well-known/x402.json with valid accepts/facilitator | 10 |
| Agent identity | /agent.json per A2A protocol | 10 |
| llms.txt | Machine-readable LLM instructions file | 5 |
| security.txt | /.well-known/security.txt contact info | 5 |
| CORS | Access-Control-Allow-Origin headers for agent access | 5 |
| Security headers | X-Content-Type-Options, X-Frame-Options, CSP, HSTS, X-XSS-Protection | 10 |
| Response time | Average latency across 3 requests (<500ms = pass) | 10 |
| MCP server | Model Context Protocol endpoint discovery | 5 |
| API endpoints | Scans common paths (/v1/, /api/, /health, etc.) | 10 |
| Error handling | Proper 404 responses for unknown paths | 5 |
| x402 compliance | 402 Payment Required responses on protected endpoints | 5 |
| Rate limiting | X-RateLimit headers present | 5 |
| Documentation | /docs or /api-docs endpoint exists | 5 |

| Grade | Score range | Meaning |
|---|---|---|
| A+ | 95–100 | Fully compliant, production-ready |
| A | 85–94 | Minor issues only |
| B | 70–84 | Some improvements needed |
| C | 50–69 | Significant gaps |
| D / F | 0–49 | Major compliance failures |
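To check the header-based rows of the checks table (Security headers, CORS, Rate limiting) against your own API before an audit, the following added example inspects a set of response headers offline. It is not Probe's code: the `precheck` function, the sample headers and the rule that any missing header puts the whole check's maximum score at risk are assumptions, since this page does not say how Probe awards partial credit.

```python
# Added example: offline pre-check for the header-based rows of the checks table.
# Assumption: a check is "at risk" if any listed header is missing; the page
# does not document how Probe itself awards partial credit.

# check name -> (max score from the table, required headers, required name prefix)
HEADER_CHECKS = {
    "Security headers": (10, ["x-content-type-options", "x-frame-options",
                              "content-security-policy",
                              "strict-transport-security", "x-xss-protection"], None),
    "CORS": (5, ["access-control-allow-origin"], None),
    "Rate limiting": (5, [], "x-ratelimit"),
}


def precheck(headers):
    """Return {check: {"missing": [...], "max_points_at_risk": int}} for one response.

    `headers` maps response header names to values. Names are compared
    case-insensitively, and headers with empty values count as missing.
    """
    present = {k.strip().lower() for k, v in headers.items() if str(v).strip()}
    report = {}
    for check, (max_score, required, prefix) in HEADER_CHECKS.items():
        missing = [h for h in required if h not in present]
        if prefix and not any(h.startswith(prefix) for h in present):
            missing.append(prefix + "-*")
        report[check] = {
            "missing": missing,
            "max_points_at_risk": max_score if missing else 0,
        }
    return report


# Constructed sample response headers (not captured from a real API).
SAMPLE = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "x-frame-options": "DENY",
    "Access-Control-Allow-Origin": "*",
    "X-RateLimit-Limit": "60",
    "X-RateLimit-Remaining": "59",
}

if __name__ == "__main__":
    for check, result in precheck(SAMPLE).items():
        status = "ok" if not result["missing"] else "missing: " + ", ".join(result["missing"])
        print(f"{check:<17} {status} (up to {result['max_points_at_risk']} points at risk)")
```
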
Add a live badge to your README showing your latest Probe score:
[](https://getprobe.xyz/report/YOUR-REPORT-ID)
The badge updates automatically after each audit.
Run a full audit on a URL.
```bash
curl -X POST https://getprobe.xyz/api/audit \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-api.xyz"}'
```
Retrieve a saved audit report by its ID.
Returns an SVG badge with the latest score for a domain.
Returns the top 20 audited APIs sorted by score.
Free users get 1 audit/day. Paid plans add continuous monitoring with email alerts. See pricing.
Probe only makes standard HTTP requests to publicly accessible endpoints. We never:
Infrastructure runs on Cloudflare (edge functions) and Supabase (PostgreSQL). Email alerts via Resend.