Integrate as a Service Provider
This page walks you through publishing trust signals from your service so AI agents can discover and verify them. It uses the Trusted Shops authority as the worked example; the same flow applies to any authority listed in the Implementations catalog.
For the normative spec — wire format, signing, error handling — see Integration: Provider and the Verification API.
Prerequisites
- A live web property you control (HTTPS).
- The ability to edit the HTML
<head>of your pages (or inject it via your CMS / framework). - An account with one of the trust authorities in the catalog.
Step 1 — Pick a trust authority
Open the Implementations page and choose an authority that:
- Operates in your region (e.g., Trusted Shops covers the EU).
- Verifies the kinds of signals relevant to your business (reviews, dispute resolution, certifications, …).
- Has a status acceptable for your use case (
productionfor live deployments;betaorexperimentalif you're prototyping).
The rest of this guide assumes Trusted Shops; substitute the equivalent URLs for any other authority.
Step 2 — Get verified
Authorities issue trust signals only for entities they have independently verified. Onboarding flows differ per authority — start at the Onboarding link on the authority's card in the catalog.
Once verified, the authority assigns you an entityId — an opaque identifier that scopes your signals on their verify endpoint. Keep it; the next step needs it.
For Trusted Shops, the verify endpoint URL takes the form:
https://trstd-protocol.trustedshops.com/v1/entities/{entityId}/trust-signals
Step 3 — Add the discovery <link> tag
Add a <link rel="trstd-protocol"> element to the <head> of every page on your site, pointing to your verify endpoint. Replace {entityId} with the value the authority issued you:
<link
rel="trstd-protocol"
href="https://trstd-protocol.trustedshops.com/v1/entities/{entityId}/trust-signals"
/>
This is how agents discover where to fetch your signals. The full discovery rules — including agent-side allowlist validation — are in Discovery.
Step 4 — Verify end-to-end
Confirm that agents can actually retrieve and validate your signals.
a. Discovery. From a fresh browser DevTools session on one of your pages, run:
document
.querySelector('link[rel="trstd-protocol"]')
?.getAttribute('href');
You should get back the full verify endpoint URL with your entityId baked in.
b. Verify endpoint reachability. curl the endpoint:
curl -sS \
"https://trstd-protocol.trustedshops.com/v1/entities/{entityId}/trust-signals?url=https://your-site.example/some-page"
You should receive a JSON response with signed signals. The exact shape and signature format are documented in the API spec and OpenAPI.
c. Signature. Validate the response signature against the authority's published public key. Trusted Shops uses raw Ed25519 — see ADR-015 for the rationale and JCS canonicalization rules.
Step 5 — Maintain
- Re-deploy the
<link>tag whenever your page templates change. - Notify the authority when your service domain changes (the authority's verify response is bound to the domain it verified).
- Watch for new signal types or schema additions in the Trust Signals catalog and update your authority records as needed.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
Agents see no <link> tag | Tag injected by client-side JS only | Render server-side; the spec recommends it |
404 from verify endpoint | Wrong entityId or the entity was deactivated | Re-check the value the authority issued |
400 with url mismatch | The url query param doesn't belong to the verified scope | Use a URL that's actually under your verified domain |
| Signature mismatch | Stale public key cached, or canonicalization mismatch | Refresh the authority's public key; double-check JCS canonicalization |
| Authority domain rejected by agent | Agent enforces an allowlist you're not on | Open a request with the agent vendor; the protocol is permissionless on the authority side, but agents are free to gate |
Next steps
- Browse the full protocol overview once you have a working integration.
- If you operate a trust authority and want to be listed, see the bottom of the Implementations page.