Agent integration: the 0/13 frontier
Hidden Layer audited 118 domains across 12 industries. Every single one scored 0/13 on agent integration. The frontier is completely open.
Hidden Layer audited 118 domains across 12 industries. Every single one scored 0/13 on agent integration. Not one B2B SaaS company. Not one Developer Tools platform. Not one AI company. The agent integration category is the only one where the maximum score equals the minimum score across every domain in the dataset — and both are zero.
This isn't about companies doing it badly. It's that no one has started.
What agent integration actually means
Agent integration means making your services discoverable and callable by AI agents through standardised protocols. Three files do most of the work:
- MCP server card (/.well-known/mcp.json) — declares your MCP server's capabilities, tools, and connection requirements to any agent that checks. The Model Context Protocol launched Nov 2024.
- A2A agent card (/.well-known/agent-card.json) — Google's Agent-to-Agent protocol, launched Apr 2025. Tells external agents your agent's name, skills, and how to invoke it.
- OpenAPI spec (/openapi.json) — a standard 3.1+ description of your REST API at a well-known path. Most companies publish this at /api/swagger or /docs — not the standardised location agents look for.
The three protocols are independent and complementary. MCP is about tool access. A2A is about agent-to-agent delegation. OpenAPI is about raw API discoverability. A B2B SaaS company could implement all three in a day.
The 7 checks, ranked by opportunity
| Check | Points | What it requires | Est. time |
|---|---|---|---|
| OpenAPI spec | 3 | /openapi.json with OpenAPI 3.1+ spec | 20 min if spec exists |
| A2A agent card | 2 | /.well-known/agent-card.json (Google A2A spec) | 10 min |
| OAuth protected resource | 2 | /.well-known/oauth-protected-resource (RFC 9728) | 15 min |
| API catalog | 1 | /.well-known/api linking to API resources | 5 min |
| MCP server card | 1 | /.well-known/mcp.json declaring MCP capabilities | 10 min |
| Web Bot Auth | 1 | /.well-known/http-message-signatures-directory (IETF draft) | 10 min |
| Listed in MCP registry | 1 | Submit to registry.smithery.ai | 5 min |
Who moves first?
Companies with existing REST APIs are already halfway there. Twilio and Stripe both have OpenAPI specs — they just live at non-standard paths. Moving them to /openapi.json is a one-line Nginx/Cloudflare rewrite. Adding an agent-card.json is JSON authoring.
Developer tools platforms (Cloudflare, Vercel, Render) are structurally ready. Their APIs are already public, documented, and designed for machines. Adding MCP and A2A discovery is a config file, not a product decision.
Content-only sites (media, fashion, consumer brands) are furthest away — they'd need to build APIs first. But most don't need to. Their play is llms.txt and entity linking, not MCP servers. Agent integration points are honestly irrelevant for a brand like Adidas.
The irony remains: AI companies (OpenAI D/57, Anthropic D/48) — whose products depend on agent interoperability — have zero agent integration signals on their own domains. The 0/13 applies to them as much as to anyone.
First mover advantage is real
Today's 0/13 vs 0/13 looks equal. In 12 months it's 10/13 vs 0/13 — and the gap is permanent for the companies who move. Agent discovery works like SEO in 2004: the companies that invested early hold positions that are structurally hard to displace.
The Hidden Layer audit will add weight to these checks as adoption rises. Currently they're low-weighted because sub-1% of the web uses them — the methodology doesn't punish you for missing protocols that don't exist yet. But as Smithery grows, as A2A adoption rises, the weight increases. The first 30 companies in each industry to hit 5/13 will own that category's agent discovery ranking.
How to implement the two highest-value checks
Start with A2A agent card (2 pts) and OpenAPI spec (3 pts). Together they're 5/13 — already ahead of 100% of the current web.
Create /.well-known/agent-card.json:
{
"name": "Your Service Name",
"description": "What your service does in one sentence",
"url": "https://yourdomain.com",
"version": "1.0.0",
"skills": [
{
"name": "primary-capability",
"description": "What agents can do with your service"
}
]
}Create /.well-known/mcp.json:
{
"mcpVersion": "1.0.0",
"server": {
"name": "Your MCP Server",
"version": "1.0.0",
"description": "What tools your MCP server exposes"
},
"capabilities": {
"tools": { "listChanged": true }
}
}Both files serve as static JSON from your web root. No backend logic required. Add a Nginx location block or a Cloudflare Pages static file and you're done. Run your domain at hidden-layer-blogs.pages.dev after deploying — you should see 3/13 immediately (A2A card + MCP card + at least one from the OpenAPI path check).
See how your domain scores against these checks →
Run a free audit