stripe.com

Serve `/llms-full.txt` — the companion to llms.txt containing the full concatenated text of your site so non-browsing LLMs (RAG pipelines, embedded agents) can ingest your content in one fetch. See [the spec](https://llmstxt.org/).

Add `<link rel="alternate" type="text/plain" href="/llms-full.txt">` to your HTML `<head>` so agents and search engines discover the full-content companion file.

<link rel="alternate" type="text/plain" title="llms-full.txt" href="/llms-full.txt">

Add `<link rel="alternate" type="text/plain" href="/llms.txt">` to your HTML `<head>` so search engines (especially Google for Gemini) index the relationship.

<link rel="alternate" type="text/plain" title="llms.txt" href="/llms.txt">

Add `<link rel="icon" type="image/png" href="/favicon.png">` (at least 180x180) or serve `/favicon.png` for broad browser compatibility.

Serve `/agents.txt` with at least 10 characters of content. There is no required format — the scanner only checks for existence. Best practice: define agent access policies, rate limits, and allowed actions.

Agent fetch tools commonly send `Accept: text/markdown, text/html, */*` — markdown listed first, which per [RFC 9110 §12.5.1](https://www.rfc-editor.org/rfc/rfc9110#name-accept) signals it as the preferred type. Serve markdown or plain text in that case, not HTML. Three common bugs produce the wrong outcome: (1) substring-matching the Accept header (`if accept.includes('text/html')`) — ignores preference order entirely; (2) framework defaults that pick HTML whenever `*/*` is in Accept, overriding explicit non-HTML preferences (Rails 8: `Accept: text/markdown, */*` returns HTML even though markdown is listed first); (3) preferring server-declared format order over client preference and ignoring q-values — even `Accept: text/plain;q=0.9, text/html;q=0.5` returns HTML when the server's internal preference list favors HTML. Fix recipes by stack: Express — `req.accepts(['text/html','text/markdown','text/plain'])`; Node bare — `negotiator` npm package; Python — `werkzeug.wrappers.AcceptMixin`; Go — `github.com/markusthoemmes/goautoneg`; Rails — set `request.format` explicitly in a `before_action` based on the leading Accept type. All proper Accept negotiators handle preference order, q-values, and wildcards per RFC 9110 — the fix recipe is the same regardless of which of the three bug patterns is in play. Pass requires Content-Type `text/markdown`, `text/plain`, or `application/json` (anything but HTML) with body ≥20 bytes. See https://agentgrade.com/kb/content-negotiation.

Return JSON with status 200 when `Accept: application/json` is sent to the root URL. Note: the response must not have a top-level `"error"` field — structured error responses like `{"error": "..."}` will fail this check.

Return `Content-Type: text/plain` or `text/markdown` with status 200 when `Accept: text/plain` is sent to the root URL. The body must be at least 20 bytes.

Return `Content-Type: text/markdown` when the client sends `Accept: text/markdown`. Agents that prefer markdown can request it directly without scraping HTML.

Stricter than "Agent UA gets non-HTML": the response Content-Type must match the type the client actually preferred, accounting for client order AND q-values. The scanner probes four variations: (1) `Accept: text/markdown, text/html, */*` should return `text/markdown` (Claude Code / Cursor pattern); (2) `Accept: text/html, text/markdown, */*` should return `text/html` (reverse-order — catches sites that ignore client order and use server-side preference instead); (3) `Accept: text/markdown;q=0.5, text/html;q=1.0` should return `text/html` (catches sites that ignore q-values entirely — see [RFC 9110 §12.5.1](https://www.rfc-editor.org/rfc/rfc9110#name-accept)); (4) `Accept: application/json, text/html, */*` should return `application/json` (programmatic discovery). All four must pass. Common bug patterns: substring matching the Accept header (`if accept.includes('text/html')`); framework defaults that fall back to HTML when `*/*` is present (Rails 8); hand-rolled selection logic using server-side priority order; q-value parsing missing entirely. Fix recipe by stack: Express — `req.accepts(['text/html','text/markdown','text/plain','application/json'])`; Node bare — `negotiator` npm package; Python — `werkzeug.wrappers.AcceptMixin`; Go — `github.com/markusthoemmes/goautoneg`; Rails — `before_action` setting `request.format` based on the leading non-wildcard Accept type. All proper Accept negotiators handle order, q-values, and wildcards per RFC 9110 — the fix recipe is the same regardless of which bug pattern is in play. See https://agentgrade.com/kb/content-negotiation.

Your homepage redirects agent requests (302/301) to a different URL — likely `/llms.txt` or similar. Industry best practice is **inline content negotiation**: same URL returns different bodies based on the `Accept` header. Cited by [RFC 9110 §12.2](https://www.rfc-editor.org/rfc/rfc9110#name-reactive-negotiation) (reactive/redirect-based negotiation "suffers from... needing a second request"), and used by every major content-negotiation-aware site we tested — GitHub API, Stripe docs, Cloudflare docs, Vercel, Mintlify, Sanity. The fix: detect Accept on the same URL, serve the right body inline, set `Vary: Accept`. No 302. Concrete benefits: one fetch instead of two (half the latency), the URL the agent reports to the user is the URL they asked about (not a redirect target), and caches handle it cleanly. See https://agentgrade.com/kb/content-negotiation.

When the same URL returns different bodies based on the `Accept` header, include `Vary: Accept` in the response so shared caches (CDNs, proxies) key entries by `Accept`. Without it, a CDN can serve JSON to a browser or HTML to an agent depending on which request hit first. `Vary: *` or `Cache-Control: private` / `no-store` also satisfy this. Only applies to sites that actually negotiate — API-only origins serving JSON to every request are exempt.

Return `Cache-Control`, `ETag`, or `Last-Modified` headers so agents know when to re-fetch vs use cached data. See https://agentgrade.com/kb/infrastructure.

// Set Cache-Control + ETag on long-lived responses
app.get('/api/v1/things/:id', async (req, res) => {
  const thing = await db.findThing(req.params.id);
  res.setHeader('Cache-Control', 'public, max-age=300, must-revalidate');
  res.setHeader('ETag', '"' + thing.version + '"');
  res.setHeader('Last-Modified', thing.updatedAt.toUTCString());
  res.json(thing);
});

Return JSON error responses instead of HTML error pages. Agents can parse `{"error": "not found"}` but not an HTML 404 page wrapped in nav/footer chrome. Use content negotiation: when `Accept: application/json`, return JSON; for browsers, return HTML. SPA gotcha: if your catch-all serves `index.html` with status 200 for unknown paths, the check fails — return status 404 from the server, then let the SPA route on the client. See https://agentgrade.com/kb/infrastructure.

// Content negotiation: JSON for agents, HTML for browsers
app.use((req, res) => {
  res.status(404);
  if (req.accepts('json') && !req.accepts('html')) {
    return res.json({ error: 'not_found', path: req.path });
  }
  res.format({
    'application/json': () => res.json({ error: 'not_found', path: req.path }),
    'text/html': () => res.send('<h1>404 Not Found</h1>'),
    default: () => res.type('text/plain').send('Not found'),
  });
});

(Optional) Return `X-RateLimit-Limit`, `X-RateLimit-Remaining`, or `Retry-After` headers so agents can self-throttle. See https://agentgrade.com/kb/infrastructure.

// Surface rate-limit state so agents can self-throttle
import rateLimit from 'express-rate-limit';

app.use('/api', rateLimit({
  windowMs: 60_000,
  max: 60,
  standardHeaders: true,   // adds RateLimit-Limit / RateLimit-Remaining / RateLimit-Reset
  legacyHeaders: false,
}));

Serve `/.well-known/http-message-signatures-directory` with a JSON object listing your agent identity and public keys (RFC 9421).

Add a `members` array to your signatures directory with at least one entry containing `name` and `publicKeyUrl`.

Each member in your signatures directory should have a `publicKeyUrl` pointing to a fetchable public key for signature verification.

(Optional) Publish a Google A2A Agent Card at `/.well-known/agent.json` with `name`, `url`, `description`, and `capabilities` to let other agents discover and interact with your agent. Use your real URL and only capabilities you actually expose. See https://agentgrade.com/kb/a2a.

{
  "name": "stripe.com",
  "url": "https://stripe.com/",
  "description": "What this agent does, in one sentence.",
  "version": "1.0.0",
  "capabilities": {
    "streaming": false,
    "pushNotifications": false
  },
  "skills": [
    {
      "id": "search",
      "name": "Search catalog",
      "description": "Search the product catalog for matching items"
    }
  ]
}

(Optional) Ensure your Agent Card contains at least `name` and `url` fields so agents can identify and connect to your service. See https://agentgrade.com/kb/a2a.

(Optional) Publish a WebMCP manifest at `/.well-known/webmcp.json` listing tools your site exposes to browser-based AI agents. See https://agentgrade.com/kb/webmcp.

{
  "name": "stripe.com",
  "version": "1.0.0",
  "description": "Browser-accessible MCP tools for stripe.com",
  "tools": [
    {
      "name": "search",
      "description": "Search the catalog",
      "inputSchema": {
        "type": "object",
        "properties": { "query": { "type": "string" } },
        "required": ["query"]
      }
    }
  ]
}

(Optional) Add `tool-name` and `tool-description` attributes to `<form>` elements so browser AI agents can invoke them as structured tools. See https://agentgrade.com/kb/webmcp.

<form action="/api/v1/search" method="post"
      tool-name="search"
      tool-description="Search the catalog">
  <input name="query" type="text" placeholder="Search..." required>
  <button type="submit">Search</button>
</form>