EcoCitizenZ
Add-on

Software & API Trust Add-on

Extended trust coverage for software components and API endpoints. Attaches software supply chain evidence to the identity spine.

Who it is for: Operators extending an active passport stack.

In plain terms

Software & API Trust Add-on attaches Resolver-verifiable identity and policy metadata to your software repositories and API surfaces, so a counterparty can resolve the operator behind a build artefact, container image, or live endpoint.

The real-world problem

What this removes

Counterparties consuming your software or APIs cannot tell, at integration time, who is accountable for the artefact, what policies it is bound to, or whether the credential behind it is current. Procurement, partner onboarding, and platform reviews stall on uncheckable supply-chain identity.

Why this causes delay or loss

Integration approvals slip while reviewers chase repository ownership, build provenance, and API operator identity by email and PDF. Software supply-chain incidents extend because there is no Resolver-verifiable pointer to the responsible operator.

Ambiguity removed

Removes ambiguity about who is accountable for a software artefact or API endpoint, and which passports and policies are bound to it.

What it binds / includes

Scope of accountability

Binds software repository ownership, build artefacts, container images, and API endpoints to the parent passport, child passports (Software Supply Chain, API Passport), and any declared policies, with current state resolvable through Resolver.

Parent requirement: Requires an active ECZ-ID Business Passport™ and the relevant child passports (per TrustOps).

Detailed inclusions are confirmed in TrustOps. Developer Gateway documents the model only.

Typical buyers / operators

  • Software vendors selling into regulated buyers
  • API providers serving partner integrations
  • Platforms enforcing supplier supply-chain identity

Pre-mandate value

Lets serious buyers and partners verify the operator behind your software and API surfaces before integration, without manual repository or domain-ownership review.

Stack contributions

What PulseGuard™, LedgerCore™, and Resolver contribute

PulseGuard™

PulseGuard™ contributes present-state monitoring such as liveness, freshness, revocation or suspension state, and posture changes where supported by the activated passport/package.

LedgerCore™

LedgerCore™ records decisive lifecycle and evidence events where supported, such as issuance, activation, authority changes, child passport creation, revocation, bundle activation, badge state changes, or receipt references.

Resolver

Resolver shows current state for this product where supported — including active/suspended status, parent linkage, attached child passports/packages/add-ons, and the most recent receipt references. Current proof must be checked in Resolver.

Badge / mandate plate

Where this product has an ECZ-ID badge or mandate plate, the badge is an embeddable visual pointer to the Resolver state. The badge is not proof by itself; the Resolver check is the proof surface.

Insurability Readiness™ impact

Insurability Readiness™ is derived, free, non-sellable, and not manually editable. It is earned from the active passport stack, PulseGuard state, and LedgerCore evidence where supported. You do not buy readiness; you earn it.

Customer questions

What buyers and counterparties ask

  • Does this prove my software is secure?

    No. It proves the operator behind the software, the bound passports, and the declared policies — all resolvable through Resolver. Security assessment is separate.

  • Do I need this if I already have an SBOM?

    They are complementary. An SBOM describes contents; this add-on lets a counterparty resolve the accountable operator.

Boundary of claim

What this product does not claim

  • Does not certify the software is safe, secure, or free of vulnerabilities.
  • Does not constitute approval by GitHub, npm, PyPI, or any other platform.
  • Does not replace SBOM, code review, or vulnerability scanning processes.
  • Does not change canonical state in Resolver — current state must still be checked there.

Guided flow

Six steps from need to resolved state

  1. Understand the need

    Decide what commercial friction you are trying to remove. Developer Gateway documents the model. It does not determine eligibility, issue credentials, or create entitlements.

  2. Confirm parent requirement

    Every child passport, package, and add-on attaches to an active ECZ-ID Business Passport™. Verified or Assured may be required (per TrustOps).

  3. Review what this product does

    Check what is bound, what is included, and what it does not claim. No safety, certification, approval, or partnership claim is made on this page.

  4. Continue to TrustOps

    Acquisition, activation, payment, and lifecycle happen in TrustOps. Developer Gateway only routes the handoff.

  5. Return to Developer Gateway

    After TrustOps, return here for next-step docs and related guidance. Developer Gateway still does not prove current state.

  6. Check current proof in Resolver

    Current proof must be checked in the public Resolver. Copied metadata, screenshots, or website claims do not replace Resolver.

TrustOps midpoint

Acquisition, setup, payment, and lifecycle happen in TrustOps

Developer Gateway only routes. It does not host checkout, change canonical state, issue credentials, or replace Resolver proof. TrustOps owns the operational state for this product.

Browse add-ons and services in TrustOps

TrustOps URL: https://trustops.ecocitizenz.com/start

Return path

Come back here for next-step docs

After TrustOps completes acquisition or activation, return to Developer Gateway for related docs and guided next steps. Developer Gateway still does not prove current state. Current proof remains in Resolver.

Resolver proof

Current proof must be checked in Resolver

Copied metadata, screenshots, badges on third-party websites, or any claim made on Developer Gateway do not replace Resolver. The Resolver is the sole public proof surface for ECZ-ID.

Resolver URL: https://resolver.ecocitizenz.org

Recommendation

Find your recommended starting point

Enter your website URL. TrustOps will use it to recommend a starting point. Developer Gateway sends the URL only; TrustOps handles the recommendation, setup, payment, and lifecycle controls.

Developer Gateway does not host checkout, change canonical state, issue credentials, or replace Resolver proof. Current proof must be checked in Resolver.

ECZ-ID separates setup, verification state, and public proof. Developer Gateway documents setup paths and verifier guidance. TrustOps handles setup. Resolver remains the public proof surface. Re-check before reliance. Local policy decides.