Agentifact - How We Score
Scoring Methodology
Every listing in Agentifact is scored across five dimensions on a 0-100 scale. Scores are derived from direct testing, not vendor self-reporting. The composite trust score is the unweighted average of all five dimensions.
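Since the composite is a plain unweighted average, it can be sketched in a few lines. The dimension names below are illustrative placeholders, not Agentifact's internal field names:

```python
def composite_trust_score(dimensions: dict) -> float:
    """Unweighted average of the five 0-100 dimension scores."""
    if len(dimensions) != 5:
        raise ValueError("expected exactly five dimensions")
    return sum(dimensions.values()) / 5

# Placeholder dimension names for illustration only:
scores = {
    "agent_readiness": 85,
    "vendor_trust": 70,
    "protocol_coverage": 90,
    "security": 60,
    "documentation": 75,
}
print(composite_trust_score(scores))  # 76.0
```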
What "Verified" means
A "Verified" badge means Agentifact has directly tested the tool's API endpoint or integration, checked the documentation against actual behavior, and confirmed the scoring dimensions are current. Verified status is not self-reported by vendors.
Stale policy
Listings are automatically flagged Stale when more than 90 days have passed since the last verified date. We re-verify stale listings on a rolling schedule, highest traffic first.
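The 90-day rule and the traffic-ordered re-verification queue can be expressed directly; this is a minimal sketch under those two stated rules, not the production implementation:

```python
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)

def is_stale(last_verified: date, today: date) -> bool:
    """A listing is Stale once more than 90 days have passed since verification."""
    return today - last_verified > STALE_AFTER

def reverification_queue(listings, today: date):
    """Stale listings only, highest monthly traffic first.

    `listings` is a list of (name, last_verified, monthly_traffic) tuples.
    """
    stale = [l for l in listings if is_stale(l[1], today)]
    return sorted(stale, key=lambda l: l[2], reverse=True)
```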
The five dimensions
Can an AI agent reliably call this tool without supervision? Measures API quality, structured output schemas, machine-parsable error codes, retry behavior, and whether the tool exposes an OpenAPI or MCP-compatible interface.
| Score | What it means |
|---|---|
| 0-19 | No machine interface. Requires human configuration. |
| 20-39 | Basic REST API. Inconsistent error codes. No schema. |
| 40-59 | Documented API with some structured outputs. Partial schema. |
| 60-79 | OpenAPI spec available. Predictable errors. Retryable endpoints. |
| 80-89 | MCP or A2A compatible. Full schema. Rate limit headers exposed. |
| 90-100 | Native MCP server or A2A endpoint. Structured outputs, retry signals, tool manifest. |
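The score bands above can be mapped to labels with a threshold lookup. The cut-offs are taken directly from the table; the short labels paraphrase its descriptions:

```python
from bisect import bisect_right

# Lower bound of each band in the table above.
THRESHOLDS = [0, 20, 40, 60, 80, 90]
LABELS = [
    "No machine interface",
    "Basic REST API",
    "Documented API, partial schema",
    "OpenAPI spec, retryable endpoints",
    "MCP/A2A compatible",
    "Native MCP server or A2A endpoint",
]

def band_label(score: int) -> str:
    """Return the band label for a 0-100 dimension score."""
    if not 0 <= score <= 100:
        raise ValueError("score must be 0-100")
    return LABELS[bisect_right(THRESHOLDS, score) - 1]

print(band_label(72))  # "OpenAPI spec, retryable endpoints"
```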
Is this tool trustworthy as an infrastructure component? Covers ownership verification, documentation currency, known incident history, changelog maintenance, and whether the vendor actively maintains the integration.
| Score | What it means |
|---|---|
| 0-19 | Anonymous vendor. No changelogs. Known security incidents unaddressed. |
| 20-39 | Verified vendor identity. Sparse docs. No public incident record. |
| 40-59 | Active maintenance. Some documentation gaps. Minor incidents disclosed. |
| 60-79 | Regular releases. Clear ownership. Docs updated within 90 days. |
| 80-89 | SOC 2 or equivalent. SLA published. Incident post-mortems public. |
| 90-100 | Verified ownership, active maintenance, public SLA, disclosed incidents, enterprise trust signals. |
How many protocols and integration surfaces does this tool expose? Scores MCP support, A2A compatibility, REST API coverage, webhook support, and OpenAPI specification completeness.
| Score | What it means |
|---|---|
| 0-19 | Single proprietary integration only. |
| 20-39 | Basic REST. No standard protocols. |
| 40-59 | REST + webhook. Partial protocol coverage. |
| 60-79 | MCP or A2A support. REST documented with OpenAPI. |
| 80-89 | MCP + REST + webhooks. A2A compatible. SDK available. |
| 90-100 | Full MCP + A2A + REST. OpenAPI spec. Multiple SDKs. Embeddable tool manifest. |
What security controls protect this tool when called by an agent? Evaluates authentication mechanisms, PII handling policies, data retention practices, audit logging, and compliance certifications.
| Score | What it means |
|---|---|
| 0-19 | No auth. Unknown PII policy. No audit trail. |
| 20-39 | API key auth only. Basic privacy policy. No logs. |
| 40-59 | OAuth or JWT. Privacy policy published. Basic logging. |
| 60-79 | mTLS or PKCE. Explicit PII controls. Structured audit logs. |
| 80-89 | Enterprise auth (SSO, RBAC). PII masking configurable. Logs exportable. |
| 90-100 | SOC 2 Type II, HIPAA, or GDPR certified. Fine-grained RBAC. Immutable audit trail. Data residency controls. |
Can an AI agent use this tool based on its documentation alone without human interpretation? Scores machine-parsable docs, runnable examples, error message quality, and changelog completeness.
| Score | What it means |
|---|---|
| 0-19 | No docs. Or docs exist but are unmaintained. |
| 20-39 | README only. No runnable examples. |
| 40-59 | Docs site. Some examples. Changelog sparse. |
| 60-79 | Full API reference. Code examples in 2+ languages. Active changelog. |
| 80-89 | OpenAPI spec + interactive playground. Machine-parsable error catalog. |
| 90-100 | OpenAPI + AsyncAPI spec. Runnable examples. Error catalog. Changelog with breaking change notices. SDK typedocs. |
Approval Control Mode
This field is separate from the trust score. It answers one question: "If I give this to my agent, will it run fully autonomously, or will it require human confirmation?"
| Mode | Meaning |
|---|---|
| FULL_AUTO | Can be delegated to an AI agent with no human confirmation. |
| REQUIRES_APPROVAL | Requires at least one approval gate before execution. |
| HUMAN_IN_LOOP | Human involvement is required throughout the workflow. |
| N/A | Approval mode is not applicable for this tool type. |
Machine-queryable endpoint
`GET /api/tools`

Query parameters:
| Parameter | Accepted values |
|---|---|
| category | MCP_SERVER, HITL_PROVIDER, A2A_AGENT, FRAMEWORK |
| approvalMode | FULL_AUTO, REQUIRES_APPROVAL, HUMAN_IN_LOOP |
| minScore | 0-100; minimum composite trust score |
| mcp | true; only MCP-compatible tools |
| workflow | booking, data-processing, customer-service, ... |
| limit | 1-100 (default 20) |
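Building a filtered query is a matter of URL-encoding the parameters above. The base URL here is a hypothetical placeholder; substitute the real Agentifact host:

```python
from urllib.parse import urlencode

# Hypothetical base URL, for illustration only.
BASE = "https://agentifact.example.com/api/tools"

def build_query(**filters) -> str:
    """Assemble a GET /api/tools URL from the documented query parameters."""
    return f"{BASE}?{urlencode(filters)}"

url = build_query(
    category="MCP_SERVER", approvalMode="FULL_AUTO", minScore=80, mcp="true", limit=10
)
# .../api/tools?category=MCP_SERVER&approvalMode=FULL_AUTO&minScore=80&mcp=true&limit=10
```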