MCP-T adds trust scoring to the Model Context Protocol (MCP) stack. It complements MCP (tools) and MCP-I (identity) to provide the missing accountability layer for AI agents.
- MCP = How agents use tools
- MCP-I = Who the agent is
- MCP-T = Should you trust it
MCP-T works anywhere agents operate: MCP tool servers, UCP agentic commerce, and any protocol where trust decisions gate access to resources.
AI agents can connect to 10,000+ tools via MCP. None of those tools have trust scores. An agent's demonstrated trustworthiness on one platform carries no weight on another. Platforms must independently solve trust evaluation — or skip it entirely.
The result: 824 malicious skills on ClawHub. 41% of MCP servers lack authentication. Trust is the missing infrastructure layer.
- Trust Score Schema — Ten default dimensions across economic, behavioral, security, and governance domains. 0-1000 range, confidence metadata, domain scoping, temporal validity. Implementations score at least two; custom dimensions extend via reverse-DNS namespacing.

  | Dimension | What It Measures |
  |---|---|
  | `verification` | Identity and credential verification |
  | `tenure` | Operational history and continuity |
  | `performance` | Task completion and service quality |
  | `commitment` | Economic, reputational, or organizational stake |
  | `community` | Endorsements from other trusted entities |
  | `consistency` | Behavioral stability and predictability |
  | `transparency` | Openness to inspection and audit |
  | `compliance` | Regulatory and policy adherence |
  | `security` | Vulnerability posture and incident response |
  | `behavioral_fidelity` | Declared vs. observed behavior honesty (v0.2.0) |

- Query Protocol — Five JSON-RPC 2.0 methods aligned with MCP:
  - `trust/query` — Full trust score retrieval
  - `trust/verify` — Binary threshold check ("is this agent trusted enough?")
  - `trust/history` — Audit trail of trust events
  - `trust/providers` — Discover available trust providers
  - `trust/publish` — Report trust-relevant observations
- Trust Event Format — Signed, timestamped records of trust-relevant observations (contract completions, security incidents, behavioral traces, simulation results, bid lifecycle). 26 standard event types across 8 categories. Transport-agnostic.
- Trust Provider Interface — Registration, discovery, authorization, and multi-provider aggregation.
- Conformance Levels — Incremental adoption from read-only queries to zero-knowledge trust proofs:
  - Level 0: Read-only (query scores)
  - Level 1: Basic (query + publish events)
  - Level 2: Economic (staking, slashing, escrow)
  - Level 3: Zero-knowledge (prove trust without revealing score)

Check if an agent is trustworthy (Level 0):

```json
{
  "jsonrpc": "2.0",
  "id": "1",
  "method": "trust/verify",
  "params": {
    "subject_id": "did:key:z6Mk...",
    "domain": "code-execution",
    "threshold": {
      "composite_min": 600
    }
  }
}
```

Response:

```json
{
  "jsonrpc": "2.0",
  "id": "1",
  "result": {
    "verified": true,
    "confidence": 0.85,
    "checked_at": "2026-03-15T10:31:00Z"
  }
}
```

MCP-T is transport-agnostic. The spec defines bindings for:

| Transport | Use Case | Spec Section |
|---|---|---|
| HTTPS | Standard REST endpoints | 9.1 |
| Nostr | Decentralized, censorship-resistant | 9.2 |
| IPFS | Archival, content-addressed | 9.3 |
| SSE | Real-time score streaming | 9.4 |
- Implementation-agnostic — Defines the format, not the algorithm. Any scoring methodology is valid.
- Composable — Works alongside MCP and MCP-I. Not required, but stronger together.
- Portable — Trust data flows through any transport. No vendor lock-in.
- Privacy-aware — Supports zero-knowledge trust proofs (Level 3).
- Extensible — Ten default dimensions plus unlimited custom dimensions via reverse-DNS namespacing.
- Observable — First-class behavioral tracing, simulation, and declared-vs-observed comparison (v0.2.0).
Current: spec/mcp-t-v0.2.0.md (v0.2.0-draft, 2026-03-23)
Previous: spec/mcp-t-v0.1.0.md (v0.1.0-draft, 2026-03-15)
JSON schemas for all data structures are in schemas/.
- Behavioral Fidelity dimension -- measures whether agents do what they say they do
- Behavioral Observation Events -- structured runtime traces with fidelity ratios, invariant discovery, declaration deltas
- Simulation Events -- pre-execution predictions, post-execution accuracy measurement
- Bid Events -- contract bidding lifecycle with optional simulation evidence
- Scoring Methodology Guidance -- two-tier architecture (structural + contextual pass) as recommended pattern
- Full backward compatibility with v0.1.0
| Protocol | Guide | Status |
|---|---|---|
| UCP (Shopify + Google) | docs/integrations/ucp-integration.md | Complete |
MCP-T integrates with UCP's agentic commerce protocol to provide trust-tiered checkout flows. Merchants set trust thresholds in their /.well-known/ucp profile. Agents that meet the threshold proceed autonomously. Agents below the threshold trigger UCP's requires_escalation state for human approval.
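
An added sketch (not from the spec or the Vouch reference implementation) of a client that gates on the `trust/verify` result shown earlier and maps it onto the proceed / `requires_escalation` outcome described above. It fails closed; the confidence floor, freshness window and the `proceed` label are assumptions.

```typescript
// Added example: fail-closed client gate around an MCP-T trust/verify result.
// MIN_CONFIDENCE, MAX_AGE_MS and the "proceed" label are assumed local policy,
// not values defined by the spec.
type Decision = "proceed" | "requires_escalation";

const MIN_CONFIDENCE = 0.7;        // assumption
const MAX_AGE_MS = 5 * 60 * 1000;  // assumption: results older than 5 min are stale

// Response body copied from the README example.
const SAMPLE_RESPONSE = JSON.stringify({
  jsonrpc: "2.0",
  id: "1",
  result: { verified: true, confidence: 0.85, checked_at: "2026-03-15T10:31:00Z" },
});

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

function buildVerifyRequest(id: string, subjectId: string, domain: string, compositeMin: number) {
  return {
    jsonrpc: "2.0",
    id,
    method: "trust/verify",
    params: { subject_id: subjectId, domain, threshold: { composite_min: compositeMin } },
  };
}

// Returns "proceed" only for a well-formed, matching, fresh, confident, verified result.
function gate(requestId: string, rawResponse: string, nowMs: number): Decision {
  let msg: unknown;
  try {
    msg = JSON.parse(rawResponse);
  } catch {
    return "requires_escalation"; // unparseable body
  }
  if (!isRecord(msg) || msg.jsonrpc !== "2.0" || msg.id !== requestId) return "requires_escalation";
  const result = msg.result;
  if ("error" in msg || !isRecord(result)) return "requires_escalation";
  const { verified, confidence, checked_at } = result;
  if (verified !== true) return "requires_escalation"; // strict: "true" or 1 is rejected
  if (typeof confidence !== "number" || !(confidence >= MIN_CONFIDENCE && confidence <= 1)) {
    return "requires_escalation";
  }
  const checkedMs = typeof checked_at === "string" ? Date.parse(checked_at) : NaN;
  const ageMs = nowMs - checkedMs; // NaN if checked_at is missing or unparseable
  if (!(ageMs >= 0 && ageMs <= MAX_AGE_MS)) return "requires_escalation";
  return "proceed";
}
```

The response's `id` is checked against the request so a replayed or cross-wired answer for a different query cannot authorize this one.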
| Implementation | Conformance Level | Language | Status |
|---|---|---|---|
| Vouch Protocol (Percival Labs) | Level 2 (Economic) | TypeScript | Reference |
Add yours via PR.
MCP-T is an open specification. Contributions are welcome.
- Spec changes: Open an issue or PR against spec/mcp-t-v0.2.0.md
- New transport bindings: Propose in a GitHub issue
- New default dimensions: Propose via RFC issue
- Implementations: Add to the table above via PR
See CONTRIBUTING.md for details.
MCP-T is being submitted to the Decentralized Identity Foundation (DIF) for standardization alongside MCP-I.
MCP-T was initially authored by Alan Carroll (Percival Labs) based on the trust scoring architecture developed for the Vouch Protocol. The specification is designed to be implementation-agnostic and is offered to the community under CC-BY-4.0 for open development.
Specification: CC-BY-4.0
Implementation licenses are independent of the specification license.