Everything The Peptide Watch knows is open to machines: a public no-auth REST API, a CC BY 4.0 dataset, an MCP server, and agent-discovery manifests. No key, no login.
GET https://thepeptidewatch.com/data/vendors.json returns the full audit (headline finding + every vendor with verdict, COA type, Trustpilot, BPC-157 £/mg, audit URL). CC BY 4.0, CORS-open.
POST https://thepeptidewatch.com/api/check-coa with JSON { "image": "data:image/...", "vendor": "example.com" } → forensic verdict (genuine-independent / self-made / borrowed / fabricated / stale …). No auth; 30 requests/day/IP. OpenAPI: /openapi.json.
POST https://thepeptidewatch.com/mcp speaks Model Context Protocol over Streamable HTTP (JSON-RPC 2.0). Tools: lookup_vendor, list_vendors, get_headline_finding. Server card: /.well-known/mcp/server-card.json.
Agent-discovery manifests: /.well-known/api-catalog (RFC 9727) · /.well-known/agent-skills/index.json · /auth.md · /llms.txt · /llms-full.txt. Every page also advertises these via an RFC 8288 Link response header.
Authentication: none, see /auth.md. The APIs are deliberately public; the only limit is 30 COA checks/day per IP.
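A client-side sketch of the check-coa request described above, added here as an example and not the site's own code. It builds the { "image", "vendor" } body from raw image bytes and refuses to send once a local counter reaches the 30/day limit. The PNG/JPEG check, the hostname normalisation and the calendar-day reset are assumptions; the page does not say which image types are accepted or when the limit resets.

```python
import base64
import datetime
import json
from urllib.parse import urlsplit

ENDPOINT = "https://thepeptidewatch.com/api/check-coa"  # from the page
DAILY_LIMIT = 30                                        # from the page: 30 requests/day/IP

# Magic bytes for the image types this sketch accepts (assumption: the page
# only shows "data:image/...", not which formats the API takes).
_MAGIC = {b"\x89PNG\r\n\x1a\n": "image/png", b"\xff\xd8\xff": "image/jpeg"}

def image_data_uri(raw: bytes) -> str:
    """Encode image bytes as the data: URI expected in the "image" field."""
    for magic, mime in _MAGIC.items():
        if raw.startswith(magic):
            return f"data:{mime};base64,{base64.b64encode(raw).decode('ascii')}"
    raise ValueError("not a PNG or JPEG image")

def vendor_host(value: str) -> str:
    """Reduce a URL or bare domain to a lowercase hostname such as example.com."""
    parts = urlsplit(value if "//" in value else "//" + value)
    if not parts.hostname or "." not in parts.hostname:
        raise ValueError(f"no hostname in {value!r}")
    return parts.hostname.lower()

class DailyBudget:
    """Local counter so a batch job stops before the per-IP limit.
    The limit is per IP, so hosts behind one NAT address share it."""
    def __init__(self, limit: int = DAILY_LIMIT):
        self.limit, self.day, self.used = limit, None, 0

    def take(self, today: datetime.date) -> bool:
        if today != self.day:          # assumed reset on calendar-day change
            self.day, self.used = today, 0
        if self.used >= self.limit:
            return False
        self.used += 1
        return True

def build_request(raw: bytes, vendor: str, budget: DailyBudget, today: datetime.date):
    """Return (url, headers, body) for any HTTP client, or None if over budget.
    Inputs are validated first, so a rejected file does not consume budget."""
    body = json.dumps({"image": image_data_uri(raw), "vendor": vendor_host(vendor)})
    if not budget.take(today):
        return None
    return ENDPOINT, {"Content-Type": "application/json"}, body.encode("utf-8")

if __name__ == "__main__":
    sample = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed bytes, not a real COA
    print(build_request(sample, "https://Example.com/shop", DailyBudget(), datetime.date.today()))
```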