Four properties, no proprietary tooling.
Computed from evidence
score = w₁·redteam_pass_rate + w₂·firewall_block_rate + w₃·intent_failure_rate − w₄·SBOM_drift. Each weight is exposed in the cert payload so verifiers know what they're trusting.
Public + signed
Cert is an RS256 JWT signed by a per-environment private key. Public key is published at /.well-known/jwks.json. Anyone — your customer, their procurement team, an external auditor — can verify the score from outside your stack.
Auto-revocable
Behaviour drifts → cert score drops → cert auto-revokes below your threshold. The cron-watch worker mints fresh certs every 6h. No stale evidence.
Verify from the CLI
vouchctl verify <publicHash> --base https://app.tryvouch.ai
Public-only — no auth needed. Useful for procurement, design partners, and CI checks against the deployed agent.
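The checks an outside verifier would apply to such a cert, shown as an added example (not Vouch's code and not how vouchctl is implemented). Claim names follow the sample payload on this page; the `kid` header, the `minScore` option, and the throwaway key pair standing in for the published JWKS are assumptions.

```javascript
// Added example: verify an RS256-signed score cert against a JWKS, then apply policy.
const crypto = require('node:crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');

// minScore and the "kid" header are assumptions; the page does not specify them.
function verifyCert(token, jwks, { minScore, now = new Date() }) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(fromB64u(h));
    claims = JSON.parse(fromB64u(p));
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm: the token must not choose it (blocks alg=none and HS256 confusion).
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) return { ok: false, reason: 'unknown-key' };
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const valid = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, fromB64u(s));
  if (!valid) return { ok: false, reason: 'bad-signature' };
  // Claims are trusted only after the signature has been verified.
  if (claims.iss !== 'tryvouch.ai') return { ok: false, reason: 'bad-issuer' };
  if (!(new Date(claims.expires_at) > now)) return { ok: false, reason: 'expired' };
  if (!(claims.score >= minScore)) return { ok: false, reason: 'below-threshold' };
  return { ok: true, claims };
}

// Constructed fixture: a throwaway key pair and JWKS, so the example runs offline.
function makeFixture() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-1' }] };
  const sign = (claims, header = { alg: 'RS256', typ: 'JWT', kid: 'demo-1' }) => {
    const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
    return `${input}.${b64u(crypto.sign('RSA-SHA256', Buffer.from(input), privateKey))}`;
  };
  return { jwks, sign };
}
```

A missing or unparseable `expires_at` or `score` fails closed, because both comparisons evaluate to false on invalid values.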
What's in a cert.
{
  "iss": "tryvouch.ai",
  "agent_id": "refund-agent",
  "agent_fingerprint": "0x77dac0",
  "score": 88.6,
  "components": {
    "redteam_pass_rate": 0.78,
    "firewall_block_rate": 0.92,
    "intent_failure_rate": 0.07,
    "sbom_drift": 0.0
  },
  "issued_at": "2026-04-29T16:00:00Z",
  "expires_at": "2026-04-30T16:00:00Z",
  "public_hash": "0x77dac0..."
}
Ship a Living Cert with your next release.
Public verification endpoint. Embeddable badge. No customer-side install.