Fidensa

Contract API

Programmatic access to Fidensa certifications. Designed for AI agents making trust decisions at runtime, CI/CD pipelines checking dependency certification, and enterprise platforms enforcing capability governance.

Base URL: https://fidensa.com

API Tiers

Basic attestation checks and search are permanently free — they ensure the certification mark works as a trust signal across the entire ecosystem. Deeper access to full contracts, SBOMs, and enterprise features is available through paid tiers.

Open

Free

Auth: None

Attestation checks, search, badges, public key. Everything needed for the certification mark to function.

Registered

Free

Auth: API key (free)

Full contract retrieval (10/hr), score breakdowns (30/hr), search (30/hr).

Professional

Subscription

Auth: API key (paid)

Unlimited contracts, SBOM downloads, bulk API, webhooks, higher rate limits.

Enterprise

Subscription

Auth: API key + org identity

Dedicated support, SLA, custom gateway policy templates, private catalog, aggregate reporting.

Authentication

Endpoints that require authentication accept a Bearer token in the Authorization header. Register a free API key, store it securely, and include it in requests:

Authorization: Bearer fid_a1b2c3d4e5f6...

Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) are included on authenticated responses.

Attestation (Open — no auth)

GET/v1/attestation/{capabilityId}

Quick trust check. Returns certification status, trust score, grade, tier, maturity, and supply chain status for the latest version of a capability.

Parameters

capabilityIdpathCapability identifier (e.g., mcp-server-filesystem)

Example

curl https://fidensa.com/v1/attestation/mcp-server-filesystem
GET/v1/attestation/{capabilityId}/{version}

Attestation for a specific version.

Parameters

capabilityIdpathCapability identifier
versionpathSemver version (e.g., 0.6.3)

Example

curl https://fidensa.com/v1/attestation/mcp-server-filesystem/0.6.3
GET/v1/attestation/by-hash/{contentHash}

Look up a certification by the SHA-256 content hash of its signed artifact.

Parameters

contentHashpathSHA-256 hex hash

Search (Open — no auth)

GET/v1/search

Search certified capabilities with filters. Powers the "suggest certified alternatives" flow — agents can search for higher-scored options when a tool is uncertified or scores poorly.

Parameters

qqueryText search across capability IDs, publishers, descriptions
typequeryFilter by type: mcp_server, skill, workflow, plugin
tierqueryFilter by tier: certified, verified, evaluated
min_scorequeryMinimum trust score (0–100)
statusqueryFilter by status (default: valid)
limitqueryMax results, 1–50 (default: 20)

Example

curl "https://fidensa.com/v1/search?type=mcp_server&q=filesystem&min_score=60"

Contracts (Registered — API key required)

GET/v1/contracts/{capabilityId}

Full contract retrieval (latest version). Returns the complete certification contract including identity, trust breakdown, security posture, behavioral guarantees, and fingerprint.

Parameters

capabilityIdpathCapability identifier

Example

curl -H "Authorization: Bearer fid_..." https://fidensa.com/v1/contracts/mcp-server-filesystem
GET/v1/contracts/{capabilityId}/{version}

Full contract for a specific version.

Parameters

capabilityIdpathCapability identifier
versionpathSemver version
GET/v1/contracts/{capabilityId}/score

Trust score breakdown. Returns per-signal scores with weights, rationale, and the overall grade.

Parameters

capabilityIdpathCapability identifier

Example

curl -H "Authorization: Bearer fid_..." https://fidensa.com/v1/contracts/mcp-server-filesystem/score

SBOM (Professional — paid API key required)

GET/v1/contracts/{capabilityId}/sbom

SBOM summary and download URLs. Returns component counts, vulnerability summary, and links to full CycloneDX and SPDX artifacts.

Parameters

capabilityIdpathCapability identifier

Example

curl -H "Authorization: Bearer fid_..." https://fidensa.com/v1/contracts/mcp-server-filesystem/sbom

API Keys

POST/v1/keys

Register a new API key. Returns the key once — store it securely. The key is never shown again.

Parameters

display_namebodyName for your application (min 2 chars)
emailbodyContact email for usage notifications

Example

curl -X POST https://fidensa.com/v1/keys \
  -H "Content-Type: application/json" \
  -d '{"display_name": "My Agent", "email": "dev@example.com"}'

Badges & Public Key (Open)

GET/badges/{capabilityId}.svg

Dynamic shields.io-style badge SVG with tier color. Supports ?style=flat and ?compact=true query params.

Parameters

capabilityIdpathCapability identifier
GET/.well-known/certification-keys.json

Platform ES256 public key in JWK Set format for offline artifact verification.

Errors

All error responses return JSON with an error field.

400Bad Request — invalid parameters
401Unauthorized — missing or invalid API key
403Forbidden — API key tier insufficient for this endpoint
404Not Found — capability or version not found
429Rate Limit — includes Retry-After header
500Server Error

CORS

All endpoints return Access-Control-Allow-Origin: *. Preflight OPTIONS requests are handled automatically.