EcoCitizenZ
HomeAgent Trust Card
Setup examples · No secrets

Agent Trust Card

Safe placeholder setup examples for the three resolver-identifiable surfaces ECZ-ID supports today: /.well-known/ecz-agent.json, /.well-known/ecz-mcp.json, and OpenAPI x-ecz-id. These examples are illustrative. They are not live credentials. ECZ-ID keeps setup, verification state, and public proof separated by design. The Agent Trust Card is documentation only.

Never embed in these files:
  • No secrets.
  • No private keys.
  • No API keys.
  • No webhook secrets.
  • No raw logs.
  • No raw telemetry.

/.well-known/ecz-agent.json

Discovery manifest published on the agent’s authorised origin. Discovery only — it is not proof. Resolver projects current state.

/.well-known/ecz-agent.json
{
  "schema_version": "ecz-agent-json-v1",
  "type": "agent",
  "parent_ecz_id": "<ECZ-XX-XXXXXX>",
  "agent_credential_id": "<ECZ-XX-XXXXXX::AGENT-XXXXXX>",
  "manifest_url": "https://<your-origin>/.well-known/ecz-agent.json",
  "public_keyset_url": "https://<your-origin>/.well-known/jwks.json",
  "issued_at": "<ISO-8601 timestamp>",
  "reverify_before_reliance": true,
  "do_not_infer": [
    "safety",
    "certification",
    "approval",
    "insurance",
    "full_compliance",
    "platform_endorsement"
  ]
}

/.well-known/ecz-mcp.json

Discovery manifest published on the MCP server’s operator origin. Discovery only — it is not proof. No secrets.

/.well-known/ecz-mcp.json
{
  "schema_version": "ecz-mcp-json-v1",
  "type": "mcp_server",
  "parent_ecz_id": "<ECZ-XX-XXXXXX>",
  "mcp_binding_id": "<ECZ-XX-XXXXXX::MCP-XXXXXX>",
  "operator_origin": "https://<your-origin>",
  "manifest_hash": "sha256:<hash-of-canonical-manifest>",
  "package_ref": "<npm-or-pypi-or-other-package@version>",
  "repo_ref": "<git-host>/<org>/<repo>@<commit-sha>",
  "container_ref": "<registry>/<image>@sha256:<digest>",
  "reverify_before_reliance": true,
  "do_not_infer": [
    "safety",
    "certification",
    "approval",
    "insurance",
    "full_compliance",
    "platform_endorsement"
  ]
}

OpenAPI x-ecz-id

OpenAPI 3.1 extension fields that reference the parent ECZ-ID, API Passport, optional Agent Credential, and the recheck-before-reliance flag.

openapi.yaml
openapi: 3.1.0
info:
  title: Example API
  version: "1.0.0"
  x-ecz-id:
    parent_ecz_id: <ECZ-XX-XXXXXX>
    api_passport_id: <ECZ-XX-XXXXXX::API-XXXXXX>
    api_origin: https://api.example.com
    spec_hash: sha256:<hash-of-canonical-spec>
  x-ecz-api-passport: <ECZ-XX-XXXXXX::API-XXXXXX>
  x-ecz-agent-credential: <ECZ-XX-XXXXXX::AGENT-XXXXXX>
  x-ecz-reverify-before-reliance: true
Start setup in TrustOps ↗Open Resolver ↗View OpenAPI x-ecz-id docs →
ECZ-ID keeps setup, verification state, and public proof separated by design. TrustOps handles setup. Resolver remains the public proof surface. Local policy decides. Re-check before reliance. Canonical TrustOps handoff: https://trustops.ecocitizenz.com/start.