Overview
What is ATP?
The Agent Trust Protocol (ATP) defines a machine-readable, cryptographically signed certificate format that enables autonomous agents to prove quality, security, and operational fitness to other agents and platforms — without exposing sensitive internal data.
ATP certificates are to agent services what SSL certificates are to web endpoints: verifiable, time-bounded assertions of trustworthiness issued by an authority that can be validated by any consumer. The internet’s trust model evolved in layers — TCP/IP for connectivity, TLS for channel security, X.509 for server identity, OAuth for user identity. ATP addresses the missing layer: quality and safety trust between autonomous agents.
Built on W3C Verifiable Credentials 2.0, signed with Ed25519, and discoverable via RFC 8615 .well-known/, ATP is designed to integrate with the agent ecosystem as it exists today — no greenfield adoption required. A2A Agent Cards, MCP server manifests, and any service capable of serving JSON from a well-known path can publish and consume ATP certificates.
ATP is proposed as an open framework. The specification is published under Apache 2.0 / CC BY 4.0. SyncTek LLC submitted ATP to the NIST Collaborative AI Safety Initiative (CAISI) in March 2026 as a starting point for community-led standardization.
Design Principles
Built on six invariants
Every ATP design decision traces back to these principles.
Verifiable over claimed
Every metric must be backed by a cryptographic proof or attestation chain. Self-reported claims are explicitly marked as such and carry reduced weight.
Selective disclosure
Agents can prove facts about their quality without revealing source code, test suites, or internal architecture. Proving “coverage ≥ 80%” does not require revealing the exact figure.
Composable
Certificates are modular. A quality certificate, a security certificate, and a compliance certificate from different issuers can coexist and be independently verified.
Time-bounded
Every certificate has an explicit validity period. Stale certificates are invalid. No perpetual trust. Platinum and Gold certificates expire in 30 days.
Anti-gaming
Third-party attestation is required for high tiers. Self-certification carries a 0.7x weight penalty. Consistency cross-checks detect metric theater. Historical trend requirements block anomalous score jumps.
Interoperable
Built on JSON-LD and W3C VC 2.0. Discoverable via RFC 8615. Compatible with A2A Agent Cards and MCP server manifests. Implementable without SyncTek tooling.
Trust Tiers
Five tiers, one composite score
The trust score (0–100) is a weighted composite of quality (35%), security (30%), operational (20%), and governance (15%) profiles.
| Tier | Score | Max Validity | Key Requirements |
|---|---|---|---|
| Platinum | 95–100 | 30 days | Zero critical/high vulns. Zero incidents (30d). Audit grade A. VTE pass rate ≥ 90%. Third-party security attestation. |
| Gold | 80–94 | 30 days | Zero critical vulnerabilities. Audit grade A or B+. Test pass rate ≥ 95%. Code coverage ≥ 70%. |
| Silver | 60–79 | 60 days | Zero critical vulnerabilities. Audit grade B− or above. Test pass rate ≥ 85%. |
| Bronze | 40–59 | 90 days | Test pass rate ≥ 70%. Security review within 90 days. |
| Unrated | 0–39 | 30 days | Missing required metrics or fails Bronze threshold. Certificate is valid but signals low confidence. |
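A verifier-side check of the tier table above, added here as an illustration and not taken from the ATP specification or SyncTek tooling: it recomputes the composite score, derives the tier, and rejects a certificate whose claimed tier or validity window exceeds what the table allows. The dictionary field names, the 0–100 scale for each profile score, and the sample certificate are assumptions constructed for this example; signature verification and the remaining per-tier key requirements are left out.

```python
from datetime import datetime, timedelta, timezone

# Weights (percent) and tier table as given on this page.
WEIGHTS = {"quality": 35, "security": 30, "operational": 20, "governance": 15}
TIERS = [("Platinum", 95, 30), ("Gold", 80, 30), ("Silver", 60, 60),
         ("Bronze", 40, 90), ("Unrated", 0, 30)]  # (name, min score, max validity days)

def composite_score(profiles):
    """Weighted composite of four profile scores; a 0-100 scale per profile is assumed."""
    if set(profiles) != set(WEIGHTS):
        raise ValueError("exactly the four ATP profiles are required")
    if any(not 0 <= s <= 100 for s in profiles.values()):
        raise ValueError("profile scores must be within 0-100")
    return sum(WEIGHTS[p] * profiles[p] for p in WEIGHTS) / 100

def earned_tier(score, critical_vulns):
    """Highest tier the score reaches; Silver and above also require zero criticals."""
    for name, floor, max_days in TIERS:
        if score >= floor and (critical_vulns == 0 or floor < 60):
            return name, max_days

def check_certificate(cert, now):
    """Return (accepted, reason). Field names are hypothetical, not the ATP schema."""
    score = composite_score(cert["profiles"])
    tier, max_days = earned_tier(score, cert["critical_vulns"])
    if cert["claimed_tier"] != tier:
        return False, f"claims {cert['claimed_tier']} but evidence supports {tier}"
    if cert["valid_until"] - cert["valid_from"] > timedelta(days=max_days):
        return False, f"validity exceeds the {max_days} days allowed for {tier}"
    if not cert["valid_from"] <= now <= cert["valid_until"]:
        return False, "outside validity period"
    return True, f"{tier}, score {score:.2f}"

# Constructed sample certificate and clock, for illustration only.
NOW = datetime(2026, 4, 10, tzinfo=timezone.utc)
SAMPLE = {
    "claimed_tier": "Gold",
    "profiles": {"quality": 90, "security": 85, "operational": 80, "governance": 75},
    "critical_vulns": 0,
    "valid_from": datetime(2026, 4, 1, tzinfo=timezone.utc),
    "valid_until": datetime(2026, 5, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    print(check_certificate(SAMPLE, NOW))
    print(check_certificate(dict(SAMPLE, critical_vulns=2), NOW))
```

The second call shows why a consumer should not rely on the score alone: the same 84.25 composite with two critical vulnerabilities no longer supports the claimed Gold tier.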
Certificate Architecture
Four trust profiles
Each ATP certificate contains four independently-attestable profiles, each signed by the relevant authority.
Quality Profile
Automated test pass rates, code coverage, VTE (virtual test environment) scenario results, and documentation completeness. Answers: Does it do what it claims?
Security Profile
Vulnerability counts by severity, authentication posture, encryption status, incident history, and secrets exposure risk. Answers: Is it safe to work with?
Operational Profile
Uptime SLA versus measured uptime, P95 response latency, incident counts over 30 days, and monitoring infrastructure. Answers: Will it be available?
Governance Profile
System health audit grade, gate completion rate, separation-of-duty enforcement, ledger integrity, and violation counts. Answers: Is it operating under meaningful oversight?
Resources
Specification & schemas
All resources are static and freely accessible. No registration or API key required.