Exposes a single paid endpoint that returns domain trust scores from 0 to 100, breaking down age, TLD quality, DNS presence, and registrar reputation. Uses the x402 protocol for micropayments, charging 0.003 USDC per lookup via Base network without requiring API keys or accounts. Ships with testnet support out of the box so you can wire up Claude Desktop and test the payment flow before going to mainnet. Reach for this when your agent needs to evaluate whether a domain is established and legitimate before scraping it, following links, or making decisions based on third party content. The roadmap mentions future research and skill APIs, but right now it's just trustscore.
x402-powered verification APIs for AI agents — URL safety, email authentication, domain trust, SSL/TLS, security headers, robots.txt. Pay per use, no API keys, no accounts.
npm install
cp .env.example .env
Open .env and set at minimum:
PAY_TO_ADDRESS=0xYourBaseWalletAddress
Leave everything else as-is to run on Base Sepolia testnet (no real money).
npm run dev
You should see the startup banner at http://localhost:3000.
curl http://localhost:3000/
curl http://localhost:3000/health
curl http://localhost:3000/trustscore?domain=example.com
# Returns HTTP 402 with payment instructions in the PAYMENT-REQUIRED header
The x402 testnet facilitator at https://x402.org/facilitator accepts test payments.
To fully test the payment flow, use an x402 client with a funded testnet wallet.
Get Base Sepolia testnet ETH: https://sepolia.base.org/faucet
Get testnet USDC: https://faucet.circle.com (select Base Sepolia)
In .env, change:
NETWORK=eip155:8453
FACILITATOR_URL=https://api.cdp.coinbase.com/platform/v2/x402
CDP_API_KEY_ID=your-key-id
CDP_API_KEY_SECRET=your-key-secret
Make sure your PAY_TO_ADDRESS Base wallet has some ETH for gas.
Your endpoints auto-list in the Bazaar/Agentic.Market after the first paid call clears.
GET /urlcheckOne composite CLEAR / REVIEW / BLOCK safety verdict on any URL, fusing domain trust, a live TLS check, and typosquat/lookalike detection.
Payment: 0.01 USDC per call (via x402)
Params:
?url=https://example.com — URL to vet?domain=example.com — bare domain (alternative)Response:
{
"domain": "paypa1.com",
"verdict": "BLOCK",
"score": 12,
"maxScore": 100,
"reasons": ["possible lookalike of paypal.com (homoglyph_substitution, confidence 0.90)"],
"signals": {
"domainTrust": { "score": 12, "tier": "HIGH_RISK", "ageDays": 3, "newlyRegistered": true },
"tls": { "reachable": true, "valid": true, "tier": "VALID", "daysRemaining": 60 },
"typosquat": { "isLookalike": true, "nearestBrand": "paypal.com", "technique": "homoglyph_substitution", "confidence": 0.9 }
},
"meta": { "checkedAt": "...", "apiVersion": "1.0", "paidWith": "x402/USDC", "cached": false }
}
Verdicts: CLEAR (safe) · REVIEW (inspect before acting) · BLOCK (do not proceed)
GET /emailtrustEmail-authentication posture grade (SPF/DKIM/DMARC/BIMI/MX) — is this sender domain spoofable?
Payment: 0.003 USDC per call (via x402)
Params:
?domain=example.com — sender domain (or user@example.com)Response:
{
"domain": "example.com",
"grade": "C",
"score": 45,
"maxScore": 100,
"spoofable": true,
"spf": { "present": true, "qualifier": "~all", "multiple": false },
"dmarc": { "present": true, "policy": "none", "pct": 100, "rua": true },
"dkim": { "present": true, "selectorsFound": ["default"] },
"bimi": false,
"mx": ["mail.example.com"],
"issues": ["dmarc_p_none_no_enforcement"],
"meta": { "checkedAt": "...", "apiVersion": "1.0", "paidWith": "x402/USDC", "cached": false }
}
Grades: A/B = enforced, not spoofable · C/D = monitoring only, spoofable · F = no authentication
GET /trustscoreReturns a 0–100 trust score for any domain.
Payment: 0.003 USDC per call (via x402)
Params:
?domain=example.com — bare domain?url=https://example.com/some/path — full URL (domain extracted)Response:
{
"domain": "example.com",
"score": 80,
"maxScore": 100,
"tier": "TRUSTED",
"breakdown": {
"domainAge": 30,
"tld": 20,
"dnsPresence": 30,
"registrar": 20
},
"details": {
"age": { "days": 9720, "label": "established (5+ years)", "created": "...", "expires": "..." },
"tld": ".com",
"dns": { "hasARecord": true, "hasMxRecord": true, "mxRecords": ["mail.example.com"] },
"registrar": "GoDaddy"
},
"meta": {
"checkedAt": "2026-05-22T12:00:00.000Z",
"apiVersion": "1.0",
"paidWith": "x402/USDC"
}
}
Tiers:
| Score | Tier |
|---|---|
| 75–100 | TRUSTED |
| 50–74 | MODERATE |
| 25–49 | CAUTION |
| 0–24 | HIGH_RISK |
trustsource/
├── src/
│ ├── server.ts # Express app + x402 middleware, rate limiting, logging
│ ├── openapi.ts # OpenAPI 3.1 spec served at /openapi.json
│ ├── lib/
│ │ ├── net-guard.ts # Shared SSRF guard (private-IP checks, resolve + pin)
│ │ ├── domain.ts # Shared domain extraction/validation
│ │ ├── cache.ts # Shared in-memory TTL cache
│ │ ├── domain-trust.ts # Domain trust scoring (used by /trustscore + /urlcheck)
│ │ ├── tls-check.ts # TLS handshake + cert scoring (used by /sslcheck + /urlcheck)
│ │ ├── typosquat.ts # Lookalike/typosquat detection (used by /urlcheck)
│ │ └── mailauth.ts # SPF/DKIM/DMARC/BIMI/MX analysis (used by /emailtrust)
│ └── routes/
│ ├── urlcheck.ts # Composite CLEAR/REVIEW/BLOCK URL verdict
│ ├── emailtrust.ts # Email-auth posture grade
│ ├── trustscore.ts # WHOIS + DNS + TLD + registrar scoring
│ ├── sslcheck.ts # Live TLS handshake + certificate scoring
│ ├── headers.ts # HTTP security-header audit
│ └── robots.ts # robots.txt + AI-bot policy detection
├── mcp-server/ # MCP server wrapping the six APIs as tools
├── public/ # Landing page
├── .env.example
├── .env # Your config (git-ignored)
├── package.json
└── tsconfig.json
/openapi.jsontrustsource-mcp) wrapping all six APIs/safefetch — injection-safe content firewall (flagship)/phishcheck — typosquat + Certificate-Transparency detection/kyb — official-registry business-identity verificationWALLET_PRIVATE_KEY*secretBase Mainnet wallet private key holding USDC (fees) and ETH (gas).
TRUSTSOURCE_API_URLOverride the TrustSource API base URL. Optional.
com.exploit-intel/eip-mcp
dmontgomery40/pentest-mcp
pantheon-security/notebooklm-mcp-secure
cyanheads/pentest-mcp-server
io.github.akhilucky/ai-firewall-mcp