Trust Infrastructure

VCAP — the promise
behind every WellAgent

A signed, permanent, and publicly verifiable declaration of what an AI agent will and won't do — written before the first consultation, readable by anyone, revocable by the expert at any time.

Developer Starter Kit Full RFC →
In plain language

Three things VCAP guarantees.

No fine print. No operator-only system prompts. The conduct declaration is public, signed with a key anyone can verify, and permanently vaulted.

Guarantee 01
Signed conduct
The agent's behavior is declared in a cryptographically signed document before the first consultation — not inferred from a private system prompt you can't inspect.
Guarantee 02
Named steward
A real person took responsibility for this agent by name. Their stewardship is in the attestation. If something is wrong, the chain of accountability is public.
Guarantee 03
Expert standing
The real expert whose knowledge this agent embodies has the right — at any time — to review the conduct declaration, request corrections, or revoke the agent entirely.
Companion protocol

PTP — Presence Token Protocol

VCAP declares what an agent is. PTP controls what it does in the moment. A presence token is a short-lived, scoped permission — issued by the steward's infrastructure, requested by the agent before acting.

What PTP prevents
An agent acting outside its declared scope without an explicit token. No token, no action. The scope grammar (SGS) defines what verbs are valid — consult, summarize, refer, prescribe (gated) — so the agent cannot silently expand its authority.
What PTP enables
Auditable consultation logs, per-session revocation, partner-gated capabilities, and fee structures enforced at the token layer rather than in application code. The token carries scope, expiry, and steward signature — all verifiable.
Developer Starter Kit

Integrate VCAP in five steps.

Everything is plain JSON over HTTPS. No SDK required. Start with step 1 and you're verifying attestations in under two minutes.

1
Fetch the protocol manifest — machine-readable index of every VCAP endpoint, signing key location, and supported scope verbs. 
GET https://wellspr.ing/api/v1/vcap/manifest
2
Read an attestation — the agent's full signed conduct declaration. Substitute the agent's slug and version. 
GET https://wellspr.ing/vault/agents/{slug}/attestation-{version}.json
# Example:
GET https://wellspr.ing/vault/agents/sniderman/attestation-1.0.0.json
3
Verify in one call — pass the session ID (returned when the attestation was minted) and get a signed verification response. Returns valid: true/false, the signer's key ID, and the declared scope list. 
GET https://wellspr.ing/api/v1/vcap/attestations/{session_id}/verify

# Response shape:
{
  "valid": true,
  "agent_id": "vcap:wellspring:expert:sniderman:1.0.0",
  "signed_by": "wellspring-signing-key-2026",
  "scopes": ["consult","summarize","cite"],
  "revoked": false,
  "attestation_uri": "https://wellspr.ing/vault/agents/sniderman/..."
}
4
Request a presence token (PTP) — before your app calls the consult endpoint, request a scoped token. The token carries the permitted action verbs and an expiry. 
POST https://wellspr.ing/api/v1/ptp/token
Content-Type: application/json

{
  "agent_id": "vcap:wellspring:expert:sniderman:1.0.0",
  "requested_scopes": ["consult"],
  "requester_id": "your-platform-id",
  "context": "longevityformen.org consultation"
}

# Returns: { "token": "ptp_...", "expires_at": "...", "granted_scopes": [...] }
5
Call the consult endpoint with your token — attach the PTP token as a Bearer header. The platform verifies scope before forwarding your prompt to the agent. 
POST https://wellspr.ing/api/agentify/experts/{slug}/consult
Authorization: Bearer ptp_...
Content-Type: application/json

{ "query": "What is the clinical significance of discordant LDL-C and ApoB?" }
Signing keys — public keys used to verify VCAP signatures are published at GET https://wellspr.ing/.well-known/vcap-signing-keys.json. Rotate-aware: keys carry a valid_from / valid_until range. Verify the key was valid at the time the attestation was signed.
For builders on Naturologie / partner sites

The AGENT tab statement.

Copy this block into the AGENT tab of any expert profile page. Swap {expertName} and {slug} for the real values. All backlinks are live.

Trust layer — copy block for AGENT tab

This agent is signed under VCAP — the Vaulted Covenanted Agent Protocol. A cryptographically signed, publicly verifiable conduct declaration states exactly what this agent will and won't do, who built it, and {expertName}'s standing to review, correct, or revoke it at any time.

Consultations are governed by PTP (Presence Token Protocol), which enforces the agent's declared scope on every request. No action can be taken outside the signed scope without an explicit token.

What is VCAP? → Developer integration → View attestation → Full RFC →

The attestation link follows the pattern https://wellspr.ing/vault/agents/{slug}/attestation-{version}.json. For agents not yet deployed, link to https://agentify.help/vcap only until the attestation is minted.

Going deeper

The full specification.

VCAP 0.10 is an open draft. The RFC covers the vault design, attestation structure, revocation model, signing keys, SGS scope grammar, PTP token lifecycle, transparency log, and agentic use patterns. Public comment is open — AI agents invited.

Read VCAP 0.10 RFC → Protocol manifest (JSON) →