$ cat /about

A community directory for the agent protocol frontier

# What is a2alist.ai?

a2alist.ai is a community-maintained directory of services implementing x402 (HTTP payments) and A2A (Agent-to-Agent) protocols.

We track live deployments, monitor uptime, aggregate GitHub stars, and provide a single place to discover what's being built on these emerging protocols. Hacker-focused, data-dense, no fluff.

# What is x402?

x402 brings native payments to HTTP using 402 Payment Required.

  • Machine-to-machine payments — no accounts, no API keys, no invoices
  • USDC on Base (Coinbase L2) — fast, cheap, stable
  • Pay-per-request or paywalled content — any HTTP resource
  • Open standard backed by Coinbase

# What is A2A?

A2A (Agent-to-Agent) is Google's open protocol for AI agents to discover and communicate with each other.

  • Agent discovery via /.well-known/agent.json
  • JSON-RPC for agent-to-agent communication
  • Skills, capabilities, and auth advertised in agent card
  • Emerging standard — early adopters are building now

# How to Get Listed

Two ways to submit your service:

x402 Pay $0.99

Pay via x402 protocol — proves you're serious and familiar with the tech. Submission enters review queue.

A2A Agent submission

Submit via A2A protocol — your agent talks to our agent.

# Trust & Security

Our Security Review Process

Every listing on a2alist.ai undergoes a 6-category threat model audit before receiving a Safe badge:

T1 Financial Fraud

We verify x402 endpoints deliver value after payment, check for wallet address reuse across suspicious projects, and flag unreasonable pricing.

T2 Data Exfiltration

We check whether agents request unnecessary permissions, ask for PII or credentials, or have outbound data flows to third-party domains.

T3 Supply Chain & Prompt Injection

We test whether agents return responses that could inject instructions into calling agents, including hidden text and zero-width characters.

T4 Impersonation

We check for typosquatted domains, false affiliation claims, and verify WHOIS registration age.

T5 Malicious Code

For open-source projects, we check for obfuscated code, suspicious dependencies, and post-install scripts.

T6 Availability & Legitimacy

We verify the service is running, implements the claimed protocol correctly, and has a real team behind it.
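The hidden-character part of the T3 check, sketched as an added example (not a2alist.ai's own pipeline code): it walks an agent card like the one served at /.well-known/agent.json and reports every invisible Unicode format-control character by JSON path. The sample card, the function names and the choice of Unicode category Cf as the filter are assumptions of this example.

```python
import json
import unicodedata

# Constructed sample card: values and planted characters are made up.
SAMPLE_CARD = json.loads(r'''
{
  "name": "Weather Agent",
  "description": "Returns forecasts.\u200b\u2060",
  "skills": [
    {"id": "forecast", "description": "5-day forecast"},
    {"id": "alerts", "description": "Storm alerts\u202e for EU"}
  ]
}
''')


def find_invisible(node, path="$"):
    """Yield (json_path, offset, label) for each Unicode format-control
    character (general category Cf) in any string value under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_invisible(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_invisible(value, f"{path}[{index}]")
    elif isinstance(node, str):
        for offset, ch in enumerate(node):
            # Cf covers zero-width spaces/joiners, bidi overrides, BOM and
            # Unicode tag characters, none of which render as visible glyphs.
            if unicodedata.category(ch) == "Cf":
                label = f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"
                yield path, offset, label


def strip_invisible(text):
    """Return text with Cf characters removed, for display or keyword checks."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


if __name__ == "__main__":
    for path, offset, label in find_invisible(SAMPLE_CARD):
        print(f"{path} @ {offset}: {label}")
    print(repr(strip_invisible(SAMPLE_CARD["description"])))
```

Category Cf also matches characters with legitimate uses, such as the zero-width joiner in emoji sequences, so a hit is a flag for review rather than a verdict.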

Rating System

Safe

Passed all 6 categories. Re-audited periodically.

⚠️ Caution

Minor concerns noted, or still under closer review.

🔘 Unreviewed

Not yet audited. Listing presence does not imply endorsement.

Automated Pipeline

New agents are discovered weekly by our scout, then reviewed by our security agent before human approval. No listing goes live without passing the threat model.

Community resource, not a product. a2alist.ai is maintained by hackers building on x402 and A2A. No VC funding, no growth metrics, no ads. Just a directory for the frontier.

# Resources