100/100 on Cloudflare's Agent-Ready Audit — The First Event Platform to Reach Level 5

On 20 April 2026 Cloudflare's Is Your Site Agent-Ready audit awarded Who's In a perfect 100/100 — the highest tier it offers, "Agent-Native." As far as we can tell, we are the first and only event management platform in the world at that tier.

The Score, In Full

The audit checks four categories. We scored full marks in every one.

• Discoverability: 3/3 — robots.txt, sitemap.xml, structured metadata
• Content: 1/1 — Accept: text/markdown content negotiation
• Bot Access Control: 2/2 — robots.txt Content-Signal directives
• API, Auth, MCP & Skills: 6/6 — OpenAPI, OAuth, MCP, Agent Skills, Web Bot Auth, ACP

The audit is public, reproducible, and re-runnable on demand at isitagentready.com.

What Does "Agent-Ready" Actually Mean?

Every reader of this post has probably asked an AI assistant to do something on their behalf this week. "Find me a yoga class in Dubai on Saturday morning." "Book a ticket to the React conference in London." "What's the best free RSVP tool for a book club?"

Behind that prompt, the agent is doing work on the open web. It's discovering candidate sites, parsing their content, evaluating their trustworthiness, sometimes authenticating against them, and occasionally invoking tools on them. The quality of the answer depends heavily on whether those sites are built for agents — or built only for humans and fighting the agent every step of the way.

Cloudflare's Is Your Site Agent-Ready audit measures exactly that. It ranges from Level 0 ("Not Ready") through Level 5 ("Agent-Native"). Level 5 sites expose machine-readable discovery endpoints, negotiate content types with agents, advertise their tools via MCP, expose their Skills, authenticate crawlers via Web Bot Auth, and advertise their commerce capabilities via ACP.

The Ten Standards We Shipped

Every point on the audit traces to a specific, publicly-inspectable file or header. Here is the full stack — all of it live in production on whos-in.app.

1. RFC 8288 Link response headers — every homepage response advertises every /.well-known resource via Link headers so an agent discovers the whole agent-facing surface from a single HEAD request.
2. RFC 9727 /.well-known/api-catalog — application/linkset+json catalogue linking OpenAPI, MCP card, Agent Skills index, and OAuth metadata.
3. /.well-known/openid-configuration — OIDC discovery backed by Firebase. Agents can start an auth flow without out-of-band configuration.
4. /.well-known/oauth-authorization-server — OAuth 2.0 authorization server metadata for agent-initiated auth.
5. /.well-known/oauth-protected-resource (RFC 9728) — protected resource metadata declaring what scopes apply to our API.
6. /.well-known/mcp/server-card.json (SEP-1649) — Model Context Protocol Server Card advertising WebMCP transport and the three published Skills.
7. /.well-known/agent-skills/index.json (Agent Skills Discovery v0.2.0) — three first-class Skills (search-events, rsvp-to-event, discover-venues), each with SHA-256 integrity digests.
8. /.well-known/http-message-signatures-directory — Web Bot Auth JWKS so agents can prove identity via HTTP Message Signatures.
9. /.well-known/acp.json (Agentic Commerce Protocol) — ACP metadata advertising Stripe-backed checkout with honest capability status.
10. robots.txt Content-Signal + Accept: text/markdown content negotiation — explicit ai-train/search/ai-input permission signals, plus turndown-converted markdown for agents that prefer it over HTML.

Five Technical Decisions Worth Calling Out

• One HEAD request discovers everything. An agent that hits whos-in.app HEAD gets Link headers pointing at the api-catalog, MCP card, Skills index, OAuth metadata, Web Bot Auth JWKS and ACP endpoint. From that single response it can plan every next move without loading a byte of HTML.
• Markdown when you need it, HTML when you don't. Agents that send Accept: text/markdown get a clean markdown rendering produced by turndown inside prerenderMiddleware. Browsers still get the normal SPA shell.
• Three first-class Agent Skills. search-events, rsvp-to-event, and discover-venues each ship as a SKILL.md with a SHA-256 digest so agents can verify the version they invoke is the version we published.
• Verifiable identity for crawlers. Web Bot Auth lets our edge distinguish "a real OpenAI or Anthropic crawler" from a generic scraper masquerading as one. Good bots keep their high limits; imposters get downgraded.
• Honest Agentic Commerce. Our /.well-known/acp.json tells agents exactly what checkout can and can't do today — Stripe hosted flow with human-in-the-loop, server-to-server on the roadmap. No overclaiming.

What This Actually Means for You

"Level 5 Agent-Native" is a technical badge. What it delivers is distribution. When AI assistants start being the default interface for event discovery — and they already are for a meaningful slice of Who's In traffic — the platforms that agents understand deepest win.

• Events (free forever) — every public event is discoverable by AI agents. When someone asks ChatGPT for "a free RSVP tool that works on WhatsApp," your event is a citable answer.
• Clubs — book clubs, run clubs, pickleball leagues and alumni networks show up when prospective members ask "find a running club near me" to Perplexity, Claude or Gemini.
• Studio — yoga, Pilates, dance and wellness studios get structured Skills ("search classes", "book into a slot") that AI assistants can use on behalf of their users.
• Conference — multi-day conferences expose tiered tickets, speaker bios and agenda data in a way agents can parse.

How We Got Here — The Development Journey

Who's In was founded in January 2026. The perfect score landed in April. Four months, start to finish:

• January 2026: platform built from scratch with AI discoverability baked in from day one.
• February 2026: four AI giants independently reviewed the architecture — Gemini rated it Level 11/11, 99.9th percentile.
• February 2026: WebMCP launch — first event platform with native agent tools.
• March 2026: wallet passes, verified organisers, QR check-in v2.
• April 2026: Agent-Native push — Link headers, api-catalog, OIDC + OAuth metadata, MCP Server Card, Agent Skills with SHA-256 digests, Web Bot Auth JWKS, ACP endpoint, markdown content negotiation.
• 20 April 2026: Cloudflare returns a perfect 100/100.

Transparency & Verification

We believe AI-era trust has to be verifiable, not performative. Every claim here is independently checkable:

• Audit score is live at isitagentready.com — anyone can re-audit.
• Every /.well-known/* endpoint referenced above is public and returns real, spec-compliant JSON or linkset data.
• The full agent-facing infrastructure is indexed on the AI Trust page.
• Earlier independent architectural reviews from Gemini, ChatGPT, Claude, and Grok are published unedited at Four AI Giants Reviewed Our Architecture.
• Our AI permissions policy and citation guide live at ai.txt.

Standard disclosure: Cloudflare's Is Your Site Agent-Ready tool is an automated, rules-based audit — not a commercial certification from Cloudflare, Inc. We published the score exactly as returned, on the date returned, without editing.