The AgentCredential certifies a specific AI agent’s identity, capabilities, safety characteristics, and operational parameters. AgentCredentials are always linked to a DeveloperCredential, creating a verifiable chain of accountability.

Version: 1.0
Schema: agent-credential-v1.schema.json
Media Type: application/beltic-agent+jwt

Purpose

AgentCredentials provide:
  • Technical profile of the agent (model, architecture, deployment)
  • Safety and robustness metrics from standardized evaluations
  • Tool capabilities with risk classifications
  • Data handling and privacy practices
  • Operational parameters and lifecycle management
  • Link to verified developer identity

Field Categories

Fields are organized into 8 categories with 71 total fields:
  1. Agent Identity & Provenance (8 fields)
  2. Technical Profile (11 fields)
  3. Tools & Actions (2 fields + tool list)
  4. Data Handling & Privacy (9 fields)
  5. Safety & Robustness Metrics (20 fields - 4 metrics × 5 metadata each)
  6. Operations & Lifecycle (8 fields)
  7. Risk Summary & Assurance (8 fields)
  8. Cryptographic Identity (6 fields)

Developer Credential Linkage

Every AgentCredential must reference a DeveloperCredential:
{
  "developerCredentialId": "d7aa92c7-8b07-4f35-8c9b-a2d02e26f012",
  "developerCredentialVerified": true
}
This creates the trust chain: Agent → Developer → Issuer

1. Agent Identity & Provenance

agentId

Type: string (UUID v4)
Required: Yes
Sensitivity: Public
Globally unique, stable identifier for this agent. Remains constant across versions.
Example: "3c9f4e9b-1a2b-4c9d-8f34-7e5c80f3d412"

agentName

Type: string
Required: Yes
Sensitivity: Public
Human-readable name for the agent.
Constraints:
  • Min 2, max 200 characters
  • Should be unique within developer’s portfolio
  • May not contain offensive or misleading terms
Example: "Aurora Refund Guide"

agentVersion

Type: string (semantic version)
Required: Yes
Sensitivity: Public
Semantic version identifier (major.minor.patch).
Constraints: Must follow x.y.z format
Example: "2.3.0"

agentDescription

Type: string
Required: Yes
Sensitivity: Public
Clear description of agent’s purpose and capabilities.
Constraints:
  • Min 50, max 1000 characters
  • Should describe intended use, not make exaggerated claims
Example: "Conversational assistant that helps e-commerce merchants process refunds, check policy eligibility, and generate customer communications."

firstReleaseDate

Type: string (ISO 8601 date)
Required: Yes
Sensitivity: Public
When the agent was first released to production.
Example: "2022-03-10"

currentStatus

Type: enum
Required: Yes
Sensitivity: Public
Current operational status.
Allowed Values:
  • production - Production-ready and actively supported
  • beta - Beta testing with limited availability
  • alpha - Early alpha, expect instability
  • internal - Internal use only
  • deprecated - Deprecated, users should migrate
  • retired - Retired and no longer operational
Example: "production"

developerCredentialId

Type: string (UUID v4)
Required: Yes
Sensitivity: Public
ID of the linked DeveloperCredential.
Example: "d7aa92c7-8b07-4f35-8c9b-a2d02e26f012"

developerCredentialVerified

Type: boolean
Required: Yes
Sensitivity: Public
Whether the linked DeveloperCredential has been verified.
Example: true

2. Technical Profile

primaryModelProvider

Type: string
Required: Yes
Sensitivity: Public
Provider of the primary LLM.
Examples: "Anthropic", "OpenAI", "Self-hosted"

primaryModelFamily

Type: string
Required: Yes
Sensitivity: Public
Model family or version.
Example: "Claude-3 Opus"

modelContextWindow

Type: number
Required: Yes
Sensitivity: Public
Maximum context window size in tokens.
Example: 200000

modalitySupport

Type: array of enum
Required: Yes
Sensitivity: Public
Input/output modalities supported.
Allowed Values: text, image, audio, video, structured_data
Example: ["text", "structured_data"]

languageCapabilities

Type: array of string (ISO 639-1)
Required: Yes
Sensitivity: Public
Natural languages supported.
Example: ["en", "es", "fr"]

architectureType

Type: enum
Required: Yes
Sensitivity: Public
Agent architecture pattern.
Allowed Values:
  • rag - Retrieval-Augmented Generation
  • react - ReAct (Reasoning + Acting)
  • chain_of_thought - Chain-of-Thought prompting
  • multi_agent - Multi-agent coordination
  • tool_using - Tool-using agent
  • fine_tuned - Fine-tuned model
  • prompt_only - Prompt engineering only
  • other - Other architecture
Example: "rag"

systemConfigFingerprint

Type: string (SHA256 hash)
Required: Optional
Sensitivity: Restricted
SHA256 fingerprint of the agent’s system configuration/code.
Example: "sha256:f6d2..."
Assurance: Beltic-verified

systemConfigLastUpdated

Type: string (ISO 8601 date)
Required: Optional
Sensitivity: Public
When the system config was last updated.
Example: "2025-10-30"

deploymentEnvironment

Type: string
Required: Optional
Sensitivity: Public
Description of where the agent runs.
Example: "AWS us-west-2, isolated VPC"

complianceCertifications

Type: array of enum
Required: Optional
Sensitivity: Public
Compliance certifications obtained.
Allowed Values: hipaa, soc2_type1, soc2_type2, iso27001, gdpr_compliant, ccpa_compliant, pci_dss, fedramp
Example: ["soc2_type2", "iso27001"]

dataLocationProfile

Type: object
Required: Optional
Sensitivity: Public
Geographic locations for data storage and processing.
Structure:
{
  "storage": ["US"],
  "processing": ["US"],
  "backup": ["US", "CA"],
  "notes": "US primary, CA disaster recovery"
}

3. Tools & Actions

toolsList

Type: array of object
Required: Optional (Required if agent uses tools)
Sensitivity: Public
List of all tools/actions the agent can invoke.
Tool Object Structure:
{
  "toolName": "issue_refund",
  "toolDescription": "Processes refund for customer order",
  "riskCategory": "financial",
  "riskSubcategory": "financial_payment_initiation",
  "requiresAuth": true,
  "requiresHumanApproval": true
}
Risk Categories:
  • data - Data operations (read_internal, read_external, write_internal, write_external, delete)
  • compute - Compute operations (code_execution, model_inference, infrastructure_modification)
  • financial - Financial operations (payment_initiation, account_modification, transaction_query)
  • external - External communication (email, sms, api_call, webhook)
Example:
[
  {
    "toolName": "refund_db_lookup",
    "riskCategory": "data",
    "riskSubcategory": "data_read_internal",
    "requiresAuth": true,
    "requiresHumanApproval": false
  },
  {
    "toolName": "issue_refund",
    "riskCategory": "financial",
    "riskSubcategory": "financial_payment_initiation",
    "requiresAuth": true,
    "requiresHumanApproval": true
  }
]
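
A relying party can check a toolsList against the risk taxonomy above before trusting it. The sketch below is an added example, not Beltic's own code; the `<category>_<operation>` spelling is inferred from the page's examples, and the `APPROVAL_REQUIRED` set is an assumed local policy.

```python
# Category -> operations, copied from the page's "Risk Categories" list.
RISK_TAXONOMY = {
    "data": {"read_internal", "read_external", "write_internal", "write_external", "delete"},
    "compute": {"code_execution", "model_inference", "infrastructure_modification"},
    "financial": {"payment_initiation", "account_modification", "transaction_query"},
    "external": {"email", "sms", "api_call", "webhook"},
}
# Assumption: a relying-party policy, not a rule stated by the schema.
# Tools in these subcategories are rejected unless a human approves each call.
APPROVAL_REQUIRED = {
    "financial_payment_initiation", "financial_account_modification",
    "compute_code_execution", "compute_infrastructure_modification", "data_delete",
}

def audit_tools(tools):
    """Return (toolName, finding) pairs; an empty list means no findings."""
    findings = []
    for tool in tools:
        name = tool.get("toolName", "<unnamed>")
        category = tool.get("riskCategory")
        sub = str(tool.get("riskSubcategory", ""))
        if not isinstance(category, str) or category not in RISK_TAXONOMY:
            findings.append((name, f"unknown riskCategory {category!r}"))
            continue
        # The page's examples spell subcategories as "<category>_<operation>".
        prefix = category + "_"
        if not sub.startswith(prefix) or sub[len(prefix):] not in RISK_TAXONOMY[category]:
            findings.append((name, f"riskSubcategory {sub!r} not valid for {category!r}"))
            continue
        # Flags must be JSON booleans; a missing or string value fails closed.
        for flag in ("requiresAuth", "requiresHumanApproval"):
            if not isinstance(tool.get(flag), bool):
                findings.append((name, f"{flag} missing or not a boolean"))
        if sub in APPROVAL_REQUIRED and tool.get("requiresHumanApproval") is not True:
            findings.append((name, "high-impact tool lacks requiresHumanApproval"))
    return findings

def _tool(name, category, sub, approval):
    return {"toolName": name, "riskCategory": category, "riskSubcategory": sub,
            "requiresAuth": True, "requiresHumanApproval": approval}

# Constructed sample: the page's two tools plus two deliberately bad entries.
SAMPLE_TOOLS = [
    _tool("refund_db_lookup", "data", "data_read_internal", False),
    _tool("issue_refund", "financial", "financial_payment_initiation", True),
    _tool("purge_orders", "data", "data_delete", False),
    _tool("send_receipt", "external", "financial_transaction_query", False),
]
```

Calling `audit_tools(SAMPLE_TOOLS)` flags `purge_orders` for missing human approval and `send_receipt` for a subcategory that belongs to a different category.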

toolsLastAudited

Type: string (ISO 8601 date)
Required: Optional (Required if toolsList provided)
Sensitivity: Public
When tools were last security-audited.
Example: "2025-09-15"

4. Data Handling & Privacy

dataCategoriesProcessed

Type: array of enum
Required: Yes
Sensitivity: Public
Categories of data the agent processes.
Allowed Values: pii, financial, health_phi, biometric, location, communications, credentials, behavioral, demographic, device_identifiers
Example: ["pii", "financial"]

dataRetentionMaxPeriod

Type: string (ISO 8601 duration)
Required: Yes
Sensitivity: Public
Maximum data retention period.
Format: ISO 8601 duration (e.g., "P30D" = 30 days, "P1Y" = 1 year)
Example: "P30D"

dataRetentionByCategory

Type: object
Required: Optional
Sensitivity: Public
Retention periods per data category.
Example:
{
  "pii": "P30D",
  "financial": "P90D"
}

trainingDataUsage

Type: enum
Required: Yes
Sensitivity: Public
How user data is used for training.
Allowed Values:
  • no_training - Never used for training
  • with_explicit_consent - Only with explicit user consent
  • aggregated_anonymous - Aggregated and anonymized only
  • opt_out_available - Default yes, but opt-out available
  • not_applicable - API-based model, no training data access
Example: "with_explicit_consent"

piiDetectionEnabled

Type: boolean
Required: Yes
Sensitivity: Public
Whether PII detection is enabled.
Example: true

piiRedactionCapability

Type: enum
Required: Optional
Sensitivity: Public
Level of PII redaction capability.
Allowed Values: none, basic, advanced, custom
Example: "advanced"

piiRedactionPipeline

Type: string
Required: Optional
Sensitivity: Public
Description of how PII is detected and redacted.
Example: "Detects PII pre-inference and scrubs logs before storage."

dataEncryptionStandards

Type: array of string
Required: Optional
Sensitivity: Public
Encryption standards used.
Example: ["AES-256-at-rest", "TLS 1.3 in transit"]

5. Safety & Robustness Metrics

The agent’s safety is measured across 4 core dimensions. Each metric includes 5 metadata fields:
  1. Score (0-100, higher is better)
  2. Benchmark Name (test suite used)
  3. Benchmark Version (test suite version)
  4. Evaluation Date (when evaluated)
  5. Assurance Source (who evaluated)

Metric 1: Harmful Content Refusal

Measures the agent’s ability to refuse harmful requests. Fields:
  • harmfulContentRefusalScore (number, 0-100)
  • harmfulContentBenchmarkName (string)
  • harmfulContentBenchmarkVersion (string)
  • harmfulContentEvaluationDate (ISO 8601 date)
  • harmfulContentAssuranceSource (enum: self_attested, beltic, third_party)
Example:
{
  "harmfulContentRefusalScore": 96,
  "harmfulContentBenchmarkName": "Beltic Harmful Content Suite",
  "harmfulContentBenchmarkVersion": "2.1",
  "harmfulContentEvaluationDate": "2025-11-05",
  "harmfulContentAssuranceSource": "beltic"
}

Metric 2: Prompt Injection Robustness

Resistance to jailbreaks and prompt injection attacks. Fields:
  • promptInjectionRobustnessScore (number, 0-100)
  • promptInjectionBenchmarkName (string)
  • promptInjectionBenchmarkVersion (string)
  • promptInjectionEvaluationDate (ISO 8601 date)
  • promptInjectionAssuranceSource (enum)
Example:
{
  "promptInjectionRobustnessScore": 92,
  "promptInjectionBenchmarkName": "Beltic Prompt Injection Suite",
  "promptInjectionBenchmarkVersion": "1.4",
  "promptInjectionEvaluationDate": "2025-11-06",
  "promptInjectionAssuranceSource": "beltic"
}

Metric 3: Tool Abuse Robustness

Resistance to unsafe or unauthorized tool usage. Fields:
  • toolAbuseRobustnessScore (number, 0-100)
  • toolAbuseBenchmarkName (string)
  • toolAbuseBenchmarkVersion (string)
  • toolAbuseEvaluationDate (ISO 8601 date)
  • toolAbuseAssuranceSource (enum)
Example:
{
  "toolAbuseRobustnessScore": 88,
  "toolAbuseBenchmarkName": "Beltic Tool Safety Suite",
  "toolAbuseBenchmarkVersion": "1.2",
  "toolAbuseEvaluationDate": "2025-11-06",
  "toolAbuseAssuranceSource": "beltic"
}

Metric 4: PII Leakage Robustness

Resistance to PII leakage and privacy violations. Fields:
  • piiLeakageRobustnessScore (number, 0-100)
  • piiLeakageBenchmarkName (string)
  • piiLeakageBenchmarkVersion (string)
  • piiLeakageEvaluationDate (ISO 8601 date)
  • piiLeakageAssuranceSource (enum)
Example:
{
  "piiLeakageRobustnessScore": 94,
  "piiLeakageBenchmarkName": "Beltic Privacy Leakage Suite",
  "piiLeakageBenchmarkVersion": "1.3",
  "piiLeakageEvaluationDate": "2025-11-05",
  "piiLeakageAssuranceSource": "beltic"
}
Score Interpretation:
  • 90-100: Excellent - Very low risk
  • 80-89: Good - Low risk
  • 70-79: Moderate - Some risk, review use cases
  • 60-69: Fair - Moderate risk, restrict capabilities
  • 0-59: Poor - High risk, not recommended for production
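
The bands above are most useful when a verifier gates on the weakest of the four metrics and also looks at who produced each score and when. The following is an added example, not Beltic's own code; the `min_band` and `max_age_days` thresholds are assumed relying-party policy, and the sample reuses the scores and dates from the metric examples on this page.

```python
from datetime import date

# (lower bound, band) pairs copied from the page's "Score Interpretation" list.
BANDS = [(90, "excellent"), (80, "good"), (70, "moderate"), (60, "fair"), (0, "poor")]
ORDER = [label for _, label in BANDS]  # best to worst
# Score field -> prefix shared by that metric's four metadata fields.
METRICS = {
    "harmfulContentRefusalScore": "harmfulContent",
    "promptInjectionRobustnessScore": "promptInjection",
    "toolAbuseRobustnessScore": "toolAbuse",
    "piiLeakageRobustnessScore": "piiLeakage",
}

def band(score):
    """Map a 0-100 score to its band; reject anything outside the schema range."""
    if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score!r}")
    return next(label for floor, label in BANDS if score >= floor)

def assess(cred, today, min_band="good", max_age_days=180):
    """Return (weakest_band, issues). min_band and max_age_days are assumed policy knobs."""
    weakest, issues = "excellent", []
    for field, prefix in METRICS.items():
        if field not in cred:
            weakest = "poor"  # fail closed: an absent metric counts as the worst band
            issues.append(f"{field} missing")
            continue
        weakest = max(weakest, band(cred[field]), key=ORDER.index)
        if cred.get(prefix + "AssuranceSource") == "self_attested":
            issues.append(f"{prefix}: score is self-attested")
        evaluated = cred.get(prefix + "EvaluationDate")
        if evaluated is None or (today - date.fromisoformat(evaluated)).days > max_age_days:
            issues.append(f"{prefix}: evaluation missing or older than {max_age_days} days")
    if ORDER.index(weakest) > ORDER.index(min_band):
        issues.append(f"weakest metric is {weakest}, required {min_band} or better")
    return weakest, issues

def _metric(prefix, score_field, score, evaluated, source="beltic"):
    return {score_field: score, prefix + "EvaluationDate": evaluated,
            prefix + "AssuranceSource": source}

# Constructed sample using the scores and evaluation dates from the page's examples.
SAMPLE = {
    **_metric("harmfulContent", "harmfulContentRefusalScore", 96, "2025-11-05"),
    **_metric("promptInjection", "promptInjectionRobustnessScore", 92, "2025-11-06"),
    **_metric("toolAbuse", "toolAbuseRobustnessScore", 88, "2025-11-06"),
    **_metric("piiLeakage", "piiLeakageRobustnessScore", 94, "2025-11-05"),
}
```

With the page's values the weakest band is "good" (the tool-abuse score of 88), even though three of the four scores are in the top band.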

6. Operations & Lifecycle

incidentResponseContact

Type: string (email)
Required: Yes
Sensitivity: Public
Contact for security incidents.
Example: "security@auroralabs.ai"

incidentResponseSLO

Type: string (ISO 8601 duration)
Required: Optional
Sensitivity: Public
Service level objective for incident response.
Example: "PT4H" (4 hours)

deprecationPolicy

Type: string
Required: Optional
Sensitivity: Public
How agent deprecation is handled.
Example: "90-day notice, automatic migration script for merchants"

updateCadence

Type: enum
Required: Optional
Sensitivity: Public
How frequently the agent is updated.
Allowed Values: daily, weekly, biweekly, monthly, quarterly, as_needed
Example: "biweekly"

humanOversightMode

Type: enum
Required: Optional
Sensitivity: Public
Level of human oversight.
Allowed Values:
  • none - Fully autonomous
  • human_review_post_action - Review after action
  • human_review_pre_action - Approval before action
  • human_in_loop - Human in decision loop
  • human_on_loop - Human monitors
Example: "human_review_pre_action"

failSafeBehavior

Type: string
Required: Optional
Sensitivity: Public
Description of fail-safe mechanisms.
Example: "Refuses requests exceeding $500 and escalates to finance queue"

monitoringCoverage

Type: string
Required: Optional
Sensitivity: Public
Monitoring and observability details.
Example: "PII detector alerts to SOC channel; monthly human log reviews"

credentialIssuanceDate

Type: string (ISO 8601 timestamp)
Required: Yes
Sensitivity: Public
When this credential was issued.
Example: "2025-11-08T12:00:00Z"

credentialExpirationDate

Type: string (ISO 8601 timestamp)
Required: Yes
Sensitivity: Public
When this credential expires.
Example: "2026-05-08T12:00:00Z"

7. Risk Summary & Assurance

overallSafetyRating

Type: enum
Required: Yes
Sensitivity: Public
Composite safety rating.
Allowed Values: low_risk, moderate_risk, high_risk, critical_risk
Example: "low_risk"

approvedUseCases

Type: array of string
Required: Optional
Sensitivity: Public
Explicitly approved use cases.
Example: ["E-commerce refund triage", "Customer refund status inquiries"]

prohibitedUseCases

Type: array of string
Required: Optional
Sensitivity: Public
Explicitly prohibited use cases.
Example: ["Financial investment advice", "Medical triage"]

ageRestrictions

Type: string
Required: Optional
Sensitivity: Public
Minimum age for users.
Example: "16+" or "18+" or "none"

regulatoryApprovals

Type: array of string
Required: Optional
Sensitivity: Public
Regulatory approvals obtained.
Example: ["SOC 2 Type II infrastructure alignment"]

kybTierRequired

Type: enum
Required: Optional
Sensitivity: Public
Minimum developer KYB tier required for this agent.
Allowed Values: tier_1, tier_2, tier_3
Example: "tier_2"

verificationLevel

Type: enum
Required: Yes
Sensitivity: Public
Overall verification level.
Allowed Values: self_attested, beltic_verified, third_party_verified
Example: "beltic_verified"

8. Cryptographic Identity

credentialId

Type: string (UUID v4)
Required: Yes
Sensitivity: Public
Unique identifier for this credential.
Example: "a2a1f6a0-7f4f-4aa1-8f6b-5c33c6f9f7e2"

issuerDid

Type: string (DID)
Required: Yes
Sensitivity: Public
DID of the issuer.
Example: "did:web:beltic.com"

verificationMethod

Type: string (DID URL)
Required: Yes
Sensitivity: Public
Key used to sign this credential.
Example: "did:web:beltic.com#key-1"

credentialStatus

Type: enum
Required: Yes
Sensitivity: Public
Current status.
Allowed Values: active, suspended, revoked
Example: "active"

revocationListUrl

Type: string (URL)
Required: Optional
Sensitivity: Public
URL to Status List 2021 bitstring.
Example: "https://beltic.com/status/agent-credentials.json"

proof

Type: object
Required: Yes
Sensitivity: Public
Cryptographic signature from issuer.

Complete Example: Aurora Refund Guide

Customer service agent for e-commerce refund processing:
{
  "agentId": "3c9f4e9b-1a2b-4c9d-8f34-7e5c80f3d412",
  "agentName": "Aurora Refund Guide",
  "agentVersion": "2.3.0",
  "agentDescription": "Conversational assistant that helps e-commerce merchants process refunds...",
  "firstReleaseDate": "2022-03-10",
  "currentStatus": "production",
  "developerCredentialId": "d7aa92c7-8b07-4f35-8c9b-a2d02e26f012",
  "developerCredentialVerified": true,

  "primaryModelProvider": "Anthropic",
  "primaryModelFamily": "Claude-3 Opus",
  "modelContextWindow": 200000,
  "modalitySupport": ["text", "structured_data"],
  "languageCapabilities": ["en", "es", "fr"],
  "architectureType": "rag",
  "deploymentEnvironment": "AWS us-west-2, isolated VPC",
  "complianceCertifications": ["soc2_type2", "iso27001"],

  "toolsList": [
    {
      "toolName": "issue_refund",
      "riskCategory": "financial",
      "riskSubcategory": "financial_payment_initiation",
      "requiresAuth": true,
      "requiresHumanApproval": true
    }
  ],

  "dataCategoriesProcessed": ["pii", "financial"],
  "dataRetentionMaxPeriod": "P30D",
  "trainingDataUsage": "with_explicit_consent",
  "piiDetectionEnabled": true,
  "piiRedactionCapability": "advanced",

  "harmfulContentRefusalScore": 96,
  "promptInjectionRobustnessScore": 92,
  "toolAbuseRobustnessScore": 88,
  "piiLeakageRobustnessScore": 94,

  "incidentResponseContact": "security@auroralabs.ai",
  "humanOversightMode": "human_review_pre_action",
  "overallSafetyRating": "low_risk",
  "kybTierRequired": "tier_2",
  "verificationLevel": "beltic_verified"
}
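
The example above is abridged: it leaves out credentialStatus, the issuance and expiration timestamps, and the section 8 identity fields that the reference marks as required. The following added example (not Beltic's own code) shows a verifier-side lifecycle check that fails closed on such input; binding verificationMethod to issuerDid is an assumption drawn from the page's example values, and checking the proof signature is a separate step not shown here.

```python
from datetime import datetime

# Fields this page marks "Required: Yes" that bind the credential to an issuer,
# a validity window and a developer. The page's abridged example omits several.
REQUIRED = [
    "credentialId", "issuerDid", "verificationMethod", "credentialStatus", "proof",
    "credentialIssuanceDate", "credentialExpirationDate",
    "developerCredentialId", "developerCredentialVerified",
]

def _ts(value):
    # datetime.fromisoformat() rejects a trailing "Z" before Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def lifecycle_reasons(cred, now):
    """Return reasons to reject; an empty list means these checks pass.
    `now` must be timezone-aware. The proof signature is not verified here."""
    reasons = [f"missing required field {name}" for name in REQUIRED if name not in cred]
    if reasons:
        return reasons  # fail closed before interpreting partial data
    if cred["credentialStatus"] != "active":
        reasons.append(f"credentialStatus is {cred['credentialStatus']}")
    if cred["developerCredentialVerified"] is not True:
        reasons.append("linked DeveloperCredential is not verified")
    issued, expires = _ts(cred["credentialIssuanceDate"]), _ts(cred["credentialExpirationDate"])
    if not issued <= now < expires:
        reasons.append("current time is outside the validity window")
    # Assumption: the signing key must be a fragment of the issuer's own DID,
    # as in the page's examples ("did:web:beltic.com" / "did:web:beltic.com#key-1").
    if not cred["verificationMethod"].startswith(cred["issuerDid"] + "#"):
        reasons.append("verificationMethod does not belong to issuerDid")
    return reasons

# Constructed sample assembled from the example values given for each field above.
SAMPLE = {
    "credentialId": "a2a1f6a0-7f4f-4aa1-8f6b-5c33c6f9f7e2",
    "issuerDid": "did:web:beltic.com",
    "verificationMethod": "did:web:beltic.com#key-1",
    "credentialStatus": "active",
    "proof": {},  # placeholder; the page does not show the proof object's contents
    "credentialIssuanceDate": "2025-11-08T12:00:00Z",
    "credentialExpirationDate": "2026-05-08T12:00:00Z",
    "developerCredentialId": "d7aa92c7-8b07-4f35-8c9b-a2d02e26f012",
    "developerCredentialVerified": True,
}
```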
