"Discover services. Execute directly."
A neutral, stateless discovery layer for machine services. AI agents search the index to find APIs, MCP servers, and agent services on the open web — no accounts, no API keys, no intermediaries. The index crawls, the agent decides.
The crawler probes thousands of domains across four discovery protocols.
Agents publishing /.well-known/agent-card.json (Google's Agent-to-Agent protocol, IANA registered)
Servers discoverable via /.well-known/mcp/server-card.json or registered in the MCP Registry
APIs publishing OpenAPI specs at /openapi.json, /swagger.json, or /.well-known/api-catalog
Services publishing /llms.txt for AI consumption
Individual tools discovered by connecting to MCP servers and performing the JSON-RPC handshake. Each tool is independently searchable.
The index probes every alive service to classify its access requirements.
No authentication needed. Open access.
Requires an API key or bearer token.
OAuth2 or OpenID Connect authentication.
Requires payment (x402, Stripe, or other).
Services that accept real-time micropayments via the x402 protocol. No accounts, no billing — pay per request with BSV.
x402 extends HTTP with settlement-gated access. Agents pay per request using BSV micropayments — no API keys, no subscriptions, no billing infrastructure. The service sets the price, the agent decides whether to pay. Learn more about x402 →
Three steps from publication to execution.
Publish a .well-known/agent-card.json, .well-known/agent.json, or OpenAPI spec on your domain. Or let the crawler find you via the MCP Registry, APIs.guru, or npm.
The multi-source crawler probes thousands of domains every 6 hours, checking five discovery paths per domain.
Your agent installs the SDK, searches by capability, gets back live endpoints, and interacts with services directly.
Make your service discoverable. No registration, no accounts, no approval process.
// Serve at /.well-known/agent-card.json { "name": "Translation Agent", "description": "Translates text between 50+ languages", "url": "https://api.example.com", "skills": [ { "id": "translate", "name": "Translate Text", "inputModes": ["text/plain"], "outputModes": ["text/plain"] } ] }
// Serve at /.well-known/agent.json { "services": [ { "endpoint": "/translate", "capabilities": ["translation"], "payment_hints": ["free"] } ] }
// If your API already serves an OpenAPI spec at // /openapi.json or /swagger.json, we'll find you // automatically. No additional configuration needed. // The crawler checks these paths on every domain: // /openapi.json // /openapi.yaml // /swagger.json // /api/openapi.json
Deploy the file and the next crawl picks you up. Or submit your domain manually via POST /submit.
Want to know how agent-ready your service is? Check your readiness score, see what discovery protocols you're missing, and get specific recommendations to improve.
Install the SDK and start discovering services in five lines.
npm install agent-discovery-sdk
import { AgentDiscovery } from 'agent-discovery-sdk' const discovery = new AgentDiscovery() // Find translation services const results = await discovery.search('translation') for (const service of results.results) { console.log(service.endpoint, service.capabilities) // → https://api.example.com/translate ["translation"] }
// Find only MCP servers const mcp = await discovery.search('*', { sourceType: 'mcp-server-card' }) // Find payment-gated services const paid = await discovery.search('*', { hasPayment: true }) // Submit your own service await discovery.submit('https://api.myservice.com') // Async iteration over results for await (const service of discovery.discover('search')) { console.log(service.endpoint) }
See the SDK README for full API documentation.
Search the index right here. Try "search", "translation", or "geocoding".
No sessions, no accounts, no stored state.
The index suggests, services define truth, the agent decides.
Works with free services, x402, Stripe, or any payment model.
Indexes A2A, MCP, OpenAPI, and agent.json in a single search.
Services that declare their operator, terms, and support channels earn higher readiness scores.
Discovery is not endorsement. The index tells you what exists — your agent decides whether to trust it.
Every service is probed and classified — free, API key, OAuth, or x402. You know what authentication a service requires before your agent calls it.
Services are scored 0–100 based on TLS validity, response integrity, prompt injection detection, and community reports. The SDK filters out high-risk services by default.
const risk = await discovery.verify('https://api.example.com') // { riskLevel: "low", hasValidTLS: true, injectionDetected: false }
Check TLS certificates, scan for injection patterns, and detect suspicious redirects — before your agent sends any data.
const safe = sanitizeResponse(rawBody) // Strips HTML, scripts, and prompt injection patterns
Clean service responses before they reach your LLM. Detects known injection delimiters, strips executable content, and truncates oversized responses.
Flag malicious services via POST /report. Reported services are marked in search results so other agents can avoid them.
The index serves metadata only. Your agent calls services directly — no proxy, no data stored, no man-in-the-middle. We never see your requests or responses.
Trust Verification Tiers: Services earn trust badges through verifiable, objective criteria.
Discovered — The crawler found this service and it responded to at least one probe.
Verified — Alive across 3+ crawl cycles, valid TLS, structured data, stable capabilities.
Attested — Meets all Verified criteria AND the operator has proven domain ownership via DNS TXT or well-known file.
What the index does not do: It does not audit source code, verify operator identity, guarantee uptime or correctness, or store any of your data. Services are indexed automatically from the open web. Always verify before sending sensitive data to any discovered service.
SDK safe defaults: The SDK ships with max_risk: 50 (high-risk services filtered out), safeFetch() with 10-second timeouts and same-domain redirect enforcement, and sanitizeResponse() for cleaning LLM-bound content. Safety is on by default — opt out explicitly if you need to.