
Why Scoring Caps at 39: The HTTPS and Endpoint Requirements That Kill Agent Readiness

The Agent Readiness scoring model has two hard caps that override everything else. No TLS means the score cannot exceed 39. No callable endpoints means the score cannot exceed 29. Both caps exist because AI agents enforce them at runtime, not because the scoring model is punitive. Here is how the caps work, how many businesses hit them, and the cheapest way to remove both.

AgentHermes Research
April 15, 2026 · 11 min read

The Two Hard Caps

The Agent Readiness Score is a weighted combination of 9 dimensions on a 0-100 scale. Most dimensions move the score in small increments. But two checks are binary gates — they do not just reduce the score, they cap it. No matter how well a business scores on everything else, if either cap triggers, the total cannot climb past the cap value.

This is intentional. Agent Readiness is not a beauty contest across 9 factors. It is a measurement of whether an AI agent can successfully use the business. Two failure modes break that entirely: (1) the agent cannot connect because the transport is insecure, and (2) the agent cannot do anything because there is no endpoint to call. Either failure makes the other 7 dimensions irrelevant.

No TLS Cap: maximum score 39

If any agent-facing endpoint is served over HTTP (or has a broken TLS setup), the total score is capped at 39. The business stays in the “Not Scored” tier regardless of other signals.

No Endpoints Cap: maximum score 29

If the business has no callable JSON endpoint anywhere — no API, no MCP server, no webhook receiver — the total score is capped at 29. The business stays in ARL-0 (Dark) territory.

Why These Caps Exist

Both caps are downstream of how AI agents actually behave, not of scoring philosophy. When Claude, ChatGPT, or any modern agent runtime encounters an endpoint, it runs two checks before anything else: is the transport secure, and is there a callable surface. Fail either, and the agent abandons the interaction — no retry, no fallback, just a different business.

The TLS check is a security default. Agents handle user data, credentials, and payment tokens. They cannot responsibly send that over HTTP. The runtime blocks the connection at the HTTP client layer. This is the same policy browsers have enforced for years with mixed-content warnings, HSTS, and marking HTTP as “Not Secure” in the address bar. AI agents inherited the policy and made it stricter.

The endpoints check is a capability default. Agent Readiness asks “can the agent use this business?” and the minimum required affordance is one callable endpoint. A static website is readable by an agent but not usable. The agent can tell a user “here is what this business offers,” but it cannot book, quote, order, or transact. That is not agent readiness — that is just a website that happens to be crawlable. The 29 cap keeps those two categories distinct.

Related dimensions that still cost you: Below the caps, the normal scoring model still applies. D7 Security (weight 0.12) and D2 API Quality (weight 0.15) both penalize heavily when TLS and endpoints are missing — so a business hitting a cap usually scores far below the cap value too, because those two dimensions alone represent over a quarter of the total score.

Who Hits These Caps

Of the 500 businesses AgentHermes has scanned, 199 score below Bronze (under 40). Many of those 199 are capped at 29 or 39. Here are the five patterns we see repeatedly in cap-driven scores.

Marketing-only site

Cap: 29 (no callable endpoints)

A modern marketing website with beautiful copy, schema.org markup, and solid SEO — but no API, no MCP server, no callable endpoints. The business exists only as readable HTML.

HTTP-only legacy business

Cap: 39 (no TLS / HTTPS)

An older business still serving its primary domain over plain HTTP. Redirects to HTTPS may exist on some subpages but the main entry is unencrypted. AI agents refuse to connect.

Mixed-content site

Cap: 39 (TLS failure on an agent-facing endpoint)

HTTPS on the main site but the API endpoint or webhook URL is HTTP. Even one insecure URL in the agent-facing surface triggers the cap because agents refuse the insecure connection.

Phone-and-email only

Cap: 29 (no callable endpoints)

A professional services business whose only interaction surface is a phone number and a contact form that emails a mailbox. No endpoint an agent can call, no structured response it can parse.

PDF-based menu or catalog

Cap: 29 (no callable endpoints)

A business whose product or service catalog is a PDF download or an image. The information exists but cannot be programmatically queried. The agent has no way to get a structured answer.

The pattern across all five: these are businesses that have not yet built anything for the agent channel. They may have a great website, a strong SEO program, and real human customers. The agent channel requires a different kind of infrastructure — secure transport and executable interfaces — and both caps are designed to make that requirement visible in the score.

How to Remove Each Cap

Both caps are cheap to remove — free in most cases, and a single afternoon of engineering time. Fix these before investing in any other dimension, because every other improvement is worthless while a cap is active.

No TLS (cap: 39)

1. Enable free HTTPS via Cloudflare — point nameservers, enable full SSL, done in under 30 minutes
2. Or use Let's Encrypt via certbot for a one-line cert on your own server
3. Force HTTP to HTTPS with a 301 redirect so agents always land on the secure URL
4. Add the HSTS header (Strict-Transport-Security: max-age=31536000) to signal a permanent HTTPS commitment
5. Verify with SSL Labs (ssllabs.com/ssltest) — aim for an A or A+ grade

No callable endpoints (cap: 29)

1. Expose at least one JSON endpoint — even a simple /api/hours or /api/services is enough to clear the cap
2. Return structured JSON (Content-Type: application/json) with predictable field names
3. Document the endpoint in an OpenAPI spec at /openapi.json or /.well-known/openapi.json
4. Add the endpoint to your agent-card.json or publish an llms.txt that references it
5. Require auth if the data is sensitive — a 401 response with a JSON error body scores 87% of a 200 response
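The following is an added example, not AgentHermes code and not any project's own, showing the server-side half of both checklists in one small pure-stdlib Python WSGI app: a 301 from plain HTTP to the HTTPS URL, the HSTS header on every HTTPS response, one public JSON endpoint (/api/hours), and one protected endpoint (/api/quote) that answers a missing or wrong bearer token with a structured 401 JSON body rather than a blank page. Everything specific in it is an assumption made for the example: the host example.test, the constructed demo token, the sample hours and quote values, and the hypothetical auth_url field in the 401 body. It also assumes the app sits behind a TLS-terminating server or proxy that sets wsgi.url_scheme correctly.

```python
"""Added example: a minimal pure-stdlib WSGI app that clears both caps.

Not AgentHermes code. Assumptions (all constructed for this example):
the app runs behind a TLS-terminating proxy or server that sets
wsgi.url_scheme, the host is example.test, and /api/quote is protected
by a single static bearer token issued elsewhere (e.g. via onboarding).
"""
import hmac
import json
from urllib.parse import urlunsplit

HSTS_VALUE = "max-age=31536000"        # step 4 of the TLS list
DEMO_TOKEN = "demo-token-change-me"    # constructed placeholder credential

# Constructed sample data for the public endpoint.
HOURS = {"monday": "09:00-17:00", "tuesday": "09:00-17:00", "wednesday": "09:00-17:00",
         "thursday": "09:00-17:00", "friday": "09:00-15:00", "saturday": "closed",
         "sunday": "closed"}


def json_response(start_response, status, body, extra_headers=()):
    """Send a JSON body with a predictable shape plus the HSTS header.

    HSTS only matters on HTTPS responses; app() guarantees every call that
    reaches this function arrived over HTTPS.
    """
    payload = json.dumps(body).encode("utf-8")
    headers = [("Content-Type", "application/json"),
               ("Content-Length", str(len(payload))),
               ("Strict-Transport-Security", HSTS_VALUE)]
    headers.extend(extra_headers)
    start_response(status, headers)
    return [payload]


def bearer_token_ok(environ):
    """True only if the Authorization header carries the expected bearer token."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    # Constant-time comparison so a rejected token leaks no timing signal.
    return scheme.lower() == "bearer" and hmac.compare_digest(token.strip(), DEMO_TOKEN)


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")

    # Step 3 of the TLS list: a plain-HTTP request gets a 301 to the HTTPS URL.
    if environ.get("wsgi.url_scheme") != "https":
        host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
        target = urlunsplit(("https", host, path, environ.get("QUERY_STRING", ""), ""))
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]

    # Steps 1-2 of the endpoints list: one public JSON endpoint is enough.
    if path == "/api/hours":
        return json_response(start_response, "200 OK", {"timezone": "UTC", "hours": HOURS})

    # Step 5: a protected endpoint that fails with a structured 401, not a blank page.
    if path == "/api/quote":
        if not bearer_token_ok(environ):
            body = {"error": "unauthorized",
                    "message": "A bearer token is required for this endpoint.",
                    # Hypothetical onboarding pointer so a client knows how to obtain a token.
                    "auth_url": "https://example.test/onboarding"}
            return json_response(start_response, "401 Unauthorized", body,
                                 [("WWW-Authenticate", 'Bearer realm="api"')])
        return json_response(start_response, "200 OK",
                             {"service": "standard-visit", "currency": "USD", "amount": 120})

    # Even the miss path stays structured: JSON, never an HTML error page.
    return json_response(start_response, "404 Not Found", {"error": "not_found", "path": path})


def invoke(path, scheme="https", authorization=None, host="example.test"):
    """Call app() in-process with a constructed WSGI environ.

    Returns (status line, headers dict, decoded JSON body or None).
    """
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": "",
               "SERVER_NAME": host, "HTTP_HOST": host, "wsgi.url_scheme": scheme}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    raw = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], (json.loads(raw) if raw else None)


if __name__ == "__main__":
    for args in [("/api/hours", "http"), ("/api/hours",), ("/api/quote",),
                 ("/api/quote", "https", "Bearer " + DEMO_TOKEN), ("/nope",)]:
        status, headers, body = invoke(*args)
        print(args[0], args[1] if len(args) > 1 else "https", "->", status, body)
```

The invoke() helper exists so the behaviour can be checked without a network: the HTTP request comes back as a 301 to the https:// form of the same URL, every HTTPS response carries Strict-Transport-Security, and the unauthenticated /api/quote call returns a 401 with a JSON body and a WWW-Authenticate header, which is the "predictable response shape" the auth-aware rule credits. In production the scheme check belongs at the proxy or web server, and the token check would look up issued tokens rather than compare against one constant.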

Order matters. Fix TLS first if you have the 39 cap — it is the smaller effort and blocks every other improvement from being counted. Once TLS is live, expose one callable endpoint to clear the 29 cap. Together these two fixes typically move a business from below 40 to somewhere in the 50s, because the scanner can now credit D7 Security, D2 API Quality, and D8 Reliability at their true values instead of zero.

After both caps are removed, the 10-step improvement playbook tells you what to fix next — usually an OpenAPI spec, an agent-card.json, and an llms.txt at root. Those three files alone move most businesses from Bronze into Silver.

The Auth-Aware Scoring Rule

One scoring detail worth knowing when you remove the 29 cap: your endpoint does not need to be public. AgentHermes is auth-aware — a protected endpoint that returns a structured 401 with a JSON error body scores 87% of what a public 200 response scores. The scoring model rewards protected-but-structured APIs almost as highly as public ones.

This matters for businesses worried that exposing an endpoint means leaking data. You can expose /api/quote behind Bearer token auth, return a structured 401 error when the token is missing, and get 87% of the D2 credit. The agent knows the endpoint exists, knows how to authenticate, and can negotiate credentials through your onboarding flow — all without you giving away anything.

What the model penalizes is unstructured failure. A 404, a blank response, a proprietary HTML error page, or a timeout all score near zero. The signal agents need is not “public access,” it is “predictable response shape.” That is the gap between no endpoints (cap 29) and protected endpoints with structured auth (87% of full credit).

Frequently Asked Questions

Why does AgentHermes cap scores at 39 without TLS?

AI agents refuse to connect to unencrypted endpoints as a security default. Modern browsers have warned about HTTP for years, and AI agent runtimes (Claude, ChatGPT, and others) follow the same policy — they will not send user data or credentials over an unencrypted channel. A business on HTTP is not just insecure, it is unreachable. The 39 cap encodes that reality. No matter how strong the other 8 dimensions are, if an agent cannot connect, the business is not agent-ready.

Why does AgentHermes cap scores at 29 without callable endpoints?

Agent Readiness measures whether an AI agent can use your business programmatically. If there is no callable endpoint — no JSON API, no MCP server, no webhook receiver — then there is nothing for the agent to call. The agent can read your HTML page and tell the user what you offer, but it cannot book, quote, order, or transact. That is a fundamentally different category of business from one that exposes even a single endpoint. The 29 cap encodes that gap. Below 29 is ARL-0 (Dark) territory.

How do I know if I am hitting a scoring cap?

Run a free scan at agenthermes.ai/audit. If your total score is exactly 39 or 29, or clusters within 1-2 points of those numbers, you are cap-limited. The dimension breakdown will also show D7 Security heavily penalized (TLS cap) or D2 API Quality at near-zero (endpoints cap). The scanner also returns an explicit cap flag when it detects either condition. The fix is always the same: remove the cap-driver before improving any other dimension.

Can I get above 39 with a partial HTTPS setup?

No. The cap triggers on TLS failure at any agent-facing entry point. If your main site is HTTPS but your API is HTTP, the agent-facing endpoint fails the check and the cap still applies. Similarly, self-signed certificates, expired certificates, and certificates that fail chain validation all trigger the cap. The check is binary: either the agent can complete a valid TLS handshake on every endpoint it needs to touch, or it cannot. Partial setups fail.

What is the cheapest way to remove both caps?

Cloudflare gives you free HTTPS with a 10-minute setup — point your nameservers, enable full SSL, and the 39 cap is gone. For the 29 cap, the cheapest path is a single serverless function (Vercel, Cloudflare Workers, AWS Lambda) returning JSON for one query. A plumber could ship /api/service-areas returning the ZIP codes they serve. A restaurant could ship /api/hours. That one endpoint, behind HTTPS, clears both caps and takes a single afternoon. Total cost: $0 if you stay in free tiers.


Find out if you are cap-limited

Run a free scan in 60 seconds. If your score is exactly 39 or 29, you are hitting a cap — and the fix is cheaper than you think.

