Your x402/MCP endpoint may be listed but not actually callable.
The Marketplace Visibility Audit is a structured visibility check that answers the question every x402/MCP seller eventually asks: "why is nobody finding or paying my endpoint?" Private beta. First-pass audit is free on request.
Status: Private beta | Audit engine: built | Public paid route: not yet launched | Price hypothesis: $0.05 USDC for a quick audit when live
The visibility problem (in numbers)
The Decixa State of x402 report (April 2026) probed the public x402 ecosystem and surfaced a structural quality gap: most endpoints that claim to be x402 do not actually return a valid 402 handshake when an agent tries to call them. The numbers below are from that independently-published report:
- 30,600: x402 listings tracked across the public ecosystem
- 9,246: actually probed by Decixa
- 5,523: verified live (returned a valid 402 handshake)
- ~18%: raw working share of total tracked listings
Who this is for
- x402 sellers who think they are listed somewhere (x402scan, awesome-x402, MCP Registry, Coinbase Bazaar, Glama, Skiln) but see no agent calls.
- MCP server operators who registered their server but cannot tell whether agents are actually able to discover and pay it.
- Agent storefront owners who recently rotated their payTo address and want to confirm registries reflect the change.
- Builders who shipped an x402 endpoint and want an independent second pair of eyes on its discovery surface before announcing it.
What the audit checks
- /.well-known/x402.json reachability — present? valid? declares x402Version, site, payment_gated, paid_resource_urls?
- Live 402 body shape — paid URL returns HTTP 402? accepts[] populated? x402Version: 2? CAIP-2 network? maxTimeoutSeconds? extensions object?
- Payment-terms extraction — payTo / amount / asset / network / scheme all readable from the 402 body without payment?
- x402scan listing — listed at all? stale (registry payTo different from live 402 payTo)? not found?
- MCP Registry listing — present at registry.modelcontextprotocol.io?
- Machine-discovery files — /llms.txt reachable? /openapi.json or /.well-known/openapi.json present? /agents.json or /.well-known/agents.json present?
Sample audit output (JSON)
Output schema is stable. Optional fields are returned as null when the audit cannot quantify them — the audit does not invent values.
{
  "url": "https://example.com/api/x402/example",
  "audit_timestamp": "2026-05-26T00:00:00Z",
  "audit_depth": "quick",
  "well_known_x402": "missing",
  "payment_required_body": "ok",
  "payTo": "0xexample...",
  "amount": "10000",
  "asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
  "network": "eip155:8453",
  "scheme": "exact",
  "x402scan_status": "stale",
  "x402scan_listing_url": "https://www.x402scan.com/server/...",
  "x402scan_listed_payTo": "0xolder...",
  "mcp_registry_status": "not_found",
  "machine_discovery_files": {
    "llms_txt": "missing",
    "openapi": "missing",
    "agents_json": "missing"
  },
  "visibility_score": 35,
  "max_visibility_score": 100,
  "top_3_recommendations": [
    {
      "priority": "critical",
      "issue": ".well-known/x402.json status: missing",
      "action": "Publish /.well-known/x402.json declaring x402Version, site, payment_gated, paid_resource_urls."
    },
    {
      "priority": "high",
      "issue": "x402scan listed payTo differs from live 402 payTo",
      "action": "Re-submit the x402scan listing so the recorded payTo matches the current live 402."
    },
    {
      "priority": "medium",
      "issue": "MCP Registry: not_found",
      "action": "Publish the MCP server in registry.modelcontextprotocol.io so client agents discover it."
    }
  ]
}
Why these checks
A buyer agent that wants to call an x402 endpoint does roughly this:
- Discover the endpoint (via x402scan, Coinbase Bazaar, MCP Registry, llms.txt, openapi.json).
- Fetch the paid URL and read the 402 body to learn price, asset, payTo, network, scheme.
- Sign a payment over the advertised terms.
- Retry with the signed payment and expect a 200.
If any step in that chain has a leak — registry stale, 402 body malformed, payTo drift, machine-discovery file missing — the agent silently moves on. The audit is just a structured way to find which step has the leak on a given endpoint, before that endpoint loses any more agent traffic.
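The second step of that chain and the payTo-drift check, as an added example (not LION's audit engine and not code from this page): it reads the terms from a captured 402 body without paying and compares the live payTo with the one a registry recorded. Placing the terms in accepts[0], the constructed addresses and the "unavailable" fallback are assumptions.

```python
import json
import re

# CAIP-2 chain id: namespace ":" reference, e.g. "eip155:8453".
CAIP2 = re.compile(r"[-a-z0-9]{3,8}:[-_a-zA-Z0-9]{1,32}")
TERM_FIELDS = ("payTo", "amount", "asset", "network", "scheme")

def read_terms(status_code, body_text):
    """Return (body_status, terms) for one captured response to a paid URL.

    Assumption: terms sit in accepts[0] under the field names the page lists.
    Unreadable fields come back as None; nothing is guessed.
    """
    terms = dict.fromkeys(TERM_FIELDS)
    try:
        body = json.loads(body_text)
    except (TypeError, ValueError):
        return "invalid", terms
    accepts = body.get("accepts") if isinstance(body, dict) else None
    if not (isinstance(accepts, list) and accepts and isinstance(accepts[0], dict)):
        return "invalid", terms
    for field in TERM_FIELDS:
        value = accepts[0].get(field)
        terms[field] = value if isinstance(value, str) and value else None
    ok = (status_code == 402
          and body.get("x402Version") == 2
          and all(terms.values())
          and re.fullmatch(r"[0-9]+", terms["amount"]) is not None  # atomic units
          and CAIP2.fullmatch(terms["network"]) is not None)
    return ("ok" if ok else "invalid"), terms

def listing_status(live_pay_to, listed_pay_to):
    """Compare the registry's recorded payTo with the live 402 payTo."""
    if listed_pay_to is None:
        return "not_found"
    if live_pay_to is None:
        return "unavailable"  # assumption: no live value to compare against
    # EVM hex addresses differ only by checksum casing, so compare lowercased.
    return "listed" if live_pay_to.lower() == listed_pay_to.lower() else "stale"

# Constructed sample: 402 body after a payTo rotation; the registry still holds the old address.
NEW_PAY_TO, OLD_PAY_TO = "0x" + "aa" * 20, "0x" + "bb" * 20
SAMPLE_BODY = json.dumps({"x402Version": 2, "accepts": [{
    "scheme": "exact", "network": "eip155:8453", "amount": "10000",
    "asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
    "payTo": NEW_PAY_TO, "maxTimeoutSeconds": 60}]})

if __name__ == "__main__":
    status, terms = read_terms(402, SAMPLE_BODY)
    print(status, terms["payTo"], listing_status(terms["payTo"], OLD_PAY_TO))
```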
Price hypothesis
- Quick audit (current spec): $0.05 USDC per audit on Base mainnet (50000 atomic units) — not yet publicly launched
- Free first-pass: Available on request during private beta — email LION to request
- Deeper audit: Roadmap. Pricing will depend on whether the quick tier converts
What this audit is not
- It is not a discovery registry. x402scan, Coinbase Bazaar, and the MCP Registry already do that. The audit just checks whether your existing listings are healthy and complete.
- It is not a security audit of your code. SSRF, prompt injection, or business-logic vulnerabilities are out of scope. The audit only looks at the public discovery and payment surface.
- It is not a recommendation to use any specific facilitator, marketplace, or chain. The audit reports what is observable; the seller decides what to fix.
- It is not a paid promotion. LION does not custody funds, does not move funds, does not sign transactions on the seller's behalf, and does not auto-publish anywhere.
Request a free first-pass audit
During the private beta, LION will run a free first-pass visibility audit against any public x402 or MCP endpoint, on request. The output is the same JSON shape shown above. No account, no API key, no payment.
How to request
Email lionmaster.operations@gmail.com with subject line [LION Visibility Audit Request] and the following in the body:
- endpoint URL you want audited
- service name
- expected payTo (if known)
- x402scan / MCP Registry listing URL (if any)
- preferred reply channel
Machine-readable agent metadata
{
  "service": "LION Marketplace Visibility Audit",
  "url": "https://gleaming-cassata-d41682.netlify.app",
  "spec_page": "https://gleaming-cassata-d41682.netlify.app/x402-marketplace-visibility-audit/",
  "status": "private_beta",
  "audit_depth_supported": ["quick"],
  "price_hypothesis_usdc": "0.05",
  "price_hypothesis_atomic_usdc": "50000",
  "network_hypothesis": "eip155:8453",
  "asset_hypothesis": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
  "scheme_hypothesis": "exact",
  "output_shape": {
    "url": "string",
    "audit_timestamp": "ISO-8601",
    "audit_depth": "quick",
    "well_known_x402": "ok | missing | invalid | unavailable",
    "payment_required_body": "ok | invalid | unavailable",
    "payTo": "address | null",
    "amount": "atomic string | null",
    "asset": "address | null",
    "network": "CAIP-2 string | null",
    "scheme": "string | null",
    "x402scan_status": "listed | stale | not_found | unavailable",
    "mcp_registry_status": "listed | not_found | unavailable",
    "machine_discovery_files": {
      "llms_txt": "ok | missing | invalid | unavailable",
      "openapi": "ok | missing | invalid | unavailable",
      "agents_json": "ok | missing | invalid | unavailable"
    },
    "visibility_score": "0..100",
    "top_3_recommendations": "array of {priority, issue, action}"
  },
  "request_channel": "mailto:lionmaster.operations@gmail.com",
  "request_subject_template": "[LION Visibility Audit Request]",
  "request_body_template_fields": [
    "endpoint URL you want audited",
    "service name",
    "expected payTo (if known)",
    "x402scan / MCP Registry listing URL (if any)",
    "preferred reply channel"
  ],
  "machine_descriptor": "https://gleaming-cassata-d41682.netlify.app/lion-mcp/visibility-audit.json",
  "human_overview": "https://gleaming-cassata-d41682.netlify.app/lion-mcp/visibility-audit.md",
  "src_tag": "audit_spec"
}