Every call is verified, isolated, and protected.
AgenticMarket doesn't just list MCP servers — we route every call through isolated infrastructure with SSRF protection, rate limiting, health monitoring, and automatic refunds on failure. Your IDE never talks to upstream servers directly.
How every MCP call is routed
Six pillars of trust
Every feature below is live in production today — not a roadmap item.
Secure Routing
Every MCP server call routes through our Cloudflare Workers infrastructure. Your IDE never connects to upstream servers directly. We handle authentication, routing, and execution in an isolated environment.
- Per-request authentication via API key
- Upstream URL never exposed to client
- Request ID tracing across all logs
- TLS-only connections to upstream servers
SSRF Protection
All upstream server URLs are validated and sanitized at registration time. Internal network ranges, localhost, and metadata endpoints are blocked. No server can redirect calls to internal infrastructure.
- Block RFC 1918 private ranges (10.x, 172.16.x, 192.168.x)
- Block cloud metadata endpoints (169.254.169.254)
- URL scheme restricted to HTTPS only
- DNS rebinding protection
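As an added illustration (not AgenticMarket's own code), here is one way a registration-time check of the kind listed above could look in JavaScript. The function names, reason strings, the extra 0.0.0.0/8 range and the choice to reject every IPv6 literal are assumptions; the check covers only the URL as written, so a hostname that later resolves to a blocked address still has to be caught when the connection is made.

```javascript
// Added example, not AgenticMarket's code: validate an upstream URL at registration.
// Blocked IPv4 ranges as [network, prefix length]: RFC 1918, loopback (localhost),
// link-local (contains 169.254.169.254) and 0.0.0.0/8 (an extra assumption here).
const BLOCKED_V4 = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["0.0.0.0", 8],
];

// Dotted quad -> unsigned integer, or null when the host is not a literal IPv4 address.
function ipv4ToInt(host) {
  const parts = host.split(".");
  const valid = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  // Multiply instead of shifting so the value never goes negative.
  return valid ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function inBlockedRange(ip) {
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits); // number of addresses in the range
    return Math.floor(ip / size) === Math.floor(ipv4ToInt(net) / size);
  });
}

// Returns { ok: true } or { ok: false, reason }.
function validateUpstreamUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  // Check the parsed hostname, not the raw string: the URL parser has already
  // canonicalised forms such as 0x7f.0.0.1 or 2130706433 to dotted-quad notation.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { ok: false, reason: "localhost" };
  }
  // Assumption: reject all IPv6 literals rather than enumerate IPv6 ranges.
  if (host.startsWith("[")) return { ok: false, reason: "ipv6-literal" };
  const ip = ipv4ToInt(host);
  if (ip !== null && inBlockedRange(ip)) return { ok: false, reason: "blocked-range" };
  return { ok: true };
}

// Constructed sample inputs, for running the file on its own.
const SAMPLES = ["https://mcp.example.com/mcp", "http://mcp.example.com/mcp",
  "https://169.254.169.254/latest/meta-data/", "https://0x7f.0.0.1/"];
for (const u of SAMPLES) console.log(u, JSON.stringify(validateUpstreamUrl(u)));
```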
Health Monitoring
Every listed server is continuously monitored by our probe engine. We run MCP protocol handshakes, tool discovery, resilience tests, and latency measurements. Degraded servers are flagged automatically.
- State machine: active → degraded → inactive → recovered
- MCP initialize handshake verification
- Tool schema validation (tools/list)
- Latency grading per health check
- Creator email alerts on state changes
Auto-Refund on Failure
If an upstream MCP server fails to respond or returns an error, your credits are automatically refunded. You never pay for a failed call. Period.
- Atomic balance deduction — charge only on success
- Automatic credit restoration on upstream 5xx
- Automatic credit restoration on timeout
- Full audit trail in ledger table
Rate Limiting
Per-user rate limiting prevents abuse and protects upstream servers from being overwhelmed. Default: 20 calls per minute per user. Creators can request custom limits.
- 20 req/min default per user per server
- Cloudflare Workers KV-backed counters
- 429 response with retry-after header
- No charge on rate-limited requests
Server Verification
Every submitted server goes through automated probe testing and manual review before listing. We check MCP protocol compliance, security headers, secret enforcement, and response quality.
- Automated MCP handshake + tools/list check
- Secret enforcement validation (x-agenticmarket-secret)
- Bad JSON and unknown method resilience tests
- Manual review by founding team within 24h
What we don't do
How we protect your server
When you list on AgenticMarket, your upstream URL is never exposed. We validate every incoming request before forwarding it to your server.
Secret Enforcement
Your server receives an x-agenticmarket-secret header on every call. Reject any request without it.
Weekly Digest Emails
Automated reports: calls served, uptime %, earnings, tool changes detected, and any incidents.
Probe Alerts
If your server degrades or goes down, you get an immediate email with details and recommended actions.
Questions about security?
Reach out to our team. We're happy to discuss our security architecture in detail, provide additional documentation, or address specific compliance requirements.