Agent Passport
A cryptographically signed security certificate per agent — real-time security posture, compliance status, and tool permissions in a shareable URL.
What is an Agent Passport?
Every agent monitored by ShieldAgent gets an Agent Passport — a signed document that reflects the agent's current security posture. It includes the current risk score and tier, the tools the agent is allowed and blocked from using, compliance framework coverage, and a full blocking and event history.
Passports are issued within minutes of first proxy activity and updated on every tool call. The displayed data reflects a rolling 24-hour window; the passport is automatically revoked if the agent is suspended or its key is rotated. No configuration is required.
Visibility Levels
Each passport has one of three visibility levels:
| Level | Who can see it | Use case |
|---|---|---|
| Private | No one outside your team | Default — while you set up or review |
| Internal | Any authenticated user in your tenant | CISO and security team review before agent approval |
| Public | Anyone with the URL | Share with clients, partners, regulators; embed badges |
Only security_manager, tenant_admin, and platform_admin roles can publish a passport publicly. Any admin can publish internally.
Internal Security Review
The most common use case for internal passports is pre-deployment security review. Before an agent goes live, the CISO or security team reviews the internal passport URL. It shows exactly what the agent is allowed to do, what ShieldAgent has blocked, the current risk score, and compliance coverage — without requiring system access.
Fetch a Passport
Public passports are accessible without authentication:
curl https://passport.shieldagent.io/pa_9c3f2a
Response (truncated)
{
"id": "pa_9c3f2a",
"agentName": "Apex Procurement Agent",
"organization": "Meridian Financial Group",
"riskScore": 18,
"tier": "normal",
"visibility": "public",
"toolsAllowed": ["erp.vendor.read", "erp.po.create_draft", ...],
"toolsBlocked": ["erp.vendor.write", "erp.payment.approve", ...],
"frameworks": [
{ "name": "SOC 2 Type II", "status": "compliant" },
{ "name": "ISO 27001", "status": "compliant" },
{ "name": "GDPR Article 25", "status": "partial" }
],
"verificationId": "shld_v1_9c3f2a_0419T142233Z",
"publicKeyFingerprint": "SHA256:zR9Fx2K4mQpLvJ3eNdWhUcBiYsOgAT8EH6KRl5X1P0=",
"certExpires": "2026-10-21",
"lastVerified": "2026-04-21T14:22:33Z"
}
Cryptographic Verification
Passports are signed with Ed25519. Anyone can verify a passport independently without trusting ShieldAgent's servers — useful for auditors, partners, and automated compliance checks.
# Download the public key
curl https://passport.shieldagent.io/public-key > shieldagent.pub
# Verify a passport
curl https://passport.shieldagent.io/pa_9c3f2a > passport.json
shieldagent verify --passport passport.json --key shieldagent.pub
The verification ID (verificationId) and public key fingerprint are included in every passport response. The SDK handles verification automatically.
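A relying-party check to run after `shieldagent verify` succeeds, as an added example that is not ShieldAgent's code: it pins the signing key to a fingerprint obtained out of band and applies freshness and tool-policy checks to the fields shown in the response above. The fingerprint derivation (SHA-256 of the key file bytes, base64), the `max_risk` threshold and all function names are assumptions; the sample key and passport are constructed.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

def key_fingerprint(key_bytes):
    # Assumption: "SHA256:" + base64(SHA-256 of the key file bytes).
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_bytes).digest()).decode()

def check_passport(passport, key_bytes, pinned_fp, now, must_block, max_risk=30):
    """Return policy findings for a signature-verified passport; [] means accept."""
    findings = []
    # The key is downloaded from the passport host, so compare it with a pin
    # recorded out of band instead of trusting the download.
    if key_fingerprint(key_bytes) != pinned_fp:
        findings.append("downloaded key does not match pinned fingerprint")
    if passport.get("publicKeyFingerprint") != pinned_fp:
        findings.append("passport names a different signing key")
    expires = datetime.strptime(passport["certExpires"], "%Y-%m-%d").date()
    if expires < now.date():
        findings.append("certificate expired")
    verified = datetime.strptime(passport["lastVerified"], "%Y-%m-%dT%H:%M:%SZ")
    # Displayed data covers a rolling 24-hour window; reject older snapshots.
    if now - verified.replace(tzinfo=timezone.utc) > timedelta(hours=24):
        findings.append("lastVerified older than 24 hours")
    if passport["riskScore"] > max_risk:
        findings.append("risk score above local threshold")
    allowed, blocked = set(passport["toolsAllowed"]), set(passport["toolsBlocked"])
    for tool in must_block:
        if tool in allowed or tool not in blocked:
            findings.append("tool not blocked: " + tool)
    return findings

# Constructed sample data (not a real key or passport).
SAMPLE_KEY = bytes(range(32))
PINNED_FP = key_fingerprint(SAMPLE_KEY)
SAMPLE_PASSPORT = {
    "id": "pa_9c3f2a", "riskScore": 18,
    "toolsAllowed": ["erp.vendor.read", "erp.po.create_draft"],
    "toolsBlocked": ["erp.vendor.write", "erp.payment.approve"],
    "publicKeyFingerprint": PINNED_FP,
    "certExpires": "2026-10-21", "lastVerified": "2026-04-21T14:22:33Z",
}
NOW = datetime(2026, 4, 21, 15, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_passport(SAMPLE_PASSPORT, SAMPLE_KEY, PINNED_FP, NOW,
                         ["erp.payment.approve"]))
```

Run it against the full passport, not the truncated listing, since a shortened toolsBlocked array would produce false "tool not blocked" findings.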
Embeddable Badges
Embed a live trust badge in any HTML page, GitHub README, or documentation site. The SVG badge reflects the current certification tier and links to the full public passport.
<!-- Basic embed -->
<img
src="https://shieldagent.io/badge/pa_9c3f2a.svg"
alt="ShieldAgent Certified"
/>
<!-- With link to passport -->
<a href="https://passport.shieldagent.io/pa_9c3f2a">
<img
src="https://shieldagent.io/badge/pa_9c3f2a.svg"
alt="ShieldAgent Certified — view passport"
/>
</a>
Badge URL format
https://shieldagent.io/badge/{passportId}.svg
The badge updates automatically when the risk tier changes. No CDN cache is applied — the response is always current.
Publishing via API
# Publish internally (security team review)
curl -X POST https://api.shieldagent.io/passports/pa_9c3f2a/publish \
-H 'Authorization: Bearer <admin-key>' \
-H 'Content-Type: application/json' \
-d '{ "visibility": "internal" }'
# Publish publicly (requires security_manager or higher)
curl -X POST https://api.shieldagent.io/passports/pa_9c3f2a/publish \
-H 'Authorization: Bearer <security-manager-key>' \
-H 'Content-Type: application/json' \
-d '{ "visibility": "public" }'
Related
- Risk Scoring Model → How the 0–100 score is calculated
- Integrating Agents → Register agents and configure MCP bindings
- Compliance Frameworks → SOC 2, ISO 27001, and GDPR coverage in passports