Do I need an API key or authentication?

No. Every endpoint is public and unauthenticated. Just send a GET request. There is no signup, no key, no OAuth dance.

Yes. The API sends Access-Control-Allow-Origin: * and accepts GET / OPTIONS from any origin. You can call it directly from a browser without a proxy.

Can I use this API commercially?

Yes. Commercial use is allowed. There is no licence fee. We only ask that you do not abuse the rate limit. If you are running sustained workloads above 1000 req/hr, please reach out so we can plan capacity.

How do I call this API from Claude Code, Cursor or another AI agent?

Paste a curl example into your agent conversation. Claude Code, Cursor and Codex can all execute curl directly. There is no MCP server required, but the API is also designed to be safe to expose via MCP because every endpoint is read-only and rate-limited.

[ API — V1 ]

ZeroKit.dev API

Q: What are the rate limits?

30 requests per minute per client IP, across all endpoints. Exceeding the limit returns HTTP 429 with a JSON error body. There is no daily cap. If you need sustained higher throughput, contact us.

Fifteen endpoints covering AI readiness scoring, llms.txt generation, Schema.org JSON-LD inspection, the Top 100 AI Readiness leaderboard, an SVG status badge, full website grading and classic DNS / SSL / WHOIS / HTTP diagnostics. No auth. No API key. 30 requests per minute per client IP. CORS enabled for any origin. JSON by default.

Base URLhttps://zerokit.dev

AuthNone

Rate limit30 req / min / IP

CORSAllow-Origin: *

[ 01 — QUICK START ]

Hit your first endpoint in 10 seconds

Every endpoint is a plain GET request. No headers required. Pick your favourite client and run one of the snippets below — you should get a JSON response back instantly.

// curl

curl -s 'https://zerokit.dev/api/ai-readiness?url=https://example.com' \
  | python3 -m json.tool

// JavaScript (browser)

const r = await fetch(
  'https://zerokit.dev/api/ai-readiness?url=' +
  encodeURIComponent('https://example.com')
);
const data = await r.json();
console.log(data.score, data.grade);

// Python (stdlib)

import json, urllib.parse, urllib.request

url = 'https://example.com'
api = ('https://zerokit.dev/api/ai-readiness?url='
       + urllib.parse.quote(url, safe=''))
data = json.loads(urllib.request.urlopen(api).read())
print(data['grade'], data['score'])

[ 02 — AI AGENTS ]

Using the API from Claude Code, Cursor or any AI dev agent

Every endpoint is a stateless GET. There are no headers, no signatures, no key rotations. That makes the API trivially safe to expose to a coding agent — you can paste the curl into your agent conversation and it will Just Work.

If you are pairing with Claude Code, Cursor, Codex or any other AI dev agent, you can drop a sentence like this into your conversation and the agent will run the request itself:

“Check the AI readiness of https://example.com using the ZeroKit API at https://zerokit.dev/api/ai-readiness?url=<URL> and tell me which categories scored lowest.”

Behind the scenes the agent will execute something like:

curl -s 'https://zerokit.dev/api/ai-readiness?url=https://example.com&extended=1' \
  | jq '{grade, score, categories: (.categories | to_entries | map({k:.key, s:.value.score, max:.value.max}))}'

Because the response is plain JSON with stable keys (score, grade, categories, recommendations), the agent can read it, summarise it, and even open follow-up tasks — for example fetching /api/llms-txt to draft a starter file, or /api/schema-inspect to find missing JSON-LD types.

For a hand-on walkthrough of wiring AI-readiness into your stack, see the companion guide: Three files that make any site AI-ready in 2026.

[ 03 — ENDPOINTS ]

All 25+ public endpoints

Grouped by purpose. The AI-focused endpoints are the ones you probably came for; the classic diagnostics block is the legacy DNS / SSL / WHOIS surface that powers the older browser tools. Everything is read-only.

[ AI — READINESS, LLMS.TXT, SCHEMA, BADGES ]

GET /api/ai-readiness

Scans a URL and returns an AI Readiness score (0–100) plus a letter grade (A+ to F), broken down across five categories: robots_txt, llms_txt, structured_data, content_citability and ai_meta_directives. Add &extended=1 to also run the wayback / knowability / cloaking modules used by the leaderboard.

Parameters

Name	Required	Description
`url`	required	Absolute http:// or https:// URL to scan. Private / loopback IPs are rejected.
`extended`	optional	Set to `1` to include wayback stability, knowability and cloaking modules. Slower (2–6 s).

Example

curl -s 'https://zerokit.dev/api/ai-readiness?url=https://zerokit.dev'

Response (truncated, real)

Show response JSON

{
  "url": "https://zerokit.dev",
  "hostname": "zerokit.dev",
  "checked_at": "2026-04-11T09:20:28Z",
  "score": 90,
  "grade": "A+",
  "total_points": 90,
  "max_points": 100,
  "scanner_version": 2,
  "categories": {
    "robots_txt": {
      "score": 27, "max": 30,
      "details": {
        "exists": true,
        "sitemap_refs": ["https://zerokit.dev/sitemap.xml"],
        "ai_bots": {
          "GPTBot":         { "status": "allowed",  "company": "OpenAI" },
          "ClaudeBot":      { "status": "allowed",  "company": "Anthropic" },
          "Google-Extended":{ "status": "allowed",  "company": "Google" },
          "PerplexityBot":  { "status": "allowed",  "company": "Perplexity" },
          "Bytespider":     { "status": "blocked",  "company": "ByteDance" }
        }
      }
    },
    "llms_txt":         { "score": 19, "max": 20 },
    "structured_data":  { "score": 25, "max": 25 },
    "content_citability": { "score": 13, "max": 15 },
    "ai_meta_directives": { "score": 6,  "max": 10 }
  },
  "recommendations": []
}

GET /api/badge

Returns an SVG badge (shields.io style) showing the live AI Readiness grade and score for any URL. Content-Type is image/svg+xml, edge-cached for 6 hours. Drop the URL straight into a markdown image link or an HTML <img> tag.

Parameters

Name	Required	Description
`url`	required	Domain or full URL. Bare domains like `zerokit.dev` work; we will normalise the protocol.

Example (markdown)

![AI Ready](https://zerokit.dev/api/badge?url=zerokit.dev)

Response (raw SVG)

HTTP/2 200
content-type: image/svg+xml; charset=utf-8
cache-control: public, max-age=21600

<svg xmlns="http://www.w3.org/2000/svg" width="160" height="20"
     role="img" aria-label="AI Ready: A+ 90">
  <title>AI Ready: A+ (90/100) -- ZeroKit.dev</title>
  ...
</svg>

GET /api/leaderboard

Returns the Top 100 AI Readiness leaderboard as JSON. Source data is the state-of-ai-crawlers-2026.csv dataset, scanned across the world’s largest sites. Includes per-domain AI bot policies, llms.txt presence, knowability score and wayback stability. Use this to embed a live leaderboard, build a comparison widget, or seed a model with current AI-readiness baselines.

Parameters

Name	Required	Description
`limit`	optional	Integer 1–100. Returns the first `N` ranked results. Defaults to all 100.

Example

curl -s 'https://zerokit.dev/api/leaderboard?limit=3'

Response (real, limit=3)

Show response JSON

{
  "source": "State of AI Crawlers 2026",
  "source_url": "https://zerokit.dev/blog/state-of-ai-crawlers-2026.html",
  "leaderboard_url": "https://zerokit.dev/blog/leaderboard-ai-readiness-2026.html",
  "scanned_at": "2026-04-10",
  "methodology_url": "https://zerokit.dev/tools/ai-readiness.html",
  "stats": {
    "count": 100,
    "max": 74,
    "median": 33,
    "avg": 30.0,
    "llms_txt_pct": 31.0
  },
  "results": [
    {
      "rank": 1,
      "domain": "kaspersky.com",
      "score": 74, "grade": "B",
      "llms_txt": true,
      "bots": {
        "gptbot": "allowed",
        "claudebot": "allowed",
        "perplexity": "allowed",
        "google_extended": "allowed"
      },
      "wayback_stability": 10,
      "knowability_level": "high",
      "cloaking_severity": "minor",
      "ai_bot_blocked": false
    },
    {
      "rank": 2,
      "domain": "wordpress.com",
      "score": 74, "grade": "B",
      "llms_txt": true,
      "bots": { "gptbot": "allowed_by_default", "claudebot": "allowed_by_default" }
    }
  ]
}

GET /api/llms-txt

Generates a starter llms.txt file for any URL. We fetch the page, pull the title / description / canonical, sort internal versus external links, and emit a draft you can review and publish. JSON by default; pass &format=text to get back a downloadable text/plain file.

Parameters

Name	Required	Description
`url`	required	Absolute URL of the page to seed the llms.txt from (usually the homepage).
`format`	optional	Set to `text` to receive `text/plain` with `Content-Disposition: attachment; filename="llms.txt"`.

Example

curl -s 'https://zerokit.dev/api/llms-txt?url=https://example.com'

Response (real)

Show response JSON

{
  "url": "https://example.com",
  "host": "example.com",
  "name": "Example Domain",
  "description": "Example Domain",
  "internal_link_count": 0,
  "external_link_count": 1,
  "bytes": 362,
  "llms_txt": "# Example Domain\n\n> Example Domain\n\n## External\n\n- [Learn more](https://iana.org/domains/example)\n\n## About\n\nThis llms.txt was generated by ZeroKit at https://zerokit.dev/tools/llms-txt-generator.html ..."
}

GET /api/schema-inspect

Parses every <script type="application/ld+json"> block on a page, walks nested @graph entities, and scores AI-citation coverage 0–100. Returns the schemas found, the AI-relevant schemas missing, and a prioritised list of types to add. Used by ChatGPT, Perplexity and Google AI Overviews to ground citations.

Parameters

Name	Required	Description
`url`	required	Absolute URL of the page to inspect.

Example

curl -s 'https://zerokit.dev/api/schema-inspect?url=https://www.nytimes.com'

Response (real, truncated)

Show response JSON

{
  "url": "https://www.nytimes.com",
  "hostname": "www.nytimes.com",
  "total_blocks": 2,
  "valid_blocks": 2,
  "invalid_blocks": 0,
  "schemas_found": [
    { "type": "ListItem",     "count": 38 },
    { "type": "ImageObject",  "count": 8  },
    { "type": "Organization", "count": 3  },
    { "type": "WebSite",      "count": 1  }
  ],
  "ai_citation_coverage": {
    "score": 25,
    "max": 100,
    "level": "minimal"
  },
  "ai_schemas_present": ["Organization", "WebSite"],
  "ai_schemas_missing": [
    "NewsArticle", "FAQPage", "HowTo", "BreadcrumbList",
    "Product", "Person", "Review"
  ],
  "recommendations": [
    { "type": "NewsArticle", "points": 20, "priority": "high",
      "why": "Time-sensitive news content. Article-equivalent for AI grounding." },
    { "type": "FAQPage",     "points": 15, "priority": "high",
      "why": "Direct quotable answers. Lifted verbatim into AI responses." }
  ]
}

GET /api/grade

Full website grader. Combines performance (response time), security headers, SSL config and SEO basics into a single weighted score and letter grade. Useful as a one-shot health check for any URL.

Parameters

Name	Required	Description
`url`	required	Absolute URL to grade.

Example

curl -s 'https://zerokit.dev/api/grade?url=https://example.com'

Response (real, truncated)

Show response JSON

{
  "url": "https://example.com",
  "final_url": "https://example.com",
  "hostname": "example.com",
  "grade": "D",
  "score": 64,
  "checked_at": "2026-04-11T09:20:46Z",
  "categories": {
    "performance": {
      "score": 100, "grade": "A+", "weight": "20%",
      "details": { "response_time_ms": 185, "status_code": 200 }
    },
    "headers": {
      "score": 0, "grade": "F", "weight": "25%",
      "details": {
        "headers_missing": [
          "Strict-Transport-Security",
          "Content-Security-Policy",
          "X-Frame-Options"
        ]
      }
    }
  }
}

[ CLASSIC — DNS / SSL / HTTP DIAGNOSTICS ]

GET /api/dns

Resolves A, AAAA and PTR records for a domain, plus mail-server hints. Uses authoritative resolvers, no caching layer.

Parameters

Name	Required	Description
`domain`	required	Bare domain (e.g. `example.com`). Do not include a protocol.

Example

curl -s 'https://zerokit.dev/api/dns?domain=example.com'

Response (real)

{
  "domain": "example.com",
  "records": {
    "A":    ["172.66.147.243", "104.20.23.154"],
    "AAAA": ["2606:4700:10::6814:179a", "2606:4700:10::ac42:93f3"],
    "PTR":  null,
    "mail_hint": []
  }
}

GET /api/ssl

Inspects the live SSL/TLS certificate served by a domain on port 443. Returns subject, issuer, SAN list, validity window, serial and negotiated cipher suite.

Parameters

Name	Required	Description
`domain`	required	Bare domain to connect to.

Example

curl -s 'https://zerokit.dev/api/ssl?domain=example.com'

Response (real, truncated)

Show response JSON

{
  "hostname": "example.com",
  "valid": true,
  "subject": { "commonName": "example.com" },
  "issuer": {
    "countryName": "US",
    "organizationName": "CLOUDFLARE, INC.",
    "commonName": "Cloudflare TLS Issuing ECC CA 1"
  },
  "san": ["example.com", "*.example.com"],
  "not_before": "Apr 2 21:18:57 2026 GMT",
  "not_after":  "Jul 1 21:24:46 2026 GMT",
  "serial": "6520589EF17EB55C664433F29F2E684A",
  "cipher": { "name": "TLS_AES_256_GCM_SHA384" }
}

GET /api/headers

Performs a HEAD request against a URL and returns the full response header set, the status code and any redirect target. Useful for cache and security-header audits.

Parameters

Name	Required	Description
`url`	required	Absolute URL.

Example

curl -s 'https://zerokit.dev/api/headers?url=https://example.com'

Response (real, truncated)

{
  "url": "https://example.com",
  "status": 200,
  "headers": {
    "Content-Type": "text/html",
    "Server": "cloudflare",
    "cf-cache-status": "HIT",
    "Age": "13702"
  },
  "redirect_url": null
}

GET /api/whois

Returns parsed WHOIS for a domain plus the raw record. Includes registrar, creation / update / expiry dates, nameservers and DNSSEC status.

Parameters

Name	Required	Description
`domain`	required	Bare domain.

Example

curl -s 'https://zerokit.dev/api/whois?domain=example.com'

Response (real, truncated)

{
  "domain": "example.com",
  "parsed": {
    "domain_name": "EXAMPLE.COM",
    "whois_server": "whois.iana.org",
    "updated":  "2026-01-16T18:26:50Z",
    "created":  "1995-08-14T04:00:00Z",
    "expires":  "2026-08-13T04:00:00Z",
    "registrar": "RESERVED-Internet Assigned Numbers Authority",
    "dnssec": "signedDelegation",
    "nameservers": [
      "elliott.ns.cloudflare.com",
      "hera.ns.cloudflare.com"
    ]
  }
}

GET /api/redirect

Walks the full redirect chain for a URL up to a sane hop limit. Each hop reports its status code, headers and resolved URL. Perfect for debugging vendor short links and tracking parameters.

Parameters

Name	Required	Description
`url`	required	Absolute starting URL.

Example

curl -s 'https://zerokit.dev/api/redirect?url=https://github.com'

Response (real, truncated)

{
  "original_url": "https://github.com",
  "final_url":    "https://github.com",
  "total_redirects": 0,
  "chain": [
    {
      "step": 1,
      "url": "https://github.com",
      "status": 200,
      "status_text": "OK",
      "headers": { "Content-Type": "text/html; charset=utf-8" }
    }
  ]
}

GET /api/status

Lightweight up/down probe with response time, IP, server header and content type. Cheap to call — ideal for an external monitoring loop.

Parameters

Name	Required	Description
`url`	required	Absolute URL.

Example

curl -s 'https://zerokit.dev/api/status?url=https://example.com'

Response (real)

{
  "url": "https://example.com",
  "status": "up",
  "status_code": 200,
  "response_time_ms": 194,
  "ip": "2606:4700:10::ac42:93f3",
  "server": "cloudflare",
  "content_type": "text/html"
}

GET /api/email-validate

Validates an email address: syntax check plus a live MX-record lookup against the domain. Does not send mail, does not verify mailbox existence — just confirms the domain can in principle receive email.

Parameters

Name	Required	Description
`email`	required	Full email address.

Example

curl -s 'https://zerokit.dev/api/email-validate?email=test@example.com'

Response (real)

{
  "email": "test@example.com",
  "valid": true,
  "domain": "example.com",
  "mx_records": [{ "priority": 0, "server": "" }]
}

GET /api/tech-detect

Detects the tech stack of a URL by inspecting response headers, common cookies and well-known file paths. Returns a list of recognised technologies plus the security headers we observed.

Parameters

Name	Required	Description
`url`	required	Absolute URL.

Example

curl -s 'https://zerokit.dev/api/tech-detect?url=https://github.com'

Response (real, truncated)

{
  "url": "https://github.com",
  "technologies": [
    { "name": "github.com",   "category": "Server",   "source": "Server header" },
    { "name": "GitHub Pages", "category": "Platform", "source": "GitHub header" }
  ],
  "security_headers": {
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
    "Content-Security-Policy":   "default-src 'none'; ..."
  }
}

[ META — HEALTH ]

GET /api/health

Liveness probe. Returns instantly. Use this for uptime monitors and Kubernetes-style health checks.

Parameters

None.

Example

curl -s 'https://zerokit.dev/api/health'

Response (real)

{
  "status": "ok",
  "timestamp": "2026-04-11T09:20:27Z"
}

[ AI READINESS EXTENDED — 2026 ADDITIONS ]

POST /api/batch

Scan up to 10 URLs in parallel. Returns a sorted mini leaderboard with category scores for each host. Used by the Batch Scanner tool.

Example

curl -s -X POST 'https://zerokit.dev/api/batch' \
  -H 'Content-Type: application/json' \
  -d '{"urls":["https://zerokit.dev","https://github.com"]}'

GET /api/llms-txt-validate

Validate a live /llms.txt against the spec. Returns score 0-20 with per-check pass/fail list and specific fixes. Uses the same rubric as the llms.txt slot in /api/ai-readiness.

Example

curl -s 'https://zerokit.dev/api/llms-txt-validate?url=https://example.com'

GET /api/robots-txt-validate

Validate a live /robots.txt for explicit coverage of the 10 major AI crawlers. Returns score 0-100 with per-bot allowed/blocked/missing status.

Example

curl -s 'https://zerokit.dev/api/robots-txt-validate?url=https://example.com'

GET /api/og-inspect

Parse og:* and twitter:* meta tags on a page. Reports present, missing, and malformed tags plus a preview of how the share card will render.

Example

curl -s 'https://zerokit.dev/api/og-inspect?url=https://example.com'

GET /api/cloak

Fetches a URL four times with different User-Agents (browser, Googlebot, GPTBot, ClaudeBot) and diffs the responses. Detects content cloaking between human visitors and AI crawlers.

Example

curl -s 'https://zerokit.dev/api/cloak?url=https://example.com'

[ LEADERBOARD APIs — LIVE DATA ]

GET /api/leaderboard/live

Top 20 hosts by score plus 10 recently-scanned. Updated on every successful scan. Edge cached 30 seconds.

Example

curl -s 'https://zerokit.dev/api/leaderboard/live'

GET /api/leaderboard/rank

Single-host rank on the live leaderboard. Returns {rank, total, percentile, above, below, score, grade} for the given host.

Example

curl -s 'https://zerokit.dev/api/leaderboard/rank?host=zerokit.dev'

GET /api/leaderboard/history

Full scan history for a single host ordered oldest-first. Up to 30 points per call. Powers the timeline chart on /tools/history.html.

Example

curl -s 'https://zerokit.dev/api/leaderboard/history?host=zerokit.dev&limit=30'

GET /api/leaderboard/movers

Hosts whose score changed most in the last N days. Filters out flat hosts automatically. Used by the weekly movers blog generator.

Example

curl -s 'https://zerokit.dev/api/leaderboard/movers?days=7'

GET /api/stats/public

Aggregate metrics across all scans: total hosts, total scans, average score, grade distribution, 10-bucket score histogram, top improvers last 30 days. Edge cached 5 minutes.

Example

curl -s 'https://zerokit.dev/api/stats/public'

[ 04 — ERRORS ]

Error codes

All errors return JSON with an error field describing what went wrong. The HTTP status reflects the failure category.

Status	Meaning	Typical cause
`400`	Bad request	Missing required param, malformed URL, unsupported scheme.
`400`	SSRF rejected	The supplied URL or domain resolves to a loopback or RFC1918 private IP. We will not scan it.
`429`	Rate limited	You exceeded 30 requests per minute from this IP. Retry after the cool-down.
`500`	Internal error	An unexpected module failure. We log it. If you can reproduce it, please tell us.
`502`	Upstream	The target site is unreachable, timed out, or returned an unrecoverable error.

[ 05 — LIMITS & CORS ]

Rate limits and CORS policy

Hard limit: 30 requests per minute per client IP, across all endpoints combined. Exceeding the limit returns HTTP 429 with a JSON error body. There is no daily cap.

CORS is wide open: the API sends Access-Control-Allow-Origin: * and Access-Control-Allow-Methods: GET, OPTIONS. You can call any endpoint directly from a browser without a proxy. All endpoints are GET-only; there is no POST surface.

[ 06 — PRICING ]

Pricing & commercial use

Every endpoint is free. Commercial use is allowed — no licence fee, no attribution requirement, no signup. If you are running sustained workloads above ~1000 req/hr, please email us so we can plan capacity (or talk about a managed tier with higher limits and an SLA). Otherwise: just call it.

All scoring (AI Readiness, Schema coverage, Website Grade) is heuristic and based on public data scanned at request time. Results are best-effort and not a substitute for a professional audit. Endpoints may evolve; field names are stable, new fields may be added without notice.