Browser-based tooling for the two layers of the agent stack: building MCP servers and integrating agentic payment rails. Lint tool definitions and a server.json, audit OAuth and transport security, scan for tool poisoning, score ship-readiness, compare and build the payment protocols (AP2, ACP, x402, Visa TAP, Mastercard Agent Pay), decode an x402 flow, and validate an A2A agent card — all deterministic, client-side, zero PII.
A path for developers shipping MCP-native, payment-capable agents: define and publish your server, then choose and integrate a payment rail. The security, spec, and readiness tools span every stage.
Fifteen deterministic, client-side tools. Each validates pasted artifacts against published specs — no live handshake, token, or network. All export a Policy Mandate JSON for agent ingestion.
Lint a tool definition against JSON Schema 2020-12 and the current naming, output-schema, and annotation rules. Designs a consistent annotation set.
Validate a server.json against the 2025-12-11 schema and registry rules — reverse-DNS namespace, _meta 4KB cap, allowlisted base URLs, MCPB fileSha256 — then scaffold a skeleton.
Put AP2, ACP (Shared Payment Token), x402, Visa TAP, and Mastercard Agent Pay side by side across credential, signing, scope, rail, and audit — with a crosswalk and scenario recommender.
Decode x402 headers, lint an exact-scheme PaymentPayload, walk the HTTP-402 verify/settle flow, and check the scheme×network matrix.
Validate RFC 9728 protected-resource-metadata, visualize the discovery chain, check RFC 8707 audience binding, and self-assess token passthrough and the confused deputy.
Decode and validate HTTP Message Signatures, lint a Web Bot Auth JWKS directory (Ed25519), and score readiness — the substrate under Visa's Trusted Agent Protocol.
Score against a target revision (2025-06-18 / 2025-11-25 / 2026-07-28 RC) and get a breaking-change advisor for the stateless protocol core.
Validate an ACP checkout-session object and lint a Shared Payment Token for the four properties that keep it safe: single-use, merchant-bound, amount-capped, short-lived.
Scan a tool description for poisoning and injection smells — instruction overrides, hidden unicode, role-play framing, tool-shadowing, exfiltration hints. Maps to OWASP ASI01.
Validate an Agent2Agent agent-card.json against the v1.0 shape, check the signed-card signatures, and confirm AP2 / x402 extension declarations — the discovery layer AP2 rides on.
Audit Streamable HTTP for Origin/Host validation, loopback binding, DNS-rebinding protection, and token passthrough — the vuln classes behind real rmcp / mcp-toolbox CVEs.
Build and validate Google's AP2 Checkout and Payment Mandate Verifiable Digital Credentials (Open/Closed) — the external Google/FIDO spec, distinct from the suite's Policy Mandate.
Parse a Visa TAP signature, surface the agent-recognition signature and replay-protection parameters, and score TAP readiness. Built on RFC 9421.
Build and lint a Mastercard Agentic Token scope — agent-ID, merchant scope, and consent policy (limit, merchants, expiry, velocity) — without exposing the PAN.
One ship-readiness scorecard rolling up tool definitions, server.json, OAuth, transport, tool poisoning, and spec compliance into a graded report with per-section sub-scores and gap links.
Engineers shipping Model Context Protocol servers who need their tool definitions, server.json, auth, transport, and security posture to pass review.
Teams adding payment capability to agents and choosing or building across AP2, ACP, x402, and the card-network protocols.
Architects mapping the fragmenting agentic-commerce landscape onto their existing rails and compliance posture.
Anyone auditing tool poisoning, OAuth confused-deputy risk, transport hardening, or agent identity — or who needs a fast, citable orientation.
Open T274, resolve every error, then validate your server.json (T275).
Run the Readiness Scorecard (T288) for a single graded report and a prioritized gap list before you ship.