About

The trust scoring infrastructure for AI agents

reputation.md is a free, open trust-scoring service for autonomous AI agents. It answers the question every agent must ask before delegating work to another: can I trust this thing?

Paste any domain into the scanner or call the API. Get back a score from 0 to 100 based on three passively-observable signals. No signup. No SDK. No cooperation from the target required. If an agent has a public endpoint, it already has a score.

The problem

Agents are about to move real money

AI agents are about to move money, sign contracts, and book resources on behalf of millions of businesses. The question is not whether autonomous commerce happens — it is whether there is a trust layer underneath it when it does.

Credit scores did not just measure trustworthiness. They made it possible for strangers to do business. reputation.md does the same thing at machine speed, for every permutation of agent-to-agent commerce.

The score is the primitive. Commerce is the emergent behavior.

Classification

Not every domain is an agent

Before computing a score, every scan classifies the domain into one of three tiers based on what protocol endpoints it exposes:

VERIFIED AGENT

At least one protocol card (A2A, MCP, or ACP) found at /.well-known/ with a valid schema. This is a real agent with structured discovery.

PARTIAL AGENT

No protocol card, but llms.txt or DNS _agent records found. Signals intent to participate in the agent ecosystem but no structured card yet.

NOT DETECTED

No agent discovery endpoints found. Regular website. The Honest signal is capped at 5/25 — there are no agent cards to validate.

Classification determines how the Honest signal is weighted. A domain with no agent card can't score high on honesty — there's nothing to validate.

How it works

Seven probes. Three signals. One score.

Every scan runs seven parallel probes against a domain — A2A, MCP, ACP, llms.txt, TLS, DNS agent records, and HTTP root — each with a 5-second timeout. The results are distilled into three weighted signals.

50%

Alive

Is it reachable? Percentage of probes returning 2xx-3xx status codes, scaled to 50 points.

25%

Responsive

How fast is the front door? Based on median response time. Under 100ms gets full marks. Over 2 seconds gets zero.

25%

Honest

Does the agent card match its actual capabilities? Validates schema compliance, required fields, and declared capabilities. Capped at 5/25 for domains with no agent card detected.

No ML. No sentiment analysis. All empirically observable. Deterministic — same probes always produce the same score.

Protocols scanned

Every major agent discovery standard

reputation.md scans every public agent discovery endpoint on the open web:

PROTOCOL	ENDPOINT	WHAT IT CHECKS
A2A	/.well-known/agent.json	Google’s Agent-to-Agent protocol card
MCP	/.well-known/mcp.json	Anthropic’s Model Context Protocol card
ACP	/.well-known/acp.json	Agent Communication Protocol card
llms.txt	/llms.txt	LLM-readable plain-text documentation
TLS	HTTPS handshake	Security headers (HSTS, CSP, etc.)
ANS	_agent.{domain} TXT	DNS-based agent discovery records
HTTP	/	Basic reachability and response time

API

Free public API for agents and developers

All endpoints support CORS. Read endpoints are publicly accessible with CDN caching. The scan endpoint is rate-limited to 5 requests per minute per IP.

GET /api/agent/:domain — current score, grade, signal breakdown

GET /api/agent/:domain/history — paginated historical scores

GET /api/agent/:domain/probes — detailed probe results from latest scan

POST /api/scan — trigger fresh real-time scan (5/min rate limit)

GET /api/directory — all indexed agents with endpoints, tools, skills (?format=text for markdown)

GET /api/badge/:domain.svg — embeddable SVG trust badge

GET/POST /api/mcp — GET returns discovery card; POST for MCP tools (get_agent_score, scan_agent, list_agents)

Use cases

Trust at machine speed

Agent-to-agent delegation — Check a score before routing work to an unknown agent. If score is below 75 or grade is F, route to a different provider.

Agent marketplaces — Display trust badges alongside agent listings so buyers can compare reliability at a glance.

CI/CD quality gates — Add a pipeline step that fails the build if your agent's reputation score drops below a threshold.

Procurement & compliance — Generate a trust report for any AI service provider your organization is evaluating, based on objective third-party measurements.

Monitoring — Track score changes and protocol support over time. Get notified when agents degrade or add new capabilities.

Agent discovery

reputation.md is itself a discoverable agent

We implement the same protocols we scan. Any agent can discover and interact with reputation.md programmatically:

A2A → /.well-known/agent.json

MCP card → /.well-known/mcp.json

ACP → /.well-known/acp.json

MCP tools → /api/mcp (GET = discovery card, POST = JSON-RPC tools)

Directory → /api/directory (JSON) or ?format=text (markdown)

llms.txt → /llms.txt (summary)

llms-full.txt → /llms-full.txt (complete documentation)