Contract API
Programmatic access to Fidensa certifications. Designed for AI agents making trust decisions at runtime, CI/CD pipelines checking dependency certification, and enterprise platforms enforcing capability governance.
Base URL: https://fidensa.com
Standards and Methodology
Trust scores are computed from eight weighted signals grounded in established frameworks: CVSS v4.0 (FIRST.org) for vulnerability severity decay, NIST SP 800-30 for risk assessment, SLSA (Google/OpenSSF) for supply chain integrity, ISO/IEC 25010 for software quality, ISO/IEC 17065 for conformity assessment, and the UL certification model for independent third-party verification. Adversarial findings use an impact-based classification system (Block/Warn/Review/Info) with OWASP MCP Top 10 coverage mapping.
API Tiers
Basic attestation checks, search, and experience reports are permanently free — they ensure the certification mark works as a trust signal across the entire ecosystem. Deeper access to full contracts, SBOMs, and enterprise features is available through paid tiers.
Open
Price: Free
Auth: None
Attestation checks, search, badges, artifacts, public key, experience reports. Everything needed for the certification mark to function.
Registered
Price: Free
Auth: API key (free)
Full contract retrieval (10/hr), score breakdowns (30/hr), search (30/hr), experience reports with higher rate limits.
Professional
Price: Subscription
Auth: API key (paid)
Unlimited contracts, SBOM downloads, bulk API, webhooks, higher rate limits.
Enterprise
Price: Subscription
Auth: API key + org identity
Dedicated support, SLA, custom gateway policy templates, private catalog, aggregate reporting.
Authentication
Endpoints that require authentication accept a Bearer token in the Authorization header. Register a free API key, store it securely, and include it in requests:
Authorization: Bearer fid_a1b2c3d4e5f6...
Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) are included on authenticated responses.
Attestation (Open — no auth)
/v1/attestation/{capabilityId}
Quick trust check. Returns certification status, trust score, grade, tier, maturity, and supply chain status for the latest version of a capability.
Parameters
capabilityId (path): Capability identifier (e.g., mcp-server-filesystem)
Example
curl https://fidensa.com/v1/attestation/mcp-server-filesystem
/v1/attestation/{capabilityId}/{version}
Attestation for a specific version.
Parameters
capabilityId (path): Capability identifier
version (path): Semver version (e.g., 0.6.3)
Example
curl https://fidensa.com/v1/attestation/mcp-server-filesystem/0.6.3
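The following is an added example, not code from Fidensa: a small Go gate that a CI job or an agent runtime could run in front of /v1/attestation before trusting a capability. It fails closed (no record, non-valid status, a tier outside the allow-list, or a score under the floor all reject), and it maps the documented 404 and 429 responses so that "not found" is treated as "not certified" and the Retry-After value is surfaced instead of being retried in a loop. To run offline it starts an in-process stand-in for fidensa.com with constructed responses; the JSON field names in Attestation, the policy values, and the stand-in's behaviour are assumptions, not taken from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Attestation holds the fields the docs list for /v1/attestation. The JSON key
// names are assumptions made for this example; check them against a live response.
type Attestation struct {
	CapabilityID string `json:"capability_id"`
	Version      string `json:"version"`
	Status       string `json:"status"`      // "valid" is the status the search default uses
	TrustScore   int    `json:"trust_score"` // 0-100
	Grade        string `json:"grade"`
	Tier         string `json:"tier"` // certified, verified or evaluated
	SupplyChain  string `json:"supply_chain_status"`
}

// ErrRateLimited carries the Retry-After seconds from a 429 so the caller backs off.
type ErrRateLimited struct{ RetryAfter int }
func (e ErrRateLimited) Error() string { return fmt.Sprintf("rate limited, retry after %ds", e.RetryAfter) }

// FetchAttestation does GET {base}/v1/attestation/{id}[/{version}] and maps the
// documented error codes: 404 means no certification on record (nil, nil).
func FetchAttestation(client *http.Client, base, id, version string) (*Attestation, error) {
	url := base + "/v1/attestation/" + id
	if version != "" {
		url += "/" + version
	}
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		var a Attestation
		if err := json.NewDecoder(resp.Body).Decode(&a); err != nil {
			return nil, fmt.Errorf("decode attestation: %w", err)
		}
		return &a, nil
	case http.StatusNotFound:
		return nil, nil
	case http.StatusTooManyRequests:
		secs, _ := strconv.Atoi(resp.Header.Get("Retry-After"))
		return nil, ErrRateLimited{RetryAfter: secs}
	default:
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
}

// Decide is the fail-closed gate: a missing, non-valid, wrong-tier or low-scoring
// attestation is rejected, and the reason is returned for the pipeline log.
func Decide(a *Attestation, minScore int, allowedTiers map[string]bool) (bool, string) {
	switch {
	case a == nil:
		return false, "not certified"
	case a.Status != "valid":
		return false, "certification status is " + a.Status
	case !allowedTiers[a.Tier]:
		return false, "tier " + a.Tier + " not accepted"
	case a.TrustScore < minScore:
		return false, fmt.Sprintf("trust score %d below floor %d", a.TrustScore, minScore)
	}
	return true, fmt.Sprintf("%s@%s grade %s (%d), supply chain %s",
		a.CapabilityID, a.Version, a.Grade, a.TrustScore, a.SupplyChain)
}

// NewFakeAPI stands in for fidensa.com so the example runs offline; every
// response body is constructed for this example, not a real certification.
func NewFakeAPI() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/attestation/mcp-server-filesystem", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"capability_id":"mcp-server-filesystem","version":"0.6.3","status":"valid",`+
			`"trust_score":82,"grade":"A","tier":"certified","supply_chain_status":"verified"}`)
	})
	mux.HandleFunc("/v1/attestation/busy-tool", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Retry-After", "30")
		http.Error(w, `{"error":"rate limit"}`, http.StatusTooManyRequests)
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		http.Error(w, `{"error":"not found"}`, http.StatusNotFound) // documented 404 shape
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeAPI()
	defer srv.Close()
	a, err := FetchAttestation(srv.Client(), srv.URL, "mcp-server-filesystem", "")
	fmt.Printf("%+v %v\n", a, err)
	fmt.Println(Decide(a, 60, map[string]bool{"certified": true, "verified": true}))
}
```

Against the real service, replace the stand-in's URL with the base URL above and reuse the same client for all calls so the rate limit headers on authenticated responses can be read from one place. The point of returning (nil, nil) on 404 rather than an error is that the caller must go through Decide, where the absence of a certification is an explicit rejection rather than an exception that might get swallowed.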
/v1/attestation/by-hash/{contentHash}
Look up a certification by the SHA-256 content hash of its signed artifact.
Parameters
contentHash (path): SHA-256 hex hash
Search (Open — no auth)
/v1/search
Search certified capabilities with filters. Powers the "suggest certified alternatives" flow — agents can search for higher-scored options when a tool is uncertified or scores poorly.
Parameters
q (query): Text search across capability IDs, publishers, descriptions
type (query): Filter by type: mcp_server, skill, rules_file, hook, sub_agent, plugin
tier (query): Filter by tier: certified, verified, evaluated
min_score (query): Minimum trust score (0–100)
status (query): Filter by status (default: valid)
limit (query): Max results, 1–50 (default: 20)
Example
curl "https://fidensa.com/v1/search?type=mcp_server&q=filesystem&min_score=60"
Artifacts (Open — no auth)
/v1/artifacts/{capabilityId}
Download the signed .cert.json artifact for the latest version of a capability. This is the portable, cryptographically signed certification artifact that can be independently verified.
Parameters
capabilityId (path): Capability identifier (e.g., mcp-server-filesystem)
Example
curl https://fidensa.com/v1/artifacts/mcp-server-filesystem
/v1/artifacts/{capabilityId}/{version}
Download the signed artifact for a specific version.
Parameters
capabilityId (path): Capability identifier
version (path): Semver version (e.g., 0.6.3)
Example
curl https://fidensa.com/v1/artifacts/mcp-server-filesystem/0.6.3
Contracts (Registered — API key required)
/v1/contracts/{capabilityId}
Full contract retrieval (latest version). Returns the complete certification contract including identity, trust breakdown, security posture, behavioral guarantees, and fingerprint.
Parameters
capabilityId (path): Capability identifier
Example
curl -H "Authorization: Bearer fid_..." https://fidensa.com/v1/contracts/mcp-server-filesystem
/v1/contracts/{capabilityId}/{version}
Full contract for a specific version.
Parameters
capabilityId (path): Capability identifier
version (path): Semver version
/v1/contracts/{capabilityId}/score
Trust score breakdown. Returns per-signal scores with weights, rationale, and the overall grade.
Parameters
capabilityId (path): Capability identifier
Example
curl -H "Authorization: Bearer fid_..." https://fidensa.com/v1/contracts/mcp-server-filesystem/score
SBOM (Professional — paid API key required)
/v1/contracts/{capabilityId}/sbom
SBOM summary and download URLs. Returns component counts, vulnerability summary, and links to full CycloneDX and SPDX artifacts.
Parameters
capabilityId (path): Capability identifier
Example
curl -H "Authorization: Bearer fid_..." https://fidensa.com/v1/contracts/mcp-server-filesystem/sbom
API Keys
/v1/keys
Register a new API key. Returns the key once — store it securely. The key is never shown again.
Parameters
display_name (body): Name for your application (min 2 chars)
email (body): Contact email for usage notifications
Example
curl -X POST https://fidensa.com/v1/keys \
  -H "Content-Type: application/json" \
  -d '{"display_name": "My Agent", "email": "dev@example.com"}'
Experience Reports (API key optional)
/v1/reports
Submit an experience report for a certified capability. Reports help maintain certification accuracy by incorporating real-world usage data into trust scores. Authenticated reports (with API key) get standard rate limits; unauthenticated reports use IP-based rate limiting with lower limits. The content_hash field must match the certified artifact, which proves the reporter has actually encountered the certified artifact.
Parameters
capability_id (body): Capability identifier (must be certified)
content_hash (body): Content hash from the .cert.json artifact (anti-spam)
outcome (body): success, failure, or partial
capability_version (body): Optional. Defaults to latest certified version
environment (body): Optional. Object with agent_platform, agent_version, os, runtime_version
details (body): Optional. Additional context (tools_used, failure_description, etc.)
Example
curl -X POST https://fidensa.com/v1/reports \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer fid_..." \
  -d '{"capability_id": "mcp-server-filesystem", "content_hash": "abc123...", "outcome": "success"}'
Badges & Public Key (Open)
/badges/{capabilityId}.svg
Dynamic shields.io-style badge SVG with tier color. Supports ?style=flat and ?compact=true query params.
Parameters
capabilityId (path): Capability identifier
/.well-known/certification-keys.json
Platform ES256 public key in JWK Set format for offline artifact verification.
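Added example, not Fidensa's code: offline verification of a signed artifact against an ES256 key published as a JWK Set, in Go with the standard library only. The page does not define the .cert.json layout, so the Artifact type here (the exact signed bytes, a key id, and a JWS-style ES256 signature of raw r||s in unpadded base64url), the key id, and the sample payload are assumptions; the JWK parsing follows RFC 7517 for an EC P-256 key. NewPlatformKey, Sign and KeySet play the platform's role only so the example runs with a key generated on the spot. The SHA-256 of the signed payload is returned as the content hash, assumed here to be the value that /v1/attestation/by-hash and the content_hash field of an experience report refer to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding // JWK coordinates and JWS signatures use unpadded base64url

// JWK and JWKSet are the RFC 7517 subset for one EC P-256 key; encoding/json matches the
// lowercase "kty", "crv", "kid", "x", "y" and "keys" names case-insensitively on unmarshal.
type JWK struct{ Kty, Crv, Kid, X, Y string }
type JWKSet struct{ Keys []JWK }

// Artifact is an assumed layout for .cert.json (the page does not define one): the exact
// signed bytes plus a JWS ES256 style signature, raw r||s in base64url.
type Artifact struct {
	Payload        []byte
	Kid, Signature string
}

// PublicKey decodes the JWK, refusing anything but P-256 and off-curve points.
func (k JWK) PublicKey() (*ecdsa.PublicKey, error) {
	x, errX := b64.DecodeString(k.X)
	y, errY := b64.DecodeString(k.Y)
	if k.Kty != "EC" || k.Crv != "P-256" || errX != nil || errY != nil {
		return nil, errors.New("not a well-formed P-256 JWK")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("point not on curve")
	}
	return pub, nil
}

// ContentHash is the SHA-256 of the signed payload, assumed here to be the value
// used by /v1/attestation/by-hash and the content_hash field of a report.
func ContentHash(payload []byte) string {
	d := sha256.Sum256(payload)
	return hex.EncodeToString(d[:])
}

// Verify finds the artifact's kid in the key set, checks the ES256 signature over
// the payload and returns the content hash only when the signature holds.
func Verify(set JWKSet, art Artifact) (string, error) {
	sig, err := b64.DecodeString(art.Signature)
	if err != nil || len(sig) != 64 {
		return "", errors.New("malformed ES256 signature")
	}
	for _, k := range set.Keys {
		if k.Kid != art.Kid {
			continue
		}
		pub, err := k.PublicKey()
		if err != nil {
			return "", err
		}
		digest := sha256.Sum256(art.Payload)
		if ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
			return ContentHash(art.Payload), nil
		}
		return "", errors.New("signature does not verify")
	}
	return "", errors.New("no key with kid " + art.Kid)
}

// NewPlatformKey, Sign and KeySet play the platform's role so the example runs offline.
func NewPlatformKey() *ecdsa.PrivateKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func Sign(priv *ecdsa.PrivateKey, kid string, payload []byte) Artifact {
	digest := sha256.Sum256(payload)
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return Artifact{Payload: payload, Kid: kid, Signature: b64.EncodeToString(sig)}
}

func KeySet(pub *ecdsa.PublicKey, kid string) JWKSet {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return JWKSet{[]JWK{{"EC", "P-256", kid, b64.EncodeToString(x), b64.EncodeToString(y)}}}
}

func main() {
	priv := NewPlatformKey()
	set := KeySet(&priv.PublicKey, "example-key-1") // constructed key id
	art := Sign(priv, "example-key-1", []byte(`{"capability_id":"mcp-server-filesystem","version":"0.6.3"}`))
	fmt.Println(Verify(set, art))        // content hash and <nil>
	art.Payload[len(art.Payload)-2] ^= 1 // flip one byte of the signed payload
	fmt.Println(Verify(set, art))        // empty hash and "signature does not verify"
}
```

In a real deployment the JWK Set would be fetched from /.well-known/certification-keys.json and cached, and the artifact from /v1/artifacts; the verifier then never needs the network again for that artifact, which is the point of the portable signed format. The key-set lookup is by kid so a key rotation can publish the new key alongside the old one without breaking artifacts signed earlier.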
Errors
All error responses return JSON with an error field.
400 Bad Request — invalid parameters or content_hash mismatch
401 Unauthorized — missing or invalid API key
403 Forbidden — API key tier insufficient for this endpoint
404 Not Found — capability or version not found
429 Rate Limit — includes Retry-After header
500 Server Error
CORS
All endpoints return Access-Control-Allow-Origin: *. Preflight OPTIONS requests are handled automatically.