The Six Things Stopping Your Website From Being Fully Agent-Ready (and Why Most Businesses Should Stop at Four)
The Cloudflare Agent Readiness Score has six "Capabilities" checks that determine whether autonomous AI agents can do anything on your website beyond reading it. They cover MCP servers, Agent Skills indexes, OAuth discovery, API catalogs, and WebMCP. Almost every website in the world scores zero out of six in this category. For most UK businesses, two of those six are worth shipping and four are not, no matter what the score gauge tells you.
This article explains what each of the six checks does, the realistic effort to ship it, and the verdict: implement, consider, or skip. We do this because chasing 100 out of 100 on the Agent Readiness Score by building OAuth servers and API catalogues that nobody is calling is a waste of money for most businesses, and the score itself does not tell you that.
The six Capabilities checks at a glance
# | Check | What it does | Effort | Verdict for most SMBs
1 | Agent Skills index | Tells agents what tools your site exposes | 4 to 6 hours | Consider
2 | MCP Server Card | Advertises your MCP server endpoint | 6 to 10 hours | Skip unless you run an MCP server
3 | WebMCP | In-browser tools for agents using a browser | 3 to 4 hours | Skip
4 | API Catalog (RFC 9727) | Lists your public APIs at a well-known endpoint | 3 to 4 hours | Skip unless you have public APIs
5 | OAuth Discovery (RFC 8414) | Tells agents where your auth server is | 40+ hours | Skip
6 | OAuth Protected Resource (RFC 9728) | Declares OAuth-protected resources | 8 hours | Skip
For a normal small or medium business website, the right move is to ship one (Agent Skills) if you want a credibility signal, and skip the other five. That gets you no points on the score for the skipped items but is the rational answer for any business that does not actually have public APIs, an MCP server, or an OAuth identity provider.
We will go through each in detail.
1. Agent Skills index
What it is. A JSON file at /.well-known/agent-skills/index.json listing the skills your website exposes to AI agents. Each skill is a named capability with a description, an input schema, and an endpoint to call. For example: book-discovery-call (input: name, email, preferred date; calls Cal.com), or get-pricing (input: service slug; returns current prices).
What it does. When an autonomous agent visits your site on behalf of a customer, it can read the index and discover that your site exposes specific tools beyond passive content. The agent then knows it can call those tools to complete the customer's task without scraping forms.
Effort. Roughly 4 to 6 hours to publish a basic index with 2 or 3 skills, assuming the underlying endpoints already exist.
Verdict: Consider. This is the only capability check we recommend for most marketing and service businesses. It is a credible positioning move ("we expose AI-callable skills") and the underlying infrastructure is small. Even if no agent calls your skills today, the index sits as a positive signal for future-leaning prospects who are watching this space.
We have not shipped one on tynesidemarketing.co.uk yet. We may, in May 2026, as a positioning move. We are not in a hurry.
2. MCP Server Card
What it is. A JSON file at /.well-known/mcp/server-card.json advertising an MCP server endpoint that agents can connect to. Includes the server name, the transport type (typically Streamable HTTP), the available tools, and the authentication requirements.
What it does. Lets an MCP-compatible agent discover and connect to your server before it even calls a tool. The card tells the agent everything it needs to know.
Effort. Roughly 6 to 10 hours to ship a basic MCP server with 2 or 3 tools, plus the card. More if you want production-grade rate limiting, logging, and abuse protection.
Verdict: Skip unless you genuinely run an MCP server. Publishing a card with no server behind it is dishonest and confusing. If you do not currently expose any MCP-callable tools, an MCP Server Card pointing at nothing scores you points on the readiness check and adds no real value.
The right time to ship one is after you have already shipped Agent Skills and want to make those skills callable through MCP, not before.
3. WebMCP
What it is. An in-browser API (navigator.modelContext.provideContext()) that exposes page-level tools to AI agents using a browser context, such as Claude with computer use or the Comet browser.
What it does. Lets an agent that has opened your site in a browser session call your tools through the browser, without scraping the DOM or filling out forms. Useful for booking flows, checkout flows, and any interaction that today requires the agent to drive the UI.
Effort. 3 to 4 hours, assuming you reuse the same skill logic from the Agent Skills index.
Verdict: Skip for now. WebMCP only works when the agent is operating through a browser context, which is rare today. The standard is also still finalising. Worth revisiting in 2027 once browser-driven agents become more common.
4. API Catalog (RFC 9727)
What it is. A JSON file at /.well-known/api-catalog listing your public APIs and linking to their documentation, OpenAPI specs, and status endpoints.
What it does. Saves agents from having to crawl your developer portal to discover what APIs you expose.
Effort. 3 to 4 hours, assuming you have public APIs and OpenAPI specs already.
Verdict: Skip unless you actually have public APIs. A catalog pointing at private endpoints or boilerplate is filler, not value. Most marketing and service businesses do not have public APIs and never will. If you are a SaaS product or a developer tools business, this becomes a "yes, ship it" rather than a "skip it".
5. OAuth Discovery (RFC 8414)
What it is. A standard endpoint (/.well-known/oauth-authorization-server) that publishes OAuth 2.0 authorization server metadata, telling agents where to send users for authentication.
What it does. Lets an autonomous agent send a customer through an OAuth flow to grant the agent access to a logged-in part of your site.
Effort. 40+ hours, because to publish OAuth metadata you need to actually run an OAuth identity provider. That means user accounts, login flows, token issuance, scope management, and the security model that goes with it.
Verdict: Skip. Building an OAuth server purely to score points on the agent readiness check is one of the worst engineering investments we can think of. If you already run OAuth (because you have a logged-in product), then yes, publish the discovery metadata. Otherwise, skip without hesitation.
This is the check that pushes the realistic ceiling on the Agent Readiness Score from 100 down to 85, for most non-developer-tools businesses.
6. OAuth Protected Resource (RFC 9728)
What it is. Companion to OAuth Discovery. Declares which resources on your site are OAuth-protected and which authorization server protects them.
What it does. Together with the discovery endpoint, gives agents a complete picture of how to authenticate before accessing protected content.
Effort. 8 hours on top of the OAuth server you would already need.
Verdict: Skip. Same logic as OAuth Discovery. If you do not have OAuth, do not pretend.
Why most businesses should stop at four
By "stop at four", we mean: pass the four scored categories that actually apply to a normal website (Discoverability, Content, Bot Access Control, and one or two of the six Capabilities checks), and walk away from the other four or five.
Specifically:
- Marketing or service business: pass Discoverability, Content, Bot Access Control, and consider Agent Skills. Skip everything else. Realistic ceiling: 60 to 70 out of 100.
- Local business: same as above. Realistic ceiling: 55 to 65.
- Ecommerce store without a public API: same as above plus the optional commerce protocols (x402, ACP) when they mature. Realistic ceiling: 65 to 75.
- Developer tools or SaaS product: ship most of the six. The ceiling is 85 to 100, and the work is justified.
- Documentation site: focus on Markdown content negotiation, llms.txt, and Agent Skills indexes. The ceiling is 80 to 95.
The Cloudflare score itself does not differentiate by business model. It treats every site the same. That is intentional: it is benchmarking the full standard, not telling you which parts apply to you. The interpretation work is on you, or on whoever is helping you with this.
We have done this exercise on tynesidemarketing.co.uk. Our score went from 33 to 50 after we shipped two Phase 1 fixes (Link response headers and Markdown content negotiation). Our realistic ceiling is 60 to 70. We may add Agent Skills index in May. We will not be building an OAuth server.
How to actually move the needle
If you want to improve your own Agent Readiness Score sensibly:
- Run the Cloudflare scan and read the per-check breakdown.
- Ship the easy Discoverability and Bot Access Control wins (Link response headers, Content Signals, AI bot rules). A few hours, probably 25 to 35 score points.
- Ship Markdown content negotiation. Three to eight hours depending on stack, big AEO upside as well as score points.
- Decide on Agent Skills. If you want a positioning signal, ship a basic index. If you do not, do not.
- Stop. Re-run the scan, document the improvement, and move on.
If you want this done for you, we ship these changes for clients as part of our AEO retainer or as a one-off implementation. Get in touch via the free audit form and we will scope it from your current score.
Common questions
Do small businesses really need an MCP server?
No. An MCP server makes sense if you have specific tools you want autonomous agents to call (booking flows, pricing lookups, status checks). For most small businesses these tools either do not exist or are reachable through a simpler approach like Agent Skills. Build the MCP server only if you have real demand for agent-callable tooling, not because Cloudflare's score wants it.
What is the difference between Agent Skills and an MCP Server Card?
Agent Skills are a discoverable list of capabilities your site exposes, published as a static JSON file with input schemas and endpoints. An MCP Server Card advertises a live MCP server that agents can connect to over a streamable HTTP transport. Skills are a directory; MCP is a runtime protocol. You can have skills without MCP, but a server card is meaningless without a server.
Should I implement OAuth discovery for agent readiness?
Only if you already run an OAuth identity provider. Building one purely to score points on the Cloudflare Agent Readiness check is a 40-plus hour engineering project with no business case. Skip it.
What is the API Catalog (RFC 9727)?
A standard format for publishing a list of your public APIs at /.well-known/api-catalog. Useful if you are a SaaS or developer tools company. Useless if you do not expose public APIs. Most marketing and service businesses fall into the second group.
Can I get a 100 Agent Readiness Score without building any infrastructure?
No. The score is partly aspirational. The Capabilities category requires real infrastructure (OAuth server, API catalog, MCP server) to pass fully. For most non-developer-tools businesses, the realistic ceiling is 60 to 85, not 100.
Is WebMCP worth implementing on a marketing website?
Not yet. WebMCP only operates when the agent is using a browser context, which is rare today. Revisit when browser-driven agents become more common, probably 2027.
How long does it take to add an Agent Skills index?
About 4 to 6 hours for a basic index with 2 or 3 skills, assuming the underlying endpoints (booking, pricing, contact) already exist. Most of the time goes into deciding which skills to expose and writing the input schemas, not the publishing infrastructure.
Will Google or ChatGPT use these standards directly?
Not yet, in most cases. Google AI Overviews and ChatGPT search use traditional web crawling and indexing today. The agent readiness standards are designed for autonomous agent traffic (Claude with computer use, Comet browser, agentic ChatGPT modes), which is growing but still niche. Implementing the standards positions you for that growth without immediate ROI on the answer-engine side.
Should I implement x402 if I sell things online?
Worth tracking, not worth shipping yet for most stores. x402 is a payment protocol designed for AI agents to pay servers directly. It is genuinely interesting and Cloudflare has put real weight behind it, but adoption is early. Consider it once your store is comfortably above the AEO and AXO basics.
Which two of the six checks should every business consider?
Most businesses should look at Agent Skills (the easy positioning signal) and skip the rest. If you sell to developers, also look at API Catalog and MCP Server Card. If you run a logged-in product with OAuth already, then OAuth Discovery and Protected Resource are simple wins. Beyond those edge cases, four or five of the six are not worth your engineering time.
Related reading
- Cloudflare's Agent Readiness Score: What It Means, and What Happened When We Scored Our Own Site
- Agent Experience Optimisation vs Answer Engine Optimisation: Two Different AEOs, Explained
- What Is Answer Engine Optimisation? A Plain English Guide
External references
More on AEO
Agent Experience Optimisation vs Answer Engine Optimisation: Two Different AEOs, Explained
AEO has started to mean two different things in 2026: Answer Engine Optimisation (the established meaning) and Agent Experience Optimisation (the new one). Here is the difference.
Cloudflare's Agent Readiness Score: What It Means, and What Happened When We Scored Our Own Site
Cloudflare's new Agent Readiness Score grades how AI-friendly your site is. We took our own site from 33 to a perfect score in an hour. Find out how we did it here.
Blog, Article, or Listicle? A Small Business Guide to Content Types, Intent, and AI Search
What's the difference between a blog and an article? What is a listicle? Why do AI Overviews appear on some searches and not others? A plain-English guide for small business owners.