ARD catalog
Sill publishes a per-site, signed Agentic Resource Discovery (ARD) catalog at its edge — an ai-catalog document that lets AI agents discover the site’s agent-facing surface (agent card, MCP endpoint, related manifests) with a verifiable provenance signature.
Endpoint
GET https://edge.sill.so/v1/catalog/{site_key}.json
Shape of the document
- specVersion: "1.0"
- host.identifier: did:web:{merchant_domain} — the verified merchant domain expressed as a did:web identifier.
- host.trustManifest: a manifest binding the host identity to the publishing party. Carries an independent signature.
- entries[]: pointers to the site’s discoverable surfaces (agent card, MCP endpoint). Each entry carries its own trustManifest with an independent signature.
Each trustManifest — host and per entry — is signed independently with a compact detached ed25519 JWS over the JCS-canonical (RFC 8785) bytes of that trust manifest with its signature field removed.
Signing
The ed25519 signing key is the same foyer/edge/card-signing-v1 key used for the agent card. The public half is published at Sill’s public JWKS endpoint:
GET https://edge.sill.so/.well-known/jwks.json
The signature is a detached JWS in compact serialization — the JWS payload is omitted from the compact form (BASE64URL(protected)..BASE64URL(signature), middle segment empty) and a verifier reconstructs it by JCS-canonicalizing the trust manifest. The protected header carries alg: EdDSA, the kid that resolves to the JWKS, and a typ value identifying the manifest kind (catalog trust manifests use ard-catalog+jcs). See Verify a signature for the step-by-step verifier recipe.
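The check described above for a single trust manifest, as an added example for Node.js (not Sill's own code and not the linked recipe). It assumes the signature field is named signature, that the signing input follows RFC 7515 (the payload is base64url-encoded before signing), and that the JWKS entry is an OKP/Ed25519 key; the key, kid, and manifest values are constructed.

```javascript
const nodeCrypto = require('node:crypto');
const b64u = (buf) => Buffer.from(buf).toString('base64url');

// RFC 8785 (JCS) for JSON values: object members sorted by UTF-16 code
// units, primitives serialized the way ECMAScript JSON.stringify does.
function jcs(v) {
  if (Array.isArray(v)) return '[' + v.map(jcs).join(',') + ']';
  if (v !== null && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + jcs(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// Assumed RFC 7515 signing input: BASE64URL(protected) "." BASE64URL(payload),
// where payload = JCS bytes of the manifest with its signature field removed.
function signingInput(protectedB64, manifest) {
  const { signature, ...unsigned } = manifest; // assumed field name
  return Buffer.from(protectedB64 + '.' + b64u(jcs(unsigned)), 'ascii');
}

function verifyTrustManifest(manifest, jwks, expectedTyp = 'ard-catalog+jcs') {
  const parts = String(manifest.signature).split('.');
  if (parts.length !== 3 || parts[1] !== '') return false; // must be detached
  let header;
  try { header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8')); } catch { return false; }
  if (!header || header.alg !== 'EdDSA' || header.typ !== expectedTyp) return false;
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'OKP' && k.crv === 'Ed25519');
  if (!jwk) return false; // unknown kid: never fall back to another key
  const key = nodeCrypto.createPublicKey({ key: { kty: 'OKP', crv: 'Ed25519', x: jwk.x }, format: 'jwk' });
  return nodeCrypto.verify(null, signingInput(parts[0], manifest), key, Buffer.from(parts[2], 'base64url'));
}

// Constructed sample: throwaway key, kid and manifest values (not Sill's).
function makeSample() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const kid = 'example-kid-1';
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid }] };
  const manifest = { identity: 'did:web:shop.example', identityType: 'did:web', provenance: 'constructed' };
  const prot = b64u(JSON.stringify({ alg: 'EdDSA', kid, typ: 'ard-catalog+jcs' }));
  const sig = nodeCrypto.sign(null, signingInput(prot, manifest), privateKey);
  return { jwks, manifest: { ...manifest, signature: `${prot}..${b64u(sig)}` } };
}
```

Pinning alg and typ before the key lookup keeps a signature minted for another manifest kind from being accepted as a catalog trust manifest.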
Scope of claim
- What is independently verifiable is the signature over each trust manifest — its identity, identityType, and provenance. The entry-level url, capabilities, description, representativeQueries, displayName, version, and updatedAt fields are not inside the signed payload — content integrity for those rests on did:web + TLS to edge.sill.so, as the upstream Trust Manifest spec defines.
- There is no single root signature over the catalog as a whole; the host trust manifest and each entry trust manifest are signed independently. A content-binding extension that would sign the entry bodies themselves is deferred.
- The ARD signature attests the trust manifest. It does not attest the runtime availability, content, or behavior of the agent card or MCP endpoint the catalog points to.