Sign & Verify

Create trustable agent capsules using asymmetric cryptography and open standards. Secure your content, prove its origin, and gain trust.

1️⃣ Why Sign?

Authenticity, Integrity, and Traceability

Agents need to know the *origin* and *trust level* of a feed. Unsigned = untrusted. Signing with your private key lets agents verify the content using your public key.

Signing protects against tampering, spoofing, or hallucination. For sensitive data like credentials, it's a must. For exports and public data, it enables traceability: who published what and when.

2️⃣ Asymmetric Crypto for Humans 🔐

One key to sign, one key to verify

Your private key is secret and used to sign the feed.

Your public key is shared (usually at /.well-known/public.pem) and used by agents to verify the feed.

It’s simple, proven, and powers the security of the web.

3️⃣ Trust Block Structure

Declare the level of trust and what’s signed

  • trust.trust_level (e.g. self-declared, certified)
  • trust.scope (e.g. partial, full)
  • trust.signed_blocks: the list of blocks the signature covers
  • trust.public_key_hint: where to find the public key
  • signature: the cryptographic proof
  • certification: optional endorsement by a neutral third party like LLMCA
  • Agent behavior override: must be signed to be accepted (e.g. mcp-agent-behavior-override.llmfeed.json)

4️⃣ Feed Types & Why They Need Signing

Different purpose, different risk

  • mcp.llmfeed.json: handshake + entrypoint, should be fully signed
  • llm-index.llmfeed.json: list of feeds, partially signed is OK
  • capabilities.llmfeed.json: API capabilities, recommended to sign
  • export.llmfeed.json: traceability of export, signature helps future reuse
  • credential.llmfeed.json: API key or token, must be fully signed
  • export-bundle.llmfeed.json: archive manifest, full signature guarantees bundle integrity

5️⃣ Signature vs Certification

What’s the difference?

Signature proves the content was published by you. It’s self-issued using your private key.

Certification is an additional trust layer, where a neutral third party (like llmca.org) attests that your feed follows best practices and signs the signature.

6️⃣ Minimal vs Full Signature

Know what you protect

Signing only some blocks = minimal scope, for traceability.

Signing all blocks = full signature, used for trust-sensitive feeds.

Certification typically covers signed blocks (sometimes including the signature block itself).
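The scope distinction above, as an added Go example (not code from this page or from the project's tooling): an agent-side check that rebuilds the signed payload from trust.signed_blocks and verifies it. Ed25519, the signature.value field, sorted-key JSON as the canonical form, and the block names "metadata" and "data" in the constructed sample are assumptions, since the page does not specify them.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// payload serialises only the blocks in trust.signed_blocks; sorted-key json.Marshal is an assumed canonical form.
func payload(f map[string]any) []byte {
	trust, _ := f["trust"].(map[string]any)
	names, _ := trust["signed_blocks"].([]any)
	if len(names) == 0 {
		return nil // nothing declared as signed: never sign or accept "{}"
	}
	covered := map[string]any{}
	for _, n := range names {
		name, _ := n.(string)
		covered[name] = f[name] // a stripped block becomes null, so the check fails
	}
	out, _ := json.Marshal(covered)
	return out
}

// Verify checks signature.value (assumed: base64 Ed25519) against the feed as received.
func Verify(f map[string]any, pub ed25519.PublicKey) bool {
	sig, _ := f["signature"].(map[string]any)
	val, _ := sig["value"].(string)
	raw, err := base64.StdEncoding.DecodeString(val)
	msg := payload(f)
	return err == nil && msg != nil && ed25519.Verify(pub, msg, raw)
}

// Demo signs a constructed sample, then verifies it intact, after editing unsigned "data", and after editing signed "trust".
func Demo() (intact, unsignedEdit, signedEdit bool) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	var f map[string]any
	json.Unmarshal([]byte(`{"metadata":{"origin":"https://example.org"},"data":{"note":"hello"},
	 "trust":{"trust_level":"self-declared","scope":"partial","signed_blocks":["metadata","trust"]}}`), &f)
	f["signature"] = map[string]any{"value": base64.StdEncoding.EncodeToString(ed25519.Sign(priv, payload(f)))}
	intact = Verify(f, pub)
	f["data"].(map[string]any)["note"] = "changed"
	unsignedEdit = Verify(f, pub)
	f["trust"].(map[string]any)["trust_level"] = "certified"
	return intact, unsignedEdit, Verify(f, pub)
}

func main() { fmt.Println(Demo()) } // prints: true true false
```

The second result is the one to note: with partial scope, an edit to a block outside signed_blocks still verifies, so an agent should treat every unlisted block as unsigned.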

7️⃣ Easy Start, Real-World Use Cases

Don't overthink: sign what matters

  • Credential capsule: full signature is mandatory
  • Export of a dashboard: signature helps keep a trace
  • Agent bundle (zip): signature guarantees bundle integrity

Start by signing with a local tool or open script. Need help? Contact opensource@wellknownmcp.org

🛠️ Coming soon

We’re making it easier

  • No public key hosting? → We’ll host one for you
  • Can’t sign locally? → Use our delegated signing API
  • Too complex? → Seamless Sign & Verify SDK coming
  • Scripts and canonical rules → Open and hosted by llmca.org

Open standard is the key: use our tools or build your own.

Don’t let closed ecosystems define the future of AI trust. The race is open. The winners will be transparent.

📦 Prompt Capsules and Trust

Signed behavior prompts must be verified

Prompts that modify the behavior of an LLM, like switching to MCP mode or exporting sessions as feeds, must be signed.

Agents will reject or ignore them unless:

  • They are cryptographically signed
  • The signature is verifiable against /.well-known/public.pem
  • The user consents to the injection

Injecting an unsigned prompt is a potential attack vector. Verification protects trust.