Discoverable
Bots can find you. Your site exposes the metadata and machine-readable files that let AI agents know you exist.
A /.well-known/llms.txt or /llms.txt file exists with machine-readable site information.
An agent card (/.well-known/agent.json or similar) describes capabilities for AI agents.
An OpenAPI/Swagger specification is publicly accessible.
robots.txt includes directives for AI crawlers and agents.
Developer documentation is publicly accessible without authentication.
CORS headers allow cross-origin API access for browser-based agents.
HTML meta tags (llms:description, llms:url, llms:instructions) help AI agents discover site capabilities.
A /skill.md file provides structured agent instructions with YAML frontmatter.
A /.well-known/ai.json file describes the site name, capabilities, and skill links for agents.
A /.well-known/skills/index.json file lists all available agent skills with id and name.
HTML <link> elements in <head> point to llms.txt, ai.json, or agent-card.json for discovery.
A Model Context Protocol (MCP) server endpoint is discoverable at /.well-known/mcp.json or /mcp.
The homepage HTML is token-efficient — LLMs can extract useful content without excessive overhead from scripts, styles, and boilerplate.
An RSS or Atom feed is available, providing structured content that agents can consume without parsing HTML.
robots.txt declares AI content usage preferences via a Content-Signal directive (ai-train, search, ai-input) — see contentsignals.org.
A /.well-known/api-catalog endpoint returns an RFC 9727 linkset pointing to service-desc, service-doc, and status for each API.
Requests with Accept: text/markdown return a markdown rendering of the page, so agents skip HTML overhead.
The homepage calls navigator.modelContext.provideContext() to expose in-browser tools to AI agents (WebMCP).
Usable
Your API works for agents. Authentication, error handling, and core operations are agent-compatible.
Read operations (list, get, search) are available via API.
Write operations (create, update, delete) are available via API.
The primary value action of the app is available via API.
API key authentication is supported, not only OAuth browser flows.
API keys can be scoped to specific permissions.
An OpenID Connect discovery document is available.
All API errors return structured JSON with error codes.
Long-running operations return a job ID with pollable status.
Write endpoints support idempotency keys to prevent duplicate operations.
A /.well-known/oauth-protected-resource document advertises authorization servers and scopes so agents can obtain tokens (RFC 9728).
API endpoints support the x402 agent-native payment protocol — a protected route returns HTTP 402 with machine-readable payment requirements.
Optimized
Agents can work efficiently. Pagination, filtering, and caching reduce token waste and round-trips.
A fields or select parameter exists to request only needed fields.
List endpoints use cursor-based pagination.
Resources can be filtered by common attributes.
Batch create/update/delete endpoints exist.
Responses include rate limit headers (X-RateLimit-* or similar).
Responses include caching headers (ETag, Cache-Control, Last-Modified).
MCP server exposes well-described tools and resources with input schemas for agent use.
Indexable
AI search systems can find, index, and ground answers in this site. Crawl access, page experience, structured data, and content quality are in place.
robots.txt does not Disallow / for Googlebot or all user agents — required for AI search indexing.
robots.txt has an explicit User-agent: Google-Extended block stating an AI training/grounding policy.
Homepage has no noindex meta tag or X-Robots-Tag: noindex header — eligible for the search index.
A reachable sitemap.xml exists and is referenced from robots.txt — helps AI search systems discover all pages.
Origin serves over https; http requests redirect to https.
Homepage declares a mobile-friendly viewport meta tag with width=device-width.
Homepage includes at least one valid JSON-LD script block — required substrate for rich results and AI grounding.
JSON-LD declares the site/business entity via @type: Organization, WebSite, or LocalBusiness.
Homepage has a self-referential <link rel="canonical"> tag pointing to its own origin.
Page has exactly one h1, at least one h2, and no heading-level skips in the first 20 headings.
80% or more of <img> tags on the homepage have alt attributes (alt="" for decorative counts).
Homepage main content is at least 300 words after stripping nav, footer, and scripts.
Agent-Native
First-class agent support. Intent endpoints, sessions, scoped tokens, and tool schemas treat agents as primary consumers.
High-level "intent" endpoints exist alongside CRUD (e.g., /send-invoice instead of multiple calls).
Why CLI only: Intent endpoints require deep API exploration and test calls that cannot be determined from external metadata alone.
Agents can create persistent sessions with context that survives across requests.
Why CLI only: Session creation requires authenticated API calls and stateful interaction that web scanning cannot perform.
Agent-specific tokens with hard capability limits and expiration.
Why CLI only: Token scoping requires authenticated access to the token management system.
API actions are logged with agent identifiers for traceability.
Why CLI only: Audit log verification requires authenticated access and test write operations.
A sandbox environment exists for agent testing without real side effects.
Why CLI only: Sandbox detection requires environment probing and authenticated API exploration.
Documentation and API metadata mark consequential or irreversible actions.
Why CLI only: Consequence labels are embedded in API schemas and tool definitions that require deep parsing.
Core API actions are packaged as ready-to-use tool definitions for agent frameworks.
Why CLI only: Tool schema validation requires fetching and parsing platform-specific definition formats.