AgentCredential

Complete field-by-field reference for AgentCredential v1 including technical profile, safety metrics, and operational parameters.

The AgentCredential certifies a specific AI agent's identity, capabilities, safety characteristics, and operational parameters. AgentCredentials are always linked to a DeveloperCredential, creating a verifiable chain of accountability.

Version: 1.0 Schema: agent-credential-v1.schema.json Media Type: application/beltic-agent+jwt

Purpose

AgentCredentials provide:

  • Technical profile of the agent (model, architecture, deployment)
  • Safety and robustness metrics from standardized evaluations
  • Tool capabilities with risk classifications
  • Data handling and privacy practices
  • Operational parameters and lifecycle management
  • Link to verified developer identity

Field Categories

Fields are organized into 8 categories with 71 total fields:

  1. Agent Identity & Provenance (8 fields)
  2. Technical Profile (11 fields)
  3. Tools & Actions (2 fields + tool list)
  4. Data Handling & Privacy (9 fields)
  5. Safety & Robustness Metrics (20 fields - 4 metrics × 5 metadata each)
  6. Operations & Lifecycle (8 fields)
  7. Risk Summary & Assurance (8 fields)
  8. Cryptographic Identity (6 fields)

Developer Credential Linkage

Every AgentCredential must reference a DeveloperCredential:

{
  "developerCredentialId": "d7aa92c7-8b07-4f35-8c9b-a2d02e26f012",
  "developerCredentialVerified": true
}

This creates the trust chain: Agent → Developer → Issuer

1. Agent Identity & Provenance

agentId

Type: string (UUID v4) Required: Yes Sensitivity: Public

Globally unique, stable identifier for this agent. Remains constant across versions.

Example: "3c9f4e9b-1a2b-4c9d-8f34-7e5c80f3d412"

agentName

Type: string Required: Yes Sensitivity: Public

Human-readable name for the agent.

Constraints:

  • Min 2, max 200 characters
  • Should be unique within developer's portfolio
  • May not contain offensive or misleading terms

Example: "Aurora Refund Guide"

agentVersion

Type: string (semantic version) Required: Yes Sensitivity: Public

Semantic version identifier (major.minor.patch).

Constraints: Must follow x.y.z format

Example: "2.3.0"

agentDescription

Type: string Required: Yes Sensitivity: Public

Clear description of agent's purpose and capabilities.

Constraints:

  • Min 50, max 1000 characters
  • Should describe intended use, not make exaggerated claims

Example: "Conversational assistant that helps e-commerce merchants process refunds, check policy eligibility, and generate customer communications."

firstReleaseDate

Type: string (ISO 8601 date) Required: Yes Sensitivity: Public

When the agent was first released to production.

Example: "2022-03-10"

currentStatus

Type: enum Required: Yes Sensitivity: Public

Current operational status.

Allowed Values:

  • production - Production-ready and actively supported
  • beta - Beta testing with limited availability
  • alpha - Early alpha, expect instability
  • internal - Internal use only
  • deprecated - Deprecated, users should migrate
  • retired - Retired and no longer operational

Example: "production"

developerCredentialId

Type: string (UUID v4) Required: Yes Sensitivity: Public

ID of the linked DeveloperCredential.

Example: "d7aa92c7-8b07-4f35-8c9b-a2d02e26f012"

developerCredentialVerified

Type: boolean Required: Yes Sensitivity: Public

Whether the linked DeveloperCredential has been verified.

Example: true

2. Technical Profile

primaryModelProvider

Type: string Required: Yes Sensitivity: Public

Provider of the primary LLM.

Examples: "Anthropic", "OpenAI", "Self-hosted"

primaryModelFamily

Type: string Required: Yes Sensitivity: Public

Model family or version.

Example: "Claude-3 Opus"

modelContextWindow

Type: number Required: Yes Sensitivity: Public

Maximum context window size in tokens.

Example: 200000

modalitySupport

Type: array of enum Required: Yes Sensitivity: Public

Input/output modalities supported.

Allowed Values: text, image, audio, video, structured_data

Example: ["text", "structured_data"]

languageCapabilities

Type: array of string (ISO 639-1) Required: Yes Sensitivity: Public

Natural languages supported.

Example: ["en", "es", "fr"]

architectureType

Type: enum Required: Yes Sensitivity: Public

Agent architecture pattern.

Allowed Values:

  • rag - Retrieval-Augmented Generation
  • react - ReAct (Reasoning + Acting)
  • chain_of_thought - Chain-of-Thought prompting
  • multi_agent - Multi-agent coordination
  • tool_using - Tool-using agent
  • fine_tuned - Fine-tuned model
  • prompt_only - Prompt engineering only
  • other - Other architecture

Example: "rag"

systemConfigFingerprint

Type: string (SHA256 hash) Required: Optional Sensitivity: Restricted

SHA256 fingerprint of the agent's system configuration/code.

Example: "sha256:f6d2..."

Assurance: Beltic-verified

systemConfigLastUpdated

Type: string (ISO 8601 date) Required: Optional Sensitivity: Public

When the system config was last updated.

Example: "2025-10-30"

deploymentEnvironment

Type: string Required: Optional Sensitivity: Public

Description of where the agent runs.

Example: "AWS us-west-2, isolated VPC"

complianceCertifications

Type: array of enum Required: Optional Sensitivity: Public

Compliance certifications obtained.

Allowed Values: hipaa, soc2_type1, soc2_type2, iso27001, gdpr_compliant, ccpa_compliant, pci_dss, fedramp

Example: ["soc2_type2", "iso27001"]

dataLocationProfile

Type: object Required: Optional Sensitivity: Public

Geographic locations for data storage and processing.

Structure:

{
  "storage": ["US"],
  "processing": ["US"],
  "backup": ["US", "CA"],
  "notes": "US primary, CA disaster recovery"
}

3. Tools & Actions

toolsList

Type: array of object Required: Optional (Required if agent uses tools) Sensitivity: Public

List of all tools/actions the agent can invoke.

Tool Object Structure:

{
  "toolName": "issue_refund",
  "toolDescription": "Processes refund for customer order",
  "riskCategory": "financial",
  "riskSubcategory": "financial_payment_initiation",
  "requiresAuth": true,
  "requiresHumanApproval": true
}

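Risk Categories (subcategories in parentheses; the examples on this page write riskSubcategory with the category as a prefix, e.g. financial_payment_initiation):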

  • data - Data operations (read_internal, read_external, write_internal, write_external, delete)
  • compute - Compute operations (code_execution, model_inference, infrastructure_modification)
  • financial - Financial operations (payment_initiation, account_modification, transaction_query)
  • external - External communication (email, sms, api_call, webhook)

Example:

[
  {
    "toolName": "refund_db_lookup",
    "riskCategory": "data",
    "riskSubcategory": "data_read_internal",
    "requiresAuth": true,
    "requiresHumanApproval": false
  },
  {
    "toolName": "issue_refund",
    "riskCategory": "financial",
    "riskSubcategory": "financial_payment_initiation",
    "requiresAuth": true,
    "requiresHumanApproval": true
  }
]

toolsLastAudited

Type: string (ISO 8601 date) Required: Optional (Required if toolsList provided) Sensitivity: Public

When tools were last security-audited.

Example: "2025-09-15"
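
A relying party can audit toolsList before trusting an agent with tool access. The following is an added example, not Beltic's own code: the "<category>_<subcategory>" naming is inferred from the examples above, and the HIGH_IMPACT set, the _tool helper and the bulk_payout and send_notice entries are constructed assumptions.

```python
RISK_SUBCATEGORIES = {  # from the Risk Categories list on this page
    "data": {"read_internal", "read_external", "write_internal", "write_external", "delete"},
    "compute": {"code_execution", "model_inference", "infrastructure_modification"},
    "financial": {"payment_initiation", "account_modification", "transaction_query"},
    "external": {"email", "sms", "api_call", "webhook"},
}
# Assumed local policy: these actions need authentication and a human approver.
HIGH_IMPACT = {"financial_payment_initiation", "financial_account_modification",
               "compute_code_execution", "compute_infrastructure_modification", "data_delete"}


def audit_tools(credential):
    """Return (toolName, finding) pairs for every toolsList entry that fails a check."""
    findings = []
    tools = credential.get("toolsList") or []
    if tools and not credential.get("toolsLastAudited"):
        findings.append(("*", "toolsList present but toolsLastAudited missing"))
    for tool in tools:
        name = tool.get("toolName", "<unnamed>")
        category = tool.get("riskCategory")
        sub = str(tool.get("riskSubcategory") or "")
        # The page's examples write riskSubcategory as "<category>_<subcategory>".
        prefix, _, rest = sub.partition("_")
        if prefix != category or rest not in RISK_SUBCATEGORIES.get(prefix, ()):
            findings.append((name, f"riskSubcategory {sub!r} does not fit riskCategory {category!r}"))
            continue
        if sub in HIGH_IMPACT:
            for flag in ("requiresAuth", "requiresHumanApproval"):
                if tool.get(flag) is not True:  # absent or non-boolean counts as unset
                    findings.append((name, f"high-impact tool without {flag}"))
    return findings


def _tool(name, category, sub, auth, approval):
    return {"toolName": name, "riskCategory": category, "riskSubcategory": sub,
            "requiresAuth": auth, "requiresHumanApproval": approval}


# Constructed sample: the page's two tools plus two constructed problem entries.
SAMPLE = {"toolsLastAudited": "2025-09-15", "toolsList": [
    _tool("refund_db_lookup", "data", "data_read_internal", True, False),
    _tool("issue_refund", "financial", "financial_payment_initiation", True, True),
    _tool("bulk_payout", "financial", "financial_payment_initiation", True, False),
    _tool("send_notice", "data", "external_email", False, False),
]}

if __name__ == "__main__":
    print(*(f"{n}: {f}" for n, f in audit_tools(SAMPLE)), sep="\n")
```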

4. Data Handling & Privacy

dataCategoriesProcessed

Type: array of enum Required: Yes Sensitivity: Public

Categories of data the agent processes.

Allowed Values: pii, financial, health_phi, biometric, location, communications, credentials, behavioral, demographic, device_identifiers

Example: ["pii", "financial"]

dataRetentionMaxPeriod

Type: string (ISO 8601 duration) Required: Yes Sensitivity: Public

Maximum data retention period.

Format: ISO 8601 duration (e.g., "P30D" = 30 days, "P1Y" = 1 year)

Example: "P30D"

dataRetentionByCategory

Type: object Required: Optional Sensitivity: Public

Retention periods per data category.

Example:

{
  "pii": "P30D",
  "financial": "P90D"
}

trainingDataUsage

Type: enum Required: Yes Sensitivity: Public

How user data is used for training.

Allowed Values:

  • no_training - Never used for training
  • with_explicit_consent - Only with explicit user consent
  • aggregated_anonymous - Aggregated and anonymized only
  • opt_out_available - Default yes, but opt-out available
  • not_applicable - API-based model, no training data access

Example: "with_explicit_consent"

piiDetectionEnabled

Type: boolean Required: Yes Sensitivity: Public

Whether PII detection is enabled.

Example: true

piiRedactionCapability

Type: enum Required: Optional Sensitivity: Public

Level of PII redaction capability.

Allowed Values: none, basic, advanced, custom

Example: "advanced"

piiRedactionPipeline

Type: string Required: Optional Sensitivity: Public

Description of how PII is detected and redacted.

Example: "Detects PII pre-inference and scrubs logs before storage."

dataEncryptionStandards

Type: array of string Required: Optional Sensitivity: Public

Encryption standards used.

Example: ["AES-256-at-rest", "TLS 1.3 in transit"]

5. Safety & Robustness Metrics

The agent's safety is measured across 4 core dimensions. Each metric includes 5 metadata fields:

  1. Score (0-100, higher is better)
  2. Benchmark Name (test suite used)
  3. Benchmark Version (test suite version)
  4. Evaluation Date (when evaluated)
  5. Assurance Source (who evaluated)

Metric 1: Harmful Content Refusal

Measures the agent's ability to refuse harmful requests.

Fields:

  • harmfulContentRefusalScore (number, 0-100)
  • harmfulContentBenchmarkName (string)
  • harmfulContentBenchmarkVersion (string)
  • harmfulContentEvaluationDate (ISO 8601 date)
  • harmfulContentAssuranceSource (enum: self_attested, beltic, third_party)

Example:

{
  "harmfulContentRefusalScore": 96,
  "harmfulContentBenchmarkName": "Beltic Harmful Content Suite",
  "harmfulContentBenchmarkVersion": "2.1",
  "harmfulContentEvaluationDate": "2025-11-05",
  "harmfulContentAssuranceSource": "beltic"
}

Metric 2: Prompt Injection Robustness

Resistance to jailbreaks and prompt injection attacks.

Fields:

  • promptInjectionRobustnessScore (number, 0-100)
  • promptInjectionBenchmarkName (string)
  • promptInjectionBenchmarkVersion (string)
  • promptInjectionEvaluationDate (ISO 8601 date)
  • promptInjectionAssuranceSource (enum)

Example:

{
  "promptInjectionRobustnessScore": 92,
  "promptInjectionBenchmarkName": "Beltic Prompt Injection Suite",
  "promptInjectionBenchmarkVersion": "1.4",
  "promptInjectionEvaluationDate": "2025-11-06",
  "promptInjectionAssuranceSource": "beltic"
}

Metric 3: Tool Abuse Robustness

Resistance to unsafe or unauthorized tool usage.

Fields:

  • toolAbuseRobustnessScore (number, 0-100)
  • toolAbuseBenchmarkName (string)
  • toolAbuseBenchmarkVersion (string)
  • toolAbuseEvaluationDate (ISO 8601 date)
  • toolAbuseAssuranceSource (enum)

Example:

{
  "toolAbuseRobustnessScore": 88,
  "toolAbuseBenchmarkName": "Beltic Tool Safety Suite",
  "toolAbuseBenchmarkVersion": "1.2",
  "toolAbuseEvaluationDate": "2025-11-06",
  "toolAbuseAssuranceSource": "beltic"
}

Metric 4: PII Leakage Robustness

Resistance to PII leakage and privacy violations.

Fields:

  • piiLeakageRobustnessScore (number, 0-100)
  • piiLeakageBenchmarkName (string)
  • piiLeakageBenchmarkVersion (string)
  • piiLeakageEvaluationDate (ISO 8601 date)
  • piiLeakageAssuranceSource (enum)

Example:

{
  "piiLeakageRobustnessScore": 94,
  "piiLeakageBenchmarkName": "Beltic Privacy Leakage Suite",
  "piiLeakageBenchmarkVersion": "1.3",
  "piiLeakageEvaluationDate": "2025-11-05",
  "piiLeakageAssuranceSource": "beltic"
}

Score Interpretation:

  • 90-100: Excellent - Very low risk
  • 80-89: Good - Low risk
  • 70-79: Moderate - Some risk, review use cases
  • 60-69: Fair - Moderate risk, restrict capabilities
  • 0-59: Poor - High risk, not recommended for production
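
A consumer of these metrics usually wants more than the raw score: whether all five fields are present, how old the evaluation is, and who vouched for it. The following added example (not Beltic's own code) maps each score to the bands above and reports those gaps; the 180-day staleness limit, the _metric helper and the sample values are assumptions constructed for illustration.

```python
from datetime import date

# Field names are from this page; max_age_days is an assumed local policy.
METRICS = {"harmfulContentRefusalScore": "harmfulContent",
           "promptInjectionRobustnessScore": "promptInjection",
           "toolAbuseRobustnessScore": "toolAbuse",
           "piiLeakageRobustnessScore": "piiLeakage"}
METADATA = ("BenchmarkName", "BenchmarkVersion", "EvaluationDate", "AssuranceSource")
BANDS = ((90, "excellent"), (80, "good"), (70, "moderate"), (60, "fair"), (0, "poor"))


def band(score):
    """Map a 0-100 score to the interpretation bands listed above."""
    if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 100:
        raise ValueError(f"score must be a number in 0-100, got {score!r}")
    return next(label for floor, label in BANDS if score >= floor)


def review_metrics(cred, today, max_age_days=180):
    """Return {score_field: [band, issue, ...]} for the four safety metrics."""
    report = {}
    for score_field, prefix in METRICS.items():
        issues = ["missing " + prefix + m for m in METADATA if prefix + m not in cred]
        evaluated = cred.get(prefix + "EvaluationDate")
        if evaluated and (today - date.fromisoformat(evaluated)).days > max_age_days:
            issues.append("evaluation older than policy allows")
        if cred.get(prefix + "AssuranceSource") == "self_attested":
            issues.append("self-attested score")
        report[score_field] = [band(cred.get(score_field))] + issues
    return report


def _metric(score_field, score, source, evaluated):
    prefix = METRICS[score_field]
    return {score_field: score, prefix + "BenchmarkName": "Constructed Suite",
            prefix + "BenchmarkVersion": "1.0", prefix + "EvaluationDate": evaluated,
            prefix + "AssuranceSource": source}


# Constructed sample (not from the page): one weak self-attested metric, one gap.
SAMPLE = {**_metric("harmfulContentRefusalScore", 96, "beltic", "2025-11-05"),
          **_metric("promptInjectionRobustnessScore", 74, "self_attested", "2025-01-10"),
          **_metric("toolAbuseRobustnessScore", 88, "beltic", "2025-11-06"),
          **_metric("piiLeakageRobustnessScore", 94, "third_party", "2025-11-05")}
del SAMPLE["toolAbuseBenchmarkVersion"]  # simulate an omitted or misnamed field

if __name__ == "__main__":
    for field, result in review_metrics(SAMPLE, today=date(2025, 12, 1)).items():
        print(field, result)
```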

6. Operations & Lifecycle

incidentResponseContact

Type: string (email) Required: Yes Sensitivity: Public

Contact for security incidents.

Example: "security@auroralabs.ai"

incidentResponseSLO

Type: string (ISO 8601 duration) Required: Optional Sensitivity: Public

Service level objective for incident response.

Example: "PT4H" (4 hours)

deprecationPolicy

Type: string Required: Optional Sensitivity: Public

How agent deprecation is handled.

Example: "90-day notice, automatic migration script for merchants"

updateCadence

Type: enum Required: Optional Sensitivity: Public

How frequently the agent is updated.

Allowed Values: daily, weekly, biweekly, monthly, quarterly, as_needed

Example: "biweekly"

humanOversightMode

Type: enum Required: Optional Sensitivity: Public

Level of human oversight.

Allowed Values:

  • none - Fully autonomous
  • human_review_post_action - Review after action
  • human_review_pre_action - Approval before action
  • human_in_loop - Human in decision loop
  • human_on_loop - Human monitors

Example: "human_review_pre_action"

failSafeBehavior

Type: string Required: Optional Sensitivity: Public

Description of fail-safe mechanisms.

Example: "Refuses requests exceeding $500 and escalates to finance queue"

monitoringCoverage

Type: string Required: Optional Sensitivity: Public

Monitoring and observability details.

Example: "PII detector alerts to SOC channel; monthly human log reviews"

credentialIssuanceDate

Type: string (ISO 8601 timestamp) Required: Yes Sensitivity: Public

When this credential was issued.

Example: "2025-11-08T12:00:00Z"

credentialExpirationDate

Type: string (ISO 8601 timestamp) Required: Yes Sensitivity: Public

When this credential expires.

Example: "2026-05-08T12:00:00Z"

7. Risk Summary & Assurance

overallSafetyRating

Type: enum Required: Yes Sensitivity: Public

Composite safety rating.

Allowed Values: low_risk, moderate_risk, high_risk, critical_risk

Example: "low_risk"

approvedUseCases

Type: array of string Required: Optional Sensitivity: Public

Explicitly approved use cases.

Example: ["E-commerce refund triage", "Customer refund status inquiries"]

prohibitedUseCases

Type: array of string Required: Optional Sensitivity: Public

Explicitly prohibited use cases.

Example: ["Financial investment advice", "Medical triage"]

ageRestrictions

Type: string Required: Optional Sensitivity: Public

Minimum age for users.

Example: "16+" or "18+" or "none"

regulatoryApprovals

Type: array of string Required: Optional Sensitivity: Public

Regulatory approvals obtained.

Example: ["SOC 2 Type II infrastructure alignment"]

kybTierRequired

Type: enum Required: Optional Sensitivity: Public

Minimum developer KYB tier required for this agent.

Allowed Values: tier_1, tier_2, tier_3

Example: "tier_2"

verificationLevel

Type: enum Required: Yes Sensitivity: Public

Overall verification level.

Allowed Values: self_attested, beltic_verified, third_party_verified

Example: "beltic_verified"

8. Cryptographic Identity

credentialId

Type: string (UUID v4) Required: Yes Sensitivity: Public

Unique identifier for this credential.

Example: "a2a1f6a0-7f4f-4aa1-8f6b-5c33c6f9f7e2"

issuerDid

Type: string (DID) Required: Yes Sensitivity: Public

DID of the issuer.

Example: "did:web:beltic.com"

verificationMethod

Type: string (DID URL) Required: Yes Sensitivity: Public

Key used to sign this credential.

Example: "did:web:beltic.com#key-1"

credentialStatus

Type: enum Required: Yes Sensitivity: Public

Current status.

Allowed Values: active, suspended, revoked

Example: "active"

revocationListUrl

Type: string (URL) Required: Optional Sensitivity: Public

URL to Status List 2021 bitstring.

Example: "https://beltic.com/status/agent-credentials.json"

proof

Type: object Required: Yes Sensitivity: Public

Cryptographic signature from issuer.
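
The fields in this section and the issuance and expiration dates from section 6 support a set of acceptance checks that a verifier can run on a decoded credential alongside signature verification. The following is an added example, not Beltic's own code: it assumes the payload has already passed schema validation, that the caller supplies a set of trusted issuer DIDs and a timezone-aware current time, and it does not verify the signature or fetch the status list.

```python
from datetime import datetime, timezone


def _ts(value):
    """Parse an ISO 8601 timestamp such as 2025-11-08T12:00:00Z into aware UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("timestamp has no timezone")
    return parsed.astimezone(timezone.utc)


def acceptance_errors(cred, now, trusted_issuers):
    """Return the reasons to reject a decoded AgentCredential (empty list = pass)."""
    errors = []
    issuer = cred.get("issuerDid")
    if issuer not in trusted_issuers:
        errors.append("issuerDid is not a trusted issuer")
    # The signing key must be a fragment of the issuer's own DID, not another DID.
    did, sep, fragment = str(cred.get("verificationMethod") or "").partition("#")
    if did != issuer or not sep or not fragment:
        errors.append("verificationMethod is not a key of issuerDid")
    if cred.get("credentialStatus") != "active":
        errors.append("credentialStatus is not active")
    try:
        issued = _ts(cred["credentialIssuanceDate"])
        expires = _ts(cred["credentialExpirationDate"])
        if not issued <= now < expires:
            errors.append("outside validity window")
    except (KeyError, ValueError, AttributeError):
        errors.append("missing or malformed issuance/expiration timestamp")
    if cred.get("developerCredentialVerified") is not True:
        errors.append("linked DeveloperCredential is not verified")
    if not isinstance(cred.get("proof"), dict):
        errors.append("proof object missing")
    return errors


# Values from this page's examples; the proof body is a constructed placeholder.
SAMPLE = {
    "issuerDid": "did:web:beltic.com", "verificationMethod": "did:web:beltic.com#key-1",
    "credentialStatus": "active", "developerCredentialVerified": True,
    "credentialIssuanceDate": "2025-11-08T12:00:00Z",
    "credentialExpirationDate": "2026-05-08T12:00:00Z",
    "proof": {"placeholder": "signature value not shown on this page"},
}

if __name__ == "__main__":
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)
    print(acceptance_errors(SAMPLE, now, {"did:web:beltic.com"}) or "accepted")
```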

Complete Example: Aurora Refund Guide

Customer service agent for e-commerce refund processing:

{
  "agentId": "3c9f4e9b-1a2b-4c9d-8f34-7e5c80f3d412",
  "agentName": "Aurora Refund Guide",
  "agentVersion": "2.3.0",
  "agentDescription": "Conversational assistant that helps e-commerce merchants process refunds...",
  "firstReleaseDate": "2022-03-10",
  "currentStatus": "production",
  "developerCredentialId": "d7aa92c7-8b07-4f35-8c9b-a2d02e26f012",
  "developerCredentialVerified": true,

  "primaryModelProvider": "Anthropic",
  "primaryModelFamily": "Claude-3 Opus",
  "modelContextWindow": 200000,
  "modalitySupport": ["text", "structured_data"],
  "languageCapabilities": ["en", "es", "fr"],
  "architectureType": "rag",
  "deploymentEnvironment": "AWS us-west-2, isolated VPC",
  "complianceCertifications": ["soc2_type2", "iso27001"],

  "toolsList": [
    {
      "toolName": "issue_refund",
      "riskCategory": "financial",
      "riskSubcategory": "financial_payment_initiation",
      "requiresAuth": true,
      "requiresHumanApproval": true
    }
  ],

  "dataCategoriesProcessed": ["pii", "financial"],
  "dataRetentionMaxPeriod": "P30D",
  "trainingDataUsage": "with_explicit_consent",
  "piiDetectionEnabled": true,
  "piiRedactionCapability": "advanced",

  "harmfulContentRefusalScore": 96,
  "promptInjectionRobustnessScore": 92,
  "toolAbuseRobustnessScore": 88,
  "piiLeakageRobustnessScore": 94,

  "incidentResponseContact": "security@auroralabs.ai",
  "humanOversightMode": "human_review_pre_action",
  "overallSafetyRating": "low_risk",
  "kybTierRequired": "tier_2",
  "verificationLevel": "beltic_verified"
}
