EcoCitizenZ
Agent Trust · Public hub

ECZ-ID Agent Trust

Make AI agents, APIs, MCP servers, and tool surfaces resolver-verifiable. Developer Gateway explains the model, documents the discovery surfaces, and routes acquisition to TrustOps and proof to Resolver. It does not write truth. It does not host checkout. It does not replace Resolver.

Start guided Agent Trust flow →Set up in TrustOps ↗Open Resolver ↗

ECZ-ID Agent Credential™

A resolver-verifiable reference for one logical agent, bound to an accountable operator. One Agent Credential equals one logical agent. Acquisition and lifecycle live in TrustOps. Current proof lives in Resolver.

ECZ-ID API Passport™

A resolver-verifiable reference for one authorised API surface. One API Passport equals one authorised API surface. Required when the agent exposes or depends on authorised API surfaces under ECZ-ID rules.

How the model works

Manifests are discovery only

Manifest, JSON, and header signals help relying parties find the credential reference. They are not proof.

Copied JSON does not copy trust

A manifest moved to another origin or frozen in time does not transfer the underlying credential.

Resolver is proof

Current state — including authorised origins and lifecycle status — is confirmed in Resolver.

TrustOps owns lifecycle

Acquisition, activation, billing, suspension, and lifecycle control happen in TrustOps.

Developer Gateway documents and routes

No checkout here. No proof clone here. No truth writing here. No marketplace approval claims here.

One credential = one logical thing

One Agent Credential per logical agent. One API Passport per authorised API surface.

Supported Agent Trust surfaces

Each surface is discovery, local check, education, or routing. None of them write truth. None of them replace Resolver.

VS Code extension
Local workspace scan, gap check, manifest scaffold guidance, Resolver link.
GitHub App / GitHub Marketplace
Repo and PR discovery, scaffold, routing. Free listing only.
Browser extension
Active-tab manifest detection and Resolver proof panel.
MCP Verifier
Fail-closed verifier for MCP and tool endpoints.
Subscription / commerce surfaces
Acquisition routing only. No verification state. No checkout drift.
GPT / helper surface
Education and setup guidance only.
AWS / Bedrock docs
Documentation, metadata, and checker positioning only.
NVIDIA / NIM / NGC docs
Documentation, metadata, and checker positioning only.

Documentation

Public reference for the discovery surfaces, the API Passport rules, the TrustOps handoff, the Resolver proof model, the forbidden-claims governance, and the abuse-report path.

Discovery only · Resolver is proof
Manifest & Discovery Surfaces
Manifests are discovery only. They help relying parties find an Agent Credential or API Passport reference. They are not proof.
Schema reference · Discovery only
ecz-agent.json — Schema Reference
Required and recommended fields for the /.well-known/ecz-agent.json discovery manifest. The example below is illustrative only and is not a live credential.
Discovery metadata · Not proof
OpenAPI x-ecz-id Extensions
How to declare ECZ-ID Agent Credential and API Passport references inside OpenAPI documents using the x-ecz-id family of extensions.
Required when API surfaces are involved
API Passport — When and Why
One API Passport equals one authorised API surface. API Passports are required when the agent exposes or depends on authorised API surfaces under ECZ-ID rules.
Verifier wedge · Resolver-checked
MCP Verifier
A fail-closed verifier for MCP server and tool endpoints. It checks discovery surfaces and resolves current state via Resolver before allowing high-risk calls to proceed.
Discovery and routing · Free listing
GitHub App
Repository-level discovery and PR check annotations that route maintainers to TrustOps for setup and to Resolver for current proof.
Local discovery · Privacy-first
VS Code Extension
Local workspace scan for agent and API trust metadata gaps, with manifest scaffold guidance, Resolver links, and TrustOps handoff.
Active-tab only · Minimal permissions
Browser Extension
Active-tab proof check. Detects discovery manifests and headers on the current site and surfaces a Resolver proof panel for the referenced credentials.
Routing only · No checkout here
TrustOps Handoff
Acquisition, activation, billing, and lifecycle live in TrustOps. Developer Gateway only routes there. There is no checkout on this site.
Sole public proof surface
Resolver Proof
Resolver is the sole public proof surface. Anything that looks like proof but is not Resolver is not proof.
Content governance · Mandatory
Forbidden Claims & Safe Wording
Public copy must not overclaim certification, safety, monitoring, partnership, or quantum properties. This page lists prohibited phrases and the safe wording to use instead.
Intake only · No takedown promise
Abuse Report
Report suspected misuse of ECZ-ID discovery surfaces, manifests, or proof references. Reports do not themselves decide truth.
Architecture map
Surface Map
Where each ECZ-ID surface fits, and which surface is allowed to write truth, control lifecycle, prove state, or merely route.
Public guidance · Badge = gateway · Resolver = proof
How to use ECZ-ID badges safely
A badge is a resolver-linked verification gateway. It is not proof by itself. This page explains the safe rules for customers, developers, platforms, procurement teams, and agents — and gives copy-paste embed examples.

Developer Gateway does

  • Explain the Agent Trust model
  • Document the discovery surfaces and schema
  • Guide developers and operators through setup choices
  • Route acquisition and lifecycle actions to TrustOps
  • Route proof checks to Resolver
  • Document the abuse-report path

Developer Gateway does not

  • Write truth or issue credentials
  • Host acquisition, billing, or lifecycle control
  • Replace Resolver as the proof surface
  • Operate as a marketplace checkout
  • Certify safety, security, lawfulness, or platform approval
  • Make partnership claims that are not proven

Next steps

Use the guided Agent Trust flow to identify which passports your situation needs. Use TrustOps to set up. Use Resolver to confirm current proof.

Start guided flow →Set up in TrustOps ↗Open Resolver ↗Manifest docs →API Passport docs →Resolver proof docs →Forbidden claims →Report abuse →