Documentation

Everything you need to understand, integrate, and verify ProofClaw trust infrastructure.

What is ProofClaw?

ProofClaw is trust infrastructure for AI agents. It lets publishers prove what their agent does — and lets platforms and users verify those claims independently.

Agents declare their identity, permissions, and capabilities.
An independent notary reviews the declaration and signs a Trust Card — a portable JSON attestation.
Runtime enforcement policies gate what the agent can actually do at deploy time.
Anyone can verify a badge or Trust Card against the transparency log.

Core concepts

Trust Card: A portable JSON attestation that binds an agent's identity, version, permissions, and shield score to an Ed25519 signature. It travels with the agent and can be verified by anyone.
Notary: An independent review function that examines an agent's declared capabilities and signs the Trust Card if they pass validation. The notary's public key is published in the transparency log.
Runtime enforcement: Shield policies that gate network access, secret handling, and tool risk at deploy time. Outcomes are allow, block, or needs_approval. Enforcement happens before the agent runs — not after.
Badge: A visual representation (SVG) of the Trust Card's status, designed for embedding in READMEs and marketplace listings. It contains the same Ed25519 signature and can be verified programmatically.
Shield score: A deterministic score (0–100) reflecting the risk profile of an agent's declared permissions: network access, secret handling, tool risk, and data retention. Higher scores indicate lower risk.
Transparency log: An append-only, hash-chained record of every notarization, revocation, badge issuance, and key rotation. Entries cannot be silently removed or modified.

Quickstart

Get a local ProofClaw environment running in five steps.

1
Install the CLI
Install the AgentShield CLI from the GitHub releases page or via your package manager.
```
npm install -g agentshield
```
2
Register your agent
Declare your agent's identity, version, and capabilities in a manifest file.
```
agentshield init --name "my-agent" --version 1.0.0
```
3
Submit for notarization
Send your manifest to the notary for review. The notary validates your declaration and signs a Trust Card.
```
agentshield notarize --manifest agent.json
```
4
Build the portal bundle
Compile your Trust Card, badge, and metadata into a portal bundle for serving.
```
agentshield portal-build --trust-root trust/ \
  --out artifacts/portal
```

Serve and verify

Start the trust server and verify your badge locally.

agentshield trust-serve --root artifacts/portal

# In another terminal:
agentshield verify-badge-file --file badge.svg \
  --trust-root trust/

Need help? See the expanded quickstart guide for environment variables and local development tips.

Verify a badge

ProofClaw badges and Trust Cards use Ed25519 signatures. You can verify them via the CLI, the web verifier, or programmatically.

CLI verification

1.Obtain the badge SVG or Trust Card JSON from the agent's listing, README, or publisher.
2.Run the verification command against the trust root.
3.Check the output for signature validity, revocation status, and shield tier.

# Verify a Trust Card
agentshield verify-trust-card --file trust_card.json \
  --trust-root trust/ --require-keyring

# Verify a badge file
agentshield verify-badge-file --file badge.svg \
  --trust-root trust/

# Verify entire portal integrity
agentshield verify-portal --root artifacts/portal

Web verifier

1.Go to the ProofClaw web verifier.
2.Enter the agent ID or paste the Trust Card JSON.
3.The verifier checks the signature, revocation status, and displays the trust summary.

API verification

1.Call the trust endpoint with the agent ID.
2.The response includes the Trust Card, signature status, and shield score.
3.Validate the Ed25519 signature against the notary public key.

curl https://www.proofclaw.io/api/trust/my-agent-id

Badges show provenance; they don't guarantee safety.

Always review high-risk tools independently, even if the agent is verified.

Revocation checks require network access. Offline verification confirms the signature only.

For the full verification flow, see the Trust Center or try the web verifier.

Integration

Embed ProofClaw trust signals in your platform, marketplace, or developer portal.

Embed a badge

Add a verified badge to your agent's README or listing page. The badge SVG is self-contained and includes the Ed25519 signature.

<!-- Markdown -->
![ProofClaw Badge](https://www.proofclaw.io/api/badge/my-agent-id)

<!-- HTML -->
<img src="https://www.proofclaw.io/api/badge/my-agent-id"
     alt="ProofClaw verified" />

Fetch a Trust Card

Retrieve the full Trust Card JSON for an agent via the API. Use this for programmatic trust checks in your CI/CD pipeline or platform middleware.

curl https://www.proofclaw.io/api/trust/my-agent-id

# Response includes:
# - agent identity + version
# - shield score + tier
# - Ed25519 signature
# - revocation status

Verify endpoint

Use the verification endpoint to check an agent's trust status before deployment or installation.

GET /api/trust/{agentId}

# Returns:
# 200  — verified Trust Card
# 404  — agent not found
# 410  — Trust Card revoked

See the integration guide for embed snippets, API details, and partner onboarding.

Frequently asked questions

What is the difference between a Trust Card and a badge?

A Trust Card is the full JSON attestation — it contains the agent's identity, permissions, shield score, and cryptographic signature. A badge is a visual SVG representation of that Trust Card, designed for embedding in READMEs and listings.

Do I need the CLI to verify a badge?

No. You can verify badges via the web verifier at /trust/verify, programmatically via the API, or offline using the notary's public key. The CLI is one option among several.

What does the shield score measure?

The shield score (0–100) reflects the risk profile of an agent's declared permissions: network access, secret handling, tool risk levels, and data retention. Higher scores indicate more constrained, lower-risk configurations.

Can a Trust Card be revoked?

Yes. Publishers can revoke a Trust Card at any time. Revocations are recorded in the transparency log and propagate to all verification endpoints within minutes.

Does ProofClaw monitor agents at runtime?

No. ProofClaw provides trust attestation and verification infrastructure. Runtime enforcement is handled by shield policies at deploy time. Ongoing monitoring is the responsibility of the platform operator.

What happens when an agent is updated?

Each version requires its own notarization. An existing Trust Card covers only the specific version it was issued for. Previous Trust Cards remain valid unless explicitly revoked.

Is the transparency log public?

The log is designed for public read access. A public query API is being rolled out — contact us for early access.

Can I verify a badge offline?

Yes. If you have the notary's public key, you can verify the Ed25519 signature on a badge or Trust Card without network access. Revocation checks do require a network call.

Verify a badge Get verified GitHub