Probe is a continuous compliance monitoring tool for AI agent APIs. It runs 22 automated checks and scores your API 0–100.
No account needed. Paste any https:// URL on the homepage and click Run free audit.
Every audit runs these checks against your API:
| Check | What it tests | Max score |
|---|---|---|
| SSL / TLS | Valid HTTPS certificate | 10 |
| x402 discovery | /.well-known/x402.json with valid accepts/facilitator | 10 |
| Agent identity | /agent.json per A2A protocol | 10 |
| llms.txt | Machine-readable LLM instructions file | 5 |
| security.txt | /.well-known/security.txt contact info | 5 |
| CORS | Access-Control-Allow-Origin headers for agent access | 5 |
| Security headers | Critical: X-Content-Type-Options, HSTS, CSP. Bonus: X-Frame-Options, Referrer-Policy | 10 |
| Response time | Average latency across 3 requests (<500ms = pass) | 10 |
| MCP server | Model Context Protocol endpoint discovery | 5 |
| API endpoints | Scans common paths (/v1/, /api/, /health, etc.) | 10 |
| Error handling | Proper 404 responses for unknown paths | 5 |
| x402 compliance | 402 Payment Required responses on protected endpoints | 5 |
| Rate limiting | X-RateLimit headers present | 5 |
| Documentation | /docs or /api-docs endpoint exists | 5 |
| robots.txt AI crawlers | AI crawler directives (GPTBot, ClaudeBot, Google-Extended, etc.) | 10 |
| AI plugin manifest | /.well-known/ai-plugin.json for ChatGPT/LLM integration | 5 |
| OpenAPI spec | Machine-readable OpenAPI/Swagger specification with paths, auth, servers | 10 |
| Privacy / GDPR | Privacy policy page or GDPR data deletion endpoint | 10 |
| Status / Health | Health check or status page for uptime monitoring | 5 |
| EU AI Act disclosure | Model card, AI disclosure, or risk classification endpoint | 10 |
| Travel Rule (FATF) | VASP disclosure, TRISA/TRP/OpenVASP endpoint, threshold declaration | 10 |
| A2A Protocol (Google) | A2A-compliant Agent Card with skills, capabilities, auth, streaming | 10 |

| Grade | Score range | Meaning |
|---|---|---|
| A+ | 95–100 | Fully compliant, production-ready |
| A | 85–94 | Minor issues only |
| B | 70–84 | Some improvements needed |
| C | 50–69 | Significant gaps |
| D / F | 0–49 | Major compliance failures |
Add a live badge to your README showing your latest Probe score:
[](https://getprobe.xyz/report/YOUR-REPORT-ID)
The badge updates automatically after each audit.
Run a full audit on a URL.
```bash
curl -X POST https://getprobe.xyz/api/audit \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-api.xyz"}'
```
Example response:
```json
{
  "id": "probe_abc123",
  "url": "https://your-api.xyz",
  "score": 85,
  "grade": "A",
  "label": "Listing-ready · 2 non-critical fixes remaining",
  "timestamp": "2026-03-27T14:30:00Z",
  "engine": { "version": "probe@1.1.0", "checkSet": "default-14@2026-03-27" },
  "summary": { "pass": 11, "warn": 1, "fail": 2 },
  "checks": [
    { "id": "ssl", "name": "SSL / TLS", "status": "pass", "value": "Valid HTTPS", "score": 10, "maxScore": 10 },
    { "id": "x402", "name": "x402 discovery", "status": "pass", "value": "/.well-known/x402.json found", "score": 10, "maxScore": 10 },
    { "id": "sec_headers", "name": "Security headers", "status": "pass", "value": "4/5 — critical headers OK", "score": 8, "maxScore": 10 },
    { "id": "cors", "name": "CORS headers", "status": "pass", "value": "origin: * (open)", "score": 5, "maxScore": 5 },
    { "id": "mcp", "name": "MCP server", "status": "fail", "value": "Not found", "score": 0, "maxScore": 5 },
    { "id": "rate_limit", "name": "Rate limiting", "status": "warn", "value": "No rate-limit headers", "score": 3, "maxScore": 5 }
  ],
  "findings": [
    {
      "severity": "critical", "title": "MCP server failed", "description": "Not found",
      "check_id": "mcp",
      "fix": { "title": "Expose MCP endpoint", "steps": ["Implement MCP server at /mcp..."], "code": "// ...", "docs": "https://modelcontextprotocol.io" }
    },
    {
      "severity": "warning", "title": "Rate limiting needs attention", "description": "No rate-limit headers",
      "check_id": "rate_limit",
      "fix": { "title": "Add rate limiting", "steps": ["Set rate limits per IP..."], "code": "// ...", "docs": "https://www.npmjs.com/package/express-rate-limit" }
    }
  ]
}
```
Retrieve a saved audit report by its ID. Returns the same format as the audit response above.
Returns an SVG badge with the latest score for a domain. Use in your README:
<img src="https://getprobe.xyz/api/badge/your-api.xyz" alt="Probe Score" />
Returns the top 20 audited APIs sorted by score.
```json
[
  { "domain": "api.example.com", "score": 92, "grade": "A", "reportId": "probe_abc123", "auditedAt": "2026-03-27T14:30:00Z" },
  ...
]
```
Every audit response includes engine metadata for traceability:
```json
"engine": {
  "version": "probe@1.1.0",
  "checkSet": "default-14@2026-03-27"
}
```
Each check also includes maxScore so you can see exactly how points are distributed (e.g. "score": 8, "maxScore": 10).
Fail your build if your API drops below a compliance threshold. Here's a GitHub Actions example:
```yaml
# .github/workflows/probe-check.yml
name: Probe Compliance Check
on: [push, pull_request]
jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - name: Run Probe audit
        run: |
          # --fail makes curl exit non-zero on an HTTP error (e.g. 429),
          # so a rejected audit stops the step instead of yielding an empty score.
          REPORT=$(curl -s --fail -X POST https://getprobe.xyz/api/audit \
            -H "Content-Type: application/json" \
            -d '{"url": "${{ vars.API_URL }}"}')
          SCORE=$(echo "$REPORT" | jq -r '.score')
          GRADE=$(echo "$REPORT" | jq -r '.grade')
          FAILURES=$(echo "$REPORT" | jq -r '.summary.fail')
          echo "Probe score: $SCORE ($GRADE)"
          echo "Critical failures: $FAILURES"
          # Fail the build on any failed check and print the critical findings.
          if [ "$FAILURES" -gt 0 ]; then
            echo "::error::Probe found $FAILURES critical failures"
            echo "$REPORT" | jq '.findings[] | select(.severity=="critical")'
            exit 1
          fi
          # Fail the build when the score is below the compliance threshold.
          if [ "$SCORE" -lt 70 ]; then
            echo "::error::Probe score $SCORE is below threshold (70)"
            exit 1
          fi
          echo "✅ Probe compliance check passed ($GRADE)"
```
Set API_URL in your repository variables (Settings → Variables). Adjust the score threshold to match your compliance requirements.
The same pattern works for GitLab CI, CircleCI, or any CI system that can run curl + jq.
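A fail-closed version of the gate logic, as an added example (not Probe's own code): a body that is not JSON, a missing `score` or `summary.fail`, or an unexpected `checkSet` fails the build instead of slipping past the numeric comparisons. The `gate` function, its `expected_check_set` parameter and the sample bodies are assumptions made for illustration; the field names come from the example response above.

```python
import json
import sys

def _int(value):
    """Return value if it is a real integer (not bool, None or str), else None."""
    return value if isinstance(value, int) and not isinstance(value, bool) else None

def gate(report_text, min_score=70, expected_check_set=None):
    """Return the reasons to fail the build; an empty list means pass."""
    try:
        report = json.loads(report_text)
    except (TypeError, ValueError):
        return ["response is not JSON"]
    if not isinstance(report, dict):
        return ["response is not a JSON object"]
    reasons = []
    score = _int(report.get("score"))
    if score is None or not 0 <= score <= 100:
        reasons.append("score missing or invalid")
    elif score < min_score:
        reasons.append(f"score {score} below threshold {min_score}")
    summary = report.get("summary")
    failed = _int(summary.get("fail")) if isinstance(summary, dict) else None
    if failed is None:
        reasons.append("summary.fail missing or invalid")
    elif failed > 0:
        reasons.append(f"{failed} failed check(s)")
    # Optional pin: a changed check set means scores are not comparable across runs.
    engine = report.get("engine")
    check_set = engine.get("checkSet") if isinstance(engine, dict) else None
    if expected_check_set is not None and check_set != expected_check_set:
        reasons.append(f"checkSet is {check_set!r}, expected {expected_check_set!r}")
    return reasons

# Constructed sample bodies for illustration (not real Probe output).
GOOD = ('{"score": 85, "grade": "A", "summary": {"pass": 13, "warn": 1, "fail": 0},'
        ' "engine": {"checkSet": "default-14@2026-03-27"}}')
ERROR_BODY = '{"error": "Too Many Requests"}'

if __name__ == "__main__":
    # Reads the audit response from stdin and emits GitHub Actions error annotations.
    problems = gate(sys.stdin.read())
    for problem in problems:
        print(f"::error::{problem}")
    sys.exit(1 if problems else 0)
```

In a CI step, pipe the `curl` output into the script; a non-zero exit status fails the job.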
Free tier: max 10 audits per IP per day. Paid plans have higher limits. The API returns 429 Too Many Requests if you exceed the limit.
Private, internal, and metadata URLs (127.0.0.0/8, 10.0.0.0/8, 169.254.x.x, etc.) are blocked for security.
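One way to enforce a block like this before fetching a user-supplied URL, as an added example (not Probe's implementation): every address the host resolves to must be globally routable, and IPv4-mapped IPv6 literals are unwrapped first. The function `check_audit_target`, its injectable `resolve` parameter and the sample hostnames are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def _is_public(addr):
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # e.g. ::ffff:10.0.0.1
    if mapped is not None:
        ip = mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254/16), CGNAT, etc.
    return ip.is_global

def _system_resolver(host):
    infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_audit_target(url, resolve=_system_resolver):
    """Return (allowed, reason) for a URL submitted for auditing."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "URL is malformed"
    if parts.scheme != "https":
        return False, "only https:// URLs are accepted"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        try:
            addrs = list(resolve(host))
        except OSError:
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    # Reject if ANY record is non-public: mixed answers are how rebinding slips through.
    for addr in addrs:
        if not _is_public(addr):
            return False, f"{host} maps to non-public address {addr}"
    return True, "ok"

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "api.example.test": ["93.184.216.34"],
    "mixed.example.test": ["93.184.216.34", "10.0.0.5"],
}
```

The check only holds if the subsequent request connects to the address that was validated; resolving again at fetch time reopens the gap.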
Free users get 1 audit/day via the UI (10/day via API). Paid plans add continuous monitoring with email alerts. See pricing.
Probe only makes standard HTTP requests to publicly accessible endpoints. We never:
Audit metadata (scores, check results) is retained for your plan's history period (Free: 7 days, Starter: 30 days, Pro: 90 days, Team: 1 year) and then deleted. Infrastructure runs on Cloudflare (edge functions) and Supabase (PostgreSQL). Email alerts are sent via Resend. All data is encrypted in transit (TLS) and at rest.
For paying customers, we're happy to sign a basic DPA or security addendum. Contact us at hello@getprobe.xyz.
AI agent API monitoring is the practice of continuously checking your agent's API endpoints for compliance with emerging standards (x402, ERC-8004), security best practices (CORS, HSTS, CSP), and operational health (response times, error handling). As AI agents increasingly connect to payments, identity, and onchain services, monitoring ensures your endpoints stay compliant and secure.
Traditional uptime monitors check if your server responds with HTTP 200. Probe goes deeper: it validates x402 payment disclosures, ERC-8004 agent identity, security headers, llms.txt, MCP endpoints, rate limiting, and 8 more compliance-specific checks. It's purpose-built for the AI agent ecosystem.
Probe runs 14 automated checks covering SSL/TLS, x402 discovery, agent identity, llms.txt, security.txt, CORS, security headers, response time, MCP server, API endpoints, error handling, x402 payment compliance, rate limiting, and documentation.
Yes. Free users get 1 audit per day with all 22 checks and an instant report. No account or credit card needed. Paid plans add continuous monitoring (every 1–12 hours), email alerts, and history.
No. Probe only makes read-only GET/HEAD requests to your public endpoints. We never store request bodies, response payloads, or API keys. Only audit metadata (score, check results, timestamps) is persisted.
x402 is an emerging standard for AI agent trust and payment disclosure. Probe auto-discovers your /.well-known/x402.json file and validates that it contains correct accepts, facilitator, and pricing metadata.
Yes. Probe works with any publicly accessible HTTPS endpoint. It's optimized for AI agent APIs but can audit any REST API for security headers, CORS, response times, and documentation.