CraftedTrust CraftedTrust

Help & Documentation

Everything you need to get started with CraftedTrust — from creating your account to integrating trust checks into your agent workflows.

API Reference

Full REST API documentation with endpoints, examples, and response schemas.

Scoring Standards

How the 12-factor trust scoring system works, aligned with CoSAI, OWASP, and EU AI Act.

Security Checklist

Best practices for MCP server publishers to maximize their trust score.

Your Dashboard

Manage your account, API keys, team members, and linked emails.

Security Research

63 automated checks, published advisories, red team testing, and SBOM analysis.

Getting Started

CraftedTrust is the independent trust authority for the AI agent ecosystem. We evaluate MCP (Model Context Protocol) servers across 12 security factors and provide trust scores, certifications, and audit logging to help agents and their operators make safe tool choices.

Here's how to get started in 3 steps:

  1. Create an accountSign up with email or use Google, GitHub, or Apple sign-in. You'll get a dashboard with your organization, API keys, and team management.
  2. Search the registry — Use the Search page to look up any MCP server and see its trust score, security findings, and certification status.
  3. Integrate trust checks — Create an API key and use the API to verify MCP servers before your agents connect to them.

Account & Authentication

Your CraftedTrust account is the central hub for managing your interaction with the platform. Here's how it works:

Sign In Options: You can sign in with email + password, or use Google, GitHub, or Apple. If you sign in with a social provider that has the same email as an existing account, they're automatically linked.

Multi-Factor Authentication (MFA): We strongly recommend enabling MFA on your account. Go to Account Settings → Security → Enable MFA. You'll scan a QR code with any authenticator app (Google Authenticator, Authy, 1Password, etc.) and receive backup codes for recovery.

Organizations: Every account has an organization. You can invite team members via Organization settings, assign roles (owner, admin, member, viewer), and share API keys across the team.

Sessions: You can view active sessions and sign out from all devices in Account Settings. Sessions expire after 7 days, and signing out invalidates all tokens immediately.

Linked Emails

If you've submitted MCP servers for certification under different email addresses, you can link those emails to your account so they all appear in your Dashboard.

  1. Go to Account Settings and find the Linked Emails section.
  2. Enter the email address and click Link Email.
  3. Check the inbox for that email — click the Verify Email button in the message we send.
  4. Once verified, any certifications registered under that email will show up in your Dashboard automatically.

You can link as many emails as you need. Each one must be verified separately for security.

API Keys

API keys let you integrate CraftedTrust trust checks directly into your agent workflows, CI/CD pipelines, or applications.

How keys are secured: We never store your API key in plain text. Only a one-way SHA-256 hash is stored. The full key is shown exactly once when you create it — save it immediately. Keys are scoped to specific permissions (e.g., registry:read, registry:scan) and rate-limited per day.

To create a key: Go to API Keys, click Create API Key, choose a name, select the permissions you need, set an expiry, and save the key that's displayed.

Using your key:

# Check a server's trust score
curl -H "X-API-Key: ct_YOUR_KEY" \
https://mcp.craftedtrust.com/api/v1/server/check?url=https://example.com

Dashboard

If you operate MCP servers, the Dashboard is where you manage your certifications, monitor trust scores, and track server health.

The dashboard shows certifications for your primary email AND any linked emails. If you submitted servers under different addresses, link them in Account Settings to see everything in one place.

From the dashboard you can view certification status (pending, certified, denied), current trust scores, score trends for premium certifications, and initiate re-scans.

Trust Scoring

CraftedTrust evaluates MCP servers across 12 security factors, producing a score from 0 to 100:

1. Identity & Auth
2. Permission Scope
3. Transport Security
4. Declaration Accuracy
5. Tool Integrity
6. Supply Chain
7. Input Validation
8. Data Protection
9. Network Behavior
10. Code Transparency
11. Publisher Trust
12. Protocol Compliance

Scores map to trust tiers: Trusted (80-100), Moderate (60-79), Caution (40-59), Warning (20-39), Dangerous (0-19). See the full scoring standards for details.

Certification

Publishers can submit their MCP servers for trust certification to earn a verified badge that agents check automatically. There are four tiers:

Start at Get Certified.

Touchstone Security Research

Touchstone is the security research arm of CraftedTrust. It runs 63 automated checks across 9 domains: authentication, tool security, input validation, data security, supply chain, infrastructure, runtime, and A2A Agent Cards.

Every finding is scored with AIVSS (AI Vulnerability Scoring System) and mapped to 10 compliance frameworks: CoSAI, OWASP MCP Top 10, OWASP Agentic AI Top 10, MITRE ATLAS, NIST AI RMF, EU AI Act, ISO 42001, MAESTRO, SOC 2 Type II, and HITRUST CSF.

Published advisories follow a 90-day coordinated disclosure process. Subscribe via RSS feed or browse the check reference.

Supply Chain & SBOM

Every indexed npm package gets a CycloneDX SBOM (Software Bill of Materials) with dependency vulnerability scanning. SBOMs are generated automatically and rescanned daily against updated advisory databases.

Supply chain analysis includes: OSV vulnerability queries, GHSA cross-reference, Sigstore provenance verification, SLSA build level attestation, typosquat detection, maintainer reputation scoring, and container hardening analysis.

View a server's SBOM from its detail page in the registry, or use the SBOM viewer directly.

Red Team Testing

The Red Team Dashboard provides automated adversarial testing with 219 attack templates across 14 categories: prompt injection, tool poisoning, data exfiltration, privilege escalation, jailbreak, social engineering, encoding bypass, and more.

Campaigns run in batches against a target MCP server. Each test sends an attack payload and classifies the response as pass (blocked), warn (ambiguous), or fail (bypassed). Results include specific remediation guidance.

Red team campaigns are also available via the API (POST /api/v1/redteam/campaign) and the CLI (craftedtrust-scan redteam).

CLI Scanner

The craftedtrust-scan CLI runs scans locally before deployment.

Installation:

# Install globally from npm
npm install -g craftedtrust-scan
# Or run directly with npx
npx craftedtrust-scan scan https://your-mcp-server.com

Available commands:

Output formats: text (default), JSON, SARIF. Exit code 1 on critical/high findings for CI/CD integration.

On-Chain Verification

CraftedTrust publishes trust scores as ERC-8004 reputation data on the Base L2 network. This provides independently verifiable trust records that cannot be tampered with after publication.

Certified servers receive an on-chain attestation via the Ethereum Attestation Service (EAS). Audit logs are anchored via Merkle proofs, creating a cryptographic chain of custody for all security assessments.

On-chain features are available for Enterprise certified servers. The attestation UID and transaction hash are displayed on the server's certification report.

Frequently Asked Questions

What is CraftedTrust?
CraftedTrust is the independent trust authority for MCP (Model Context Protocol) servers. We provide trust scoring, security scanning, audit logging, and certification for AI agent tools. Think of us as the SSL certificate authority for the AI agent economy — we help agents verify that the tools they connect to are safe.
Do I need an account to search the registry?
No. The registry search and individual server pages are public. You only need an account to access the Dashboard, create API keys, or submit servers for certification.
I signed in with Google but my certifications are under a different email. How do I see them?
Go to Account Settings → Linked Emails → enter the email your certifications are under → click Link Email → verify it from your inbox. Once verified, your Dashboard will show certifications from all linked emails.
Are my API keys stored securely?
Yes. We only store a one-way SHA-256 hash of your API key — we never store the key itself. The full key is shown exactly once when you create it. If you lose it, you'll need to create a new one. Keys are also scoped to specific permissions and rate-limited per day.
What happens when I enable MFA?
Multi-Factor Authentication adds a second step to sign-in: after entering your password, you'll need to provide a 6-digit code from your authenticator app (Google Authenticator, Authy, 1Password, etc.). You'll also receive backup codes in case you lose access to your authenticator. MFA is strongly recommended for all accounts.
Can I invite team members to my organization?
Yes. Go to Organization → Invite Member → enter their email and select a role. They'll receive an invitation link. Roles are: Owner (full access), Admin (manage members and keys), Member (view and use), Viewer (read-only).
How often are trust scores updated?
Servers are re-scanned periodically based on their risk level. Low-scoring servers are scanned more frequently. Premium certified servers get continuous monitoring with daily scans. You can also trigger a manual scan from the registry.
What compliance frameworks does CraftedTrust align with?
Our scoring maps to ten frameworks: CoSAI, OWASP MCP Top 10, OWASP Agentic AI Top 10, MITRE ATLAS, NIST AI RMF, EU AI Act (Articles 9-15), ISO 42001, MAESTRO, SOC 2 Type II, and HITRUST CSF. See the Standards page for full mapping details.
I need help or want to report an issue
Contact us at cyber.craft@craftedcybersolutions.com or visit Cyber Craft Solutions.