XRPL Activity Pattern Classifier
XR-Sentinel reads an XRPL wallet's recent on-ledger behavior and tells you how automated it looks. Quiet human-paced activity, mixed traffic, or the high-frequency pattern of an exchange, market maker, or bot. Behavioral classification, not a risk score.
Click an address above or paste your own. Free from this page. Agents pay $0.10 per scan over the x402 API at sentinel.xrpl-utilities.io.
Operator-curated. Addresses verified against XRPScan well-known and live on-chain ledger reads at the dates noted. RWA issuer wallets are point-in-time observations; trustline counts and on-chain obligations move continuously. The gallery is descriptive, not an endorsement.
Sentinel reads a wallet's last 90 days of on-chain activity and tells you what kind of actor it looks like. Bots, retail wallets, exchanges, AMM pools, issuers, and market makers each leave a distinct signature.
You get back an activity level (Low / Medium / High / Dormant / Unknown), a 0–100 score, structured signal flags, and a short AI narrative tying it together.
Agents pricing OTC trades. Market makers vetting counterparties before quoting. Researchers writing about XRPL flows. Treasuries deciding whether a wallet is shaped like a service they'd integrate with. Anyone who's about to send funds to an address they don't fully recognize and wants 90 seconds of due diligence before clicking send. Not compliance officers; see the panel to the right for what this isn't.
Not a risk score, sanctions screen, AML determination, or credit rating. A "High" activity level usually means an exchange, market maker, or bot, not a warning. The full signal catalog is at /schema; consumers set their own thresholds.
XR-Sentinel implements x402 v2 with the
exact scheme on XRPL mainnet.
Verification and settlement are delegated to the
t54 XRPL facilitator.
POST /scan returns 402 Payment Required with two options: XRP (dynamic, ≈ $0.10 spot) or RLUSD (flat 0.10).
PAYMENT-SIGNATURE.
200 with the report and a PAYMENT-RESPONSE header.
POST /scan/history uses the same x402 flow and price. It returns up to 25 prior recorded scans for an address so agents can read trajectory without scanning the wallet N times themselves. Recording began with schema 2.1.0; older paid scans were not persisted.
xrpl_sentinel_scan · $0.10xrpl_sentinel_scan_history · $0.10
Or skip the integration: call either tool above from an
MCP client (Claude Desktop etc.) via
@xrpl-utilities/mcp
or the hosted endpoint at mcp.xrpl-utilities.io/mcp. Same x402 model, just wrapped as MCP arguments.
from x402_xrpl import X402RequestsSession from xrpl.wallet import Wallet session = X402RequestsSession( wallet=Wallet.from_seed(seed), rpc_url="https://YOUR_XRPL_RPC", payment_requirements_selector="XRP", ) report = session.post( "https://sentinel.xrpl-utilities.io/scan", json={"address": "r..."}, ).json() print(report["activity_level"]) print(report["signals"]) print(report["reasoning"])
activity_score: 0 to 100, scaled to how automated and service-like the wallet behavesactivity_level: Low / Medium / High / Dormant / Unknownconfidence: low / medium / high tier based on transaction depthsignals: array drawn from a published, versioned catalog (35 entries today)features: tx types, IN/OUT split, currencies, dust counts, offer churn, time span, TrustSet / AMM / NFT op counts, failed-tx ratio, median seconds between txs, per-currency net flows, and (for issuers) live outstanding-IOU obligations under issuer_summarygenesis: account-genesis block; activator address + public label, initial XRP funded, activation timestamp + age, and the multi-hop activator chain (terminates at first labeled venue or 5 hops)top_counterparties: top 20 with verified public labels and directionreasoning: AI-generated narrative tying the signals to the score_delta: present when XR-Sentinel has a recorded prior paid scan for the same address. Carries score change, level change, tx-count change, cadence change, and hours since prior scan, so agents can track wallet trajectory without scanning N times themselves.
Full field-level details at /schema. Live manifest at /agents.json.
Click to expand. 35 flags in plain English.
XR-Sentinel reports include a signals array. Short flags drawn from a versioned catalog that describe what kind of behavior the on-chain history looks like. None of these are risk, compliance, or sanctions assessments.
COUNTERPARTY_INSTITUTIONAL. Catches institutional-scale relationships when the counterparty isn't on the curated watchlist but the volume signature is unmistakable. Behavioral context, not a risk verdict.
Fires when: aggregate XRP + RLUSD Payment volume with at least one top counterparty clears $10M USD within the scan window. XRP is valued at current spot; RLUSD is added at $1.00 (issuer-pegged stablecoin). Other (non-RLUSD) IOU Payments are excluded.
INSTITUTIONAL_SCALE_FLOW. Captures institutional-scale escrow relationships rather than direct Payments; useful for catching the vesting / settlement / DvP pattern where value moves through Escrow ledger entries rather than Payment txs. Behavioral context, not a risk verdict. The two signals can co-occur, and that's meaningful: mixed Payment + escrow flow with one counterparty is a stronger institutional signature than either alone.
Fires when: aggregate XRP + RLUSD escrow value with at least one top counterparty clears $10M USD within the scan window. Sums EscrowCreate Amount (when the scanned wallet is creator) plus the underlying Escrow ledger object's Amount on EscrowFinish (recovered from meta.AffectedNodes). Other-IOU escrows excluded; no oracle.
trusted flag is true. Not currently observable in upstream advisory data; reserved for forward compatibility.
lsfRequireAuth and lsfAllowTrustLineClawback set on its AccountRoot flags. Surfaced in the response's features.account_flags.
lsfDepositAuth is set AND at least one DepositPreauth object exists. Surfaced in features.wallet_config.
lsfHighDeepFreeze or lsfLowDeepFreeze. Detected from the same on-chain object scan as the configuration classifier above.
wallet_config.permissioned_offer_count is at least 1. The owning domain_id(s) are returned alongside so consumers can drill through to the XR-Trust directory.
permissioned_domain field of the same /scan response.
INSTITUTIONAL_SCALE_FLOW: the latter fires from this wallet's own scan window, this one captures whale activity Pulse already saw network-wide.
Fires when the wallet has at least one event in Pulse's whale stream above the WHALE_MOVE floor ($1M USD) within the last 30 days. The full block (event count, tier counts, direction counts, total USD volume, last-event timestamp, per-event counterparty list) lands on the top-level whale_context field of the same /scan response.
age_days is less than 30.
age_days is below 90, and the chain does not terminate at a labeled venue.
trusted set to true. Not currently observable; reserved for forward compatibility.
XR-Sentinel produces behavioral pattern classification, not risk assessment. It is not a compliance, AML, sanctions, or forensic service. A "High" activity level is not a risk signal. It typically indicates an exchange, market maker, AMM, validator, or trading bot.
Users are responsible for complying with local digital asset and AI regulations, including the California Digital Financial Assets Law and the Colorado AI Act where applicable.