twit.sh D · 58/100
15 passed 17 warnings 0 failed audit-mnek1skz
SSL / TLS Valid HTTPS · 695ms
x402 discovery /.well-known/x402.json (non-JSON) · 694ms
Agent discovery /.well-known/agent.json not valid JSON · 697ms
llms.txt Found (2314 chars) · 696ms
security.txt Found · 695ms
CORS headers No CORS header (OK if server-to-server only) · 748ms
Security headers 0/5 — missing critical: x-content-type-options, strict-transport-security, content-security-policy · 749ms
Response time 357ms avg · 357ms
MCP server /mcp/info responds · 750ms
API endpoints 3 endpoints found
Error handling Returns 200 for unknown paths · 748ms
x402 compliance No x402 payment gates found · 787ms
Rate limiting No rate-limit headers (may still be rate-limited server-side) · 792ms
Documentation /docs found · 792ms
robots.txt AI crawlers No AI crawler directives (GPTBot, ClaudeBot, etc.) · 871ms
AI plugin manifest /.well-known/ai-plugin.json not valid JSON · 792ms
OpenAPI spec /openapi.json — 3.1.0, 24 paths, servers defined, auth documented · 792ms
Privacy / GDPR /privacy found (2314 chars) · 833ms
Status / Health /status found · 837ms
EU AI Act disclosure /.well-known/model-card.json found (2314 chars) · 836ms
Travel Rule (FATF) /.well-known/travel-rule.json found (non-JSON, 2314 chars) · 835ms
A2A Protocol (Google) agent.json found but invalid JSON · 837ms
DNSSEC No DNSSEC — domain is vulnerable to DNS spoofing
CAA Records No CAA records — any CA can issue certificates
DMARC / SPF No DMARC or SPF records found
Auth maturity No authentication detected — open API or check failed
API versioning /v1
Human oversight /agent/stop — active (EU AI Act Art. 14) · 915ms
Terms of Service /terms found (2314 chars) · 916ms
Content-Type API paths return HTML: /v1/ returns HTML, /api/ returns HTML
Wallet trust No wallet address found in x402 or agent.json
ERC-8004 on-chain No EVM wallet found to verify on-chain registration
58
17 issues to fix
Warning — 17
Agent discovery needs attention

/.well-known/agent.json not valid JSON

CORS headers needs attention

No CORS header (OK if server-to-server only)

Security headers needs attention

0/5 — missing critical: x-content-type-options, strict-transport-security, content-security-policy

Error handling needs attention

Returns 200 for unknown paths

x402 compliance needs attention

No x402 payment gates found

Rate limiting needs attention

No rate-limit headers (may still be rate-limited server-side)

robots.txt AI crawlers needs attention

No AI crawler directives (GPTBot, ClaudeBot, etc.)

AI plugin manifest needs attention

/.well-known/ai-plugin.json not valid JSON

Travel Rule (FATF) needs attention

/.well-known/travel-rule.json found (non-JSON, 2314 chars)

A2A Protocol (Google) needs attention

agent.json found but invalid JSON

DNSSEC needs attention

No DNSSEC — domain is vulnerable to DNS spoofing

CAA Records needs attention

No CAA records — any CA can issue certificates

DMARC / SPF needs attention

No DMARC or SPF records found

Auth maturity needs attention

No authentication detected — open API or check failed

Content-Type needs attention

API paths return HTML: /v1/ returns HTML, /api/ returns HTML

Wallet trust needs attention

No wallet address found in x402 or agent.json

ERC-8004 on-chain needs attention

No EVM wallet found to verify on-chain registration

Share on X Run new audit
🔒 Probe trust badge — unlock at score 60+

Fix your failing checks to earn the Probe verified badge. Display it on your site footer and README to show compliance.

⚡ Fix my API — $29 Current score: 58/100 → need 60+
Badge preview Shield preview
2026-03-31 11:50:06 UTC · getprobe.xyz