Version: 1.2.0 Date: May 2026 License: CC-BY-4.0 Status: Published Author: VeriSwarm (veriswarm.ai)
What changed in v1.2? Added Calibration as a fifth standard trust dimension — a measure of how well an agent's reported confidence matches its actual outcomes, scored with a rolling Brier metric. Two new event types (
agent.confidence_reported,agent.task_outcome) bring the taxonomy from 22 to 24. Composite weights are now profile-dependent (the prior claim of identical weights across profiles no longer holds): calibration-aware profiles carry a per-vertical calibration weight. See §10.1 Changelog for the full diff.What changed in v1.1? Event taxonomy reconciled with reference-implementation names (was previously aspirational). Added optional extensions for inter-agent transport signing, signed template exports, declarative policy engines, knowledge-source verification, and compliance attestation endpoints. Expanded reputation signal types. MCP server tool count updated from 39 to 67. v1.1.1 patch: corrected §2 score-snapshot field names, profile composite-weight table, tier model (5 codes, action-dependent decisions), and §4.1 JWT credential claim shape to faithfully describe the reference implementation.
The Open Agent Trust Specification (OATS) defines a standard format for expressing, transmitting, and verifying trust information about AI agents across platforms and providers.
As AI agents gain autonomy — executing tool calls, accessing data, and making decisions — platforms need a common language for trust. OATS provides that language.
An Agent Trust Score is a structured representation of an agent's behavioral trustworthiness at a point in time. Each dimension carries a score (integer 0–100) and a confidence (float 0.0–1.0). Risk additionally carries a band; autonomy additionally carries a label; calibration additionally carries an optional brier_avg (the rolling Brier average the score is derived from).
{
"oats_version": "1.2",
"agent_ref": "sha256:a1b2c3d4...",
"scored_at": "2026-05-09T12:00:00Z",
"identity": { "score": 82, "confidence": 0.9 },
"risk": { "score": 15, "confidence": 0.85, "band": "low" },
"reliability": { "score": 78, "confidence": 0.88 },
"autonomy": { "score": 45, "confidence": 0.7, "label": "human_assisted" },
"calibration": { "score": 79, "confidence": 0.8, "brier_avg": 0.21 },
"composite_trust": 76,
"policy_tier": "tier_2",
"scoring_profile": "general",
"provider_id": "sha256:e5f6g7h8...",
"event_count": 1247,
"window_days": 30,
"explanations": [
"Identity confidence is 82 based on verification and runtime disclosures.",
"Risk score is 15 (low) based on behavioral safety signals.",
"..."
]
}
The dimension sub-objects are top-level keys (not nested under a scores envelope). Field name is score — earlier drafts used value; that name is deprecated.
OATS defines five standard trust dimensions:
| Dimension | Range | Description |
|---|---|---|
| Identity | 0-100 | Strength of agent identity verification (ownership, manifests, delegation chains) |
| Risk | 0-100 | Behavioral risk level (higher = more risky). Based on security incidents, policy violations, and anomalous behavior. |
| Reliability | 0-100 | Task completion consistency. Based on success rates, error handling, escalation behavior. |
| Autonomy | 0-100 | Earned independence level. Based on trust history duration and consistency. |
| Calibration | 0-100 | Confidence-to-outcome alignment. Measures whether the confidence an agent reports on a task matches the outcome it gets, scored with a rolling Brier metric. Higher = better calibrated. (Added in v1.2.) |
Each dimension includes a confidence value (0.0-1.0) reflecting the quality of the underlying evidence.
Calibration is orthogonal to the other four: an agent can be highly reliable yet poorly calibrated (confidently wrong on the tasks it fails) or vice versa. Because the calibration score cannot be reconstructed from the other dimensions, it is represented as its own dimension rather than folded into reliability. Calibration is scored only once an agent has accumulated a minimum number of confidence-outcome pairs (profile-configurable; see §2.5); below that threshold a conformant implementation SHOULD omit the dimension or mark its confidence as low rather than emit a score from insufficient evidence.
The composite trust score is a weighted combination of the trust dimensions. As of v1.2, composite weights are profile-dependent — earlier spec versions stated that all profiles shared identical composite weights, which is no longer true once calibration is added. Two profile shapes exist:
Four-dimension profiles (no calibration term) use the original weighting:
composite = 0.35 * identity + 0.25 * reliability + 0.20 * (100 - risk) + 0.20 * autonomy
Calibration-aware profiles add a fifth term and renormalize so the five weights sum to 1.0:
composite = w_id * identity
+ w_rel * reliability
+ w_risk * (100 - risk)
+ w_auto * autonomy
+ w_cal * calibration
The calibration weight w_cal is set per vertical, reflecting how costly confident-wrongness is in that domain:
| Profile | Calibration weight (w_cal) |
identity / reliability / risk_inverse / autonomy |
|---|---|---|
healthcare |
0.35 | 0.20 / 0.20 / 0.15 / 0.10 |
legal |
0.30 | 0.15 / 0.25 / 0.15 / 0.15 |
financial_services |
0.25 | 0.20 / 0.20 / 0.20 / 0.15 |
security |
0.25 | 0.20 / 0.20 / 0.30 / 0.05 |
software |
0.20 | 0.15 / 0.30 / 0.20 / 0.15 |
general |
0.20 | 0.28 / 0.20 / 0.16 / 0.16 |
e_commerce |
0.15 | 0.10 / 0.30 / 0.20 / 0.25 |
OATS defines eleven standard scoring profiles — the seven calibration-aware verticals above plus four legacy technical profiles (high_security, social_platform, developer_tools, marketplace) that remain four-dimensional for backward compatibility. Beyond the composite weights, profiles also vary the sub-signal weights that feed each dimension. For example, high_security puts more weight on secret_hygiene_failures and exploit_susceptibility inside the risk dimension; healthcare weights evidence_integrity and correction_response more inside reliability and drives autonomy toward low_human_override.
| Profile | Calibration-aware | Use Case |
|---|---|---|
general |
yes (0.20) | Default balanced scoring |
healthcare |
yes (0.35) | Clinical / PHI-handling agents |
legal |
yes (0.30) | Privilege-sensitive legal work |
financial_services |
yes (0.25) | Regulated financial operations |
security |
yes (0.25) | Security-sensitive operations |
software |
yes (0.20) | Developer / software workflows |
e_commerce |
yes (0.15) | Transaction-scope commerce agents |
high_security |
no | Legacy: sensitive data/operations |
social_platform |
no | Legacy: community/social contexts |
developer_tools |
no | Legacy: developer workflows |
marketplace |
no | Legacy: agent marketplaces |
Implementations MAY publish their own profiles; the scoring_profile field on the Score Snapshot identifies which profile was used. The canonical composite-weight and sub-signal weight tables are part of the reference implementation and live at packages/scoring/src/veriswarm_gate/profiles.py.
OATS defines five tier codes that classify an agent's current trust state. Tier codes are deterministic functions of the individual dimension scores (not just the composite); this preserves information that a single composite would lose — an agent with high identity but low reliability is qualitatively different from one with low identity and high reliability.
| Tier Code | Meaning | Reference Gate (general profile) |
|---|---|---|
tier_3 |
Highest trust | identity ≥ 80 AND risk ≤ 20 AND reliability ≥ 80 |
tier_2 |
Moderate trust | identity ≥ 55 AND risk ≤ 35 AND reliability ≥ 60 |
tier_1 |
Default / unproven | Anything not matching tier_3, tier_2, tier_0, or tier_x |
tier_0 |
Low trust | identity ≤ 30 AND reliability ≤ 30 |
tier_x |
Restricted | severe-incident override OR risk ≥ 75 |
Tiers are not the same as decisions. A decision is the output of a policy evaluation against a specific action type (e.g., read_external, send_email, delete_record) and resolves to one of allow, review, or deny. The tier-to-decision mapping is action-type-dependent and configurable per tenant. The reference implementation ships a default mapping (see packages/policy/src/veriswarm_gate_policy/engine.py::POLICY_MATRIX) where, for example:
| Action type | tier_0 | tier_1 | tier_2 | tier_3 | tier_x |
|---|---|---|---|---|---|
| Default action | review | allow | allow | allow | deny |
| Sensitive action | deny | review | allow | allow | deny |
| External tool call | deny | review | allow (low-risk only) | allow | deny |
| Read-only data | allow | allow | allow | allow | allow |
Implementations MAY define their own tier codes or adjust thresholds; conformant decision-check responses MUST return one of allow, review, or deny regardless of internal tier representation.
The calibration dimension is computed from pairs of (reported confidence, observed outcome). For each task, the agent reports a confidence p ∈ [0, 1] and the task resolves to an outcome o ∈ {0, 1}. The per-pair penalty is the Brier score, the standard proper scoring rule for probabilistic forecasts:
brier_i = (p_i - o_i)²
A confident-and-correct prediction (e.g., p = 0.95, o = 1) incurs a small penalty; a confident-and-wrong prediction (p = 0.95, o = 0) incurs a large one. The dimension score is derived from the rolling average penalty over a sliding window of recent pairs:
calibration_score = round((1 - brier_avg) × 100)
Implementations SHOULD retain the Murphy (1973) decomposition of the Brier score into reliability, resolution, and uncertainty components, which distinguishes a uniformly overconfident agent from one whose confidence carries no discriminating signal. (Note: the Brier-decomposition "reliability" component is a calibration sub-term and is distinct from the OATS Reliability dimension in §2.2.)
Calibration scoring is governed by three per-profile parameters:
| Parameter | Meaning | Reference defaults |
|---|---|---|
calibration_min_pairs |
Minimum confidence-outcome pairs before a score is emitted | 10–15 (e.g., healthcare/legal 15, financial_services/security 12, general/software/e_commerce 10) |
calibration_window_size |
Sliding-window size over which brier_avg is computed |
100 (e_commerce 200) |
calibration_correlation_window_hours |
Lookback for pairing a confidence report with its outcome | 168 (e_commerce 72) |
Below calibration_min_pairs, a conformant implementation SHOULD NOT emit a calibration score derived from insufficient evidence (see §2.2).
OATS defines 24 standardized event types across 7 categories. Every event type maps deterministically to one or more agent signals (e.g., task_success, policy_violation_rate, deception_flags, calibration_error) which feed the five score dimensions. Platforms SHOULD map their agent activity to these types for interoperability; the canonical signal map lives with the reference implementation under veriswarm_gate.taxonomy.
| Event Type | Required Fields | Description |
|---|---|---|
tool.call.success |
tool_name |
Agent called a tool and it returned successfully |
tool.call.failure |
tool_name, error_type |
Tool call failed with a known error |
tool.call.blocked |
tool_name, reason |
Tool call was blocked by policy |
tool.call.unauthorized |
tool_name, attempted_action |
Agent attempted unauthorized tool access |
| Event Type | Required Fields | Description |
|---|---|---|
content.generated |
content_type |
Agent produced output (neutral; evidence-only) |
content.flagged |
content_type, flag_reason |
Output was flagged by a moderation control |
content.corrected |
original_action, correction |
Agent self-corrected after a violation |
| Event Type | Required Fields | Description |
|---|---|---|
task.started |
task_type |
Agent started a task |
task.completed |
task_type |
Agent completed a task successfully |
task.failed |
task_type, error_type |
Task failed |
task.delegated |
task_type, delegate_ref |
Task delegated to another agent or human |
| Event Type | Required Fields | Description |
|---|---|---|
security.credential_exposed |
credential_type |
Credential exposure detected |
security.policy_violation |
policy_id |
Agent violated a policy rule |
security.rate_limit_hit |
endpoint |
Agent breached a rate limit |
security.suspicious_pattern |
pattern |
Anomalous behavior pattern detected |
| Event Type | Required Fields | Description |
|---|---|---|
identity.registered |
agent_ref |
Agent registered with the platform |
identity.ownership_claimed |
owner_ref |
Human claimed ownership of agent |
identity.domain_verified |
domain |
Agent's controlling domain was verified |
identity.manifest_published |
manifest_uri |
Agent published a signed manifest |
identity.key_rotated |
kid |
Agent rotated its signing key |
| Event Type | Required Fields | Description |
|---|---|---|
interaction.agent_to_agent |
peer_ref |
Agent communicated with another agent (A2A) |
interaction.human_override |
operator_ref, decision |
Human overrode an agent decision |
| Event Type | Required Fields | Description |
|---|---|---|
agent.confidence_reported |
task_id, predicted_confidence |
Agent declares its confidence (0.0–1.0) that a task will succeed |
agent.task_outcome |
task_id, observed_outcome |
Observed resolution of the task, paired to the prior confidence by task_id |
These two events are neutral in the synchronous signal map — unlike the other six categories, they do not move a dimension at ingestion time. The scoring worker pairs agent.confidence_reported with agent.task_outcome by task_id (within calibration_correlation_window_hours), computes the Brier component, and updates the calibration dimension out-of-band. agent.confidence_reported MAY carry optional reasoning_summary, task_type, task_complexity_hint; agent.task_outcome MAY carry an optional weighted_outcome for partial-credit resolutions.
Platforms migrating from internal naming conventions MAY emit legacy names alongside canonical types; the reference implementation's taxonomy.legacy_event_map performs server-side normalization. Conformant publishers SHOULD use canonical names directly.
An OATS Portable Trust Credential is a signed JWT that an agent carries to prove its trust status to any platform.
The reference implementation issues a JWT whose private claim is named after the issuer (veriswarm). Conformant verifiers SHOULD accept either an oats claim (preferred for cross-vendor interoperability) or a vendor-prefixed claim of equivalent shape. Field names within the claim are flat (e.g., identity_score, not scores.identity) — this matches the reference implementation and lets verifiers parse the credential without traversing nested structures.
{
"iss": "https://api.veriswarm.ai",
"aud": "veriswarm-credential",
"sub": "agt_a1b2c3d4...",
"iat": 1746792000,
"exp": 1746795600,
"veriswarm": {
"agent_slug": "billing-agent",
"display_name": "Billing Agent",
"identity_score": 82,
"risk_score": 15,
"risk_band": "low",
"reliability_score": 78,
"autonomy_label": "human_assisted",
"policy_tier": "tier_2",
"composite_trust": 76,
"confidence": 0.9,
"is_verified": true,
"is_killed": false,
"scored_at": "2026-05-09T12:00:00Z",
"profile_url": "https://veriswarm.ai/agents/agt_a1b2c3d4..."
}
}
The reference implementation also issues a separate W3C Verifiable Credential variant (issue_vc) with sub set to a did:veriswarm:{agent_id} DID and the trust claims wrapped in a standard vc envelope. Verifiers MAY accept either variant.
/.well-known/jwks.jsonAny platform can verify an OATS credential by:
{iss}/.well-known/jwks.jsonkidexp is in the future and iat is reasonableaud matches an expected audienceoats, or a vendor-prefixed claim such as veriswarm — for the agent's score and tierNo VeriSwarm account or API key is required to verify a credential.
An OATS Reputation Signal is a privacy-preserving report that one platform sends about an agent's behavior to the shared reputation network.
{
"oats_version": "1.2",
"signal_type": "reputation",
"external_ref_hash": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b...",
"report_type": "policy_violation",
"severity": "medium",
"confidence": 0.85,
"risk_signal": 25,
"occurred_at": "2026-05-09T10:30:00Z"
}
external_ref_hash is sha256(pepper + ":" + lower(strip(agent_identifier))). The pepper is a per-deployment secret; rotating it invalidates the entire shared-reputation index, so it should be treated as configuration, not a one-time generated value.
sha256(pepper + ":" + normalized_agent_ref)) — the cross-platform lookup index never contains raw identifierstenant_id in cleartext alongside the hash. Reporter anonymity is enforced by aggregation at the query boundary — cross-tenant lookups return only counts and averages (e.g., cross_tenant_provider_count, average risk signal), never individual rows. A reporter is anonymous to other participants, not to the shared-reputation service itself.Implementations that wish to hide reporter identity from the shared-reputation service itself MAY hash the tenant_id before insertion, at the cost of losing the ability to revoke a tenant's contributions later. The reference implementation prioritizes operability over zero-trust storage.
| Report Type | Risk Impact | Description |
|---|---|---|
healthy |
-25 | Agent is operating normally |
attested |
-20 | Agent passed security review |
spam |
+20 | Agent produced spam content |
spam_burst |
+30 | Agent produced spam at burst-rate (added v1.1) |
abuse_spam |
+30 | Spam-shaped output that also crosses the abuse threshold (added v1.1) |
abuse |
+20 | Agent engaged in abusive behavior |
policy_violation |
+25 | Agent violated platform policies |
deception |
+35 | Agent engaged in deceptive behavior |
credential_leak |
+40 | Agent exposed credentials |
OATS-compliant providers SHOULD expose the following endpoints:
| Method | Path | Description |
|---|---|---|
POST |
/v1/events |
Ingest agent behavioral events |
POST |
/v1/decisions/check |
Check a trust decision |
GET |
/v1/agents/{id}/scores/current |
Get current trust scores |
GET |
/.well-known/jwks.json |
Public keys for credential verification |
| Method | Path | Description |
|---|---|---|
GET |
/v1/agents/{id}/scores/history |
Score history |
POST |
/v1/credentials/issue |
Issue a portable trust credential |
POST |
/v1/credentials/verify |
Verify a credential |
GET |
/v1/public/reputation/lookup |
Cross-provider reputation lookup |
POST |
/v1/suite/guard/pii/tokenize |
PII tokenization |
/v1/decisions/check endpointLevels 1–3 remain stable. The following extensions are OPTIONAL and do not affect conformance — implementations MAY adopt any subset.
These extensions standardize patterns the reference implementation has shipped since v1.0. They are independently adoptable.
When publishing an A2A protocol agent card, providers MAY include an x-veriswarm-trust extension carrying the OATS composite trust score, policy tier, and a link to the issuer's JWKS:
{
"name": "billing-agent",
"url": "https://billing.example.com/a2a/v1",
"x-veriswarm-trust": {
"oats_version": "1.2",
"composite_trust": 76,
"policy_tier": "trusted",
"issuer": "https://api.veriswarm.ai",
"credential_url": "https://api.veriswarm.ai/v1/credentials/issue"
}
}
A2A catalogs SHOULD trust-rank entries by composite_trust and SHOULD exclude agents whose policy tier is restricted.
A2A messages MAY be signed with Ed25519 to prove agent-of-origin and prevent on-path tampering. When transport signing is enabled, agent cards SHOULD include an x-veriswarm-transport extension advertising the public key and signature header.
{
"x-veriswarm-transport": {
"alg": "Ed25519",
"public_key_jwk": { "kty": "OKP", "crv": "Ed25519", "x": "..." },
"signature_header": "X-A2A-Signature",
"covered_headers": ["@method", "@target-uri", "content-digest", "date"]
}
}
Recipients MUST verify the signature against the JWK before processing the request body.
Agent or workflow templates published to a marketplace MAY be Ed25519-signed using a manifest-of-files digest. Importers MUST verify signatures when present and MUST reject tampered content. Unsigned imports MAY be accepted with a degraded trust badge.
Knowledge documents in a retrieval-augmented agent's index SHOULD carry a is_verified_source boolean and a verifier identity. Retrieval responses MUST include a retrieval_policy_summary reporting:
{
"total_chunks": 8,
"verified_chunks": 6,
"unverified_chunks": 2,
"unverified_document_ids": ["doc_..."],
"all_sources_verified": false
}
Policy engines MAY consume this summary to demote or refuse generations grounded in unverified context.
Implementations of OATS that proxy external tool surfaces (e.g., MCP servers) SHOULD perform a pre-flight scan of each tool definition at registration. CRITICAL findings MUST block the tool from registration; HIGH findings SHOULD be annotated into the tool description visible to the model and to human reviewers. Pre-flight events SHOULD emit tool.call.blocked (when blocked at registration) or a custom signal mapped to policy_violation_rate.
Trust decisions MAY be evaluated against a Cedar policy set scoped to the calling tenant. When Cedar is used:
Providers MAY expose GET /v1/compliance/{framework} returning a JSON attestation mapping live posture (Vault audit trail, scoring activity, policy state) to a named regulatory framework. Recommended framework codes:
| Framework Code | Counsel-Reviewed | Description |
|---|---|---|
eu-ai-act |
yes | EU AI Act high-risk obligations |
nist-ai-rmf |
yes | NIST AI Risk Management Framework |
iso-42001 |
yes | ISO/IEC 42001 AI management systems |
42-cfr-part-2 |
technical_preview | 42 CFR Part 2 — SUD records |
colorado-ai-act |
technical_preview | Colorado AI Act |
us-state-conv |
technical_preview | US state-level convergence baseline |
ny-raise-act |
technical_preview | NY RAISE Act |
california-sb-53 |
technical_preview | California SB-53 |
Attestations MUST be regenerable on demand and MUST cite specific Vault entries as evidence.
Implementations that route LLM calls MAY:
task_success on agreement, deception_flags on dissent)/v1/analytics/sre/dashboardThese are operational extensions; they do not alter the five canonical score dimensions.
The reference implementation of OATS is VeriSwarm (veriswarm.ai), which implements all three conformance levels, the v1.2 calibration dimension, and all v1.1 optional extensions.
Open source components:
veriswarm_scoring / veriswarm_gate (Python)cedarpy) tenant policiesveriswarm-sdk/python), Node.js (veriswarm-sdk/node)veriswarm-cli (veriswarm-sdk/cli)veriswarm-sdk/github-action)OATS follows semantic versioning.
oats_version field in all data structurescalibration_score = round((1 - brier_avg) × 100). Orthogonal to the other four dimensions; scored only after a profile-configurable minimum number of confidence-outcome pairs.(p - o)², the Murphy (1973) reliability/resolution/uncertainty decomposition, and the three per-profile parameters (calibration_min_pairs, calibration_window_size, calibration_correlation_window_hours).high_security, social_platform, developer_tools, marketplace) stay four-dimensional.calibration category with agent.confidence_reported and agent.task_outcome (§3.7). Both are neutral in the synchronous signal map; the scoring worker pairs them by task_id and updates the calibration dimension out-of-band.calibration sub-object with an optional brier_avg field; oats_version bumped to 1.2.A faithful-to-implementation pass after v1.1.0. v1.1.0 fixed event taxonomy and added optional extensions but left §2 (Core Concepts) and §4.1 (JWT claims) at their v1.0-draft shape, which never matched the reference implementation. v1.1.1 corrects:
scores. Field name is score, not value. policy_tier is a tier code (e.g., tier_2), not a label like trusted. Added band, label, and explanations fields that the reference implementation actually emits.general 0.25/0.30/0.25/0.20) were never accurate.tier_3/tier_2/tier_1/tier_0/tier_x), gated multi-dimensionally on identity AND risk AND reliability. Added an action-type-vs-tier decision matrix. Previous "3 tiers gated on composite alone" model never matched the engine.veriswarm), the flat *_score field naming, the aud claim, and a note about the W3C VC variant.kid matching + aud check, and acknowledged that conformant verifiers may need to accept vendor-prefixed claims (e.g., veriswarm) until ecosystem migration.SharedReputationSignal row shape. Privacy model corrected: reporter identity is not hashed in storage — anonymity is enforced by aggregation at the query boundary. Documented the pepper as a per-deployment secret with rotation implications.tool_usage, content, task, security, identity, interaction. Net total unchanged at 22.spam_burst (+30) and abuse_spam (+30) for fast-rate or compound abuse signals.Draft to Published.This specification is published under CC-BY-4.0 (Creative Commons Attribution 4.0 International).
Anyone may implement OATS. Attribution to VeriSwarm is required when referencing the specification.
The specification is open. Implementations may be proprietary.