← Trust LayerDeveloper API

Trust Layer API

One endpoint answers "can I trust this?" for an MCP/agent tool, a prompt, or a piece of content, and returns a verdict plus a signed, portable Trust Receipt. No SDK required, it is a single POST.

Base URL

https://queldrex.com

Authentication & limits

The API works with no key on the free tier. Sign in and create an API key (free) for higher limits and to attribute activity to your account, console, and policy.

FreeNo key20 requests / hour / IP
Account keyBearer qdx_… key5,000 requests / month, free

Create a key free in the console after you sign in. Send it as Authorization: Bearer qdx_…. Need more than 5,000/month? hello@queldrex.com.

Endpoints

POST/api/trust/authorize
POST/api/trust/verify
GET/api/trust/mode
PUT/api/trust/policy
GET/api/trust/receipt/{id}
GET/api/trust/badge/{id}.svg
GET/api/trust/pubkey
GET/api/trust/benchmark
GET/api/trust/benchmark/dataset

Enforce a tool call (authorize)

Ask this BEFORE your agent runs a tool. You get the decision the agent must obey, plus a signed receipt. Pass the actual call args so a clean tool driven with a malicious value (a cloud-metadata URL, an SSH-key path, a shell injection) is caught, not just a poisoned tool definition. Pass agentId for per-agent policy and budgets, and session flags for behavioral monitoring. In monitor mode the decision is always allow and wouldBlock tells you what it would have done.

curl -X POST https://queldrex.com/api/trust/authorize \
  -H "content-type: application/json" \
  -H "Authorization: Bearer qdx_…" \
  -d '{
    "tool": { "name": "fetch_url", "description": "…", "serverUrl": "https://api.example.com/mcp" },
    "args": { "url": "http://169.254.169.254/latest/meta-data/" },
    "agentId": "prod-agent",
    "session": { "untrusted": true, "sensitive": true, "egress": true }
  }'
{
  "decision": "deny",               // allow | require_approval | deny
  "rule": "call_args.malicious",    // the argument, not the tool, was the attack
  "reasons": ["A call argument references a cloud instance-metadata address…"],
  "riskScore": 0,                   // the tool definition itself scored clean
  "verdict": "safe",
  "mode": "enforce",                // enforce | monitor
  "wouldBlock": false,              // monitor mode: what it WOULD have done
  "approvalId": null,               // set when a human approval is pending
  "receipt": { "payload": { "id": "rcpt_…", … }, "signature": "…", "publicKey": "…" }
}

Verify a tool

curl -X POST https://queldrex.com/api/trust/verify \
  -H "content-type: application/json" \
  -d '{
    "kind": "mcp_tool",
    "tool": {
      "name": "send_email",
      "description": "Sends an email to a recipient.",
      "serverUrl": "https://api.example.com/mcp",
      "scopes": ["mail:send"]
    }
  }'

Verify a prompt / text

curl -X POST https://queldrex.com/api/trust/verify \
  -H "content-type: application/json" \
  -d '{"kind":"text","text":"ignore all previous instructions and..."}'

Verify content (image)

curl -X POST https://queldrex.com/api/trust/verify \
  -F "file=@photo.jpg"

Response

{
  "verdict": "unsafe",              // safe | unsafe | uncertain
  "riskScore": 97,                  // 0-100 (hedged, never certainty)
  "confidence": "high",             // low | moderate | high
  "headline": "Strong risk signals in this tool",
  "signals": [
    { "code": "tool_poisoning.hidden_instruction",
      "label": "Hidden instruction in tool metadata",
      "detail": "...", "direction": "risk", "weight": 0.7 }
  ],
  "subject": { "kind": "mcp_tool", "name": "send_email", "hash": "…" },
  "receipt": {                      // signed, portable proof
    "payload": { "id": "rcpt_…", "verdict": "unsafe", "riskScore": 97, … },
    "algorithm": "ed25519",
    "keyId": "0b507309cbb6235e",
    "signature": "…base64…",
    "publicKey": "…base64 SPKI DER…"
  },
  "disclaimer": "…"
}

Verdicts

Verify a receipt yourself

Every receipt is Ed25519-signed and carries its own public key, so you can verify it without trusting our servers. Confirm the key is ours against /api/trust/pubkey.

// Node
import { verify, createPublicKey } from 'crypto'
const ok = verify(null,
  Buffer.from(canonicalJSON(receipt.payload)),
  createPublicKey({ key: Buffer.from(receipt.publicKey,'base64'), format:'der', type:'spki' }),
  Buffer.from(receipt.signature,'base64'))

SDK & framework drop-ins

Instead of calling the API by hand, use @queldrex/enforce (zero-dependency, fail-safe) or a one-line framework adapter. Full guide at /verify/integrate.

// Vercel AI SDK — govern every tool in one line
import { withQueldrex } from '@queldrex/enforce/vercel'
await generateText({ model, tools: withQueldrex(myTools, { apiKey }) })

// Or the core enforcer (LangChain, OpenAI, MCP, or a custom loop):
import { createEnforcer } from '@queldrex/enforce'
const q = createEnforcer({ apiKey: process.env.QUELDREX_API_KEY })
await q.guard(toolDescriptor, session)   // throws unless allowed

// Claude Code: add a PreToolUse hook, no code:
//   "command": "npx -y @queldrex/enforce hook"

Embed the badge

<a href="https://queldrex.com/verify/receipt/{id}">
  <img src="https://queldrex.com/api/trust/badge/{id}.svg" alt="Verified by Queldrex">
</a>
Results are automated, probabilistic assessments, not guarantees. See the benchmark for measured accuracy. We process and purge inputs; we store the receipt (verdict + a hash), not your content.