servers / tunnelmind-data-api
TunnelMind Data API MCP server
communitystreamable_httpremotedestructive capablehealthy
Tracker / Sigil / Cross-lens — every TunnelMind Data API operation as one MCP surface.
01Tools · 78
| Tool | Risk | Side effects | Approval |
|---|---|---|---|
| sigil_verify_ads_txt_batch Runs up to 100 ads.txt verifications in a single call — the endpoint an
ad-buying agent uses for pre-bid checks across a whole campaign's supply.
Each item is the same shape as `sigil_verify_ads_txt`. Per-item
validation failures are reported inline; the batch never fails as a
whole. Publisher records are fetched once per unique domain.
Use this tool when:
- You are evaluating many supply paths at once (campaign setup, SPO sweep).
- You want one round-trip instead of N calls to `sigil_verify_ads_txt`.
Inputs:
- `items` (body, required): Array of 1–100 verification requests, each
`{ publisher_domain, exchange_domain, seller_id, seller_type? }`.
- `resolve_chain` (body, optional): Applies to every item — when true, a
matched RESELLER entry is cross-checked against the exchange's sellers.json.
Returns:
- `count`: number of result entries (matches `items` length, in order).
- `verified_count`: how many resolved to `verified: true`.
- `results`: array aligned to `items`. Each entry is either a verification
result with `ok: true` and `input_index`, or `{ ok: false, input_index,
error, message }` for an invalid item.
Cost:
- Counts as one request against the daily rate limit.
Latency:
- Typical: <150ms. With `resolve_chain: true`, add one sellers.json fetch
per unique exchange (edge-cached 12h after the first fetch).
| write | true | unknown |
| scan_injection Runs a curated signature corpus over a piece of untrusted text — content
an agent is about to consume, a retrieved document, a tool result, an
email body — and returns the matched injection patterns plus a bounded
0..1 risk score. This is a signal, never a policy decision: the caller
decides what to do with a flagged input.
Detected classes: instruction_override (ignore/override previous rules),
role_reassignment (you are now DAN / developer mode), exfiltration (leak
the system prompt or a secret to a URL), tool_smuggling (covertly invoke
a tool, delete/destroy data), boundary_spoof (fake system/assistant turn
delimiters). Input is normalized first to blunt cheap evasions (zero-width
characters, smart quotes, whitespace padding).
Use this tool when:
- You are an agent about to feed retrieved or third-party text into a model
and want to check it for embedded instructions first.
- You are triaging why a tool description or web page looks suspicious.
Do NOT use this tool when:
- You want a trust verdict on a domain or entity — use `cross_lens_verify`.
- You want to scan a whole MCP server's tools — use `scan_mcp`.
Inputs:
- `text` (body, required): the untrusted text to scan. Max 200,000 chars.
Returns:
- `flagged`: true if any signature matched.
- `score`: bounded 0..1 risk score (saturating — one high-severity hit is
already strongly flagged; many hits approach but never exceed 1).
- `severity_max`: highest severity among matches (`high`/`medium`/`low`) or null.
- `classes`: distinct injection classes matched.
- `matches`: each matched signature `{ id, class, severity, excerpt }`.
Cost:
- Free. No API key required. Pure edge computation, no external calls.
Latency:
- Typical <20ms.
| destructive | true | true |
| sigil_verify_ip_type Classifies an IPv4 or IPv6 address by network type — the high-value ad-fraud
signal being datacenter traffic posing as residential or living-room
(CTV) devices. IP→ASN resolution uses Team Cymru's public service; the
ASN is then classified by its registered organization name.
PRIVACY: the IP is used for lookup only — never logged, never stored.
Inputs:
- `ip` (query, required): IPv4 or IPv6 address.
Returns:
- `ip_type`: datacenter | residential | mobile | unknown.
- `confidence`: high | medium | low.
- `asn`, `asn_name`: the resolved autonomous system.
- `scry_signals`: reserved for Scry corpus cross-reference (empty in v1).
Latency:
- Typical: 100-250ms (two live DNS lookups).
| read | false | unknown |
| health_check Returns a minimal status object confirming the API is alive. Use this to verify
connectivity before chaining other calls, or as a liveness check in a workflow.
Use this tool when:
- You need to verify the API is reachable before starting a multi-step investigation.
- A prior call failed with a 503 or 504 and you want to confirm the service recovered.
- You are debugging connectivity from a new environment.
Do NOT use this tool when:
- You want actual tracker data — use `get_domain` or `search` instead.
- You want to check a specific domain — this returns nothing domain-specific.
Inputs:
- None.
Returns:
- `ok`: always true if the API is up.
- `ts`: ISO 8601 timestamp of the server's current time.
Cost:
- Free. No API key required. Not rate-limited.
Latency:
- Typical: <50ms, p99: <200ms.
| read | false | unknown |
| sigil_atap_register_ait Registers an ATAP v0.1 AIT for a media-buying agent under the
`sigil:media_buyer:v1` profile. Sigil validates the capability set and
constraints against the published profile, signs the AIT as the witness
(`OAI-2026-0000201`), stores it, and returns the signed token.
Sigil is the ATAP witness — there is no kernel observer. See
https://github.com/TunnelMind/atap-profiles.
| write | true | unknown |
| sigil_atap_roll_block Rolls every not-yet-blocked Witness Event for an AIT into one signed
ATAP Attestation Block with a profile `period_summary`, chained onto the
prior block.
| unknown | unknown | unknown |
| get_domain Returns the complete surveillance intelligence record for a domain name. If the
domain is in TunnelMind's tracker database (80,000+ entries), the response includes
tracker category, risk score, fingerprinting data, cookie persistence, IAB TCF
purposes, and the owning corporate entity. If the domain is not in the database,
a live probe is automatically run: RDAP registration data, DNS records (MX, SPF,
TXT verification tokens), HTTP headers, and CSP third-party actors are fetched
fresh from the edge and returned.
Use this tool when:
- You need to know whether a specific domain tracks users, and how aggressively.
- You are researching who owns a domain and what corporate entity controls it.
- You want to check HTTP security headers and third-party services embedded in a site.
- You are building a risk score for a domain before routing traffic through it.
Do NOT use this tool when:
- You want to search by keyword or category — use `search` instead.
- You want all domains for an entity — use `get_entity` instead.
Inputs:
- `domain` (path, required): Domain name. Strip `www.` prefix — it is removed automatically.
Subdomains are resolved to the parent: `ads.doubleclick.net` → `doubleclick.net`.
Examples: `doubleclick.net`, `google-analytics.com`, `intercom.io`.
Returns:
- Full `DomainRecord`. Free tier returns the domain, category, score, prevalence, and
entity name. Pro/enterprise additionally return `tcf_vendor_id`, `tcf_purposes`,
`tcf_features`, and `disconnect_cats`.
- If the domain is not in the tracker database, `live_lookup: true` is set and
RDAP/DNS/HTTP probe results are returned instead of tracker fields.
- 404 if the domain cannot be found via live probe either (unknown TLD, unreachable).
Cost:
- Free tier: included in 50 req/day limit. Pro/enterprise: included in plan.
Latency:
- Database hit: typical <100ms, p99 <300ms.
- Live probe: typical 2-5s, p99 10s (external DNS/HTTP calls).
| write | true | unknown |
| get_receipt Returns metadata for a TunnelMind surveillance receipt — a signed document proving
that a specific user's surveillance exposure was observed, measured, and recorded at
a specific time. Does NOT return the receipt's signature (anti-phishing protection).
To verify a receipt's content integrity, use `verify_receipt` with the hash and
signature from the receipt document itself.
Use this tool when:
- You have a receipt ID and want to confirm it was genuinely issued by TunnelMind.
- You need the issuance timestamp and signing key ID for a receipt.
- You want to check whether a receipt exists before attempting content verification.
Do NOT use this tool when:
- You have the full receipt document and want to verify it hasn't been tampered with —
use `verify_receipt` instead.
Inputs:
- `receipt_id` (path, required): The receipt ID from the receipt document. Alphanumeric
with hyphens, max 128 characters.
Returns:
- `status`: `FOUND` if the receipt is in the registry.
- `generated_at`: ISO 8601 timestamp of receipt issuance.
- `signing_key_id`: identifier of the Ed25519 key used to sign.
- `schema_version`: receipt schema version.
- `message`: human-readable summary with instructions for content verification.
- 404 if the receipt ID is not in the registry.
Cost:
- Free. No API key required.
Latency:
- Typical: <100ms, p99: <300ms.
| read | false | unknown |
| get_api_key Returns the tier, label, masked owner email, creation date, last-used timestamp,
today's request count, and daily request limit for the API key used in this request.
Useful for agents that need to monitor their own quota consumption.
Use this tool when:
- You want to check how many requests your key has used today.
- You need to know your current tier or daily limit.
- You want to confirm that your API key is active.
Do NOT use this tool when:
- You want to manage multiple keys — this endpoint only reflects the calling key.
- You need tracker data — use the tracker endpoints instead.
Inputs:
- No body or query parameters. Auth is from the `Authorization: Bearer` header.
Returns:
- `tier`: free, supporter, pro, or enterprise.
- `requests_today`: integer count from KV (best-effort; resets at UTC midnight).
- `limit_per_day`: null for enterprise (unlimited).
- `last_used`: ISO 8601 timestamp, may be null if never used.
Cost:
- Free. Does not count against the daily request limit.
Latency:
- Typical: <150ms, p99: <400ms.
| read | false | unknown |
| cancel_task Marks the task as `cancelled`. If the task is already in a terminal state
(`complete`, `failed`, `expired`), returns 409 Conflict. Only the identity
that created the task may cancel it.
Use this tool when:
- You submitted a probe with `?async=true` and no longer need the result.
- You want to free up a pending task before it expires.
Do NOT use this tool when:
- The task is already complete — cancellation is not possible.
Inputs:
- `task_id` (path, required): 26-char ULID.
Returns:
- `task_id` and `status: cancelled`.
Cost:
- Free.
Latency:
- Typical: <150ms.
| destructive | true | true |
| list_domains Returns a paginated list of domains from the tracker database. Results are ordered
alphabetically by domain name and support cursor-based pagination for full traversal.
Filtering by category and minimum score allows targeted data extraction.
Use this tool when:
- You want to enumerate all known ad-tech or analytics domains above a risk threshold.
- You need a dataset of tracker domains for offline analysis.
- You are paginating through a category to build a block list.
Do NOT use this tool when:
- You need data for a specific domain — use `get_domain` instead.
- You are searching by keyword — use `search` instead.
- You want domains belonging to a specific company — use `get_entity` instead.
Inputs:
- `category` (query, optional): Filter by surveillance category. One of: `ad_tech`,
`analytics`, `social`, `fingerprinting`, `content`, `cdn`, `other`.
- `min_score` (query, optional): Integer 0-100. Exclude domains scoring below this value.
- `limit` (query, optional): Number of results per page. Max 100 (paid), 20 (free). Default 50.
- `cursor` (query, optional): Pagination cursor from the previous response's `next_cursor` field.
Returns:
- Array of domain list items (domain, category, score, prevalence, entity summary).
- `meta.has_more`: true if more pages exist.
- `meta.next_cursor`: pass as `cursor` to get the next page.
- `meta.count`: number of results in this page.
Cost:
- Free tier: up to 20 results/page, 50 req/day. Pro/enterprise: up to 100 results/page.
Latency:
- Typical: <200ms, p99: <500ms.
| read | false | unknown |
| get_entity Returns an entity record for a surveillance company or data broker, including its
industry, estimated annual data value per user (in USD), categories of personal data
collected, and the full list of domains it controls. Free tier returns 5 domains,
paid returns up to 200.
Use this tool when:
- You want to understand what corporate entity owns or controls a tracker domain.
- You need to assess the total surveillance footprint of a company (e.g., Alphabet,
Meta, Oracle).
- You are building a corporate surveillance graph and need domain-to-entity mapping.
Do NOT use this tool when:
- You have a domain and need its category — use `get_domain` instead.
- You want to browse entities by industry — use `list_entities` instead.
- You are searching for an entity by name — use `search` instead.
Inputs:
- `slug` (path, required): URL-safe entity identifier (lowercase, hyphens). Examples:
`alphabet`, `meta`, `oracle-data-cloud`, `the-trade-desk`.
Returns:
- Full `EntityRecord` with data categories, estimated data cost, and associated domains.
- `domains`: array of top-scoring domains (5 for free tier, 200 for paid).
- Pro/enterprise additionally return `website` and `description` fields.
Cost:
- Free tier: included in 50 req/day limit. Pro/enterprise: included in plan.
Latency:
- Typical: <150ms, p99: <400ms.
| read | false | unknown |
| list_entities Returns a paginated list of corporate entities in the TunnelMind surveillance
database. Includes data categories, estimated data value, and industry classification.
Useful for enumerating the surveillance ecosystem by sector.
Use this tool when:
- You want to enumerate all entities in a specific industry (e.g., all ad-tech companies).
- You need a dataset of surveillance entities for analysis or reporting.
- You are building a comprehensive surveillance landscape map.
Do NOT use this tool when:
- You need the full profile of a specific entity — use `get_entity` instead.
- You are searching by entity name — use `search` instead.
- You need domain-level data — use `list_domains` instead.
Inputs:
- `industry` (query, optional): Filter by industry classification. Examples:
`ad_tech`, `analytics`, `data_broker`, `social`, `crm`.
- `limit` (query, optional): Results per page. Max 100 (paid), 20 (free). Default 50.
- `cursor` (query, optional): Pagination cursor from previous response's `next_cursor`.
Returns:
- Array of entity list items (slug, name, parent_company, industry, data_categories,
data_cost_usd).
- `meta.has_more` and `meta.next_cursor` for pagination.
Cost:
- Free tier: up to 20 results/page, 50 req/day. Pro/enterprise: up to 100 results/page.
Latency:
- Typical: <150ms, p99: <400ms.
| read | false | unknown |
| search Searches both the domains table and the entities table simultaneously. Returns
matching domains (by domain name) and entities (by name or slug) in a single
response. Minimum 2 characters, maximum 100 characters.
Use this tool when:
- You have a partial name and need to identify what tracker or entity it belongs to.
- You want to find all TunnelMind records related to a company name like "Google" or "Oracle".
- You are resolving an ambiguous domain (e.g., does `criteo.com` appear in the tracker DB?).
Do NOT use this tool when:
- You know the exact domain — use `get_domain` instead (faster, more complete).
- You know the exact entity slug — use `get_entity` instead.
- You want to browse by category or industry — use `list_domains` or `list_entities`.
Inputs:
- `q` (query, required): Search string, 2-100 characters. Matched against domain names
and entity names/slugs.
Returns:
- `domains`: array of matching domain records (list item format).
- `entities`: array of matching entity records (list item format).
- Both arrays may be empty if no matches found. No pagination — results are capped
at 20 per type.
Cost:
- Free tier: included in 50 req/day. Pro/enterprise: included in plan.
Latency:
- Typical: <200ms, p99: <500ms.
| read | false | unknown |
| intel_http Makes a live HEAD request to the target domain from the Cloudflare edge, follows
up to 5 redirects, and returns the full redirect chain, final HTTP status, key
response headers, a security header score, and any third-party surveillance
actors referenced in the Content-Security-Policy header.
Use this tool when:
- You want to verify whether a site enforces HTTPS and HSTS.
- You need to inspect what third-party scripts a site loads via its CSP header.
- You are assessing a domain's security posture before trusting it.
- You want to detect surveillance actors embedded in a site's CSP.
Do NOT use this tool when:
- You need tracker database data (category, score, entity) — use `get_domain` instead.
- You need the technology stack (CMS, framework) — use `intel_stack` instead.
- You need robots.txt AI crawler policy — use `intel_robots` instead.
Inputs:
- `domain` (query, required): Domain to probe. Can include or omit `https://`.
Examples: `nytimes.com`, `https://example.com`.
Returns:
- `reachable`: false if the domain did not respond within 6 seconds.
- `redirect_chain`: each hop with URL, status code, and Location header.
- `security_headers.score`: 0-100 based on presence of HSTS, CSP, X-Content-Type,
X-Frame-Options, Referrer-Policy.
- `security_headers.missing`: list of headers absent.
- `csp_actors`: known surveillance actors detected in the CSP header.
- `error`: set if the connection failed.
Cost:
- Free. No API key required.
Latency:
- Typical: 1-3s (outbound fetch), p99: 6s (timeout). Plan for async if chaining calls.
| write | true | unknown |
| intel_stack Fetches up to 32KB of the domain's HTML and response headers from the edge, then
fingerprints the content for known CMS platforms, JavaScript frameworks, CDN
providers, and analytics tools. Detection is based on meta generator tags, script
src patterns, response headers, and cookie names.
Use this tool when:
- You need to know what CMS (WordPress, Drupal, Shopify) a site runs.
- You are assessing a domain's infrastructure before a security review.
- You want to identify analytics or marketing tools a site embeds.
Do NOT use this tool when:
- You want HTTP headers and security posture — use `intel_http` instead.
- You want tracker database classification — use `get_domain` instead.
- You need robots.txt AI policy — use `intel_robots` instead.
Inputs:
- `domain` (query, required): Domain to fingerprint.
Returns:
- `cms`: detected content management system, or null.
- `frameworks`: JavaScript/backend frameworks detected.
- `cdn`: CDN provider detected, or null.
- `analytics`: analytics and tracking tools detected.
- `meta_generators`: raw meta generator tag values.
Cost:
- Free. No API key required.
Latency:
- Typical: 2-4s (HTML fetch), p99: 7s.
| read | false | unknown |
| intel_robots Retrieves the target domain's `robots.txt` file and parses it for AI crawler
disallow rules. Specifically detects policies for known AI crawlers (GPTBot,
ClaudeBot, CCBot, Bytespider, etc.) and returns a structured summary of the
crawling policy.
Use this tool when:
- You need to know whether a domain has opted out of AI training data collection.
- You want to check if a specific AI crawler is blocked before citing the domain.
- You are building a dataset of AI-accessible vs AI-blocked domains.
Do NOT use this tool when:
- You want training opt-out signals beyond robots.txt (TDM reservation, noai meta) —
use `intel_optout` instead.
- You want the full technology stack — use `intel_stack` instead.
- You need tracker database data — use `get_domain` instead.
Inputs:
- `domain` (query, required): Domain to probe.
Returns:
- `robots_txt_found`: false if the domain returned 404 or the file is empty.
- `ai_crawlers_blocked`: list of AI crawler user-agent names that are disallowed.
- `all_blocked`: true if `User-agent: *` with `Disallow: /` is present.
- `raw`: first 4096 characters of the robots.txt file.
Cost:
- Free. No API key required.
Latency:
- Typical: 1-2s, p99: 6s.
| read | false | unknown |
| intel_agent Probes a domain for known AI agent integration signals: `llms.txt`, `ai.txt`,
`/.well-known/ai-plugin.json`, `openapi.json`, `swagger.json`, MCP manifest, MCP
SSE endpoint. Returns a score based on the count of signals detected. Use this to
assess whether a domain is ready for agent-to-agent interaction.
Use this tool when:
- You want to know whether a domain exposes an MCP server or OpenAPI spec for agents.
- You are cataloguing the AI-agent-ready surface of a set of domains.
- You need to decide whether to attempt programmatic API access to a domain.
Do NOT use this tool when:
- You need tracker/surveillance data about the domain — use `get_domain` instead.
- You need the robots.txt AI crawler policy — use `intel_robots` instead.
- You need HTTP security posture — use `intel_http` instead.
Inputs:
- `domain` (query, required): Domain to probe.
Returns:
- Boolean flags per signal (`llms_txt`, `ai_plugin`, `openapi`, `mcp_manifest`,
`mcp_endpoint`, `mcp_sse`).
- `agent_surface_score`: integer 0-8, count of signals detected.
Cost:
- Free. No API key required.
Latency:
- Typical: 2-5s (parallel probes), p99: 8s.
| write | true | unknown |
| intel_inject Fetches a domain's homepage and checks for content patterns that could constitute
prompt injection attacks against AI agents that visit and ingest the page. Signals
include hidden text, invisible divs, `<!-- AI: ignore -->` style comments, and
known injection patterns.
Use this tool when:
- You are vetting a domain before feeding its content into an LLM context.
- You want to assess the prompt injection risk of a URL before browsing it with an agent.
- You are auditing a set of domains for adversarial AI content.
Do NOT use this tool when:
- You want tracker surveillance data — use `get_domain` instead.
- You want AI training opt-out signals — use `intel_optout` instead.
- You want the agent surface (MCP/OpenAPI) — use `intel_agent` instead.
Inputs:
- `domain` (query, required): Domain to scan.
Returns:
- `injection_signals`: list of signal types detected (e.g., `hidden_text`,
`ai_instruction_comment`, `invisible_div`).
- `risk_level`: `none`, `low`, `medium`, or `high` based on signal count and type.
Cost:
- Free. No API key required.
Latency:
- Typical: 2-4s (HTML fetch), p99: 7s.
| write | true | unknown |
| intel_optout Checks a domain for all known AI training data opt-out mechanisms beyond robots.txt:
TDM (Text and Data Mining) reservation headers, `<meta name="ai">` tags, Creative
Commons NonCommercial licenses, and other machine-readable opt-out signals.
Use this tool when:
- You need to determine whether a domain has opted out of AI training data collection.
- You are checking compliance before using a domain's content in a training dataset.
- You want a comprehensive opt-out status (robots.txt + TDM + meta tags combined).
Do NOT use this tool when:
- You only need robots.txt crawler policy — use `intel_robots` instead (faster).
- You need tracker data — use `get_domain` instead.
- You want injection risk assessment — use `intel_inject` instead.
Inputs:
- `domain` (query, required): Domain to probe.
Returns:
- `tdm_reservation`: true if the domain sends a `TDM-Reservation: 1` header.
- `noai_meta`: true if the HTML contains `<meta name="robots" content="noai">`.
- `license_detected`: string if a CC NonCommercial or similar license is detected,
otherwise null.
- `opted_out`: true if any opt-out signal is present.
Cost:
- Free. No API key required.
Latency:
- Typical: 2-4s, p99: 7s.
| read | false | unknown |
| verify_receipt Tamper-detection verification for TunnelMind surveillance receipts. Submit the
receipt ID, the SHA-256 content hash, and the Ed25519 signature from the receipt
document. The registry compares these against what was recorded at issuance time.
Returns VALID if both match exactly, INVALID with a specific mismatch reason otherwise.
Use this tool when:
- You received a surveillance receipt document and want to verify it hasn't been altered.
- You are programmatically checking receipt authenticity in an agent workflow.
- You want to prove to a third party that a receipt is genuine.
Do NOT use this tool when:
- You only want to check existence — use `get_receipt` instead (no body required).
Inputs:
- `receipt_id` (body, required): The receipt's ID field from the document.
- `content_hash` (body, required): SHA-256 hex hash of the receipt JSON. Max 256 chars.
- `signature` (body, required): Ed25519 signature from the receipt document. Max 512 chars.
Returns:
- `valid`: boolean. True only if both hash and signature match exactly.
- `status`: `VALID` or `INVALID`.
- `message`: human-readable explanation. On INVALID, specifies whether the hash
mismatched, the signature mismatched, or both.
Cost:
- Free. No API key required.
Latency:
- Typical: <100ms, p99: <300ms.
| read | false | unknown |
| revoke_api_key Permanently deactivates the API key used to make this request. This action is
irreversible. After revocation, the key will return 401 on all subsequent calls.
If you have an active Stripe subscription, you must separately cancel it at
stripe.com — revoking the key does not cancel billing.
Use this tool when:
- You want to rotate your API key (revoke old, then provision a new one).
- You believe your key has been compromised.
Do NOT use this tool when:
- You want to check quota — use `get_api_key` instead.
- You intend to keep using the API — this is permanent.
Inputs:
- No body or query parameters. Auth is from the `Authorization: Bearer` header.
Returns:
- `revoked`: true.
- `note`: reminder about Stripe subscription cancellation.
Cost:
- Free. Does not count against the daily request limit.
Latency:
- Typical: <150ms, p99: <400ms.
| destructive | true | true |
| get_task Returns the current status of a task created by an `?async=true` intel request.
Poll this endpoint until `status` is one of: `complete`, `failed`, `cancelled`,
`expired`. On `complete`, the `result` field contains the same payload the sync
endpoint would have returned. On `failed`, `error.message` explains the failure.
Use this tool when:
- You submitted an intel probe with `?async=true` and need to retrieve the result.
- You want to check whether a background task finished without opening an SSE stream.
Do NOT use this tool when:
- You want real-time event streaming — use `stream_task` instead.
- You have no task_id — submit a probe with `?async=true` first.
Inputs:
- `task_id` (path, required): 26-char ULID returned in the 202 response.
Returns:
- `status`: `pending` | `running` | `complete` | `failed` | `cancelled` | `expired`.
- `result`: populated when status is `complete`. Null otherwise.
- `error`: populated when status is `failed`. Null otherwise.
- `expires_at`: tasks expire 1 hour after creation.
Cost:
- Free. Does not count against rate limits.
Latency:
- Typical: <100ms.
| read | false | unknown |
| stream_task Opens a persistent SSE connection that emits events as the task progresses.
The stream closes automatically when the task reaches a terminal state or after
~90 seconds (timeout). Heartbeat comments are sent every ~15 seconds to keep
the connection alive through proxies.
Event types:
- `status` — emitted when status changes (pending → running → complete/failed)
- `result` — emitted on `complete` with the full result payload
- `error` — emitted on `failed`, `cancelled`, or `expired` with error info
- SSE comment (`: heartbeat`) — keepalive, no data
Use this tool when:
- You want real-time progress without polling.
- You are in an environment that supports SSE (EventSource API).
Do NOT use this tool when:
- You want a simple one-shot status check — use `get_task` instead.
- Your HTTP client doesn't support streaming responses.
Inputs:
- `task_id` (path, required): 26-char ULID.
Returns:
- SSE stream (`text/event-stream`). Each event is `event: <type>\\ndata: <json>\\n\\n`.
Cost:
- Free. Counts as one request against rate limits when the stream opens.
Latency:
- First event: <200ms. Stream duration: up to 90s.
| write | true | unknown |
| audit_export Returns NDJSON (one JSON object per line) of audit log entries. Each entry records
the operation called, the identity, hashes of the request and response, duration,
and an Ed25519 signature over the canonical entry JSON. Entries are hash-chained:
each entry's `prev_entry_hash` is SHA-256 of the previous entry's signature,
making deletion of any entry detectable offline.
Authenticated callers receive only their own entries (`identity_sub` match).
Admin key holders receive all entries.
Use this tool when:
- You want a tamper-evident record of your own API calls.
- You are auditing a sequence of requests for compliance or debugging.
- You want to verify the audit chain integrity offline.
Do NOT use this tool when:
- You are anonymous — authentication is required.
- You want task status — use `get_task` instead.
Inputs:
- `from` (query, optional): ISO 8601 start datetime. Default: 7 days ago.
- `to` (query, optional): ISO 8601 end datetime. Default: now.
- `limit` (query, optional): Max entries. 1–5000, default 1000.
Returns:
- NDJSON stream, one `AuditEntry` per line.
- `X-Total-Count` response header with entry count.
- `X-Took-Ms` response header.
Verify the chain offline:
- For each consecutive pair (A, B): `SHA-256(A.signature) == B.prev_entry_hash`.
- For each entry: verify Ed25519 signature against public key in `/.well-known/atap.json`.
Cost:
- Counts as one request against the daily limit.
Latency:
- Typical: <300ms for 1000 entries, p99: <1s.
| read | false | unknown |
| generate_receipt Looks up each submitted domain in the TunnelMind tracker database, aggregates risk
metrics (avg score, max score, fingerprinters, high-risk domains, entity ownership),
and issues a signed surveillance receipt. The receipt is stored in the public registry
and can be verified at `/verify/{receipt_id}`.
Use this tool when:
- You want a verifiable record of which trackers were observed in a context (page, app, session).
- You need a signed evidence artifact for a privacy audit or compliance report.
- You want to know the overall surveillance exposure level for a set of domains.
- You are generating a receipt to share with a user as evidence of tracker presence.
Do NOT use this tool when:
- You want full tracker details per domain — use `get_domain` instead.
- You want to look up an existing receipt — use `get_receipt` instead.
- You need live probes (HTTP headers, stack detection) — use `/v1/intel/*` instead.
Inputs:
- `domains` (body, required): Array of 1–50 fully qualified domain names.
Duplicates are deduplicated. URLs are stripped to host component.
- `domain` (body, alternative): Single domain string (shorthand for `domains: [domain]`).
Returns:
- `receipt_id`: Unique receipt ID (e.g. `rcpt_01JXYZ...`).
- `receipt`: Full receipt document including domains submitted, tracker findings,
high-risk domains, fingerprinters, unique entities, and exposure metrics.
- `content_hash`: SHA-256 of the canonical receipt JSON.
- `signature`: Base64 Ed25519 signature (empty string if signing key not configured).
- `signed`: Boolean — true if the receipt is cryptographically signed.
- `verify_url`: Path to retrieve this receipt from the public registry.
Exposure levels: `minimal` / `moderate` / `high` / `critical`
Based on average tracker score and proportion of high-risk domains (score ≥ 70).
Cost:
- Counts as one request against the daily limit regardless of domain count.
Latency:
- Typical: <100ms (pure D1 lookup, no outbound probing). p99: <300ms.
| write | true | unknown |
| sigil_verify_ads_txt Confirms whether an SSP/exchange is authorized to sell a publisher's
inventory according to that publisher's ads.txt. This is a cache lookup
against ads.txt files crawled daily across the top 10,000 publisher
domains — it does NOT fetch the publisher's ads.txt live, so it is fast
and adds no latency to a real-time bidding decision.
Use this tool when:
- You are an ad-buying agent and want to confirm, pre-bid, that a supply
path (publisher → exchange → seller_id) is legitimate.
- You are detecting domain spoofing or unauthorized resale in a bid stream.
- You want to check whether a seller is listed DIRECT or RESELLER.
Do NOT use this tool when:
- You want a full supply-path trust score — that endpoint is Sigil P31.
- You want surveillance tracker data for the domain — use `get_domain`.
Inputs:
- `publisher_domain` (body, required): Publisher domain, e.g. `nytimes.com`.
A `www.` prefix and scheme/path are stripped automatically.
- `exchange_domain` (body, required): The exchange/SSP domain as it appears
in ads.txt, e.g. `google.com`, `amazon-adsystem.com`.
- `seller_id` (body, required): The publisher's seller/account ID at that
exchange, e.g. `pub-4177862836555934`. Matched exactly.
- `seller_type` (body, optional): `DIRECT` or `RESELLER`. When supplied it
is checked against the ads.txt entry; a mismatch is reported as a warning.
- `resolve_chain` (body, optional): When true, a matched RESELLER entry is
cross-checked against the exchange's sellers.json (one authoritative hop).
Returns:
- `verified`: true (entry found), false (confidently not listed), or null
(ads.txt could not be retrieved — indeterminate).
- `confidence`: `high` | `degraded` | `low` | `unknown`.
- `seller_entry`: the matched ads.txt line (line number, raw text, parsed
fields) when `verified` is true; otherwise null.
- `ads_txt_parse_status`, `ads_txt_last_parsed`, `stale`: provenance of the
cached crawl this answer is derived from.
- `reseller_chain`: empty unless `resolve_chain: true` and the matched entry
is RESELLER — then it carries the sellers.json cross-check for the seller.
- `warnings`: actionable flags, e.g. `publisher_not_in_corpus`,
`publisher_has_no_ads_txt`, `seller_type_mismatch`, `ads_txt_cache_stale`.
Cost:
- Counts as one request against the daily rate limit.
Latency:
- Typical: <50ms (single cache lookup, no outbound fetch). p99: <120ms.
| read | false | unknown |
| traction Live traction numbers computed from sources the Worker owns: the
hash-chained D1 audit log (7-day call volume, distinct identified
callers, top operations), the stored-receipt table, and Stripe
(succeeded charges → paying customers, gross USD). Ed25519-signed
with the same attestation envelope as /v1/status so the numbers can
be replayed to an auditor.
Use this tool when:
- You are evaluating whether anyone actually uses and pays for this API.
- You need a signed, re-checkable statement of usage rather than a claim.
Returns:
- `traction.usage`: calls_7d, identified_callers_7d, anonymous_calls_7d,
top_operations_7d — or available:false with a reason.
- `traction.receipts`: stored receipt counts (total / 7d).
- `traction.revenue`: paying_customers, succeeded_charges, gross_usd,
`truncated` flag when the Stripe page is partial.
- `attestation`: Ed25519 signature over the canonicalized traction block.
Cost:
- Counts as one request against the daily rate limit. Cached 1h.
Latency:
- Typical: <100ms cached; up to ~2s on a cache miss (one Stripe read).
| read | false | unknown |
| verify_agent Reconciles a claimed bot User-Agent against the operator's OWN published
IP-range feed (Googlebot, GPTBot, OAI-SearchBot, ChatGPT-User,
PerplexityBot, Perplexity-User, Bingbot). A User-Agent is trivial to
forge; membership in the operator's published CIDR ranges is not. This
exposes the common attack: a scraper sending `User-Agent: Googlebot` from
an IP in none of Google's ranges.
Use this tool when:
- A request claims to be a search/AI crawler and you must decide whether
to trust that claim before serving, allowing, or logging it.
- You are separating genuine declared agents from impersonators.
Inputs:
- `ip` (path, required): the IPv4 or IPv6 address to check.
- `ua` (query, optional): the claimed User-Agent string. Omit to ask only
"is this IP a known published bot range?".
Returns:
- `verdict`: one of
- `verified` — the IP is inside the agent's published range (UA, if
given, agrees). It genuinely is that bot.
- `spoofed` — the UA claims a verifiable bot but the IP is in none of
its published ranges. Impersonation.
- `mismatch` — the IP is a real bot's range, but the UA names a
different bot.
- `unverifiable` — the UA names a real agent whose operator publishes
no authoritative IP feed (e.g. Anthropic's ClaudeBot). Neither
confirmed nor denied — never reported as spoofed.
- `unknown` — no recognized bot UA and the IP is in no known range.
- `is_verified_agent`, `is_spoofed`: booleans for the two actionable cases.
- `agent`, `agent_label`, `matched_agent`, `claimed_agent`: the resolved
identities.
- `reason`: one-line explanation of the verdict.
- `feeds_as_of_ms`: when the published ranges were last refreshed.
Cost:
- Counts as one request against the daily rate limit.
Latency:
- Typical: <50ms (one KV read + CIDR match). First call after a deploy may
take ~1s if it has to warm the range cache.
| write | true | unknown |
| list_subscriptions Returns the caller's active and inactive subscriptions (signing_key redacted). Requires an API key. | unknown | unknown | unknown |
| delete_subscription Cancel a subscription. | destructive | true | true |
| create_subscription Subscribe to a node (ip, domain, asn, or entity slug). On a recurring
sweep (~20 min) TunnelMind re-runs the fused `POST /v1/verify` verdict and,
when the *material* result changes — the verdict label flips, the trust
score crosses a band, or the signal set changes — POSTs a signed event to
your `callback_url`.
Webhook authenticity: every delivery carries an `X-TunnelMind-Signature:
sha256=<hex>` header, an HMAC-SHA256 over the raw request body keyed by the
`signing_key` returned ONCE at creation. Recompute and compare to trust it.
Delivery body: `{ subscription_id, node, event: "verdict_change",
previous, current, delivered_ms }` where `previous`/`current` are compact
verdict summaries `{ verdict, trust_score, signals }`.
Inputs (JSON body):
- `node` (required): the node to watch.
- `callback_url` (required): an https URL to receive deliveries.
- `events` (optional): reserved; defaults to `["verdict_change"]`.
Requires an API key. The baseline verdict is captured at creation, so the
first webhook fires on the first genuine change, not the initial state.
| write | true | unknown |
| get_subscription Read one of your subscriptions (signing_key redacted). | read | false | unknown |
| tracker_verify The Tracker lens-owned verify surface: a per-node verdict over the
normalized DDG Tracker Radar / IAB TCF / Disconnect.me corpus, with an
optional signed TunnelMind Receipt v1.0. This is the single-lens ground
truth the fused `POST /v1/verify` cites for its tracker block.
Use this tool when:
- You need to know whether a domain is tracking/surveillance infrastructure
and which entity operates it, without the full cross-lens fusion.
- You want a signed, offline-verifiable receipt for that single-lens answer.
Inputs:
- `node` (path, required): a domain (e.g. `doubleclick.net`) or an entity
slug (e.g. `google`). IPs and ASNs are not indexable by this lens.
- `receipt` (query, optional): `true` attaches a Receipt v1.0 envelope.
Returns:
- `tracking`: true (in the tracker corpus), false (queried, absent), or
null (not answerable — ip/asn node or backend unavailable; see `reason`).
- `tracker`: the lens record — domain {category, prevalence, score 0-100}
plus operating entity {slug, name, parent_company, industry, sources},
or entity + top_domains when queried by slug.
- `checked_at`: ISO 8601 timestamp of the corpus read.
- `receipt`: TunnelMind Receipt v1.0 (Ed25519, JCS) when requested.
Cost:
- Counts as one request against the daily rate limit.
Latency:
- Typical: <100ms (one or two D1 reads at the edge).
| write | true | unknown |
| sigil_verify_domain Confirms a publisher controls a domain by checking for a DNS TXT record
the owner publishes under `_tunnelmind.{domain}`. A DNS record can only
be set by whoever controls the zone, so its presence proves control — a
stronger signal than ads.txt, which is just a file anything in the
request path can serve.
Use this tool when:
- You want proof a publisher actually owns the domain it claims.
- You are distinguishing publishers who have opted into Sigil verification.
Inputs:
- `domain` (query, required): Publisher domain. `www.` and scheme stripped.
Returns:
- `verified`: true (record found), false (absent), or null (DNS lookup failed).
- `expected`: the exact TXT record the owner must publish to verify.
- `found_records`: TXT values currently present at `_tunnelmind.{domain}`.
- `checked_at`: ISO 8601 timestamp of the live DNS lookup.
Cost:
- Counts as one request against the daily rate limit.
Latency:
- Typical: <300ms (one DNS-over-HTTPS lookup).
| write | true | unknown |
| sigil_verify_adscert Reports whether a domain publishes ads.cert (IAB Tech Lab Authenticated
Connections) DNS records — a readiness signal showing the domain
supports cryptographically authenticated ad-tech connections. This is
not signature verification: ads.cert is pairwise, so verifying a signed
bid request requires Sigil to be a delegated participant (a future
build). DNS-only and stateless.
Inputs:
- `domain` (query, required): Domain to check.
Returns:
- `adscert_ready`: true | false | null (DNS lookup failed).
- `adscert_records`: TXT values at `_adscert.{domain}`.
- `delegation_records`: TXT values at `_delegated._adscert.{domain}`.
| read | false | unknown |
| cross_lens_verify A2 — the cross-lens join. TunnelMind owns multiple halves of the
open-web graph: Scry sees who is on every IP (attacker intelligence,
actor class, Augur threat-intel overlap); Sigil sees the supply graph
(publishers, SSPs, DSPs, ads.txt + sellers.json + SupplyChain Object);
GhostRoute sees routing integrity & sovereignty (RPKI origin validity,
BGP prefix, claimed sovereign zone, sanctions, AI-infrastructure
ownership, certificate CA). This endpoint fuses them into one verdict
on a single node key.
The response leads with a base record, then the lens views:
- `ip_intel` — the BASE: the commodity IP-intelligence + WHOIS record
(geo/ASN/company/WHOIS/routing/cert), every field provenance-tagged
`{value, tier, source}` (verified/derived/trusted) with a behaviour axis
from Scry. The lens blocks below are augmentation beside it. Committed in
the receipt payload. See `docs/IP-INTEL-RECORD.md`.
- `scry` — the single-lens Scry view (transparency).
- `sigil` — the single-lens Sigil view (transparency).
- `ghostroute` — the single-lens GhostRoute view (transparency).
- `cross_lens` — the fused verdict (the moat).
Fusion math: weighted-mean over evaluated components plus a
`co_observation_bonus` when both lenses independently flag the node.
GhostRoute adds a routing-integrity component with two hard safety
floors that cannot be averaged away: an RPKI-INVALID origin (a BGP
hijack signal) caps its trust at 0.15, and a sanctions match zeroes it.
Weights and thresholds are per-request overridable.
Lens unavailability is reported in-band: each lens fails
independently and the cross_lens block reflects degraded confidence
when fewer lenses have data (0.55 one lens / 0.80 two / 0.94 three).
GhostRoute has no routing surface for a bare entity_slug, so it drops
out and the remaining weights re-normalise. Returns 503 only when ALL
lenses are unavailable.
v1 lens coverage matrix:
- IP node — Scry: full; Sigil: not_indexed (v2 will reverse-DNS); GhostRoute: full.
- Domain node — Scry: deferred; Sigil: full (publisher/ssp/dsp + entity); GhostRoute: full (resolves to IP).
- entity_slug node — Scry: n/a; Sigil: full (entity + sell/buy presence); GhostRoute: n/a (no routing surface).
- ASN node — Scry: deferred (v2); Sigil: not_indexed; GhostRoute: origin-AS lookup.
| read | false | unknown |
| verdict_lookup The reconciliation layer in one call. Where `cross_lens_verify` answers
"what is this network destination," `verdict_lookup` answers a different,
sharper question about a key-addressed ACTOR: **does what this key claims
about itself match what the network has seen it do?**
It fuses two sides:
- **claim** — what the key can prove about itself: its `attestation_tier`
across roots of trust (bare Ed25519 self-attestation → a RATS/EAT
hardware/platform attestation). TunnelMind owns no silicon and reads
every root; the tier is always *measured/anchored*, never self-asserted
(a token claiming a higher tier than its trust anchor is trusted to
assert is capped down).
- **conduct** — what the graph has seen the key's subject do (Scry × Sigil
× GhostRoute), supplied via the optional `subject` parameter.
The response carries `reconciliation.contradictions` (e.g. a key that
attests `silicon-root` but behaves as a low-trust node →
`claim_exceeds_conduct`; a presented claim that fails to verify →
`unverified_claim`; claims presented with no proof of key control →
`key_control_unproven`), a `claim_vs_conduct_delta`, and a
`verdict {tier, reputation, flags, confidence}`.
Keys are linked to an identity ONLY when the actor cryptographically
proves control — never inferred from behavioral correlation. An EAT that
attests a *different* subject key is rejected, not silently merged.
The verdict is published as a self-verifying receipt: given the receipt
bytes + the witness public keys carried inline, anyone re-derives the
verdict and checks log inclusion OFFLINE with `scripts/verify-verdict.mjs`
— no call back to TunnelMind. A bare, unattested key still gets a verdict
(at `self-asserted` tier); attestation is never required to participate.
| unknown | unknown | unknown |
| sigil_verify_app_bundle Verifies that a mobile or CTV app bundle ID actually exists in the
relevant app store — used to detect bundle spoofing in bid requests.
Platform support (v1):
- `ios`: verified live via Apple's iTunes Lookup API.
- `android`: verified live via the Google Play store listing page.
- `ctv_*` / `web`: no public store API — returns verified=null.
Inputs:
- `bundle_id` (body, required): e.g. `com.nytimes.NYTimes`.
- `platform` (body, required): ios | android | ctv_roku | ctv_fire |
ctv_samsung | ctv_lg | ctv_vizio | web.
- `claimed_developer` (body, optional): checked against the store listing.
Returns:
- `verified`: true | false | null (not checkable on this platform).
- `store_listing`: name, developer, developer_match, store_url.
| read | false | unknown |
| cross_lens_lookup Returns all three lens views for a single node key without computing a
fused verdict. Use this when you want raw transparency — the Tracker
catalog presence, Scry attacker observations, and Sigil supply-graph
position — and intend to make your own decision. For an opinionated
verdict, call `cross_lens_verify` instead. For an agent-side
allow/caution/deny gate plus signed consultation receipt, call
`preflight_should_i_act`.
Coverage block exposes which lenses responded so agents can reason about
partial-data verdicts. `issued_by` carries the OAI of the answering
witness so the response is attributable.
| unknown | unknown | unknown |
| preflight_should_i_act The single call an agent makes before transacting with a destination
on the open web. Composes the cross-lens verdict with a bounded
Tracker-presence bonus, maps the adjusted trust score to a tri-state
decision (`allow` / `caution` / `deny`), and returns a 5-minute signed
consultation receipt (`sigil_token` with `sub: preflight:consulted`).
The receipt is the load-bearing artifact: the agent attaches it to
its action log as cryptographic proof that the destination was
consulted before action. The decision itself is commodity-shaped; the
*receipt of having asked* is what accountability requires.
When `ait` is supplied, the consultation additionally chains a
witness-tier `preflight:consulted` event onto the ATAP AIT, signed by
OAI-2026-0000201 — turning the consultation into a hash-chained,
replayable artifact.
Tracker presence applies a bounded `+0.05` trust bonus before decision
mapping (capped at 1.0). Absence is never a penalty — most of the open
web is not in the tracker corpus and that's expected.
Defaults: `allow >= 0.70`, `caution >= 0.40`, else `deny`. Thresholds
are overridable per request; weights are inherited from cross_lens_verify.
| unknown | unknown | unknown |
| sigil_verify_token Verifies the authenticity and expiry of a `sigil_token` returned by
`sigil_verify_supply_path`. Anyone can call this — no key needed; Sigil
verifies the Ed25519 signature server-side. Tokens live 5 minutes.
Returns `valid` (boolean), `reason` (when invalid: malformed / expired /
bad_signature / unsigned), and the decoded `payload`.
| unknown | unknown | unknown |
| explain_verdict Call this when you need to ACT ON a verdict and prove why. It returns the
exact verdict `/v1/verify/{node}` computes (same fusion, same weights)
PLUS a traced evidence chain: every claim is attributed to where it came
from — the attested sensor fleet (with attestation tier), a named Augur
threat feed, sellers.json/ads.txt supply-graph presence, the cross-lens
co-observation join, the DDG/IAB tracker corpus — and how much each item
moved the verdict (`weight`; null = supplementary, not scored).
The response is committed to by a P38 signed receipt via
`evidence_digest` (a hash of the exact evidence array), so an agent can
act on the verdict and leave behind a cryptographically verifiable trail
of the reasoning in the same request. Empty/`none` evidence is the honest
"no corpus presence", never a fabricated reason.
`node` is an IPv4/IPv6, ASN, domain, or entity_slug — the same key space as
`/v1/verify`.
| unknown | unknown | unknown |
| signal_tracker_density Observed component counts first, a labelled derived roll-up second. The
components — `data_categories`, supply-surface counts (ssp + publisher +
dsp + owns_seat + buys_through), and corroborating `sources` — are facts.
`derived.tracker_density` (0–100) is a weighted blend of those counts, not
a measurement; `data_cost_usd` is deliberately excluded (non-zero only for
a curated seed, so weighting by it would fabricate precision). Anchors the
`surveillance_bigtech` adversary class for the cross-lens classifier.
| unknown | unknown | unknown |
| signal_halo_score Scores an entity by the trust character of its neighbours — the SSPs its
publishers sell through and the DSPs it buys through. Reports neighbour
counts, mean/min neighbour trust, and how many neighbours are
adversary-classified (P46). `derived.halo_score` (0–100, or null when no
neighbour has a computed trust) is mean neighbour trust dragged down by
adversary-neighbour share. Evidence about an entity's company, not a
persisted verdict — no profile poisoning.
| unknown | unknown | unknown |
| sigil_verify_supply_path The core Sigil pre-bid call. Submit a supply path; Sigil composes its
individual checks into one trust verdict and returns a signed
`sigil_token` the agent can attach to its bid as proof of verification.
Checks composed:
- `ads_txt` — exchange authorized in the publisher's ads.txt.
- `datacenter_ip` — is the IP a datacenter posing as a real user.
- `fraud_signals` — is the IP in Scry's attacker-intelligence corpus.
- `bundle_verified` — does the app bundle exist in its store.
- `domain_authenticity` / `entity_reputation` — reserved, not evaluated in v1.
Each evaluated check yields pass/warn/fail; `trust_score` is their
weighted mean (override `weights` per request); `verdict` is
pass/warn/fail/unknown (override `thresholds`).
PRIVACY: `ip_address` is used for lookup only — never logged, never
stored, never placed in the sigil_token. `geo` is accepted but unused.
Returns: `trust_score` (0-1 or null), `verdict`, `checks`,
`recommendations`, `sigil_token` (signed, 5-minute lifetime).
| read | false | unknown |
| profile_entity Call this before routing traffic, bidding on inventory, or trusting a
counterparty. It fuses ALL THREE TunnelMind lenses for one subject —
Scry (attacker intelligence + threat feeds + open ports), Sigil
(ad-supply-chain position + trust score + ATAP witness count), and
Tracker (DDG/IAB catalog + prevalence + categories) — into a single
confidence-scored profile plus a signed P38 receipt.
The `cross_lens.hits` field tells you if the same infrastructure
appears in attack data AND supply-chain data — that's your
highest-confidence signal, and the one no siloed competitor can give
you. `cross_lens.flags` surfaces the actionable highlights
(`cross_lens_overlap:scry+sigil`, `in_threat_intel:...`,
`high_prevalence_tracker`, `corroborated_by_N_lenses`).
Confidence weighting: each lens contributes a base score; a 1.5×
multiplier applies when ≥2 lenses corroborate the same subject; and the
Scry contribution is weighted by the attestation tier of the sensors
that observed it (silicon_root 1.0 → self_asserted 0.5). Bounded [0,1]
and carried into the receipt.
Unlike `cross_lens_verify` (one node → one verdict) and
`cross_lens_lookup` (one node → raw three-lens view), profile_entity
takes the SUBJECT as any combination of ip / domain / entity and returns
the richest fused detail for a pre-transaction decision. At least one of
ip / domain / entity is required.
| read | false | unknown |
| signal_dark_pool_risk Reconciles every sell path a publisher declares (`sells_through`) against
each SSP's own sellers.json (`exchange_seat`) and keeps three classes
strictly separate: `corroborated` (seat present), `contradicted` (SSP
crawled but seller_id absent — real risk), and `unchecked` (SSP not yet
crawled — excluded from risk, lowers confidence). Combined with
publisher-side ads.txt opacity. Two-sided corroboration is the cross-lens
moat — it catches unauthorized resale a one-sided ads.txt read cannot.
| read | false | unknown |
| signal_team_signal Surfaces other entities that operate as a coordinated team with this one:
they share a NARROWLY-held direct seller account (2–8 entities — network
house accounts shared by hundreds are separated into
`house_accounts_excluded`, not counted) or co-own an exchange seat.
`derived.team_signal` (0–100) is a coordination magnitude over teammate
count, shared-account breadth, and co-owned seats.
| read | false | unknown |
| sigil_verify_supply_chain The bid-time contract. Pass the SupplyChain object from an OpenRTB bid
request (`source.ext.schain`) verbatim, plus the originating site domain
or app bundle. Sigil verifies, per node and in aggregate:
- origin ads.txt — the publisher's ads.txt authorizes node[0] (asi + sid).
- per node — the node's `asi` sellers.json declares the node's `sid`.
- owner-domain — node[0]'s sellers.json seller `domain` matches the
publisher's ads.txt OWNERDOMAIN / MANAGERDOMAIN (spec §3.5.1).
- `schain.complete` — an incomplete chain caps the verdict at `warn`.
OpenRTB field mapping: `site.domain` → `site_domain`; `app.bundle` →
`app_bundle`; `source.ext.schain` → `schain`. An app_bundle origin's
ads.txt check is `not_evaluated` pending app-ads.txt resolution.
Returns a per-node result array, an aggregate `verdict`
(pass/warn/fail/unknown), `recommendations`, and a signed `sigil_token`.
| unknown | unknown | unknown |
| get_stats One public "state of the corpus" readout — the whole graph in a single
call. Distinct from the Scry-only sensor stats at
api.tunnelmind.ai/v1/stats (which this reuses for the `scry` block): this
spans Scry, Sigil, and Tracker plus the attestation and routing layers.
Use it to cite live coverage — how many publishers / SSPs / DSPs / sell
paths / sellers.json seats are in the Sigil supply graph, how many tracker
entities and domains Tracker holds, how many ATAP witness events and OAIs
the attestation layer carries, and how many BGP watchlist resources and
routing events the monitor has recorded.
Every count is independent and null-tolerant: a momentarily-unavailable
lens reports `null`, never a silent zero. Cacheable for ~10 minutes.
| read | false | unknown |
| ghostroute_verify Retrieves a previously-issued, signed GhostRoute receipt by its
GR-YYYY-NNNNNNN id, for independent audit of a past sovereignty verdict.
Use this tool when:
- You hold a GhostRoute receipt id and want to confirm its contents/signature.
- You are reconciling an agent's action log against the attestation layer.
Inputs:
- `receipt_id` (path, required): GR-YYYY-NNNNNNN.
Returns:
- The full persisted receipt row (routing, cert, sovereignty fields + signature).
Latency:
- Typical <200ms (single indexed read).
| read | false | unknown |
| ghostroute_ai_lookup Checks whether a domain or ASN belongs to a known AI company's
infrastructure and what sovereignty it CLAIMS (program, zone, HQ), the
baseline GhostRoute scores routing reality against.
Use this tool when:
- You want to know "whose AI infrastructure is this, and what does it claim?"
- You are enriching an endpoint before deciding whether to send it inference.
Inputs:
- `entity` (path, required): a domain or ASN (AS####).
Returns:
- `matched`, `match_basis` (domain|asn), `ai_company`, `ai_product`,
`sovereign_ai_program`, `claimed_sovereign_zone`, `hq_country`, `verified_sovereign`.
Latency:
- Typical <300ms (cached corpus read).
| write | true | unknown |
| sigil_traverse Reconstructs the supply paths for a publisher domain from Sigil's own
crawl and returns them ITEMIZED — distinct from `sigil_verify_supply_chain`
(which verifies a schain the caller brings) and from `signal_dark_pool_risk`
(which returns only aggregate counts). Every SSP the publisher declares it
sells through is joined to that SSP's identity and classified two-sided
against the SSP's sellers.json: `corroborated` (seat present),
`contradicted` (SSP crawled but seller_id absent — real risk), `unchecked`
(SSP not yet crawled — not risk). Each returned path also carries
`resells_to`, one level of downstream reseller expansion.
The list is ordered riskiest-first (contradicted, then reseller) so a
truncated page is still the most useful; the `supply_paths` counts are
always over the FULL set. `in_supply_graph:false` when the domain is not
a known publisher.
| write | true | unknown |
| ghostroute_check GhostRoute is TunnelMind's fourth lens: routing-integrity / sovereignty
verification. It answers "is this infrastructure where it claims to be,
owned by who it claims, routing where it says — and does that match the
sovereign jurisdiction it asserts?" It resolves the originating ASN owner,
RPKI validity, the certificate-issuing CA's jurisdiction, and matches the
subject against a curated AI-infrastructure corpus to recover any
sovereignty CLAIM (e.g. an "EU-sovereign" AI service), then scores reality
against claim.
Use this tool when:
- An agent is about to route data/inference to an endpoint that claims a
jurisdiction (e.g. EU data residency, FedRAMP, sovereign-AI).
- You want to detect a US-fronted (Cloudflare/AWS/GCP) endpoint masquerading
as sovereign-EU infrastructure, an RPKI-invalid origin (possible hijack),
or a sanctioned operator.
Inputs:
- `entity` (path, required): an IPv4/IPv6, domain, ASN (AS####), or cert SHA-1/256.
- `receipt` (query, optional): when `true`, issues a signed, persisted
GhostRoute receipt (GR-YYYY-NNNNNNN) instead of an ephemeral verdict.
Returns:
- `sovereign_tier`: VERIFIED | PLAUSIBLE | MISMATCH | CRITICAL_MISMATCH (or null if no claim).
- `sovereign_integrity`: [0,1] score; `origin_as`, `rpki_status`, `cert_ca`,
`claimed_sovereign_zone`, `is_ai_infrastructure`, `ai_owner`, `sanctions_match`.
- `_meta.caveats` / `_meta.penalties`: what was and wasn't determinable.
Latency:
- Typical 300-900ms on a cold subject (live BGP/RPKI/cert lookups), faster when cached.
| read | false | unknown |
| ghostroute_asn_lookup Returns GhostRoute's ownership-graph record for an autonomous system: the
registrant/parent organisation, its HQ country and sovereign zone, RIR,
and cloud/AI-infrastructure flags. The long-term moat — who actually owns
the network a route originates from.
Use this tool when:
- You have an origin ASN and need its corporate owner + jurisdiction.
- You are assessing whether an ASN belongs to a cloud front or the real operator.
Inputs:
- `asn` (path, required): AS#### or a bare AS number.
Returns:
- `registrant_org`, `parent_org`, `parent_org_country`, `sovereign_zone`,
`rir`, `is_cloud_provider`, `is_ai_infrastructure`, or `{matched:false}`.
Latency:
- Typical <300ms (cached corpus read, RDAP fallback on a miss).
| read | false | unknown |
| ghostroute_ct_witness Returns GhostRoute's first-party Certificate-Transparency witness state:
the latest signature-verified Signed Tree Head (STH) for every trusted,
non-Google CT log TunnelMind independently witnesses, plus a regression
scan over our own append-only history. Proof the platform holds its own
signature-checked roots rather than reselling crt.sh/certspotter.
Use this tool when:
- You want corpus-wide CT witness health, not one cert.
- You need to know whether any CT log misbehaved (rewound, forked, or
served an STH whose signature did not verify) — a serious trust event.
Inputs:
- none.
Returns:
- `summary`: `logs_witnessed`, `verified_logs`, `unverified_logs`,
`all_verified`, `total_snapshots`, `regressions`, `last_observed_at`.
- `logs[]`: per-log latest STH (`log_url`, `log_operator`, `tree_size`,
`sth_timestamp`, `root_hash`, `signature_verified`, `snapshots`).
- `regressions[]`: detected violations — `kind` is `tree_size_rewind`,
`root_fork`, or `sth_signature_invalid` (empty array = healthy).
Latency:
- Typical <300ms (KV-cached 5m; the witness worker updates twice a day).
| read | false | unknown |
| ghostroute_ct_alerts Returns the durable, deduplicated ledger of CT equivocation events the
GhostRoute witness worker detects and pushes — a tree_size_rewind (an
append-only log shrank), a root_fork (one tree_size witnessed with two
different Merkle roots = a split-view log), or an sth_signature_invalid
(a log's latest Signed Tree Head failed signature verification). Where
`/v1/ghostroute/witness` shows live computed health, this is the immutable
first-detection log: each entry's `detected_at` is when TunnelMind first
raised the alarm. A healthy CT ecosystem returns an empty feed — any row
here is a serious trust event.
Use this tool when:
- You want a chronological record of CT trust violations, not live state.
- You're polling for new equivocation events (check `summary.last_detected_at`).
Inputs:
- `limit` (query, optional): max recent alerts, 1–200, default 50.
Returns:
- `summary`: `total`, `undelivered`, `rewinds`, `forks`, `bad_signatures`,
`last_detected_at`.
- `alerts[]`: each `kind`, `severity`, `log_url`, `log_operator`,
`from_tree_size`, `to_tree_size`, `distinct_roots`, `event_observed_at`,
`detected_at`, `delivered`.
Latency:
- Typical <200ms (KV-cached 1m).
| read | false | unknown |
| sigil_ads_txt_history Returns a publisher's ads.txt change log — one entry per crawl in which
its authorized-seller set changed. A publisher quietly adding a reseller
line is a real fraud signal; this is how a buyer audits supply over time.
Inputs:
- `domain` (path, required): publisher domain.
- `since` (query, optional): ISO date / date-time lower bound on `observed_at`.
- `limit` (query, optional): max entries — default 50, max 200.
Returns `changes[]`, newest first — each with `observed_at`,
`added_count`, `removed_count`, `additions`, `removals`,
`directive_changes`.
| write | true | unknown |
| sigil_score_entity Returns the pre-computed 0.0–1.0 trust score for one entity, its
component breakdown, and the 14-day trend. Scores are refreshed daily
by a database job — this endpoint never recomputes from raw data, so it
is fast and deterministic.
`entity_id` is `{entity_type}:{key}` — e.g. `publisher:nytimes.com` or
`ssp:pubmatic.com`. Entity types: `publisher`, `ssp`, `dsp`,
`app_bundle` (publishers and SSPs are scored today).
v1 evaluates structural components only (`ads_txt_health`,
`supply_chain_directness`, `historical_stability` for publishers;
`supply_reach`, `directness` for SSPs). The `not_evaluated` list names
spec components without an enrichment path yet.
Optional `weights` query param (URL-encoded JSON) re-weights the stored
components for this call.
| read | false | unknown |
| sigil_score_batch Scores up to 200 entities in one round-trip — built for agents
evaluating many supply sources during campaign setup. Per-item parse
failures are returned inline; the batch never fails as a whole.
An optional `weights` object re-weights every entity in the call.
| unknown | unknown | unknown |
| ghostroute_ct_proofs Returns GhostRoute's per-cert inclusion proofs: each is a cryptographic
demonstration that the exact certificate a host serves is included in an
append-only CT log whose root TunnelMind signature-verified — upgrading
"a monitor said this cert exists" to "proven in a log we witness". Failed
attempts are included with a `reason`; a cert that suddenly cannot be
proven is itself a signal.
Use this tool when:
- You want to know whether a specific AI host's live cert is provably
logged (pass `domain`), or
- You want the corpus-wide proof rollup across watched hosts (omit `domain`).
Inputs:
- `domain` (query, optional): a hostname to filter to; omit for corpus-wide.
- `limit` (query, optional): max recent rows, 1–200, default 50.
Returns:
- `domain` (echo, null when corpus-wide).
- `summary`: `total_attempts`, `proven`, `unproven`, `domains`, `last_observed_at`.
- `recent[]`: recent attempts (`log_operator`, `leaf_index`, `tree_size`,
`sth_root_hash`, `inclusion_proven`, `reason`, ...).
- `by_domain[]`: per-host `attempts` / `proven` rollup.
Latency:
- Typical <300ms (KV-cached 5m).
| read | false | unknown |
| get_bgp_events Returns the routing anomalies the bgp-monitor has observed against
TunnelMind's BGP watchlist — the witnessability layer's routing
dimension. The monitor polls RIPEstat (RIPE NCC) on a cron, self-baselines
each watched prefix's origin set on first sight, then records an event
whenever a later poll deviates from that baseline.
Use this to check whether a prefix or ASN you depend on (an SSP's egress,
a publisher's network, your own infrastructure) has shown a hijack-shaped
routing event. `event_type` is one of:
- `origin_change` — an origin AS not in the baseline is announcing the
prefix (severity `critical` if that announcement also fails RPKI,
else `high`).
- `rpki_invalid` — a current announcement fails RPKI ROA validation.
- `withdrawn` — a previously-announced prefix is no longer visible.
- `new_more_specific` / `visibility_drop` — reserved for a later monitor pass.
`prev_origins` is the baseline the event deviated from. `count` is the
full filtered set; `events` is bounded by `limit`, newest first. An empty
`events` array means no anomalies in the window — the honest "all clear".
| write | true | unknown |
| sigil_score_weights Returns the active, versioned default weights used to combine an
entity's trust-score components, plus the list of spec components that
are not yet evaluated. Pass a custom `weights` object to
`sigil_score_batch` to re-weight without changing the defaults.
| read | false | unknown |
| compliance_ledger Returns your hash-chained decision records — one per verdict-bearing call
(/v1/verify, /v1/explain, /v1/preflight, /v1/profile) made while compliance
is enabled. Each entry carries its node, verdict, scores, receipt_id, the
full decision record, and the chain hashes (prev_hash, entry_hash). Filter
with from/to (ISO8601) and page with cursor (a seq) + limit (≤1000).
| unknown | unknown | unknown |
| sigil_atap_witness Ingests one agent-reported event (`bid:submitted`, `bid:won`,
`bid:lost`, `budget:decremented`) into an AIT's hash-chained
attestation log. Sigil validates the payload (rejecting any PII per
ATAP §7.6), classifies the evidence tier — `anchored` if a
`bid:submitted` cites a valid Sigil token issued for this AIT and
matching the bid's supply path, otherwise `asserted` — derives any
`constraint:violated` events, then chains and signs each event.
`supply:verified` / `supply:rejected` are witness-emitted by
`sigil_verify_supply_path`, never accepted here — that is what makes
the `witnessed` tier non-bypassable.
| unknown | unknown | unknown |
| sigil_atap_ait_status Returns an AIT's status, chain head hash, event count, pending-event
count, per-tier event counts, and the anchored-bid coverage ratio.
| read | false | unknown |
| sigil_receipt_generate Assembles the ATAP v0.1 §7.5 Receipt ZIP for an AIT — the signed
Receipt (`manifest.json`), the AIT, the Attestation Block chain, the
witness public key, a tier-graded `summary.json`, the bundled
`verify.sh` reference verifier, and the witness events + sigil_tokens
as profile artifacts. Any pending events are rolled into a final block
first.
The ZIP verifies offline — unpack it and run `verify.sh`; keys are at
https://tunnelmind.ai/atap/keys. The summary grades every event as
`witnessed`, `anchored`, or `asserted` and reports the anchored-bid
coverage ratio.
| write | true | unknown |
| compliance_profile Returns your current compliance configuration (regime, retention_days,
export_formats, enabled) and the catalog of supported regimes (EU AI Act
Art.12, DORA, NYDFS 500, HIPAA, PCI DSS, SOC 2, generic) and export
formats (signed_json, csv, eat, stix). Authenticated. The compliance
ledger is a tamper-evident, retained record of every verdict you make —
configure it once, then it self-maintains.
| unknown | unknown | unknown |
| compliance_configure Set the customizable knob: which regulatory regime your auditor maps to,
how long to retain decision content, and which export formats to offer.
Body: { enabled?, regime?, retention_days?, export_formats? }. retention_days
is 1..3650; regime is one of the catalog ids; export_formats is a non-empty
subset of [signed_json, csv, eat, stix]. No bespoke engineering — you pick,
the ledger adapts.
| write | true | unknown |
| compliance_export Generates a signed export bundle of your ledger over an optional time
window, mapped to your regime's field names and citation, with a manifest
+ chain-integrity proof + the latest signed checkpoint. Choose the format
with ?format= (signed_json | csv | eat | stix; defaults to your profile's
first) and override the regime with ?regime=. The response is a downloadable
artifact your auditor can verify independently against the spec.
| unknown | unknown | unknown |
| compliance_verify Recomputes your entire hash chain server-side and reports integrity
({ intact, entry_count, chain_head_hash } — plus reason + first_break_seq
if a record was altered or deleted), alongside the most recent Ed25519
checkpoint signed with the TunnelMind receipt key. This is the auditor's
"prove it" button — and even TunnelMind cannot rewrite history before a
signed checkpoint without detection.
| unknown | unknown | unknown |
| get_analyst_config Returns the TunnelMind analyst config bundle. Configures any LLM
(Claude, GPT, Gemini, local) to behave as a TunnelMind analyst that
knows the data graph, follows the 5-call golden path, and surfaces
attestation_tier on every claim.
The bundle is signed inline (Ed25519, key_id from
/.well-known/receipt-signing-key.json). Add `?receipt=true` to wrap
the response in a Receipt v1.0 envelope for end-to-end audit.
Use this tool when:
- You want to configure a new LLM runtime to act as a TunnelMind analyst
- You want to verify the system prompt you're running matches what TunnelMind serves
- You're building a BYOM (bring-your-own-model) deployment and need the canonical config
Do NOT use this tool when:
- You want to call individual TunnelMind data tools — use the tools directly
- You want to verify a specific receipt — use check_receipt_revoked or @tunnelmindai/receipt-verify
Inputs (all optional):
- `surface` (query): "data" (default, full surface), "scry", or "sigil"
- `version` (query): pin a specific bundle version (e.g. "1.0.0" or "1" for latest 1.x.y)
- `receipt` (query): "true" to wrap the response in a signed Receipt v1.0 envelope
Content negotiation (via Accept header):
- `application/json` (default) — full bundle JSON
- `text/markdown` — system prompt only (Anthropic flavor)
- `application/vnd.anthropic.config+json` — Anthropic-shaped subset
- `application/vnd.openai.config+json` — OpenAI-shaped subset
Returns:
- `version`, `schema`, `issuer`, `surface`, `surface_label`
- `system_prompts.{anthropic,openai,generic}` — three encodings of the same semantic prompt
- `tools.surface_subset` — array of operationIds for this surface (null = all)
- `response_format` — JSON Schema the analyst's verdicts must conform to
- `attestation_tiers` — the 4-tier vocabulary (self_asserted → silicon_root)
- `graph_state` — live corpus counts at serve time
- `references` — URLs to the rest of the open-protocol layer
- `bundle_signature` — inline Ed25519 signature for offline verification
- `pin_recommended` — stable supply-chain identifier (survives hourly graph_state updates)
Headers: `X-Bundle-Version`, `X-Pin-Recommended`, `ETag`, `X-RateLimit-*`.
Cost:
- Free, anonymous-accessible. Rate-limited on a SEPARATE counter from data-API calls
(`cfg:ip:<ip>` identity) so a config refetch loop can't burn your data quota.
Latency:
- Typical <100ms (cached); cold fetch <500ms (live Supabase counts).
| write | true | unknown |
| check_receipt_revoked Single-item revocation lookup per Receipt Format v1.0 §8.2. Verifiers that
do not want to maintain a local mirror of `/.well-known/receipt-revocations.json`
call this endpoint instead. The response includes `feed_version` for cache
coherence.
Use this tool when:
- You are verifying a receipt and need to confirm its `signature.key_id` is still trusted.
- You are verifying a receipt and need to confirm the specific `receipt_id` was not retracted by its issuer.
- You hold receipts long-term and want to recheck trust before acting on them.
Do NOT use this tool when:
- You want the full revocation set — fetch `/.well-known/receipt-revocations.json` directly.
- You want to *publish* a revocation — that is operator-controlled and not exposed via this API.
Inputs:
- `key_id` (query, optional): Receipt-format key_id (e.g., `tm-receipt-2026-05`). Provide one of `key_id` or `id`.
- `id` (query, optional): UUIDv7 of a specific receipt. Provide one of `key_id` or `id`.
Returns:
- `revoked`: boolean.
- When revoked: `revoked_at` (ISO 8601), `reason` (human-readable), `replacement_key_id` (for keys).
- Always: `checked_at` (ISO 8601), `feed_version` (integer).
Cost:
- Free; rate-limited like the rest of the data API. Edge-cached 60s.
Latency:
- Typical <100ms (warm cache); p99 <500ms (cold fetch from well-known).
| write | true | unknown |
| scan_mcp Connect to a caller-supplied MCP server (Streamable-HTTP transport),
read its advertised tools, and run the injection corpus over every tool
name / description / input schema — plus a capability heuristic that
flags broad, dangerous powers (shell execution, filesystem write,
credential access, arbitrary network, destructive DB ops). Returns a
per-tool safety report. A caution to review, never a verdict.
This is a single-target, caller-initiated scan. It is NOT a crawler and
does not follow links or enumerate other servers. Loopback / private /
internal hosts are rejected.
Use this tool when:
- You are about to connect an agent to a third-party MCP server and want
to inspect its tools for embedded instructions or excessive powers first.
Do NOT use this tool when:
- You only have a blob of text — use `scan_injection`.
- You want a trust verdict on a domain or entity — use `cross_lens_verify`.
Inputs:
- `url` (body, required): the MCP server endpoint (http/https).
Returns:
- `server`: `{ name, version }` reported by the server, if any.
- `tools_scanned`: number of tools inspected.
- `flagged_count`: tools with an injection hit or a flagged capability.
- `risk`: worst per-tool risk across the server (`high`/`medium`/`low`/`none`).
- `score`: max injection score across tools (0..1).
- `tools`: per tool `{ name, risk, injection{...}, capabilities[] }`.
Cost:
- Free. No API key required.
Latency:
- Bounded by the target server's handshake; typically <2s.
| write | true | unknown |
| get_feedback Public read of the crowd-sourced outcome aggregate for a node — how
callers reported their real-world results after acting on its verdict.
Advisory signal, not a trust verdict. An empty aggregate returns cleanly
with `total: 0` and `signal: none`.
`signal` is derived: `none` (no reports), `insufficient` (<3),
`positive` / `negative` (score past ±0.3), or `mixed`.
| read | false | unknown |
| submit_feedback Close the loop: after you acted on a TunnelMind verdict, tell us how it
went. Reports aggregate per node into an advisory second opinion that any
caller can read back via `GET /v1/feedback/{node}`.
Advisory only. In v0 a negative aggregate does NOT silently lower the
fused trust score — it's a human-weighable signal beside the verdict, not
an automatic reweight.
Use this tool when:
- You acted on a verdict and want to record the real-world outcome
(honored, defrauded, no issue) to help future callers.
Inputs:
- `node` (body, required): the subject — ip, domain, asn, or entity slug.
- `outcome` (body, required): one of `positive`, `negative`, `neutral`.
- `receipt_id` (body, optional): the verdict receipt this outcome refers to.
- `note` (body, optional): free-text context, max 500 chars.
Returns the updated advisory aggregate `{ node, counts, total, score, signal }`.
Cost:
- Free. Requires an API key (authenticated callers only).
| read | false | unknown |
| x402_echo Validates an agent's x402 v1 client implementation against a TunnelMind
surface end-to-end. Two operating modes:
- `mode: "demo"` — HMAC over a nonce against a publicly-published secret.
Does not move USDC. Smoke proves the WIRE works, not money movement.
- `mode: "x402"` — real Coinbase facilitator dispatch (gated on
operator wallet provisioning; currently returns "facilitator not configured").
Without an `X-PAYMENT` header, the endpoint returns HTTP 402 with a standards-
compliant `accepts[]` array (USDC on Base, $0.001).
With a valid `X-PAYMENT` header (base64-encoded payment payload), echoes the
request body and returns an `X-PAYMENT-RESPONSE` settlement header.
Use this tool when:
- You are validating your agent's x402 v1 client implementation against a real
public endpoint.
- You want to demonstrate the full 402 → retry → settle wire end-to-end.
Do NOT use this tool when:
- You need a real paid operation — no TunnelMind production endpoint is gated
behind x402 yet.
Inputs:
- `X-PAYMENT` (header, optional): base64(JSON) per the x402 v1 spec. Without it,
a 402 challenge is returned.
- Request body (optional): any JSON object to be echoed back on successful payment.
Returns:
- On no header: HTTP 402 + `{ x402Version, accepts: [...] }`.
- On valid payment: HTTP 200 + `{ ok: true, data: { echoed, paid_micro_usdc, x402 } }`
and an `X-PAYMENT-RESPONSE` header carrying the settlement record.
- On invalid payment: HTTP 402 + `{ error: "invalid payment", reason }`.
Discovery:
- `https://tunnelmind.ai/.well-known/x402.json` carries the public demo secret
and the HMAC construction recipe.
Cost:
- Free in demo mode (no USDC moved). $0.001 USDC in real-mode (when activated).
Latency:
- Typical <100ms (demo mode); real mode is bounded by facilitator latency.
| write | true | unknown |
02Install & source
https://mcp-data.tunnelmind.ai/mcp
remote_url03Access granted
Manage GitHub · writeQuery a database · writeScrape a website · writeManage cloud infra · writeProcess payments · destructiveWorkflow automation · writeMaps & location · writeRead & write files · writeFinancial data · write
The access this server can exercise, inferred from its verified tools — not a declared OAuth scope.
05Provenance & freshness
sourcesOfficial MCP Registry [p1]
last_checked2026-07-06 20:51Z
next_check2026-07-08 20:41Z
cadenceevery 48h
verifiedtools_list:passed handshake:passed metadata:failed
index_statusindex — 6 unique facts >= 5
06Badge
Add the “as seen on MCPExplorer” badge to your README.
[](https://mcpexplorer.com/servers/tunnelmind-data-api)
Next step
This is one server. A loadout combines the right servers, governance, and proven plays for a whole job — assembled deliberately, not tool-dumped.
Explore loadouts →