Live, priced, and machine-readable.
GET https://synthr.online/health → 200, static, freeSynthr is a small x402 API surface for dependency risk, active exploitation, secure implementation guidance, and endpoint trust checks. Agents send compact JSON. Synthr returns sourced, machine-actionable JSON.
GET https://synthr.online/health → 200, static, free/llms.txt, /openapi.json, or /x402-catalog.json.
X-PAYMENT-RESPONSE; the agent records the receipt and caches the result.
Focused routes, predictable schemas, explicit prices. Built to be called by CI, coding agents, and x402-aware tool routers.
/v1/x402/endpoint-checkChecks whether an x402 endpoint is documented, reachable, and likely worth paying before an agent spends. The thing other x402 builders will call.
Why it matters: trust-before-pay reduces wasted USDC and bad routing decisions.{
"endpointUrl": "https://synthr.online/v1/cyber/breaking",
"expectedMethod": "GET"
}
=> trustScore, payabilityStatus, recommendation, evidence[]/v1/cyber/stack-briefFull stack risk summary with OSV findings, EPSS exploit probability, KEV flags, and agent-surface scoring.
Any OSV ecosystem supported: npm, pypi, go, cargo, maven, and more.{
"stackSummary": { "criticalFindings": 1 },
"prioritizedRisks": [...],
"agentActions": [...]
}/v1/cyber/audit-depsDependency audit for known vulnerabilities and malicious package signals. Useful as an install or pre-deploy gate.
{
"dependencies": [
{ "name": "express", "version": "4.18.2", "ecosystem": "npm" }
],
"includeMalicious": true
}/v1/cyber/breakingRecent CISA KEV additions enriched with EPSS and short notes for agentic builders.
Why it matters: stay ahead of actively exploited CVEs without reading bulletins.GET https://synthr.online/v1/cyber/breaking?days=14&limit=5
=> cve, epss, percentile, requiredActionA complete round trip: 402 challenge → pay → 200 + structured JSON + payment receipt. This is what an x402-aware client does internally.
# 1) unpaid protected call → 402 challenge curl -i -X POST https://synthr.online/v1/cyber/stack-brief \ -H "content-type: application/json" \ --data '{ "stack": { "dependencies": [{ "name": "express", "version": "4.18.2", "ecosystem": "npm" }] } }' HTTP/2 402 payment-required: eyJ4NDAyVmVyc2lvbiI6Mi... # 2) client satisfies the requirement with a signed USDC payment header curl -X POST https://synthr.online/v1/cyber/stack-brief \ -H "content-type: application/json" \ -H "X-PAYMENT: <signed x402 payment>" \ --data '{ "stack": { "dependencies": [{ "name": "express", "version": "4.18.2", "ecosystem": "npm" }] } }' HTTP/2 200 x-payment-response: eyJyZWNlaXB0IjoiMHg... content-type: application/json { "stackSummary": { "criticalFindings": 1, "totalDeps": 1 }, "prioritizedRisks": [ { "id": "GHSA-...CVE-...", "package": "express", "patchPriority": "P0", "agentSurface": "high", "epss": 0.94, "kev": true, "fixVersion": "4.19.2", "recommendedAction": "block deploy; bump express" } ], "agentActions": [ "bump express to 4.19.2", "re-run stack-brief after upgrade" ], "sources": ["OSV", "EPSS", "CISA KEV"] }
These examples show the raw API shape. Use an x402-aware fetch client for paid execution.
# service health curl https://synthr.online/health # agent instructions curl https://synthr.online/llms.txt # endpoint catalog curl https://synthr.online/x402-catalog.json # OpenAPI spec curl https://synthr.online/openapi.json
curl -i -X POST https://synthr.online/v1/x402/endpoint-check \ -H "content-type: application/json" \ --data '{ "endpointUrl": "https://synthr.online/v1/cyber/breaking", "expectedMethod": "GET" }' HTTP/2 402 payment-required: eyJ4NDAyVmVyc2lvbiI6Mi...
No prose-only output. Responses are designed for branching decisions in harnesses and CI.
| Field | Where it appears | How to use it |
|---|---|---|
patchPriority |
stack-brief |
Route P0/P1 findings into blocking deploy checks or urgent dependency updates. |
agentSurface |
stack-brief, breaking |
Prioritize vulnerabilities likely to affect tool servers, auth flows, APIs, LLM SDKs, and data access paths. How it's scored → |
epss / kev |
security endpoints | Use real-world exploitation likelihood and known active exploitation as sorting signals. |
payabilityStatus |
endpoint-check |
Decide whether an autonomous agent should call, avoid, retry, or request human review before paying. |
sources[] |
all major responses | Show provenance, store evidence, or let a human inspect the records behind the recommendation. |
agentSurface is scoredPlain OSV wrappers stop at "is there a CVE." Synthr goes one step further.
For each finding we collect the affected package metadata, the calling context field submitted
with the request (e.g. "agent harness with auth tools"), and structured signals from OSV descriptions
(auth, RCE, prototype pollution, request smuggling, path traversal, SSRF). We then flag findings most
likely to land on an agentic attack surface: tool servers with public endpoints, auth flows, JSON/HTTP
SDK boundaries, file access, and command-execution paths.
The result is a coarse low / medium / high / critical surface score — not a CVSS replacement,
but a router signal: is this likely to bite this agent specifically?
Failure shapes agents can branch on. All error bodies are JSON, not HTML.
Protected endpoint hit without a valid X-PAYMENT header. Body is a structured x402 payment requirement describing the price, network, and payee. Reattempt after satisfying the requirement.
402 Payment Required payment-required: eyJ4NDAy... { "error": "payment_required", "price": "$0.005" }
Too many calls against /v1/* within the window. Body includes retryAfterMs. Back off linearly and retry; the call is not charged.
429 Too Many Requests { "error": "rate_limited", "retryAfterMs": 1500 }
Malformed JSON, missing required stack or dependencies, or unsupported ecosystem. No payment is taken for failed validation.
400 Bad Request { "error": "invalid_stack", "message": "dependencies[] is required" }
Upstream OSV/EPSS timeouts or internal failures. Retries on 5xx are free — the failed response includes no receipt. Retry with the same payment or wait for an upstream recovery.
503 Upstream Unavailable { "error": "upstream_unavailable", "upstream": "OSV" }
Transparent, low-friction, worth every micro-payment.
/health, /llms.txt, /openapi.json, /x402-catalog.json, and /meta.json are always free and unauthenticated — agents can scout before bringing a wallet.
Base price $0.005 per request. /v1/cyber/advice is $0.0075 due to deeper synthesis. No tiers, no commitments.
4xx due to malformed input: not charged. 5xx and upstream timeouts: not charged, safe to retry. Only successful 2xx responses settle USDC.
Everything important is machine-readable and stable enough for agents to cache.
x402 readyBase Sepolia testnet · eip155:84532$0.005$0.00752026-07-04